セキュリティモニタリング

セキュリティルール、シグナル、フィルターなどを作成および管理します。詳細については、Datadog Security ページをご覧ください。

Create a critical asset

v2 (latest)

POST https://api.ap1.datadoghq.com/api/v2/security_monitoring/configuration/critical_assetshttps://api.ap2.datadoghq.com/api/v2/security_monitoring/configuration/critical_assetshttps://api.datadoghq.eu/api/v2/security_monitoring/configuration/critical_assetshttps://api.ddog-gov.com/api/v2/security_monitoring/configuration/critical_assetshttps://api.datadoghq.com/api/v2/security_monitoring/configuration/critical_assetshttps://api.us3.datadoghq.com/api/v2/security_monitoring/configuration/critical_assetshttps://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/critical_assets

概要

Create a new critical asset.

OAuth apps require the security_monitoring_critical_assets_write authorization scope to access this endpoint.

リクエスト

Body Data (required)

The definition of the new critical asset.

Expand All

フィールド

種類

説明

data [required]

object

Object for a single critical asset.

{
  "data": {
    "type": "critical_assets",
    "attributes": {
      "query": "host:examplesecuritymonitoring",
      "rule_query": "type:(log_detection OR signal_correlation OR workload_security OR application_security) source:cloudtrail",
      "severity": "decrease",
      "tags": [
        "team:security",
        "env:test"
      ]
    }
  }
}

応答

Response object containing a single critical asset.

Expand All

フィールド

種類

説明

data

object

The critical asset's properties.

{
  "data": {
    "attributes": {
      "creation_author_id": 367742,
      "creation_date": "integer",
      "creator": {
        "handle": "john.doe@datadoghq.com",
        "name": "John Doe"
      },
      "enabled": true,
      "query": "security:monitoring",
      "rule_query": "type:log_detection source:cloudtrail",
      "severity": "increase",
      "tags": [
        "team:database",
        "source:cloudtrail"
      ],
      "update_author_id": 367743,
      "update_date": "integer",
      "updater": {
        "handle": "john.doe@datadoghq.com",
        "name": "John Doe"
      },
      "version": 2
    },
    "id": "4e2435a5-6670-4b8f-baff-46083cd1c250",
    "type": "critical_assets"
  }
}

Bad Request

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Authorized

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Conflict

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

コード例

                          # Curl command
curl -X POST "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/critical_assets" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": {
    "type": "critical_assets",
    "attributes": {
      "query": "host:examplesecuritymonitoring",
      "rule_query": "type:(log_detection OR signal_correlation OR workload_security OR application_security) source:cloudtrail",
      "severity": "decrease",
      "tags": [
        "team:security",
        "env:test"
      ]
    }
  }
}
EOF

                        

Create a suppression rule

v2 (latest)

POST https://api.ap1.datadoghq.com/api/v2/security_monitoring/configuration/suppressionshttps://api.ap2.datadoghq.com/api/v2/security_monitoring/configuration/suppressionshttps://api.datadoghq.eu/api/v2/security_monitoring/configuration/suppressionshttps://api.ddog-gov.com/api/v2/security_monitoring/configuration/suppressionshttps://api.datadoghq.com/api/v2/security_monitoring/configuration/suppressionshttps://api.us3.datadoghq.com/api/v2/security_monitoring/configuration/suppressionshttps://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/suppressions

概要

Create a new suppression rule.

OAuth apps require the security_monitoring_suppressions_write authorization scope to access this endpoint.

リクエスト

Body Data (required)

The definition of the new suppression rule.

Expand All

フィールド

種類

説明

data [required]

object

Object for a single suppression rule.

{
  "data": {
    "attributes": {
      "description": "This rule suppresses low-severity signals in staging environments.",
      "enabled": true,
      "start_date": 1637493071000,
      "expiration_date": 1638443471000,
      "name": "Example-Security-Monitoring",
      "rule_query": "type:log_detection source:cloudtrail",
      "suppression_query": "env:staging status:low",
      "tags": [
        "technique:T1110-brute-force",
        "source:cloudtrail"
      ]
    },
    "type": "suppressions"
  }
}
{
  "data": {
    "attributes": {
      "description": "This rule suppresses low-severity signals in staging environments.",
      "enabled": true,
      "start_date": 1637493071000,
      "expiration_date": 1638443471000,
      "name": "Example-Security-Monitoring",
      "rule_query": "type:log_detection source:cloudtrail",
      "data_exclusion_query": "account_id:12345"
    },
    "type": "suppressions"
  }
}

応答

Response object containing a single suppression rule.

Expand All

フィールド

種類

説明

data

object

The suppression rule's properties.

{
  "data": {
    "attributes": {
      "creation_date": "integer",
      "creator": {
        "handle": "john.doe@datadoghq.com",
        "name": "John Doe"
      },
      "data_exclusion_query": "source:cloudtrail account_id:12345",
      "description": "This rule suppresses low-severity signals in staging environments.",
      "editable": true,
      "enabled": true,
      "expiration_date": 1703187336000,
      "name": "Custom suppression",
      "rule_query": "type:log_detection source:cloudtrail",
      "start_date": 1703187336000,
      "suppression_query": "env:staging status:low",
      "tags": [
        "technique:T1110-brute-force",
        "source:cloudtrail"
      ],
      "update_date": "integer",
      "updater": {
        "handle": "john.doe@datadoghq.com",
        "name": "John Doe"
      },
      "version": 42
    },
    "id": "3dd-0uc-h1s",
    "type": "suppressions"
  }
}

Bad Request

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Authorized

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Conflict

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

コード例

                          # Curl command
curl -X POST "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/suppressions" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": {
    "attributes": {
      "description": "This rule suppresses low-severity signals in staging environments.",
      "enabled": true,
      "start_date": 1637493071000,
      "expiration_date": 1638443471000,
      "name": "Example-Security-Monitoring",
      "rule_query": "type:log_detection source:cloudtrail",
      "suppression_query": "env:staging status:low",
      "tags": [
        "technique:T1110-brute-force",
        "source:cloudtrail"
      ]
    },
    "type": "suppressions"
  }
}
EOF

                        
                          # Curl command
curl -X POST "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/suppressions" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": {
    "attributes": {
      "description": "This rule suppresses low-severity signals in staging environments.",
      "enabled": true,
      "start_date": 1637493071000,
      "expiration_date": 1638443471000,
      "name": "Example-Security-Monitoring",
      "rule_query": "type:log_detection source:cloudtrail",
      "data_exclusion_query": "account_id:12345"
    },
    "type": "suppressions"
  }
}
EOF

                        

// Create a suppression rule returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.SecurityMonitoringSuppressionCreateRequest{
		Data: datadogV2.SecurityMonitoringSuppressionCreateData{
			Attributes: datadogV2.SecurityMonitoringSuppressionCreateAttributes{
				Description:      datadog.PtrString("This rule suppresses low-severity signals in staging environments."),
				Enabled:          true,
				StartDate:        datadog.PtrInt64(1637493071000),
				ExpirationDate:   datadog.PtrInt64(1638443471000),
				Name:             "Example-Security-Monitoring",
				RuleQuery:        "type:log_detection source:cloudtrail",
				SuppressionQuery: datadog.PtrString("env:staging status:low"),
				Tags: []string{
					"technique:T1110-brute-force",
					"source:cloudtrail",
				},
			},
			Type: datadogV2.SECURITYMONITORINGSUPPRESSIONTYPE_SUPPRESSIONS,
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.CreateSecurityMonitoringSuppression(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.CreateSecurityMonitoringSuppression`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.CreateSecurityMonitoringSuppression`:\n%s\n", responseContent)
}

// Create a suppression rule with an exclusion query returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.SecurityMonitoringSuppressionCreateRequest{
		Data: datadogV2.SecurityMonitoringSuppressionCreateData{
			Attributes: datadogV2.SecurityMonitoringSuppressionCreateAttributes{
				Description:        datadog.PtrString("This rule suppresses low-severity signals in staging environments."),
				Enabled:            true,
				StartDate:          datadog.PtrInt64(1637493071000),
				ExpirationDate:     datadog.PtrInt64(1638443471000),
				Name:               "Example-Security-Monitoring",
				RuleQuery:          "type:log_detection source:cloudtrail",
				DataExclusionQuery: datadog.PtrString("account_id:12345"),
			},
			Type: datadogV2.SECURITYMONITORINGSUPPRESSIONTYPE_SUPPRESSIONS,
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.CreateSecurityMonitoringSuppression(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.CreateSecurityMonitoringSuppression`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.CreateSecurityMonitoringSuppression`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"

// Create a suppression rule returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionCreateAttributes;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionCreateData;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionCreateRequest;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionResponse;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionType;
import java.util.Arrays;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SecurityMonitoringSuppressionCreateRequest body =
        new SecurityMonitoringSuppressionCreateRequest()
            .data(
                new SecurityMonitoringSuppressionCreateData()
                    .attributes(
                        new SecurityMonitoringSuppressionCreateAttributes()
                            .description(
                                "This rule suppresses low-severity signals in staging"
                                    + " environments.")
                            .enabled(true)
                            .startDate(1637493071000L)
                            .expirationDate(1638443471000L)
                            .name("Example-Security-Monitoring")
                            .ruleQuery("type:log_detection source:cloudtrail")
                            .suppressionQuery("env:staging status:low")
                            .tags(
                                Arrays.asList("technique:T1110-brute-force", "source:cloudtrail")))
                    .type(SecurityMonitoringSuppressionType.SUPPRESSIONS));

    try {
      SecurityMonitoringSuppressionResponse result =
          apiInstance.createSecurityMonitoringSuppression(body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#createSecurityMonitoringSuppression");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

// Create a suppression rule with an exclusion query returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionCreateAttributes;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionCreateData;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionCreateRequest;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionResponse;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionType;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SecurityMonitoringSuppressionCreateRequest body =
        new SecurityMonitoringSuppressionCreateRequest()
            .data(
                new SecurityMonitoringSuppressionCreateData()
                    .attributes(
                        new SecurityMonitoringSuppressionCreateAttributes()
                            .description(
                                "This rule suppresses low-severity signals in staging"
                                    + " environments.")
                            .enabled(true)
                            .startDate(1637493071000L)
                            .expirationDate(1638443471000L)
                            .name("Example-Security-Monitoring")
                            .ruleQuery("type:log_detection source:cloudtrail")
                            .dataExclusionQuery("account_id:12345"))
                    .type(SecurityMonitoringSuppressionType.SUPPRESSIONS));

    try {
      SecurityMonitoringSuppressionResponse result =
          apiInstance.createSecurityMonitoringSuppression(body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#createSecurityMonitoringSuppression");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

"""
Create a suppression rule returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_suppression_create_attributes import (
    SecurityMonitoringSuppressionCreateAttributes,
)
from datadog_api_client.v2.model.security_monitoring_suppression_create_data import (
    SecurityMonitoringSuppressionCreateData,
)
from datadog_api_client.v2.model.security_monitoring_suppression_create_request import (
    SecurityMonitoringSuppressionCreateRequest,
)
from datadog_api_client.v2.model.security_monitoring_suppression_type import SecurityMonitoringSuppressionType

body = SecurityMonitoringSuppressionCreateRequest(
    data=SecurityMonitoringSuppressionCreateData(
        attributes=SecurityMonitoringSuppressionCreateAttributes(
            description="This rule suppresses low-severity signals in staging environments.",
            enabled=True,
            start_date=1637493071000,
            expiration_date=1638443471000,
            name="Example-Security-Monitoring",
            rule_query="type:log_detection source:cloudtrail",
            suppression_query="env:staging status:low",
            tags=[
                "technique:T1110-brute-force",
                "source:cloudtrail",
            ],
        ),
        type=SecurityMonitoringSuppressionType.SUPPRESSIONS,
    ),
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.create_security_monitoring_suppression(body=body)

    print(response)

"""
Create a suppression rule with an exclusion query returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_suppression_create_attributes import (
    SecurityMonitoringSuppressionCreateAttributes,
)
from datadog_api_client.v2.model.security_monitoring_suppression_create_data import (
    SecurityMonitoringSuppressionCreateData,
)
from datadog_api_client.v2.model.security_monitoring_suppression_create_request import (
    SecurityMonitoringSuppressionCreateRequest,
)
from datadog_api_client.v2.model.security_monitoring_suppression_type import SecurityMonitoringSuppressionType

body = SecurityMonitoringSuppressionCreateRequest(
    data=SecurityMonitoringSuppressionCreateData(
        attributes=SecurityMonitoringSuppressionCreateAttributes(
            description="This rule suppresses low-severity signals in staging environments.",
            enabled=True,
            start_date=1637493071000,
            expiration_date=1638443471000,
            name="Example-Security-Monitoring",
            rule_query="type:log_detection source:cloudtrail",
            data_exclusion_query="account_id:12345",
        ),
        type=SecurityMonitoringSuppressionType.SUPPRESSIONS,
    ),
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.create_security_monitoring_suppression(body=body)

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"

# Create a suppression rule returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::SecurityMonitoringSuppressionCreateRequest.new({
  data: DatadogAPIClient::V2::SecurityMonitoringSuppressionCreateData.new({
    attributes: DatadogAPIClient::V2::SecurityMonitoringSuppressionCreateAttributes.new({
      description: "This rule suppresses low-severity signals in staging environments.",
      enabled: true,
      start_date: 1637493071000,
      expiration_date: 1638443471000,
      name: "Example-Security-Monitoring",
      rule_query: "type:log_detection source:cloudtrail",
      suppression_query: "env:staging status:low",
      tags: [
        "technique:T1110-brute-force",
        "source:cloudtrail",
      ],
    }),
    type: DatadogAPIClient::V2::SecurityMonitoringSuppressionType::SUPPRESSIONS,
  }),
})
p api_instance.create_security_monitoring_suppression(body)

# Create a suppression rule with an exclusion query returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::SecurityMonitoringSuppressionCreateRequest.new({
  data: DatadogAPIClient::V2::SecurityMonitoringSuppressionCreateData.new({
    attributes: DatadogAPIClient::V2::SecurityMonitoringSuppressionCreateAttributes.new({
      description: "This rule suppresses low-severity signals in staging environments.",
      enabled: true,
      start_date: 1637493071000,
      expiration_date: 1638443471000,
      name: "Example-Security-Monitoring",
      rule_query: "type:log_detection source:cloudtrail",
      data_exclusion_query: "account_id:12345",
    }),
    type: DatadogAPIClient::V2::SecurityMonitoringSuppressionType::SUPPRESSIONS,
  }),
})
p api_instance.create_security_monitoring_suppression(body)

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"

// Create a suppression rule returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringSuppressionCreateAttributes;
use datadog_api_client::datadogV2::model::SecurityMonitoringSuppressionCreateData;
use datadog_api_client::datadogV2::model::SecurityMonitoringSuppressionCreateRequest;
use datadog_api_client::datadogV2::model::SecurityMonitoringSuppressionType;

#[tokio::main]
async fn main() {
    let body = SecurityMonitoringSuppressionCreateRequest::new(
        SecurityMonitoringSuppressionCreateData::new(
            SecurityMonitoringSuppressionCreateAttributes::new(
                true,
                "Example-Security-Monitoring".to_string(),
                "type:log_detection source:cloudtrail".to_string(),
            )
            .description(
                "This rule suppresses low-severity signals in staging environments.".to_string(),
            )
            .expiration_date(1638443471000)
            .start_date(1637493071000)
            .suppression_query("env:staging status:low".to_string())
            .tags(vec![
                "technique:T1110-brute-force".to_string(),
                "source:cloudtrail".to_string(),
            ]),
            SecurityMonitoringSuppressionType::SUPPRESSIONS,
        ),
    );
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.create_security_monitoring_suppression(body).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

// Create a suppression rule with an exclusion query returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringSuppressionCreateAttributes;
use datadog_api_client::datadogV2::model::SecurityMonitoringSuppressionCreateData;
use datadog_api_client::datadogV2::model::SecurityMonitoringSuppressionCreateRequest;
use datadog_api_client::datadogV2::model::SecurityMonitoringSuppressionType;

#[tokio::main]
async fn main() {
    let body = SecurityMonitoringSuppressionCreateRequest::new(
        SecurityMonitoringSuppressionCreateData::new(
            SecurityMonitoringSuppressionCreateAttributes::new(
                true,
                "Example-Security-Monitoring".to_string(),
                "type:log_detection source:cloudtrail".to_string(),
            )
            .data_exclusion_query("account_id:12345".to_string())
            .description(
                "This rule suppresses low-severity signals in staging environments.".to_string(),
            )
            .expiration_date(1638443471000)
            .start_date(1637493071000),
            SecurityMonitoringSuppressionType::SUPPRESSIONS,
        ),
    );
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.create_security_monitoring_suppression(body).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

Instructions

First install the library and its dependencies and then save the example to src/main.rs and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run

/**
 * Create a suppression rule returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiCreateSecurityMonitoringSuppressionRequest =
  {
    body: {
      data: {
        attributes: {
          description:
            "This rule suppresses low-severity signals in staging environments.",
          enabled: true,
          startDate: 1637493071000,
          expirationDate: 1638443471000,
          name: "Example-Security-Monitoring",
          ruleQuery: "type:log_detection source:cloudtrail",
          suppressionQuery: "env:staging status:low",
          tags: ["technique:T1110-brute-force", "source:cloudtrail"],
        },
        type: "suppressions",
      },
    },
  };

apiInstance
  .createSecurityMonitoringSuppression(params)
  .then((data: v2.SecurityMonitoringSuppressionResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

/**
 * Create a suppression rule with an exclusion query returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiCreateSecurityMonitoringSuppressionRequest =
  {
    body: {
      data: {
        attributes: {
          description:
            "This rule suppresses low-severity signals in staging environments.",
          enabled: true,
          startDate: 1637493071000,
          expirationDate: 1638443471000,
          name: "Example-Security-Monitoring",
          ruleQuery: "type:log_detection source:cloudtrail",
          dataExclusionQuery: "account_id:12345",
        },
        type: "suppressions",
      },
    },
  };

apiInstance
  .createSecurityMonitoringSuppression(params)
  .then((data: v2.SecurityMonitoringSuppressionResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

Delete a critical asset

v2 (latest)

DELETE https://api.ap1.datadoghq.com/api/v2/security_monitoring/configuration/critical_assets/{critical_asset_id}https://api.ap2.datadoghq.com/api/v2/security_monitoring/configuration/critical_assets/{critical_asset_id}https://api.datadoghq.eu/api/v2/security_monitoring/configuration/critical_assets/{critical_asset_id}https://api.ddog-gov.com/api/v2/security_monitoring/configuration/critical_assets/{critical_asset_id}https://api.datadoghq.com/api/v2/security_monitoring/configuration/critical_assets/{critical_asset_id}https://api.us3.datadoghq.com/api/v2/security_monitoring/configuration/critical_assets/{critical_asset_id}https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/critical_assets/{critical_asset_id}

概要

Delete a specific critical asset.

OAuth apps require the security_monitoring_critical_assets_write authorization scope to access this endpoint.

引数

パスパラメーター

名前

種類

説明

critical_asset_id [required]

string

The ID of the critical asset.

応答

Not Authorized

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Found

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

コード例

                  # Path parameters
export critical_asset_id="CHANGE_ME"
# Curl command
curl -X DELETE "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/critical_assets/${critical_asset_id}" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"

                

Delete a suppression rule

v2 (latest)

DELETE https://api.ap1.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id}https://api.ap2.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id}https://api.datadoghq.eu/api/v2/security_monitoring/configuration/suppressions/{suppression_id}https://api.ddog-gov.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id}https://api.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id}https://api.us3.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id}https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id}

概要

Delete a specific suppression rule.

OAuth apps require the security_monitoring_suppressions_write authorization scope to access this endpoint.

引数

パスパラメーター

名前

種類

説明

suppression_id [required]

string

The ID of the suppression rule

応答

Not Authorized

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Found

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

コード例

                  # Path parameters
export suppression_id="CHANGE_ME"
# Curl command
curl -X DELETE "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/${suppression_id}" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"

                

"""
Delete a suppression rule returns "OK" response
"""

from os import environ
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

# there is a valid "suppression" in the system
SUPPRESSION_DATA_ID = environ["SUPPRESSION_DATA_ID"]

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    api_instance.delete_security_monitoring_suppression(
        suppression_id=SUPPRESSION_DATA_ID,
    )

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"

# Delete a suppression rule returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

# there is a valid "suppression" in the system
SUPPRESSION_DATA_ID = ENV["SUPPRESSION_DATA_ID"]
api_instance.delete_security_monitoring_suppression(SUPPRESSION_DATA_ID)

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"

// Delete a suppression rule returns "OK" response

package main

import (
	"context"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	// there is a valid "suppression" in the system
	SuppressionDataID := os.Getenv("SUPPRESSION_DATA_ID")

	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	r, err := api.DeleteSecurityMonitoringSuppression(ctx, SuppressionDataID)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.DeleteSecurityMonitoringSuppression`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"

// Delete a suppression rule returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    // there is a valid "suppression" in the system
    String SUPPRESSION_DATA_ID = System.getenv("SUPPRESSION_DATA_ID");

    try {
      apiInstance.deleteSecurityMonitoringSuppression(SUPPRESSION_DATA_ID);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#deleteSecurityMonitoringSuppression");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

// Delete a suppression rule returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    // there is a valid "suppression" in the system
    let suppression_data_id = std::env::var("SUPPRESSION_DATA_ID").unwrap();
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .delete_security_monitoring_suppression(suppression_data_id.clone())
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

Instructions

First install the library and its dependencies and then save the example to src/main.rs and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run

/**
 * Delete a suppression rule returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

// there is a valid "suppression" in the system
const SUPPRESSION_DATA_ID = process.env.SUPPRESSION_DATA_ID as string;

const params: v2.SecurityMonitoringApiDeleteSecurityMonitoringSuppressionRequest =
  {
    suppressionId: SUPPRESSION_DATA_ID,
  };

apiInstance
  .deleteSecurityMonitoringSuppression(params)
  .then((data: any) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

Get a critical asset

v2 (latest)

GET https://api.ap1.datadoghq.com/api/v2/security_monitoring/configuration/critical_assets/{critical_asset_id}https://api.ap2.datadoghq.com/api/v2/security_monitoring/configuration/critical_assets/{critical_asset_id}https://api.datadoghq.eu/api/v2/security_monitoring/configuration/critical_assets/{critical_asset_id}https://api.ddog-gov.com/api/v2/security_monitoring/configuration/critical_assets/{critical_asset_id}https://api.datadoghq.com/api/v2/security_monitoring/configuration/critical_assets/{critical_asset_id}https://api.us3.datadoghq.com/api/v2/security_monitoring/configuration/critical_assets/{critical_asset_id}https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/critical_assets/{critical_asset_id}

概要

Get the details of a specific critical asset.

OAuth apps require the security_monitoring_critical_assets_read authorization scope to access this endpoint.

引数

パスパラメーター

名前

種類

説明

critical_asset_id [required]

string

The ID of the critical asset.

応答

Response object containing a single critical asset.

Expand All

フィールド

種類

説明

data

object

The critical asset's properties.

{
  "data": {
    "attributes": {
      "creation_author_id": 367742,
      "creation_date": "integer",
      "creator": {
        "handle": "john.doe@datadoghq.com",
        "name": "John Doe"
      },
      "enabled": true,
      "query": "security:monitoring",
      "rule_query": "type:log_detection source:cloudtrail",
      "severity": "increase",
      "tags": [
        "team:database",
        "source:cloudtrail"
      ],
      "update_author_id": 367743,
      "update_date": "integer",
      "updater": {
        "handle": "john.doe@datadoghq.com",
        "name": "John Doe"
      },
      "version": 2
    },
    "id": "4e2435a5-6670-4b8f-baff-46083cd1c250",
    "type": "critical_assets"
  }
}

Not Authorized

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Found

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

コード例

                  # Path parameters
export critical_asset_id="CHANGE_ME"
# Curl command
curl -X GET "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/critical_assets/${critical_asset_id}" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"

                

Get a suppression rule

v2 (latest)

GET https://api.ap1.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id}https://api.ap2.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id}https://api.datadoghq.eu/api/v2/security_monitoring/configuration/suppressions/{suppression_id}https://api.ddog-gov.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id}https://api.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id}https://api.us3.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id}https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id}

概要

Get the details of a specific suppression rule.

OAuth apps require the security_monitoring_suppressions_read authorization scope to access this endpoint.

引数

パスパラメーター

名前

種類

説明

suppression_id [required]

string

The ID of the suppression rule

応答

Response object containing a single suppression rule.

Expand All

フィールド

種類

説明

data

object

The suppression rule's properties.

{
  "data": {
    "attributes": {
      "creation_date": "integer",
      "creator": {
        "handle": "john.doe@datadoghq.com",
        "name": "John Doe"
      },
      "data_exclusion_query": "source:cloudtrail account_id:12345",
      "description": "This rule suppresses low-severity signals in staging environments.",
      "editable": true,
      "enabled": true,
      "expiration_date": 1703187336000,
      "name": "Custom suppression",
      "rule_query": "type:log_detection source:cloudtrail",
      "start_date": 1703187336000,
      "suppression_query": "env:staging status:low",
      "tags": [
        "technique:T1110-brute-force",
        "source:cloudtrail"
      ],
      "update_date": "integer",
      "updater": {
        "handle": "john.doe@datadoghq.com",
        "name": "John Doe"
      },
      "version": 42
    },
    "id": "3dd-0uc-h1s",
    "type": "suppressions"
  }
}

Not Authorized

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Found

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

コード例

                  # Path parameters
export suppression_id="CHANGE_ME"
# Curl command
curl -X GET "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/${suppression_id}" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"

                

"""
Get a suppression rule returns "OK" response
"""

from os import environ
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

# there is a valid "suppression" in the system
SUPPRESSION_DATA_ID = environ["SUPPRESSION_DATA_ID"]

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.get_security_monitoring_suppression(
        suppression_id=SUPPRESSION_DATA_ID,
    )

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"

# Get a suppression rule returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

# there is a valid "suppression" in the system
SUPPRESSION_DATA_ID = ENV["SUPPRESSION_DATA_ID"]
p api_instance.get_security_monitoring_suppression(SUPPRESSION_DATA_ID)

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"

// Get a suppression rule returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	// there is a valid "suppression" in the system
	SuppressionDataID := os.Getenv("SUPPRESSION_DATA_ID")

	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.GetSecurityMonitoringSuppression(ctx, SuppressionDataID)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.GetSecurityMonitoringSuppression`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.GetSecurityMonitoringSuppression`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"

// Get a suppression rule returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    // there is a valid "suppression" in the system
    String SUPPRESSION_DATA_ID = System.getenv("SUPPRESSION_DATA_ID");

    try {
      SecurityMonitoringSuppressionResponse result =
          apiInstance.getSecurityMonitoringSuppression(SUPPRESSION_DATA_ID);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#getSecurityMonitoringSuppression");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

// Get a suppression rule returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    // there is a valid "suppression" in the system
    let suppression_data_id = std::env::var("SUPPRESSION_DATA_ID").unwrap();
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .get_security_monitoring_suppression(suppression_data_id.clone())
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

Instructions

First install the library and its dependencies and then save the example to src/main.rs and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run

/**
 * Get a suppression rule returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

// there is a valid "suppression" in the system
const SUPPRESSION_DATA_ID = process.env.SUPPRESSION_DATA_ID as string;

const params: v2.SecurityMonitoringApiGetSecurityMonitoringSuppressionRequest =
  {
    suppressionId: SUPPRESSION_DATA_ID,
  };

apiInstance
  .getSecurityMonitoringSuppression(params)
  .then((data: v2.SecurityMonitoringSuppressionResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

Get a suppression's version history

v2 (latest)

GET https://api.ap1.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id}/version_historyhttps://api.ap2.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id}/version_historyhttps://api.datadoghq.eu/api/v2/security_monitoring/configuration/suppressions/{suppression_id}/version_historyhttps://api.ddog-gov.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id}/version_historyhttps://api.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id}/version_historyhttps://api.us3.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id}/version_historyhttps://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id}/version_history

概要

Get a suppression’s version history.

OAuth apps require the security_monitoring_suppressions_read authorization scope to access this endpoint.

引数

パスパラメーター

名前

種類

説明

suppression_id [required]

string

The ID of the suppression rule

クエリ文字列

名前

種類

説明

page[size]

integer

Size for a given page. The maximum allowed value is 100.

page[number]

integer

Specific page number to return.

応答

Response for getting the suppression version history.

Expand All

フィールド

種類

説明

data

object

Data for the suppression version history.

attributes

object

Response object containing the version history of a suppression.

{
  "data": {
    "attributes": {
      "count": "integer",
      "data": {
        "<any-key>": {
          "changes": [
            {
              "change": "cloud_provider:aws",
              "field": "Tags",
              "type": "string"
            }
          ],
          "suppression": {
            "creation_date": "integer",
            "creator": {
              "handle": "john.doe@datadoghq.com",
              "name": "John Doe"
            },
            "data_exclusion_query": "source:cloudtrail account_id:12345",
            "description": "This rule suppresses low-severity signals in staging environments.",
            "editable": true,
            "enabled": true,
            "expiration_date": 1703187336000,
            "name": "Custom suppression",
            "rule_query": "type:log_detection source:cloudtrail",
            "start_date": 1703187336000,
            "suppression_query": "env:staging status:low",
            "tags": [
              "technique:T1110-brute-force",
              "source:cloudtrail"
            ],
            "update_date": "integer",
            "updater": {
              "handle": "john.doe@datadoghq.com",
              "name": "John Doe"
            },
            "version": 42
          }
        }
      }
    },
    "id": "string",
    "type": "string"
  }
}

Not Authorized

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Found

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

コード例

                  # Path parameters
export suppression_id="CHANGE_ME"
# Curl command
curl -X GET "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/${suppression_id}/version_history" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"

                

"""
Get a suppression's version history returns "OK" response
"""

from os import environ
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

# there is a valid "suppression" in the system
SUPPRESSION_DATA_ID = environ["SUPPRESSION_DATA_ID"]

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.get_suppression_version_history(
        suppression_id=SUPPRESSION_DATA_ID,
    )

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"

# Get a suppression's version history returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

# there is a valid "suppression" in the system
SUPPRESSION_DATA_ID = ENV["SUPPRESSION_DATA_ID"]
p api_instance.get_suppression_version_history(SUPPRESSION_DATA_ID)

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"

// Get a suppression's version history returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	// there is a valid "suppression" in the system
	SuppressionDataID := os.Getenv("SUPPRESSION_DATA_ID")

	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.GetSuppressionVersionHistory(ctx, SuppressionDataID, *datadogV2.NewGetSuppressionVersionHistoryOptionalParameters())

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.GetSuppressionVersionHistory`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.GetSuppressionVersionHistory`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"

// Get a suppression's version history returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.GetSuppressionVersionHistoryResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    // there is a valid "suppression" in the system
    String SUPPRESSION_DATA_ID = System.getenv("SUPPRESSION_DATA_ID");

    try {
      GetSuppressionVersionHistoryResponse result =
          apiInstance.getSuppressionVersionHistory(SUPPRESSION_DATA_ID);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#getSuppressionVersionHistory");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

// Get a suppression's version history returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::GetSuppressionVersionHistoryOptionalParams;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    // there is a valid "suppression" in the system
    let suppression_data_id = std::env::var("SUPPRESSION_DATA_ID").unwrap();
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .get_suppression_version_history(
            suppression_data_id.clone(),
            GetSuppressionVersionHistoryOptionalParams::default(),
        )
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

Instructions

First install the library and its dependencies and then save the example to src/main.rs and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run

/**
 * Get a suppression's version history returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

// there is a valid "suppression" in the system
const SUPPRESSION_DATA_ID = process.env.SUPPRESSION_DATA_ID as string;

const params: v2.SecurityMonitoringApiGetSuppressionVersionHistoryRequest = {
  suppressionId: SUPPRESSION_DATA_ID,
};

apiInstance
  .getSuppressionVersionHistory(params)
  .then((data: v2.GetSuppressionVersionHistoryResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

Get all critical assets

v2 (latest)

GET https://api.ap1.datadoghq.com/api/v2/security_monitoring/configuration/critical_assetshttps://api.ap2.datadoghq.com/api/v2/security_monitoring/configuration/critical_assetshttps://api.datadoghq.eu/api/v2/security_monitoring/configuration/critical_assetshttps://api.ddog-gov.com/api/v2/security_monitoring/configuration/critical_assetshttps://api.datadoghq.com/api/v2/security_monitoring/configuration/critical_assetshttps://api.us3.datadoghq.com/api/v2/security_monitoring/configuration/critical_assetshttps://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/critical_assets

概要

Get the list of all critical assets.

OAuth apps require the security_monitoring_critical_assets_read authorization scope to access this endpoint.

引数

クエリ文字列

名前

種類

説明

query

string

Query string.

応答

Response object containing the available critical assets.

Expand All

フィールド

種類

説明

data

[object]

A list of critical assets objects.

{
  "data": [
    {
      "attributes": {
        "creation_author_id": 367742,
        "creation_date": "integer",
        "creator": {
          "handle": "john.doe@datadoghq.com",
          "name": "John Doe"
        },
        "enabled": true,
        "query": "security:monitoring",
        "rule_query": "type:log_detection source:cloudtrail",
        "severity": "increase",
        "tags": [
          "team:database",
          "source:cloudtrail"
        ],
        "update_author_id": 367743,
        "update_date": "integer",
        "updater": {
          "handle": "john.doe@datadoghq.com",
          "name": "John Doe"
        },
        "version": 2
      },
      "id": "4e2435a5-6670-4b8f-baff-46083cd1c250",
      "type": "critical_assets"
    }
  ]
}

Not Authorized

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

コード例

                  # Curl command
curl -X GET "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/critical_assets" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"

                

Get all suppression rules

v2 (latest)

GET https://api.ap1.datadoghq.com/api/v2/security_monitoring/configuration/suppressionshttps://api.ap2.datadoghq.com/api/v2/security_monitoring/configuration/suppressionshttps://api.datadoghq.eu/api/v2/security_monitoring/configuration/suppressionshttps://api.ddog-gov.com/api/v2/security_monitoring/configuration/suppressionshttps://api.datadoghq.com/api/v2/security_monitoring/configuration/suppressionshttps://api.us3.datadoghq.com/api/v2/security_monitoring/configuration/suppressionshttps://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/suppressions

概要

Get the list of all suppression rules.

OAuth apps require the security_monitoring_suppressions_read authorization scope to access this endpoint.

引数

クエリ文字列

名前

種類

説明

query

string

Query string.

sort

enum

Attribute used to sort the list of suppression rules. Prefix with - to sort in descending order.
Allowed enum values: name, start_date, expiration_date, update_date, enabled, -name, -start_date, -expiration_date, -update_date, -enabled

page[size]

integer

Size for a given page. Use -1 to return all items.

page[number]

integer

Specific page number to return.

応答

Response object containing the available suppression rules with pagination metadata.

Expand All

フィールド

種類

説明

data

[object]

A list of suppressions objects.

meta

object

Metadata for the suppression list response.

{
  "data": [
    {
      "attributes": {
        "creation_date": "integer",
        "creator": {
          "handle": "john.doe@datadoghq.com",
          "name": "John Doe"
        },
        "data_exclusion_query": "source:cloudtrail account_id:12345",
        "description": "This rule suppresses low-severity signals in staging environments.",
        "editable": true,
        "enabled": true,
        "expiration_date": 1703187336000,
        "name": "Custom suppression",
        "rule_query": "type:log_detection source:cloudtrail",
        "start_date": 1703187336000,
        "suppression_query": "env:staging status:low",
        "tags": [
          "technique:T1110-brute-force",
          "source:cloudtrail"
        ],
        "update_date": "integer",
        "updater": {
          "handle": "john.doe@datadoghq.com",
          "name": "John Doe"
        },
        "version": 42
      },
      "id": "3dd-0uc-h1s",
      "type": "suppressions"
    }
  ],
  "meta": {
    "page": {
      "pageNumber": 0,
      "pageSize": 2,
      "totalCount": 2
    }
  }
}

Not Authorized

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

コード例

                  # Curl command
curl -X GET "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/suppressions" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"

                

"""
Get all suppression rules returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.list_security_monitoring_suppressions()

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"

# Get all suppression rules returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
p api_instance.list_security_monitoring_suppressions()

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"

// Get all suppression rules returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.ListSecurityMonitoringSuppressions(ctx, *datadogV2.NewListSecurityMonitoringSuppressionsOptionalParameters())

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.ListSecurityMonitoringSuppressions`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.ListSecurityMonitoringSuppressions`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"

// Get all suppression rules returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionsResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    try {
      SecurityMonitoringSuppressionsResponse result =
          apiInstance.listSecurityMonitoringSuppressions();
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#listSecurityMonitoringSuppressions");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

// Get all suppression rules returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::ListSecurityMonitoringSuppressionsOptionalParams;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .list_security_monitoring_suppressions(
            ListSecurityMonitoringSuppressionsOptionalParams::default(),
        )
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

Instructions

First install the library and its dependencies and then save the example to src/main.rs and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run

/**
 * Get all suppression rules returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

apiInstance
  .listSecurityMonitoringSuppressions()
  .then((data: v2.SecurityMonitoringSuppressionsResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

Get critical assets affecting a specific rule

v2 (latest)

GET https://api.ap1.datadoghq.com/api/v2/security_monitoring/configuration/critical_assets/rules/{rule_id}https://api.ap2.datadoghq.com/api/v2/security_monitoring/configuration/critical_assets/rules/{rule_id}https://api.datadoghq.eu/api/v2/security_monitoring/configuration/critical_assets/rules/{rule_id}https://api.ddog-gov.com/api/v2/security_monitoring/configuration/critical_assets/rules/{rule_id}https://api.datadoghq.com/api/v2/security_monitoring/configuration/critical_assets/rules/{rule_id}https://api.us3.datadoghq.com/api/v2/security_monitoring/configuration/critical_assets/rules/{rule_id}https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/critical_assets/rules/{rule_id}

概要

Get the list of critical assets that affect a specific existing rule by the rule’s ID.

OAuth apps require the security_monitoring_critical_assets_read authorization scope to access this endpoint.

引数

パスパラメーター

名前

種類

説明

rule_id [required]

string

The ID of the rule.

応答

Response object containing the available critical assets.

Expand All

フィールド

種類

説明

data

[object]

A list of critical assets objects.

{
  "data": [
    {
      "attributes": {
        "creation_author_id": 367742,
        "creation_date": "integer",
        "creator": {
          "handle": "john.doe@datadoghq.com",
          "name": "John Doe"
        },
        "enabled": true,
        "query": "security:monitoring",
        "rule_query": "type:log_detection source:cloudtrail",
        "severity": "increase",
        "tags": [
          "team:database",
          "source:cloudtrail"
        ],
        "update_author_id": 367743,
        "update_date": "integer",
        "updater": {
          "handle": "john.doe@datadoghq.com",
          "name": "John Doe"
        },
        "version": 2
      },
      "id": "4e2435a5-6670-4b8f-baff-46083cd1c250",
      "type": "critical_assets"
    }
  ]
}

Not Authorized

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Found

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

コード例

                  # Path parameters
export rule_id="CHANGE_ME"
# Curl command
curl -X GET "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/critical_assets/rules/${rule_id}" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"

                

Get suppressions affecting a specific rule

v2 (latest)

GET https://api.ap1.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/rules/{rule_id}https://api.ap2.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/rules/{rule_id}https://api.datadoghq.eu/api/v2/security_monitoring/configuration/suppressions/rules/{rule_id}https://api.ddog-gov.com/api/v2/security_monitoring/configuration/suppressions/rules/{rule_id}https://api.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/rules/{rule_id}https://api.us3.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/rules/{rule_id}https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/rules/{rule_id}

概要

Get the list of suppressions that affect a specific existing rule by its ID.

OAuth apps require the security_monitoring_suppressions_read authorization scope to access this endpoint.

引数

パスパラメーター

名前

種類

説明

rule_id [required]

string

The ID of the rule.

応答

Response object containing the available suppression rules.

Expand All

フィールド

種類

説明

data

[object]

A list of suppressions objects.

{
  "data": [
    {
      "attributes": {
        "creation_date": "integer",
        "creator": {
          "handle": "john.doe@datadoghq.com",
          "name": "John Doe"
        },
        "data_exclusion_query": "source:cloudtrail account_id:12345",
        "description": "This rule suppresses low-severity signals in staging environments.",
        "editable": true,
        "enabled": true,
        "expiration_date": 1703187336000,
        "name": "Custom suppression",
        "rule_query": "type:log_detection source:cloudtrail",
        "start_date": 1703187336000,
        "suppression_query": "env:staging status:low",
        "tags": [
          "technique:T1110-brute-force",
          "source:cloudtrail"
        ],
        "update_date": "integer",
        "updater": {
          "handle": "john.doe@datadoghq.com",
          "name": "John Doe"
        },
        "version": 42
      },
      "id": "3dd-0uc-h1s",
      "type": "suppressions"
    }
  ]
}

Not Authorized

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Found

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

コード例

                  # Path parameters
export rule_id="CHANGE_ME"
# Curl command
curl -X GET "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/rules/${rule_id}" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"

                

"""
Get suppressions affecting a specific rule returns "OK" response
"""

from os import environ
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

# there is a valid "security_rule" in the system
SECURITY_RULE_ID = environ["SECURITY_RULE_ID"]

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.get_suppressions_affecting_rule(
        rule_id=SECURITY_RULE_ID,
    )

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"

# Get suppressions affecting a specific rule returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

# there is a valid "security_rule" in the system
SECURITY_RULE_ID = ENV["SECURITY_RULE_ID"]
p api_instance.get_suppressions_affecting_rule(SECURITY_RULE_ID)

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"

// Get suppressions affecting a specific rule returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	// there is a valid "security_rule" in the system
	SecurityRuleID := os.Getenv("SECURITY_RULE_ID")

	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.GetSuppressionsAffectingRule(ctx, SecurityRuleID)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.GetSuppressionsAffectingRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.GetSuppressionsAffectingRule`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"

// Get suppressions affecting a specific rule returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionsResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    // there is a valid "security_rule" in the system
    String SECURITY_RULE_ID = System.getenv("SECURITY_RULE_ID");

    try {
      SecurityMonitoringSuppressionsResponse result =
          apiInstance.getSuppressionsAffectingRule(SECURITY_RULE_ID);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#getSuppressionsAffectingRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

// Get suppressions affecting a specific rule returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    // there is a valid "security_rule" in the system
    let security_rule_id = std::env::var("SECURITY_RULE_ID").unwrap();
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .get_suppressions_affecting_rule(security_rule_id.clone())
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

Instructions

First install the library and its dependencies and then save the example to src/main.rs and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run

/**
 * Get suppressions affecting a specific rule returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

// there is a valid "security_rule" in the system
const SECURITY_RULE_ID = process.env.SECURITY_RULE_ID as string;

const params: v2.SecurityMonitoringApiGetSuppressionsAffectingRuleRequest = {
  ruleId: SECURITY_RULE_ID,
};

apiInstance
  .getSuppressionsAffectingRule(params)
  .then((data: v2.SecurityMonitoringSuppressionsResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

Get suppressions affecting future rule

v2 (latest)

POST https://api.ap1.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/ruleshttps://api.ap2.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/ruleshttps://api.datadoghq.eu/api/v2/security_monitoring/configuration/suppressions/ruleshttps://api.ddog-gov.com/api/v2/security_monitoring/configuration/suppressions/ruleshttps://api.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/ruleshttps://api.us3.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/ruleshttps://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/rules

概要

Get the list of suppressions that would affect a rule.

OAuth apps require the security_monitoring_suppressions_read authorization scope to access this endpoint.

リクエスト

Body Data (required)

Expand All

フィールド

種類

説明

Option 1

object

Create a new rule.

options [required]

object

Options.

Option 2

object

Create a new signal correlation rule.

options [required]

object

Options.

Option 3

object

Create a new cloud configuration rule.

{
  "name": "Example-Security-Monitoring",
  "queries": [
    {
      "query": "@test:true",
      "aggregation": "count",
      "groupByFields": [],
      "distinctFields": [],
      "metrics": []
    }
  ],
  "filters": [],
  "cases": [
    {
      "name": "",
      "status": "info",
      "condition": "a > 0",
      "notifications": []
    }
  ],
  "options": {
    "evaluationWindow": 900,
    "keepAlive": 3600,
    "maxSignalDuration": 86400
  },
  "message": "Test rule",
  "tags": [],
  "isEnabled": true,
  "type": "log_detection"
}

応答

Response object containing the available suppression rules.

Expand All

フィールド

種類

説明

data

[object]

A list of suppressions objects.

{
  "data": [
    {
      "attributes": {
        "creation_date": "integer",
        "creator": {
          "handle": "john.doe@datadoghq.com",
          "name": "John Doe"
        },
        "data_exclusion_query": "source:cloudtrail account_id:12345",
        "description": "This rule suppresses low-severity signals in staging environments.",
        "editable": true,
        "enabled": true,
        "expiration_date": 1703187336000,
        "name": "Custom suppression",
        "rule_query": "type:log_detection source:cloudtrail",
        "start_date": 1703187336000,
        "suppression_query": "env:staging status:low",
        "tags": [
          "technique:T1110-brute-force",
          "source:cloudtrail"
        ],
        "update_date": "integer",
        "updater": {
          "handle": "john.doe@datadoghq.com",
          "name": "John Doe"
        },
        "version": 42
      },
      "id": "3dd-0uc-h1s",
      "type": "suppressions"
    }
  ]
}

Bad Request

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Authorized

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

コード例

                          # Curl command
curl -X POST "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/rules" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "name": "Example-Security-Monitoring",
  "queries": [
    {
      "query": "@test:true",
      "aggregation": "count",
      "groupByFields": [],
      "distinctFields": [],
      "metrics": []
    }
  ],
  "filters": [],
  "cases": [
    {
      "name": "",
      "status": "info",
      "condition": "a > 0",
      "notifications": []
    }
  ],
  "options": {
    "evaluationWindow": 900,
    "keepAlive": 3600,
    "maxSignalDuration": 86400
  },
  "message": "Test rule",
  "tags": [],
  "isEnabled": true,
  "type": "log_detection"
}
EOF

                        

// Get suppressions affecting future rule returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.SecurityMonitoringRuleCreatePayload{
		SecurityMonitoringStandardRuleCreatePayload: &datadogV2.SecurityMonitoringStandardRuleCreatePayload{
			Name: "Example-Security-Monitoring",
			Queries: []datadogV2.SecurityMonitoringStandardRuleQuery{
				{
					Query:          datadog.PtrString("@test:true"),
					Aggregation:    datadogV2.SECURITYMONITORINGRULEQUERYAGGREGATION_COUNT.Ptr(),
					GroupByFields:  []string{},
					DistinctFields: []string{},
					Metrics:        []string{},
				},
			},
			Filters: []datadogV2.SecurityMonitoringFilter{},
			Cases: []datadogV2.SecurityMonitoringRuleCaseCreate{
				{
					Name:          datadog.PtrString(""),
					Status:        datadogV2.SECURITYMONITORINGRULESEVERITY_INFO,
					Condition:     datadog.PtrString("a > 0"),
					Notifications: []string{},
				},
			},
			Options: datadogV2.SecurityMonitoringRuleOptions{
				EvaluationWindow:  datadogV2.SECURITYMONITORINGRULEEVALUATIONWINDOW_FIFTEEN_MINUTES.Ptr(),
				KeepAlive:         datadogV2.SECURITYMONITORINGRULEKEEPALIVE_ONE_HOUR.Ptr(),
				MaxSignalDuration: datadogV2.SECURITYMONITORINGRULEMAXSIGNALDURATION_ONE_DAY.Ptr(),
			},
			Message:   "Test rule",
			Tags:      []string{},
			IsEnabled: true,
			Type:      datadogV2.SECURITYMONITORINGRULETYPECREATE_LOG_DETECTION.Ptr(),
		}}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.GetSuppressionsAffectingFutureRule(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.GetSuppressionsAffectingFutureRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.GetSuppressionsAffectingFutureRule`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"

// Get suppressions affecting future rule returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCaseCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCreatePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleEvaluationWindow;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleKeepAlive;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleMaxSignalDuration;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleOptions;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleQueryAggregation;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSeverity;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleTypeCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRuleCreatePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRuleQuery;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionsResponse;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SecurityMonitoringRuleCreatePayload body =
        new SecurityMonitoringRuleCreatePayload(
            new SecurityMonitoringStandardRuleCreatePayload()
                .name("Example-Security-Monitoring")
                .queries(
                    Collections.singletonList(
                        new SecurityMonitoringStandardRuleQuery()
                            .query("@test:true")
                            .aggregation(SecurityMonitoringRuleQueryAggregation.COUNT)))
                .cases(
                    Collections.singletonList(
                        new SecurityMonitoringRuleCaseCreate()
                            .name("")
                            .status(SecurityMonitoringRuleSeverity.INFO)
                            .condition("a > 0")))
                .options(
                    new SecurityMonitoringRuleOptions()
                        .evaluationWindow(SecurityMonitoringRuleEvaluationWindow.FIFTEEN_MINUTES)
                        .keepAlive(SecurityMonitoringRuleKeepAlive.ONE_HOUR)
                        .maxSignalDuration(SecurityMonitoringRuleMaxSignalDuration.ONE_DAY))
                .message("Test rule")
                .isEnabled(true)
                .type(SecurityMonitoringRuleTypeCreate.LOG_DETECTION));

    try {
      SecurityMonitoringSuppressionsResponse result =
          apiInstance.getSuppressionsAffectingFutureRule(body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#getSuppressionsAffectingFutureRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

"""
Get suppressions affecting future rule returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_rule_case_create import SecurityMonitoringRuleCaseCreate
from datadog_api_client.v2.model.security_monitoring_rule_evaluation_window import (
    SecurityMonitoringRuleEvaluationWindow,
)
from datadog_api_client.v2.model.security_monitoring_rule_keep_alive import SecurityMonitoringRuleKeepAlive
from datadog_api_client.v2.model.security_monitoring_rule_max_signal_duration import (
    SecurityMonitoringRuleMaxSignalDuration,
)
from datadog_api_client.v2.model.security_monitoring_rule_options import SecurityMonitoringRuleOptions
from datadog_api_client.v2.model.security_monitoring_rule_query_aggregation import (
    SecurityMonitoringRuleQueryAggregation,
)
from datadog_api_client.v2.model.security_monitoring_rule_severity import SecurityMonitoringRuleSeverity
from datadog_api_client.v2.model.security_monitoring_rule_type_create import SecurityMonitoringRuleTypeCreate
from datadog_api_client.v2.model.security_monitoring_standard_rule_create_payload import (
    SecurityMonitoringStandardRuleCreatePayload,
)
from datadog_api_client.v2.model.security_monitoring_standard_rule_query import SecurityMonitoringStandardRuleQuery

body = SecurityMonitoringStandardRuleCreatePayload(
    name="Example-Security-Monitoring",
    queries=[
        SecurityMonitoringStandardRuleQuery(
            query="@test:true",
            aggregation=SecurityMonitoringRuleQueryAggregation.COUNT,
            group_by_fields=[],
            distinct_fields=[],
            metrics=[],
        ),
    ],
    filters=[],
    cases=[
        SecurityMonitoringRuleCaseCreate(
            name="",
            status=SecurityMonitoringRuleSeverity.INFO,
            condition="a > 0",
            notifications=[],
        ),
    ],
    options=SecurityMonitoringRuleOptions(
        evaluation_window=SecurityMonitoringRuleEvaluationWindow.FIFTEEN_MINUTES,
        keep_alive=SecurityMonitoringRuleKeepAlive.ONE_HOUR,
        max_signal_duration=SecurityMonitoringRuleMaxSignalDuration.ONE_DAY,
    ),
    message="Test rule",
    tags=[],
    is_enabled=True,
    type=SecurityMonitoringRuleTypeCreate.LOG_DETECTION,
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.get_suppressions_affecting_future_rule(body=body)

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"

# Get suppressions affecting future rule returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::SecurityMonitoringStandardRuleCreatePayload.new({
  name: "Example-Security-Monitoring",
  queries: [
    DatadogAPIClient::V2::SecurityMonitoringStandardRuleQuery.new({
      query: "@test:true",
      aggregation: DatadogAPIClient::V2::SecurityMonitoringRuleQueryAggregation::COUNT,
      group_by_fields: [],
      distinct_fields: [],
      metrics: [],
    }),
  ],
  filters: [],
  cases: [
    DatadogAPIClient::V2::SecurityMonitoringRuleCaseCreate.new({
      name: "",
      status: DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::INFO,
      condition: "a > 0",
      notifications: [],
    }),
  ],
  options: DatadogAPIClient::V2::SecurityMonitoringRuleOptions.new({
    evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::FIFTEEN_MINUTES,
    keep_alive: DatadogAPIClient::V2::SecurityMonitoringRuleKeepAlive::ONE_HOUR,
    max_signal_duration: DatadogAPIClient::V2::SecurityMonitoringRuleMaxSignalDuration::ONE_DAY,
  }),
  message: "Test rule",
  tags: [],
  is_enabled: true,
  type: DatadogAPIClient::V2::SecurityMonitoringRuleTypeCreate::LOG_DETECTION,
})
p api_instance.get_suppressions_affecting_future_rule(body)

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"

// Get suppressions affecting future rule returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleCaseCreate;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleCreatePayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleEvaluationWindow;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleKeepAlive;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleMaxSignalDuration;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleOptions;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleQueryAggregation;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSeverity;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleTypeCreate;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRuleCreatePayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRuleQuery;

#[tokio::main]
async fn main() {
    let body =
        SecurityMonitoringRuleCreatePayload::SecurityMonitoringStandardRuleCreatePayload(Box::new(
            SecurityMonitoringStandardRuleCreatePayload::new(
                vec![
                    SecurityMonitoringRuleCaseCreate::new(SecurityMonitoringRuleSeverity::INFO)
                        .condition("a > 0".to_string())
                        .name("".to_string())
                        .notifications(vec![]),
                ],
                true,
                "Test rule".to_string(),
                "Example-Security-Monitoring".to_string(),
                SecurityMonitoringRuleOptions::new()
                    .evaluation_window(SecurityMonitoringRuleEvaluationWindow::FIFTEEN_MINUTES)
                    .keep_alive(SecurityMonitoringRuleKeepAlive::ONE_HOUR)
                    .max_signal_duration(SecurityMonitoringRuleMaxSignalDuration::ONE_DAY),
                vec![SecurityMonitoringStandardRuleQuery::new()
                    .aggregation(SecurityMonitoringRuleQueryAggregation::COUNT)
                    .distinct_fields(vec![])
                    .group_by_fields(vec![])
                    .metrics(vec![])
                    .query("@test:true".to_string())],
            )
            .filters(vec![])
            .tags(vec![])
            .type_(SecurityMonitoringRuleTypeCreate::LOG_DETECTION),
        ));
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.get_suppressions_affecting_future_rule(body).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

Instructions

First install the library and its dependencies and then save the example to src/main.rs and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run

/**
 * Get suppressions affecting future rule returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiGetSuppressionsAffectingFutureRuleRequest =
  {
    body: {
      name: "Example-Security-Monitoring",
      queries: [
        {
          query: "@test:true",
          aggregation: "count",
          groupByFields: [],
          distinctFields: [],
          metrics: [],
        },
      ],
      filters: [],
      cases: [
        {
          name: "",
          status: "info",
          condition: "a > 0",
          notifications: [],
        },
      ],
      options: {
        evaluationWindow: 900,
        keepAlive: 3600,
        maxSignalDuration: 86400,
      },
      message: "Test rule",
      tags: [],
      isEnabled: true,
      type: "log_detection",
    },
  };

apiInstance
  .getSuppressionsAffectingFutureRule(params)
  .then((data: v2.SecurityMonitoringSuppressionsResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

Update a critical asset

v2 (latest)

PATCH https://api.ap1.datadoghq.com/api/v2/security_monitoring/configuration/critical_assets/{critical_asset_id}https://api.ap2.datadoghq.com/api/v2/security_monitoring/configuration/critical_assets/{critical_asset_id}https://api.datadoghq.eu/api/v2/security_monitoring/configuration/critical_assets/{critical_asset_id}https://api.ddog-gov.com/api/v2/security_monitoring/configuration/critical_assets/{critical_asset_id}https://api.datadoghq.com/api/v2/security_monitoring/configuration/critical_assets/{critical_asset_id}https://api.us3.datadoghq.com/api/v2/security_monitoring/configuration/critical_assets/{critical_asset_id}https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/critical_assets/{critical_asset_id}

概要

Update a specific critical asset.

OAuth apps require the security_monitoring_critical_assets_write authorization scope to access this endpoint.

引数

パスパラメーター

名前

種類

説明

critical_asset_id [required]

string

The ID of the critical asset.

リクエスト

Body Data (required)

New definition of the critical asset. Supports partial updates.

Expand All

フィールド

種類

説明

data [required]

object

The new critical asset properties; partial updates are supported.

{
  "data": {
    "type": "critical_assets",
    "attributes": {
      "enabled": false,
      "query": "no:alert",
      "rule_query": "type:(log_detection OR signal_correlation OR workload_security OR application_security) ruleId:djg-ktx-ipq",
      "severity": "decrease",
      "tags": [
        "env:production"
      ],
      "version": 1
    }
  }
}

応答

Response object containing a single critical asset.

Expand All

フィールド

種類

説明

data

object

The critical asset's properties.

{
  "data": {
    "attributes": {
      "creation_author_id": 367742,
      "creation_date": "integer",
      "creator": {
        "handle": "john.doe@datadoghq.com",
        "name": "John Doe"
      },
      "enabled": true,
      "query": "security:monitoring",
      "rule_query": "type:log_detection source:cloudtrail",
      "severity": "increase",
      "tags": [
        "team:database",
        "source:cloudtrail"
      ],
      "update_author_id": 367743,
      "update_date": "integer",
      "updater": {
        "handle": "john.doe@datadoghq.com",
        "name": "John Doe"
      },
      "version": 2
    },
    "id": "4e2435a5-6670-4b8f-baff-46083cd1c250",
    "type": "critical_assets"
  }
}

Bad Request

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Authorized

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Found

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Concurrent Modification

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

コード例

                          # Path parameters
export critical_asset_id="CHANGE_ME"
# Curl command
curl -X PATCH "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/critical_assets/${critical_asset_id}" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": {
    "type": "critical_assets",
    "attributes": {
      "enabled": false,
      "query": "no:alert",
      "rule_query": "type:(log_detection OR signal_correlation OR workload_security OR application_security) ruleId:djg-ktx-ipq",
      "severity": "decrease",
      "tags": [
        "env:production"
      ],
      "version": 1
    }
  }
}
EOF

                        

Update a suppression rule

v2 (latest)

PATCH https://api.ap1.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id}https://api.ap2.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id}https://api.datadoghq.eu/api/v2/security_monitoring/configuration/suppressions/{suppression_id}https://api.ddog-gov.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id}https://api.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id}https://api.us3.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id}https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id}

概要

Update a specific suppression rule.

OAuth apps require the security_monitoring_suppressions_write authorization scope to access this endpoint.

引数

パスパラメーター

名前

種類

説明

suppression_id [required]

string

The ID of the suppression rule

リクエスト

Body Data (required)

New definition of the suppression rule. Supports partial updates.

Expand All

フィールド

種類

説明

data [required]

object

The new suppression properties; partial updates are supported.

{
  "data": {
    "attributes": {
      "suppression_query": "env:staging status:low"
    },
    "type": "suppressions"
  }
}

応答

Response object containing a single suppression rule.

Expand All

フィールド

種類

説明

data

object

The suppression rule's properties.

{
  "data": {
    "attributes": {
      "creation_date": "integer",
      "creator": {
        "handle": "john.doe@datadoghq.com",
        "name": "John Doe"
      },
      "data_exclusion_query": "source:cloudtrail account_id:12345",
      "description": "This rule suppresses low-severity signals in staging environments.",
      "editable": true,
      "enabled": true,
      "expiration_date": 1703187336000,
      "name": "Custom suppression",
      "rule_query": "type:log_detection source:cloudtrail",
      "start_date": 1703187336000,
      "suppression_query": "env:staging status:low",
      "tags": [
        "technique:T1110-brute-force",
        "source:cloudtrail"
      ],
      "update_date": "integer",
      "updater": {
        "handle": "john.doe@datadoghq.com",
        "name": "John Doe"
      },
      "version": 42
    },
    "id": "3dd-0uc-h1s",
    "type": "suppressions"
  }
}

Bad Request

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Authorized

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Found

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Concurrent Modification

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

コード例

                          # Path parameters
export suppression_id="CHANGE_ME"
# Curl command
curl -X PATCH "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/${suppression_id}" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": {
    "attributes": {
      "suppression_query": "env:staging status:low"
    },
    "type": "suppressions"
  }
}
EOF

                        

// Update a suppression rule returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	// there is a valid "suppression" in the system
	SuppressionDataID := os.Getenv("SUPPRESSION_DATA_ID")

	body := datadogV2.SecurityMonitoringSuppressionUpdateRequest{
		Data: datadogV2.SecurityMonitoringSuppressionUpdateData{
			Attributes: datadogV2.SecurityMonitoringSuppressionUpdateAttributes{
				SuppressionQuery: datadog.PtrString("env:staging status:low"),
			},
			Type: datadogV2.SECURITYMONITORINGSUPPRESSIONTYPE_SUPPRESSIONS,
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.UpdateSecurityMonitoringSuppression(ctx, SuppressionDataID, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.UpdateSecurityMonitoringSuppression`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.UpdateSecurityMonitoringSuppression`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"

// Update a suppression rule returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionResponse;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionType;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionUpdateAttributes;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionUpdateData;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionUpdateRequest;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    // there is a valid "suppression" in the system
    String SUPPRESSION_DATA_ID = System.getenv("SUPPRESSION_DATA_ID");

    SecurityMonitoringSuppressionUpdateRequest body =
        new SecurityMonitoringSuppressionUpdateRequest()
            .data(
                new SecurityMonitoringSuppressionUpdateData()
                    .attributes(
                        new SecurityMonitoringSuppressionUpdateAttributes()
                            .suppressionQuery("env:staging status:low"))
                    .type(SecurityMonitoringSuppressionType.SUPPRESSIONS));

    try {
      SecurityMonitoringSuppressionResponse result =
          apiInstance.updateSecurityMonitoringSuppression(SUPPRESSION_DATA_ID, body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#updateSecurityMonitoringSuppression");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

"""
Update a suppression rule returns "OK" response
"""

from os import environ
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_suppression_type import SecurityMonitoringSuppressionType
from datadog_api_client.v2.model.security_monitoring_suppression_update_attributes import (
    SecurityMonitoringSuppressionUpdateAttributes,
)
from datadog_api_client.v2.model.security_monitoring_suppression_update_data import (
    SecurityMonitoringSuppressionUpdateData,
)
from datadog_api_client.v2.model.security_monitoring_suppression_update_request import (
    SecurityMonitoringSuppressionUpdateRequest,
)

# there is a valid "suppression" in the system
SUPPRESSION_DATA_ID = environ["SUPPRESSION_DATA_ID"]

body = SecurityMonitoringSuppressionUpdateRequest(
    data=SecurityMonitoringSuppressionUpdateData(
        attributes=SecurityMonitoringSuppressionUpdateAttributes(
            suppression_query="env:staging status:low",
        ),
        type=SecurityMonitoringSuppressionType.SUPPRESSIONS,
    ),
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.update_security_monitoring_suppression(suppression_id=SUPPRESSION_DATA_ID, body=body)

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"

# Update a suppression rule returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

# there is a valid "suppression" in the system
SUPPRESSION_DATA_ID = ENV["SUPPRESSION_DATA_ID"]

body = DatadogAPIClient::V2::SecurityMonitoringSuppressionUpdateRequest.new({
  data: DatadogAPIClient::V2::SecurityMonitoringSuppressionUpdateData.new({
    attributes: DatadogAPIClient::V2::SecurityMonitoringSuppressionUpdateAttributes.new({
      suppression_query: "env:staging status:low",
    }),
    type: DatadogAPIClient::V2::SecurityMonitoringSuppressionType::SUPPRESSIONS,
  }),
})
p api_instance.update_security_monitoring_suppression(SUPPRESSION_DATA_ID, body)

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"

// Update a suppression rule returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringSuppressionType;
use datadog_api_client::datadogV2::model::SecurityMonitoringSuppressionUpdateAttributes;
use datadog_api_client::datadogV2::model::SecurityMonitoringSuppressionUpdateData;
use datadog_api_client::datadogV2::model::SecurityMonitoringSuppressionUpdateRequest;

#[tokio::main]
async fn main() {
    // there is a valid "suppression" in the system
    let suppression_data_id = std::env::var("SUPPRESSION_DATA_ID").unwrap();
    let body = SecurityMonitoringSuppressionUpdateRequest::new(
        SecurityMonitoringSuppressionUpdateData::new(
            SecurityMonitoringSuppressionUpdateAttributes::new()
                .suppression_query("env:staging status:low".to_string()),
            SecurityMonitoringSuppressionType::SUPPRESSIONS,
        ),
    );
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .update_security_monitoring_suppression(suppression_data_id.clone(), body)
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

Instructions

First install the library and its dependencies and then save the example to src/main.rs and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run

/**
 * Update a suppression rule returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

// there is a valid "suppression" in the system
const SUPPRESSION_DATA_ID = process.env.SUPPRESSION_DATA_ID as string;

const params: v2.SecurityMonitoringApiUpdateSecurityMonitoringSuppressionRequest =
  {
    body: {
      data: {
        attributes: {
          suppressionQuery: "env:staging status:low",
        },
        type: "suppressions",
      },
    },
    suppressionId: SUPPRESSION_DATA_ID,
  };

apiInstance
  .updateSecurityMonitoringSuppression(params)
  .then((data: v2.SecurityMonitoringSuppressionResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

Validate a suppression rule

v2 (latest)

POST https://api.ap1.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/validationhttps://api.ap2.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/validationhttps://api.datadoghq.eu/api/v2/security_monitoring/configuration/suppressions/validationhttps://api.ddog-gov.com/api/v2/security_monitoring/configuration/suppressions/validationhttps://api.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/validationhttps://api.us3.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/validationhttps://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/validation

概要

Validate a suppression rule. This endpoint requires the security_monitoring_suppressions_write permission.

OAuth apps require the security_monitoring_suppressions_write authorization scope to access this endpoint.

リクエスト

Body Data (required)

Expand All

フィールド

種類

説明

data [required]

object

Object for a single suppression rule.

{
  "data": {
    "attributes": {
      "data_exclusion_query": "source:cloudtrail account_id:12345",
      "description": "This rule suppresses low-severity signals in staging environments.",
      "enabled": true,
      "name": "Custom suppression",
      "rule_query": "type:log_detection source:cloudtrail"
    },
    "type": "suppressions"
  }
}

応答

Bad Request

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Authorized

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

コード例

                          # Curl command
curl -X POST "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/validation" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": {
    "attributes": {
      "data_exclusion_query": "source:cloudtrail account_id:12345",
      "description": "This rule suppresses low-severity signals in staging environments.",
      "enabled": true,
      "name": "Custom suppression",
      "rule_query": "type:log_detection source:cloudtrail"
    },
    "type": "suppressions"
  }
}
EOF

                        

// Validate a suppression rule returns "OK" response

package main

import (
	"context"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.SecurityMonitoringSuppressionCreateRequest{
		Data: datadogV2.SecurityMonitoringSuppressionCreateData{
			Attributes: datadogV2.SecurityMonitoringSuppressionCreateAttributes{
				DataExclusionQuery: datadog.PtrString("source:cloudtrail account_id:12345"),
				Description:        datadog.PtrString("This rule suppresses low-severity signals in staging environments."),
				Enabled:            true,
				Name:               "Custom suppression",
				RuleQuery:          "type:log_detection source:cloudtrail",
			},
			Type: datadogV2.SECURITYMONITORINGSUPPRESSIONTYPE_SUPPRESSIONS,
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	r, err := api.ValidateSecurityMonitoringSuppression(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.ValidateSecurityMonitoringSuppression`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"

// Validate a suppression rule returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionCreateAttributes;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionCreateData;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionCreateRequest;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionType;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SecurityMonitoringSuppressionCreateRequest body =
        new SecurityMonitoringSuppressionCreateRequest()
            .data(
                new SecurityMonitoringSuppressionCreateData()
                    .attributes(
                        new SecurityMonitoringSuppressionCreateAttributes()
                            .dataExclusionQuery("source:cloudtrail account_id:12345")
                            .description(
                                "This rule suppresses low-severity signals in staging"
                                    + " environments.")
                            .enabled(true)
                            .name("Custom suppression")
                            .ruleQuery("type:log_detection source:cloudtrail"))
                    .type(SecurityMonitoringSuppressionType.SUPPRESSIONS));

    try {
      apiInstance.validateSecurityMonitoringSuppression(body);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#validateSecurityMonitoringSuppression");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

"""
Validate a suppression rule returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_suppression_create_attributes import (
    SecurityMonitoringSuppressionCreateAttributes,
)
from datadog_api_client.v2.model.security_monitoring_suppression_create_data import (
    SecurityMonitoringSuppressionCreateData,
)
from datadog_api_client.v2.model.security_monitoring_suppression_create_request import (
    SecurityMonitoringSuppressionCreateRequest,
)
from datadog_api_client.v2.model.security_monitoring_suppression_type import SecurityMonitoringSuppressionType

body = SecurityMonitoringSuppressionCreateRequest(
    data=SecurityMonitoringSuppressionCreateData(
        attributes=SecurityMonitoringSuppressionCreateAttributes(
            data_exclusion_query="source:cloudtrail account_id:12345",
            description="This rule suppresses low-severity signals in staging environments.",
            enabled=True,
            name="Custom suppression",
            rule_query="type:log_detection source:cloudtrail",
        ),
        type=SecurityMonitoringSuppressionType.SUPPRESSIONS,
    ),
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    api_instance.validate_security_monitoring_suppression(body=body)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"

# Validate a suppression rule returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::SecurityMonitoringSuppressionCreateRequest.new({
  data: DatadogAPIClient::V2::SecurityMonitoringSuppressionCreateData.new({
    attributes: DatadogAPIClient::V2::SecurityMonitoringSuppressionCreateAttributes.new({
      data_exclusion_query: "source:cloudtrail account_id:12345",
      description: "This rule suppresses low-severity signals in staging environments.",
      enabled: true,
      name: "Custom suppression",
      rule_query: "type:log_detection source:cloudtrail",
    }),
    type: DatadogAPIClient::V2::SecurityMonitoringSuppressionType::SUPPRESSIONS,
  }),
})
api_instance.validate_security_monitoring_suppression(body)

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"

// Validate a suppression rule returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringSuppressionCreateAttributes;
use datadog_api_client::datadogV2::model::SecurityMonitoringSuppressionCreateData;
use datadog_api_client::datadogV2::model::SecurityMonitoringSuppressionCreateRequest;
use datadog_api_client::datadogV2::model::SecurityMonitoringSuppressionType;

#[tokio::main]
async fn main() {
    let body = SecurityMonitoringSuppressionCreateRequest::new(
        SecurityMonitoringSuppressionCreateData::new(
            SecurityMonitoringSuppressionCreateAttributes::new(
                true,
                "Custom suppression".to_string(),
                "type:log_detection source:cloudtrail".to_string(),
            )
            .data_exclusion_query("source:cloudtrail account_id:12345".to_string())
            .description(
                "This rule suppresses low-severity signals in staging environments.".to_string(),
            ),
            SecurityMonitoringSuppressionType::SUPPRESSIONS,
        ),
    );
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.validate_security_monitoring_suppression(body).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

Instructions

First install the library and its dependencies and then save the example to src/main.rs and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run

/**
 * Validate a suppression rule returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiValidateSecurityMonitoringSuppressionRequest =
  {
    body: {
      data: {
        attributes: {
          dataExclusionQuery: "source:cloudtrail account_id:12345",
          description:
            "This rule suppresses low-severity signals in staging environments.",
          enabled: true,
          name: "Custom suppression",
          ruleQuery: "type:log_detection source:cloudtrail",
        },
        type: "suppressions",
      },
    },
  };

apiInstance
  .validateSecurityMonitoringSuppression(params)
  .then((data: any) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

List findings

v2 (latest)

Note: This endpoint uses the legacy security findings data model and is planned for deprecation. Use the search security findings endpoint, which is based on the new security findings schema, to search security findings. If you have any feedback, contact Datadog support.

GET https://api.ap1.datadoghq.com/api/v2/posture_management/findingshttps://api.ap2.datadoghq.com/api/v2/posture_management/findingshttps://api.datadoghq.eu/api/v2/posture_management/findingshttps://api.ddog-gov.com/api/v2/posture_management/findingshttps://api.datadoghq.com/api/v2/posture_management/findingshttps://api.us3.datadoghq.com/api/v2/posture_management/findingshttps://api.us5.datadoghq.com/api/v2/posture_management/findings

概要

Get a list of findings. These include both misconfigurations and identity risks.

Note: To filter and return only identity risks, add the following query parameter: ?filter[tags]=dd_rule_type:ciem

Filtering

Filters can be applied by appending query parameters to the URL.

Using a single filter: ?filter[attribute_key]=attribute_value
Chaining filters: ?filter[attribute_key]=attribute_value&filter[attribute_key]=attribute_value...
Filtering on tags: ?filter[tags]=tag_key:tag_value&filter[tags]=tag_key_2:tag_value_2

Here, attribute_key can be any of the filter keys described further below.

Query parameters of type integer support comparison operators (>, >=, <, <=). This is particularly useful when filtering by evaluation_changed_at or resource_discovery_timestamp. For example: ?filter[evaluation_changed_at]=>20123123121.

You can also use the negation operator on strings. For example, use filter[resource_type]=-aws* to filter for any non-AWS resources.

The operator must come after the equal sign. For example, to filter with the >= operator, add the operator after the equal sign: filter[evaluation_changed_at]=>=1678809373257.

Query parameters must be only among the documented ones and with values of correct types. Duplicated query parameters (e.g. filter[status]=low&filter[status]=info) are not allowed.

Additional extension fields

Additional extension fields are available for some findings.

The data is available when you include the query parameter ?detailed_findings=true in the request.

The following fields are available for findings:

external_id: The resource external ID related to the finding.
description: The description and remediation steps for the finding.
datadog_link: The Datadog relative link for the finding.
ip_addresses: The list of private IP addresses for the resource related to the finding.

Response

The response includes an array of finding objects, pagination metadata, and a count of items that match the query.

Each finding object contains the following:

The finding ID that can be used in a GetFinding request to retrieve the full finding details.
Core attributes, including status, evaluation, high-level resource details, muted state, and rule details.
evaluation_changed_at and resource_discovery_date time stamps.
An array of associated tags.

OAuth apps require the security_monitoring_findings_read authorization scope to access this endpoint.

引数

クエリ文字列

名前

種類

説明

page[limit]

integer

Limit the number of findings returned. Must be <= 1000.

snapshot_timestamp

integer

Return findings for a given snapshot of time (Unix ms).

page[cursor]

string

Return the next page of findings pointed to by the cursor.

filter[tags]

string

Return findings that have these associated tags (repeatable).

filter[evaluation_changed_at]

string

Return findings that have changed from pass to fail or vice versa on a specified date (Unix ms) or date range (using comparison operators).

filter[muted]

boolean

Set to true to return findings that are muted. Set to false to return unmuted findings.

filter[rule_id]

string

Return findings for the specified rule ID.

filter[rule_name]

string

Return findings for the specified rule.

filter[resource_type]

string

Return only findings for the specified resource type.

filter[@resource_id]

string

Return only findings for the specified resource id.

filter[discovery_timestamp]

string

Return findings that were found on a specified date (Unix ms) or date range (using comparison operators).

filter[evaluation]

enum

Return only pass or fail findings.
Allowed enum values: pass, fail

filter[status]

enum

Return only findings with the specified status.
Allowed enum values: critical, high, medium, low, info

filter[vulnerability_type]

array

Return findings that match the selected vulnerability types (repeatable).

detailed_findings

boolean

Return additional fields for some findings.

応答

The expected response schema when listing findings.

Expand All

フィールド

種類

説明

data [required]

[object]

Array of findings.

meta [required]

object

Metadata for pagination.

{
  "data": [
    {
      "attributes": {
        "datadog_link": "/security/compliance?panels=cpfinding%7Cevent%7CruleId%3Adef-000-u5t%7CresourceId%3Ae8c9ab7c52ebd7bf2fdb4db641082d7d%7CtabId%3Aoverview",
        "description": "## Remediation\n\n1. In the console, go to **Storage Account**.\n2. For each Storage Account, navigate to **Data Protection**.\n3. Select **Set soft delete enabled** and enter the number of days to retain soft deleted data.",
        "evaluation": "pass",
        "evaluation_changed_at": 1678721573794,
        "external_id": "arn:aws:s3:::my-example-bucket",
        "mute": {
          "description": "To be resolved later",
          "expiration_date": 1778721573794,
          "muted": true,
          "reason": "ACCEPTED_RISK",
          "start_date": 1678721573794,
          "uuid": "e51c9744-d158-11ec-ad23-da7ad0900002"
        },
        "resource": "my_resource_name",
        "resource_discovery_date": 1678721573794,
        "resource_type": "azure_storage_account",
        "rule": {
          "id": "dv2-jzf-41i",
          "name": "Soft delete is enabled for Azure Storage"
        },
        "status": "critical",
        "tags": [
          "cloud_provider:aws",
          "myTag:myValue"
        ],
        "vulnerability_type": "misconfiguration"
      },
      "id": "ZGVmLTAwcC1pZXJ-aS0wZjhjNjMyZDNmMzRlZTgzNw==",
      "type": "finding"
    }
  ],
  "meta": {
    "page": {
      "cursor": "eyJhZnRlciI6IkFRQUFBWWJiaEJXQS1OY1dqUUFBQUFCQldXSmlhRUpYUVVGQlJFSktkbTlDTUdaWFRVbDNRVUUiLCJ2YWx1ZXMiOlsiY3JpdGljYWwiXX0=",
      "total_filtered_count": 213
    },
    "snapshot_timestamp": 1678721573794
  }
}

Bad Request: The server cannot process the request due to invalid syntax in the request.

API error response.

Expand All

フィールド

種類

説明

errors [required]

[object]

A list of errors.

{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}

Forbidden: Access denied

API error response.

Expand All

フィールド

種類

説明

errors [required]

[object]

A list of errors.

{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}

Not Found: The requested finding cannot be found.

API error response.

Expand All

フィールド

種類

説明

errors [required]

[object]

A list of errors.

{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}

Too many requests: The rate limit set by the API has been exceeded.

API error response.

Expand All

フィールド

種類

説明

errors [required]

[object]

A list of errors.

{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}

コード例

                  # Curl command
curl -X GET "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/posture_management/findings" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"

                

"""
List findings returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

configuration = Configuration()
configuration.unstable_operations["list_findings"] = True
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.list_findings()

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"

# List findings returns "OK" response

require "datadog_api_client"
DatadogAPIClient.configure do |config|
  config.unstable_operations["v2.list_findings".to_sym] = true
end
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
p api_instance.list_findings()

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"

// List findings returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	configuration.SetUnstableOperationEnabled("v2.ListFindings", true)
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.ListFindings(ctx, *datadogV2.NewListFindingsOptionalParameters())

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.ListFindings`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.ListFindings`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"

// List findings returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.ListFindingsResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    defaultClient.setUnstableOperationEnabled("v2.listFindings", true);
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    try {
      ListFindingsResponse result = apiInstance.listFindings();
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#listFindings");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

// List findings returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::ListFindingsOptionalParams;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    let mut configuration = datadog::Configuration::new();
    configuration.set_unstable_operation_enabled("v2.ListFindings", true);
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .list_findings(ListFindingsOptionalParams::default())
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

Instructions

First install the library and its dependencies and then save the example to src/main.rs and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run

/**
 * List findings returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
configuration.unstableOperations["v2.listFindings"] = true;
const apiInstance = new v2.SecurityMonitoringApi(configuration);

apiInstance
  .listFindings()
  .then((data: v2.ListFindingsResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

List security findings

v2 (latest)

GET https://api.ap1.datadoghq.com/api/v2/security/findingshttps://api.ap2.datadoghq.com/api/v2/security/findingshttps://api.datadoghq.eu/api/v2/security/findingshttps://api.ddog-gov.com/api/v2/security/findingshttps://api.datadoghq.com/api/v2/security/findingshttps://api.us3.datadoghq.com/api/v2/security/findingshttps://api.us5.datadoghq.com/api/v2/security/findings

概要

Get a list of security findings that match a search query. See the schema for security findings.

Query Syntax

This endpoint uses the logs query syntax. Findings attributes (living in the attributes.attributes. namespace) are prefixed by @ when queried. Tags are queried without a prefix.

Example: @severity:(critical OR high) @status:open team:platform

This endpoint requires any of the following permissions:

security_monitoring_findings_read

appsec_vm_read

OAuth apps require the security_monitoring_findings_read authorization scope to access this endpoint.

引数

クエリ文字列

名前

種類

説明

filter[query]

string

The search query following log search syntax.

page[cursor]

string

Get the next page of results with a cursor provided in the previous query.

page[limit]

integer

The maximum number of findings in the response.

sort

enum

Sorts by @detection_changed_at.
Allowed enum values: @detection_changed_at, -@detection_changed_at

応答

The expected response schema when listing security findings.

Expand All

フィールド

種類

説明

data

[object]

Array of security findings matching the search query.

links

object

Links for pagination.

meta

object

Metadata about the response.

{
  "data": [
    {
      "attributes": {
        "attributes": {
          "severity": "high",
          "status": "open"
        },
        "tags": [
          "team:platform",
          "env:prod"
        ],
        "timestamp": 1765901760
      },
      "id": "ZGVmLTAwcC1pZXJ-aS0wZjhjNjMyZDNmMzRlZTgzNw==",
      "type": "finding"
    }
  ],
  "links": {
    "next": "https://app.datadoghq.com/api/v2/security/findings?page[cursor]=eyJhZnRlciI6IkF3QUFBWnPcm1pd0FBQUJbVlBQUKBa1pqRTVdZUzSTBNemN0YWiIsLTE3Mjk0MzYwMjFdfQ==\u0026page[limit]=25"
  },
  "meta": {
    "elapsed": 548,
    "page": {
      "after": "eyJhZnRlciI6IkFRQUFBWWJiaEJXQS1OY1dqUUFBQUFCQldXSmlhRUpYUVVGQlJFSktkbTlDTUdaWFRVbDNRVUUiLCJ2YWx1ZXMiOlsiY3JpdGljYWwiXX0="
    },
    "request_id": "pddv1ChZwVlMxMUdYRFRMQ1lyb3B4MGNYbFlnIi0KHQu35LDbucx",
    "status": "done"
  }
}

Bad Request

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Forbidden

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

コード例

                  # Curl command
curl -X GET "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security/findings" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"

                

Get a finding

v2 (latest)

GET https://api.ap1.datadoghq.com/api/v2/posture_management/findings/{finding_id}https://api.ap2.datadoghq.com/api/v2/posture_management/findings/{finding_id}https://api.datadoghq.eu/api/v2/posture_management/findings/{finding_id}https://api.ddog-gov.com/api/v2/posture_management/findings/{finding_id}https://api.datadoghq.com/api/v2/posture_management/findings/{finding_id}https://api.us3.datadoghq.com/api/v2/posture_management/findings/{finding_id}https://api.us5.datadoghq.com/api/v2/posture_management/findings/{finding_id}

概要

Returns a single finding with message and resource configuration.

OAuth apps require the security_monitoring_findings_read authorization scope to access this endpoint.

引数

パスパラメーター

名前

種類

説明

finding_id [required]

string

The ID of the finding.

クエリ文字列

名前

種類

説明

snapshot_timestamp

integer

Return the finding for a given snapshot of time (Unix ms).

応答

The expected response schema when getting a finding.

Expand All

フィールド

種類

説明

data [required]

object

A single finding with with message and resource configuration.

{
  "data": {
    "attributes": {
      "evaluation": "pass",
      "evaluation_changed_at": 1678721573794,
      "message": "## Remediation\n\n### From the console\n\n1. Go to Storage Account\n2. For each Storage Account, navigate to Data Protection\n3. Select Set soft delete enabled and enter the number of days to retain soft deleted data.",
      "mute": {
        "description": "To be resolved later",
        "expiration_date": 1778721573794,
        "muted": true,
        "reason": "ACCEPTED_RISK",
        "start_date": 1678721573794,
        "uuid": "e51c9744-d158-11ec-ad23-da7ad0900002"
      },
      "resource": "my_resource_name",
      "resource_configuration": {},
      "resource_discovery_date": 1678721573794,
      "resource_type": "azure_storage_account",
      "rule": {
        "id": "dv2-jzf-41i",
        "name": "Soft delete is enabled for Azure Storage"
      },
      "status": "critical",
      "tags": [
        "cloud_provider:aws",
        "myTag:myValue"
      ]
    },
    "id": "ZGVmLTAwcC1pZXJ-aS0wZjhjNjMyZDNmMzRlZTgzNw==",
    "type": "detailed_finding"
  }
}

Bad Request: The server cannot process the request due to invalid syntax in the request.

API error response.

Expand All

フィールド

種類

説明

errors [required]

[object]

A list of errors.

{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}

Forbidden: Access denied

API error response.

Expand All

フィールド

種類

説明

errors [required]

[object]

A list of errors.

{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}

Not Found: The requested finding cannot be found.

API error response.

Expand All

フィールド

種類

説明

errors [required]

[object]

A list of errors.

{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}

Too many requests: The rate limit set by the API has been exceeded.

API error response.

Expand All

フィールド

種類

説明

errors [required]

[object]

A list of errors.

{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}

コード例

                  # Path parameters
export finding_id="CHANGE_ME"
# Curl command
curl -X GET "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/posture_management/findings/${finding_id}" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"

                

"""
Get a finding returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

configuration = Configuration()
configuration.unstable_operations["get_finding"] = True
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.get_finding(
        finding_id="AgAAAYd59gjghzF52gAAAAAAAAAYAAAAAEFZZDU5Z2pnQUFCRTRvV1lFeEo4SlFBQQAAACQAAAAAMDE4NzdhMDEtMDRiYS00NTZlLWFmMzMtNTIxNmNkNjVlNDMz",
    )

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"

# Get a finding returns "OK" response

require "datadog_api_client"
DatadogAPIClient.configure do |config|
  config.unstable_operations["v2.get_finding".to_sym] = true
end
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
p api_instance.get_finding("AgAAAYd59gjghzF52gAAAAAAAAAYAAAAAEFZZDU5Z2pnQUFCRTRvV1lFeEo4SlFBQQAAACQAAAAAMDE4NzdhMDEtMDRiYS00NTZlLWFmMzMtNTIxNmNkNjVlNDMz")

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"

// Get a finding returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	configuration.SetUnstableOperationEnabled("v2.GetFinding", true)
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.GetFinding(ctx, "AgAAAYd59gjghzF52gAAAAAAAAAYAAAAAEFZZDU5Z2pnQUFCRTRvV1lFeEo4SlFBQQAAACQAAAAAMDE4NzdhMDEtMDRiYS00NTZlLWFmMzMtNTIxNmNkNjVlNDMz", *datadogV2.NewGetFindingOptionalParameters())

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.GetFinding`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.GetFinding`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"

// Get a finding returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.GetFindingResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    defaultClient.setUnstableOperationEnabled("v2.getFinding", true);
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    try {
      GetFindingResponse result =
          apiInstance.getFinding(
              "AgAAAYd59gjghzF52gAAAAAAAAAYAAAAAEFZZDU5Z2pnQUFCRTRvV1lFeEo4SlFBQQAAACQAAAAAMDE4NzdhMDEtMDRiYS00NTZlLWFmMzMtNTIxNmNkNjVlNDMz");
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#getFinding");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

// Get a finding returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::GetFindingOptionalParams;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    let mut configuration = datadog::Configuration::new();
    configuration.set_unstable_operation_enabled("v2.GetFinding", true);
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp =
        api
            .get_finding(
                "AgAAAYd59gjghzF52gAAAAAAAAAYAAAAAEFZZDU5Z2pnQUFCRTRvV1lFeEo4SlFBQQAAACQAAAAAMDE4NzdhMDEtMDRiYS00NTZlLWFmMzMtNTIxNmNkNjVlNDMz".to_string(),
                GetFindingOptionalParams::default(),
            )
            .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

Instructions

First install the library and its dependencies and then save the example to src/main.rs and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run

/**
 * Get a finding returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
configuration.unstableOperations["v2.getFinding"] = true;
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiGetFindingRequest = {
  findingId:
    "AgAAAYd59gjghzF52gAAAAAAAAAYAAAAAEFZZDU5Z2pnQUFCRTRvV1lFeEo4SlFBQQAAACQAAAAAMDE4NzdhMDEtMDRiYS00NTZlLWFmMzMtNTIxNmNkNjVlNDMz",
};

apiInstance
  .getFinding(params)
  .then((data: v2.GetFindingResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

Mute or unmute a batch of findings

v2 (latest)

Note: This endpoint is in public beta. If you have any feedback, contact Datadog support.

PATCH https://api.ap1.datadoghq.com/api/v2/posture_management/findingshttps://api.ap2.datadoghq.com/api/v2/posture_management/findingshttps://api.datadoghq.eu/api/v2/posture_management/findingshttps://api.ddog-gov.com/api/v2/posture_management/findingshttps://api.datadoghq.com/api/v2/posture_management/findingshttps://api.us3.datadoghq.com/api/v2/posture_management/findingshttps://api.us5.datadoghq.com/api/v2/posture_management/findings

概要

Mute or unmute findings. This endpoint requires any of the following permissions:

security_monitoring_findings_write

appsec_vm_write

リクエスト

Body Data (required)

Attributes

All findings are updated with the same attributes. The request body must include at least two attributes: muted and reason. The allowed reasons depend on whether the finding is being muted or unmuted:

To mute a finding: PENDING_FIX, FALSE_POSITIVE, ACCEPTED_RISK, OTHER.
To unmute a finding : NO_PENDING_FIX, HUMAN_ERROR, NO_LONGER_ACCEPTED_RISK, OTHER.

応答

The expected response schema.

Expand All

フィールド

種類

説明

data [required]

object

Data object containing the ID of the request that was updated.

{
  "data": {
    "id": "93bfeb70-af47-424d-908a-948d3f08e37f",
    "type": "finding"
  }
}

Bad Request: The server cannot process the request due to invalid syntax in the request.

API error response.

Expand All

フィールド

種類

説明

errors [required]

[object]

A list of errors.

{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}

Forbidden: Access denied

API error response.

Expand All

フィールド

種類

説明

errors [required]

[object]

A list of errors.

{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}

Not Found: The requested finding cannot be found.

API error response.

Expand All

フィールド

種類

説明

errors [required]

[object]

A list of errors.

{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}

Invalid Request: The server understands the request syntax but cannot process it due to invalid data.

API error response.

Expand All

フィールド

種類

説明

errors [required]

[object]

A list of errors.

{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}

Too many requests: The rate limit set by the API has been exceeded.

API error response.

Expand All

フィールド

種類

説明

errors [required]

[object]

A list of errors.

{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}

コード例

                          # Curl command
curl -X PATCH "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/posture_management/findings" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": {
    "attributes": {
      "mute": {
        "expiration_date": 1778721573794,
        "muted": true,
        "reason": "ACCEPTED_RISK"
      }
    },
    "id": "dbe5f567-192b-4404-b908-29b70e1c9f76",
    "meta": {
      "findings": [
        {
          "finding_id": "ZGVmLTAwcC1pZXJ-aS0wZjhjNjMyZDNmMzRlZTgzNw=="
        }
      ]
    },
    "type": "finding"
  }
}
EOF

                        

// Mute or unmute a batch of findings returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.BulkMuteFindingsRequest{
		Data: datadogV2.BulkMuteFindingsRequestData{
			Attributes: datadogV2.BulkMuteFindingsRequestAttributes{
				Mute: datadogV2.BulkMuteFindingsRequestProperties{
					ExpirationDate: datadog.PtrInt64(1778721573794),
					Muted:          true,
					Reason:         datadogV2.FINDINGMUTEREASON_ACCEPTED_RISK,
				},
			},
			Id: "dbe5f567-192b-4404-b908-29b70e1c9f76",
			Meta: datadogV2.BulkMuteFindingsRequestMeta{
				Findings: []datadogV2.BulkMuteFindingsRequestMetaFindings{
					{
						FindingId: datadog.PtrString("ZGVmLTAwcC1pZXJ-aS0wZjhjNjMyZDNmMzRlZTgzNw=="),
					},
				},
			},
			Type: datadogV2.FINDINGTYPE_FINDING,
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	configuration.SetUnstableOperationEnabled("v2.MuteFindings", true)
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.MuteFindings(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.MuteFindings`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.MuteFindings`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"

// Mute or unmute a batch of findings returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.BulkMuteFindingsRequest;
import com.datadog.api.client.v2.model.BulkMuteFindingsRequestAttributes;
import com.datadog.api.client.v2.model.BulkMuteFindingsRequestData;
import com.datadog.api.client.v2.model.BulkMuteFindingsRequestMeta;
import com.datadog.api.client.v2.model.BulkMuteFindingsRequestMetaFindings;
import com.datadog.api.client.v2.model.BulkMuteFindingsRequestProperties;
import com.datadog.api.client.v2.model.BulkMuteFindingsResponse;
import com.datadog.api.client.v2.model.FindingMuteReason;
import com.datadog.api.client.v2.model.FindingType;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    defaultClient.setUnstableOperationEnabled("v2.muteFindings", true);
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    BulkMuteFindingsRequest body =
        new BulkMuteFindingsRequest()
            .data(
                new BulkMuteFindingsRequestData()
                    .attributes(
                        new BulkMuteFindingsRequestAttributes()
                            .mute(
                                new BulkMuteFindingsRequestProperties()
                                    .expirationDate(1778721573794L)
                                    .muted(true)
                                    .reason(FindingMuteReason.ACCEPTED_RISK)))
                    .id("dbe5f567-192b-4404-b908-29b70e1c9f76")
                    .meta(
                        new BulkMuteFindingsRequestMeta()
                            .findings(
                                Collections.singletonList(
                                    new BulkMuteFindingsRequestMetaFindings()
                                        .findingId(
                                            "ZGVmLTAwcC1pZXJ-aS0wZjhjNjMyZDNmMzRlZTgzNw=="))))
                    .type(FindingType.FINDING));

    try {
      BulkMuteFindingsResponse result = apiInstance.muteFindings(body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#muteFindings");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

"""
Mute or unmute a batch of findings returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.bulk_mute_findings_request import BulkMuteFindingsRequest
from datadog_api_client.v2.model.bulk_mute_findings_request_attributes import BulkMuteFindingsRequestAttributes
from datadog_api_client.v2.model.bulk_mute_findings_request_data import BulkMuteFindingsRequestData
from datadog_api_client.v2.model.bulk_mute_findings_request_meta import BulkMuteFindingsRequestMeta
from datadog_api_client.v2.model.bulk_mute_findings_request_meta_findings import BulkMuteFindingsRequestMetaFindings
from datadog_api_client.v2.model.bulk_mute_findings_request_properties import BulkMuteFindingsRequestProperties
from datadog_api_client.v2.model.finding_mute_reason import FindingMuteReason
from datadog_api_client.v2.model.finding_type import FindingType

body = BulkMuteFindingsRequest(
    data=BulkMuteFindingsRequestData(
        attributes=BulkMuteFindingsRequestAttributes(
            mute=BulkMuteFindingsRequestProperties(
                expiration_date=1778721573794,
                muted=True,
                reason=FindingMuteReason.ACCEPTED_RISK,
            ),
        ),
        id="dbe5f567-192b-4404-b908-29b70e1c9f76",
        meta=BulkMuteFindingsRequestMeta(
            findings=[
                BulkMuteFindingsRequestMetaFindings(
                    finding_id="ZGVmLTAwcC1pZXJ-aS0wZjhjNjMyZDNmMzRlZTgzNw==",
                ),
            ],
        ),
        type=FindingType.FINDING,
    ),
)

configuration = Configuration()
configuration.unstable_operations["mute_findings"] = True
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.mute_findings(body=body)

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"

# Mute or unmute a batch of findings returns "OK" response

require "datadog_api_client"
DatadogAPIClient.configure do |config|
  config.unstable_operations["v2.mute_findings".to_sym] = true
end
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::BulkMuteFindingsRequest.new({
  data: DatadogAPIClient::V2::BulkMuteFindingsRequestData.new({
    attributes: DatadogAPIClient::V2::BulkMuteFindingsRequestAttributes.new({
      mute: DatadogAPIClient::V2::BulkMuteFindingsRequestProperties.new({
        expiration_date: 1778721573794,
        muted: true,
        reason: DatadogAPIClient::V2::FindingMuteReason::ACCEPTED_RISK,
      }),
    }),
    id: "dbe5f567-192b-4404-b908-29b70e1c9f76",
    meta: DatadogAPIClient::V2::BulkMuteFindingsRequestMeta.new({
      findings: [
        DatadogAPIClient::V2::BulkMuteFindingsRequestMetaFindings.new({
          finding_id: "ZGVmLTAwcC1pZXJ-aS0wZjhjNjMyZDNmMzRlZTgzNw==",
        }),
      ],
    }),
    type: DatadogAPIClient::V2::FindingType::FINDING,
  }),
})
p api_instance.mute_findings(body)

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"

// Mute or unmute a batch of findings returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::BulkMuteFindingsRequest;
use datadog_api_client::datadogV2::model::BulkMuteFindingsRequestAttributes;
use datadog_api_client::datadogV2::model::BulkMuteFindingsRequestData;
use datadog_api_client::datadogV2::model::BulkMuteFindingsRequestMeta;
use datadog_api_client::datadogV2::model::BulkMuteFindingsRequestMetaFindings;
use datadog_api_client::datadogV2::model::BulkMuteFindingsRequestProperties;
use datadog_api_client::datadogV2::model::FindingMuteReason;
use datadog_api_client::datadogV2::model::FindingType;

#[tokio::main]
async fn main() {
    let body = BulkMuteFindingsRequest::new(BulkMuteFindingsRequestData::new(
        BulkMuteFindingsRequestAttributes::new(
            BulkMuteFindingsRequestProperties::new(true, FindingMuteReason::ACCEPTED_RISK)
                .expiration_date(1778721573794),
        ),
        "dbe5f567-192b-4404-b908-29b70e1c9f76".to_string(),
        BulkMuteFindingsRequestMeta::new()
            .findings(vec![BulkMuteFindingsRequestMetaFindings::new().finding_id(
                "ZGVmLTAwcC1pZXJ-aS0wZjhjNjMyZDNmMzRlZTgzNw==".to_string(),
            )]),
        FindingType::FINDING,
    ));
    let mut configuration = datadog::Configuration::new();
    configuration.set_unstable_operation_enabled("v2.MuteFindings", true);
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.mute_findings(body).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

Instructions

First install the library and its dependencies and then save the example to src/main.rs and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run

/**
 * Mute or unmute a batch of findings returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
configuration.unstableOperations["v2.muteFindings"] = true;
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiMuteFindingsRequest = {
  body: {
    data: {
      attributes: {
        mute: {
          expirationDate: 1778721573794,
          muted: true,
          reason: "ACCEPTED_RISK",
        },
      },
      id: "dbe5f567-192b-4404-b908-29b70e1c9f76",
      meta: {
        findings: [
          {
            findingId: "ZGVmLTAwcC1pZXJ-aS0wZjhjNjMyZDNmMzRlZTgzNw==",
          },
        ],
      },
      type: "finding",
    },
  },
};

apiInstance
  .muteFindings(params)
  .then((data: v2.BulkMuteFindingsResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

Search security findings

v2 (latest)

POST https://api.ap1.datadoghq.com/api/v2/security/findings/searchhttps://api.ap2.datadoghq.com/api/v2/security/findings/searchhttps://api.datadoghq.eu/api/v2/security/findings/searchhttps://api.ddog-gov.com/api/v2/security/findings/searchhttps://api.datadoghq.com/api/v2/security/findings/searchhttps://api.us3.datadoghq.com/api/v2/security/findings/searchhttps://api.us5.datadoghq.com/api/v2/security/findings/search

概要

Get a list of security findings that match a search query. See the schema for security findings.

Query Syntax

The API uses the logs query syntax. Findings attributes (living in the attributes.attributes. namespace) are prefixed by @ when queried. Tags are queried without a prefix.

Example: @severity:(critical OR high) @status:open team:platform

This endpoint requires any of the following permissions:

security_monitoring_findings_read

appsec_vm_read

OAuth apps require the security_monitoring_findings_read authorization scope to access this endpoint.

リクエスト

Body Data (required)

Expand All

フィールド

種類

説明

data

object

Request data for searching security findings.

{
  "data": {
    "attributes": {
      "filter": "@severity:(critical OR high)"
    }
  }
}
{
  "data": {
    "attributes": {
      "filter": "@severity:(critical OR high)",
      "page": {
        "limit": 1
      }
    }
  }
}

応答

The expected response schema when listing security findings.

Expand All

フィールド

種類

説明

data

[object]

Array of security findings matching the search query.

links

object

Links for pagination.

meta

object

Metadata about the response.

{
  "data": [
    {
      "attributes": {
        "attributes": {
          "severity": "high",
          "status": "open"
        },
        "tags": [
          "team:platform",
          "env:prod"
        ],
        "timestamp": 1765901760
      },
      "id": "ZGVmLTAwcC1pZXJ-aS0wZjhjNjMyZDNmMzRlZTgzNw==",
      "type": "finding"
    }
  ],
  "links": {
    "next": "https://app.datadoghq.com/api/v2/security/findings?page[cursor]=eyJhZnRlciI6IkF3QUFBWnPcm1pd0FBQUJbVlBQUKBa1pqRTVdZUzSTBNemN0YWiIsLTE3Mjk0MzYwMjFdfQ==\u0026page[limit]=25"
  },
  "meta": {
    "elapsed": 548,
    "page": {
      "after": "eyJhZnRlciI6IkFRQUFBWWJiaEJXQS1OY1dqUUFBQUFCQldXSmlhRUpYUVVGQlJFSktkbTlDTUdaWFRVbDNRVUUiLCJ2YWx1ZXMiOlsiY3JpdGljYWwiXX0="
    },
    "request_id": "pddv1ChZwVlMxMUdYRFRMQ1lyb3B4MGNYbFlnIi0KHQu35LDbucx",
    "status": "done"
  }
}

Bad Request

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Forbidden

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

コード例

                          # Curl command
curl -X POST "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security/findings/search" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": {
    "attributes": {
      "filter": "@severity:(critical OR high)"
    }
  }
}
EOF

                        
                          # Curl command
curl -X POST "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security/findings/search" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": {
    "attributes": {
      "filter": "@severity:(critical OR high)",
      "page": {
        "limit": 1
      }
    }
  }
}
EOF

                        

Add a security signal to an incident

v1 (latest)

PATCH https://api.ap1.datadoghq.com/api/v1/security_analytics/signals/{signal_id}/add_to_incidenthttps://api.ap2.datadoghq.com/api/v1/security_analytics/signals/{signal_id}/add_to_incidenthttps://api.datadoghq.eu/api/v1/security_analytics/signals/{signal_id}/add_to_incidenthttps://api.ddog-gov.com/api/v1/security_analytics/signals/{signal_id}/add_to_incidenthttps://api.datadoghq.com/api/v1/security_analytics/signals/{signal_id}/add_to_incidenthttps://api.us3.datadoghq.com/api/v1/security_analytics/signals/{signal_id}/add_to_incidenthttps://api.us5.datadoghq.com/api/v1/security_analytics/signals/{signal_id}/add_to_incident

概要

インシデントにセキュリティシグナルを追加します。これにより、シグナルエクスプローラー内でインシデント別にシグナルを検索したり、インシデントタイムライン上でシグナルを表示したりすることが可能になります。 This endpoint requires the security_monitoring_signals_write permission.

引数

パスパラメーター

名前

種類

説明

signal_id [required]

string

The ID of the signal.

リクエスト

Body Data (required)

シグナルの更新を記述する属性。

Expand All

フィールド

種類

説明

add_to_signal_timeline

boolean

Whether to post the signal on the incident timeline.

incident_id [required]

int64

Public ID attribute of the incident to which the signal will be added.

version

int64

Version of the updated signal. If server side version is higher, update will be rejected.

{
  "incident_id": 2609
}

応答

Updated signal data following a successfully performed update.

Expand All

フィールド

種類

説明

status

string

Status of the response.

{
  "status": "string"
}

Bad Request

Error response object.

Expand All

フィールド

種類

説明

errors [required]

[string]

Array of errors returned by the API.

{
  "errors": [
    "Bad Request"
  ]
}

Forbidden

Error response object.

Expand All

フィールド

種類

説明

errors [required]

[string]

Array of errors returned by the API.

{
  "errors": [
    "Bad Request"
  ]
}

Not Found

Error response object.

Expand All

フィールド

種類

説明

errors [required]

[string]

Array of errors returned by the API.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

Error response object.

Expand All

フィールド

種類

説明

errors [required]

[string]

Array of errors returned by the API.

{
  "errors": [
    "Bad Request"
  ]
}

コード例

                          # Path parameters
export signal_id="CHANGE_ME"
# Curl command
curl -X PATCH "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v1/security_analytics/signals/${signal_id}/add_to_incident" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "incident_id": 2609
}
EOF

                        

// Add a security signal to an incident returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV1"
)

func main() {
	body := datadogV1.AddSignalToIncidentRequest{
		IncidentId: 2609,
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV1.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.AddSecurityMonitoringSignalToIncident(ctx, "AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE", body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.AddSecurityMonitoringSignalToIncident`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.AddSecurityMonitoringSignalToIncident`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" go run "main.go"

// Add a security signal to an incident returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v1.api.SecurityMonitoringApi;
import com.datadog.api.client.v1.model.AddSignalToIncidentRequest;
import com.datadog.api.client.v1.model.SuccessfulSignalUpdateResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    AddSignalToIncidentRequest body = new AddSignalToIncidentRequest().incidentId(2609L);

    try {
      SuccessfulSignalUpdateResponse result =
          apiInstance.addSecurityMonitoringSignalToIncident(
              "AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE", body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#addSecurityMonitoringSignalToIncident");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" java "Example.java"

"""
Add a security signal to an incident returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v1.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v1.model.add_signal_to_incident_request import AddSignalToIncidentRequest

body = AddSignalToIncidentRequest(
    incident_id=2609,
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.add_security_monitoring_signal_to_incident(
        signal_id="AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE", body=body
    )

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" python3 "example.py"

# Add a security signal to an incident returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V1::SecurityMonitoringAPI.new

body = DatadogAPIClient::V1::AddSignalToIncidentRequest.new({
  incident_id: 2609,
})
p api_instance.add_security_monitoring_signal_to_incident("AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE", body)

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" rb "example.rb"

// Add a security signal to an incident returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV1::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV1::model::AddSignalToIncidentRequest;

#[tokio::main]
async fn main() {
    let body = AddSignalToIncidentRequest::new(2609);
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .add_security_monitoring_signal_to_incident(
            "AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE".to_string(),
            body,
        )
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

Instructions

First install the library and its dependencies and then save the example to src/main.rs and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" cargo run

/**
 * Add a security signal to an incident returns "OK" response
 */

import { client, v1 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v1.SecurityMonitoringApi(configuration);

const params: v1.SecurityMonitoringApiAddSecurityMonitoringSignalToIncidentRequest =
  {
    body: {
      incidentId: 2609,
    },
    signalId: "AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE",
  };

apiInstance
  .addSecurityMonitoringSignalToIncident(params)
  .then((data: v1.SuccessfulSignalUpdateResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" tsc "example.ts"

Change the triage state of a security signal

v1
v2 (latest)

PATCH https://api.ap1.datadoghq.com/api/v1/security_analytics/signals/{signal_id}/statehttps://api.ap2.datadoghq.com/api/v1/security_analytics/signals/{signal_id}/statehttps://api.datadoghq.eu/api/v1/security_analytics/signals/{signal_id}/statehttps://api.ddog-gov.com/api/v1/security_analytics/signals/{signal_id}/statehttps://api.datadoghq.com/api/v1/security_analytics/signals/{signal_id}/statehttps://api.us3.datadoghq.com/api/v1/security_analytics/signals/{signal_id}/statehttps://api.us5.datadoghq.com/api/v1/security_analytics/signals/{signal_id}/state

概要

セキュリティシグナルのトリアージ状態を変更します。 This endpoint requires the security_monitoring_signals_write permission.

引数

パスパラメーター

名前

種類

説明

signal_id [required]

string

The ID of the signal.

リクエスト

Body Data (required)

シグナルの更新を記述する属性。

Expand All

フィールド

種類

説明

archiveComment

string

Optional comment to explain why a signal is being archived.

archiveReason

enum

Reason why a signal has been archived. Allowed enum values: none,false_positive,testing_or_maintenance,investigated_case_opened,true_positive_benign,true_positive_malicious,other

state [required]

enum

The new triage state of the signal. Allowed enum values: open,archived,under_review

version

int64

Version of the updated signal. If server side version is higher, update will be rejected.

{
  "archiveReason": "none",
  "state": "open"
}

応答

Updated signal data following a successfully performed update.

Expand All

フィールド

種類

説明

status

string

Status of the response.

{
  "status": "string"
}

Bad Request

Error response object.

Expand All

フィールド

種類

説明

errors [required]

[string]

Array of errors returned by the API.

{
  "errors": [
    "Bad Request"
  ]
}

Forbidden

Error response object.

Expand All

フィールド

種類

説明

errors [required]

[string]

Array of errors returned by the API.

{
  "errors": [
    "Bad Request"
  ]
}

Not Found

Error response object.

Expand All

フィールド

種類

説明

errors [required]

[string]

Array of errors returned by the API.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

Error response object.

Expand All

フィールド

種類

説明

errors [required]

[string]

Array of errors returned by the API.

{
  "errors": [
    "Bad Request"
  ]
}

コード例

                          # Path parameters
export signal_id="CHANGE_ME"
# Curl command
curl -X PATCH "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v1/security_analytics/signals/${signal_id}/state" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "archiveReason": "none",
  "state": "open"
}
EOF

                        

// Change the triage state of a security signal returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV1"
)

func main() {
	body := datadogV1.SignalStateUpdateRequest{
		ArchiveReason: datadogV1.SIGNALARCHIVEREASON_NONE.Ptr(),
		State:         datadogV1.SIGNALTRIAGESTATE_OPEN,
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV1.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.EditSecurityMonitoringSignalState(ctx, "AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE", body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.EditSecurityMonitoringSignalState`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.EditSecurityMonitoringSignalState`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" go run "main.go"

// Change the triage state of a security signal returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v1.api.SecurityMonitoringApi;
import com.datadog.api.client.v1.model.SignalArchiveReason;
import com.datadog.api.client.v1.model.SignalStateUpdateRequest;
import com.datadog.api.client.v1.model.SignalTriageState;
import com.datadog.api.client.v1.model.SuccessfulSignalUpdateResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SignalStateUpdateRequest body =
        new SignalStateUpdateRequest()
            .archiveReason(SignalArchiveReason.NONE)
            .state(SignalTriageState.OPEN);

    try {
      SuccessfulSignalUpdateResponse result =
          apiInstance.editSecurityMonitoringSignalState(
              "AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE", body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#editSecurityMonitoringSignalState");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" java "Example.java"

"""
Change the triage state of a security signal returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v1.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v1.model.signal_archive_reason import SignalArchiveReason
from datadog_api_client.v1.model.signal_state_update_request import SignalStateUpdateRequest
from datadog_api_client.v1.model.signal_triage_state import SignalTriageState

body = SignalStateUpdateRequest(
    archive_reason=SignalArchiveReason.NONE,
    state=SignalTriageState.OPEN,
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.edit_security_monitoring_signal_state(
        signal_id="AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE", body=body
    )

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" python3 "example.py"

# Change the triage state of a security signal returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V1::SecurityMonitoringAPI.new

body = DatadogAPIClient::V1::SignalStateUpdateRequest.new({
  archive_reason: DatadogAPIClient::V1::SignalArchiveReason::NONE,
  state: DatadogAPIClient::V1::SignalTriageState::OPEN,
})
p api_instance.edit_security_monitoring_signal_state("AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE", body)

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" rb "example.rb"

// Change the triage state of a security signal returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV1::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV1::model::SignalArchiveReason;
use datadog_api_client::datadogV1::model::SignalStateUpdateRequest;
use datadog_api_client::datadogV1::model::SignalTriageState;

#[tokio::main]
async fn main() {
    let body = SignalStateUpdateRequest::new(SignalTriageState::OPEN)
        .archive_reason(SignalArchiveReason::NONE);
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .edit_security_monitoring_signal_state(
            "AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE".to_string(),
            body,
        )
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

Instructions

First install the library and its dependencies and then save the example to src/main.rs and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" cargo run

/**
 * Change the triage state of a security signal returns "OK" response
 */

import { client, v1 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v1.SecurityMonitoringApi(configuration);

const params: v1.SecurityMonitoringApiEditSecurityMonitoringSignalStateRequest =
  {
    body: {
      archiveReason: "none",
      state: "open",
    },
    signalId: "AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE",
  };

apiInstance
  .editSecurityMonitoringSignalState(params)
  .then((data: v1.SuccessfulSignalUpdateResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" tsc "example.ts"

PATCH https://api.ap1.datadoghq.com/api/v2/security_monitoring/signals/{signal_id}/statehttps://api.ap2.datadoghq.com/api/v2/security_monitoring/signals/{signal_id}/statehttps://api.datadoghq.eu/api/v2/security_monitoring/signals/{signal_id}/statehttps://api.ddog-gov.com/api/v2/security_monitoring/signals/{signal_id}/statehttps://api.datadoghq.com/api/v2/security_monitoring/signals/{signal_id}/statehttps://api.us3.datadoghq.com/api/v2/security_monitoring/signals/{signal_id}/statehttps://api.us5.datadoghq.com/api/v2/security_monitoring/signals/{signal_id}/state

概要

セキュリティシグナルのトリアージ状態を変更します。 This endpoint requires the security_monitoring_signals_write permission.

引数

パスパラメーター

名前

種類

説明

signal_id [required]

string

The ID of the signal.

リクエスト

Body Data (required)

シグナルの更新を記述する属性。

Expand All

フィールド

種類

説明

data [required]

object

Data containing the patch for changing the state of a signal.

{
  "data": {
    "attributes": {
      "archive_reason": "none",
      "state": "open"
    }
  }
}

応答

The response returned after all triage operations, containing the updated signal triage data.

Expand All

フィールド

種類

説明

data [required]

object

Data containing the updated triage attributes of the signal.

{
  "data": {
    "attributes": {
      "archive_comment": "string",
      "archive_comment_timestamp": "integer",
      "archive_comment_user": {
        "handle": "string",
        "icon": "/path/to/matching/gravatar/icon",
        "id": "integer",
        "name": "string",
        "uuid": "773b045d-ccf8-4808-bd3b-955ef6a8c940"
      },
      "archive_reason": "string",
      "assignee": {
        "handle": "string",
        "icon": "/path/to/matching/gravatar/icon",
        "id": "integer",
        "name": "string",
        "uuid": "773b045d-ccf8-4808-bd3b-955ef6a8c940"
      },
      "incident_ids": [
        2066
      ],
      "state": "open",
      "state_update_timestamp": "integer",
      "state_update_user": {
        "handle": "string",
        "icon": "/path/to/matching/gravatar/icon",
        "id": "integer",
        "name": "string",
        "uuid": "773b045d-ccf8-4808-bd3b-955ef6a8c940"
      }
    },
    "id": "string",
    "type": "signal_metadata"
  }
}

Bad Request

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Forbidden

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Found

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

コード例

                          # Path parameters
export signal_id="CHANGE_ME"
# Curl command
curl -X PATCH "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/signals/${signal_id}/state" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": {
    "attributes": {
      "archive_reason": "none",
      "state": "open"
    }
  }
}
EOF

                        

// Change the triage state of a security signal returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.SecurityMonitoringSignalStateUpdateRequest{
		Data: datadogV2.SecurityMonitoringSignalStateUpdateData{
			Attributes: datadogV2.SecurityMonitoringSignalStateUpdateAttributes{
				ArchiveReason: datadogV2.SECURITYMONITORINGSIGNALARCHIVEREASON_NONE.Ptr(),
				State:         datadogV2.SECURITYMONITORINGSIGNALSTATE_OPEN,
			},
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.EditSecurityMonitoringSignalState(ctx, "AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE", body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.EditSecurityMonitoringSignalState`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.EditSecurityMonitoringSignalState`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" go run "main.go"

// Change the triage state of a security signal returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalArchiveReason;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalState;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalStateUpdateAttributes;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalStateUpdateData;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalStateUpdateRequest;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalTriageUpdateResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SecurityMonitoringSignalStateUpdateRequest body =
        new SecurityMonitoringSignalStateUpdateRequest()
            .data(
                new SecurityMonitoringSignalStateUpdateData()
                    .attributes(
                        new SecurityMonitoringSignalStateUpdateAttributes()
                            .archiveReason(SecurityMonitoringSignalArchiveReason.NONE)
                            .state(SecurityMonitoringSignalState.OPEN)));

    try {
      SecurityMonitoringSignalTriageUpdateResponse result =
          apiInstance.editSecurityMonitoringSignalState(
              "AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE", body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#editSecurityMonitoringSignalState");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" java "Example.java"

"""
Change the triage state of a security signal returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_signal_archive_reason import SecurityMonitoringSignalArchiveReason
from datadog_api_client.v2.model.security_monitoring_signal_state import SecurityMonitoringSignalState
from datadog_api_client.v2.model.security_monitoring_signal_state_update_attributes import (
    SecurityMonitoringSignalStateUpdateAttributes,
)
from datadog_api_client.v2.model.security_monitoring_signal_state_update_data import (
    SecurityMonitoringSignalStateUpdateData,
)
from datadog_api_client.v2.model.security_monitoring_signal_state_update_request import (
    SecurityMonitoringSignalStateUpdateRequest,
)

body = SecurityMonitoringSignalStateUpdateRequest(
    data=SecurityMonitoringSignalStateUpdateData(
        attributes=SecurityMonitoringSignalStateUpdateAttributes(
            archive_reason=SecurityMonitoringSignalArchiveReason.NONE,
            state=SecurityMonitoringSignalState.OPEN,
        ),
    ),
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.edit_security_monitoring_signal_state(
        signal_id="AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE", body=body
    )

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" python3 "example.py"

# Change the triage state of a security signal returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::SecurityMonitoringSignalStateUpdateRequest.new({
  data: DatadogAPIClient::V2::SecurityMonitoringSignalStateUpdateData.new({
    attributes: DatadogAPIClient::V2::SecurityMonitoringSignalStateUpdateAttributes.new({
      archive_reason: DatadogAPIClient::V2::SecurityMonitoringSignalArchiveReason::NONE,
      state: DatadogAPIClient::V2::SecurityMonitoringSignalState::OPEN,
    }),
  }),
})
p api_instance.edit_security_monitoring_signal_state("AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE", body)

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" rb "example.rb"

// Change the triage state of a security signal returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringSignalArchiveReason;
use datadog_api_client::datadogV2::model::SecurityMonitoringSignalState;
use datadog_api_client::datadogV2::model::SecurityMonitoringSignalStateUpdateAttributes;
use datadog_api_client::datadogV2::model::SecurityMonitoringSignalStateUpdateData;
use datadog_api_client::datadogV2::model::SecurityMonitoringSignalStateUpdateRequest;

#[tokio::main]
async fn main() {
    let body = SecurityMonitoringSignalStateUpdateRequest::new(
        SecurityMonitoringSignalStateUpdateData::new(
            SecurityMonitoringSignalStateUpdateAttributes::new(SecurityMonitoringSignalState::OPEN)
                .archive_reason(SecurityMonitoringSignalArchiveReason::NONE),
        ),
    );
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .edit_security_monitoring_signal_state(
            "AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE".to_string(),
            body,
        )
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

Instructions

First install the library and its dependencies and then save the example to src/main.rs and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" cargo run

/**
 * Change the triage state of a security signal returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiEditSecurityMonitoringSignalStateRequest =
  {
    body: {
      data: {
        attributes: {
          archiveReason: "none",
          state: "open",
        },
      },
    },
    signalId: "AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE",
  };

apiInstance
  .editSecurityMonitoringSignalState(params)
  .then((data: v2.SecurityMonitoringSignalTriageUpdateResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" tsc "example.ts"

Create a custom framework

v2 (latest)

POST https://api.ap1.datadoghq.com/api/v2/cloud_security_management/custom_frameworkshttps://api.ap2.datadoghq.com/api/v2/cloud_security_management/custom_frameworkshttps://api.datadoghq.eu/api/v2/cloud_security_management/custom_frameworkshttps://api.ddog-gov.com/api/v2/cloud_security_management/custom_frameworkshttps://api.datadoghq.com/api/v2/cloud_security_management/custom_frameworkshttps://api.us3.datadoghq.com/api/v2/cloud_security_management/custom_frameworkshttps://api.us5.datadoghq.com/api/v2/cloud_security_management/custom_frameworks

概要

Create a custom framework. This endpoint requires all of the following permissions:

security_monitoring_rules_read

security_monitoring_rules_write

OAuth apps require the security_monitoring_rules_read, security_monitoring_rules_write authorization scope to access this endpoint.

リクエスト

Body Data (required)

Expand All

フィールド

種類

説明

data [required]

object

Contains type and attributes for custom frameworks.

{
  "data": {
    "type": "custom_framework",
    "attributes": {
      "name": "name",
      "handle": "create-framework-new",
      "version": "10",
      "icon_url": "test-url",
      "requirements": [
        {
          "name": "requirement",
          "controls": [
            {
              "name": "control",
              "rules_id": [
                "def-000-be9"
              ]
            }
          ]
        }
      ]
    }
  }
}

応答

Response object to create a custom framework.

Expand All

フィールド

種類

説明

data [required]

object

Contains type and attributes for custom frameworks.

{
  "data": {
    "attributes": {
      "handle": "sec2",
      "version": "2"
    },
    "id": "handle-version",
    "type": "custom_framework"
  }
}

Bad Request

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Conflict

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Bad Request

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

コード例

                          # Curl command
curl -X POST "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/cloud_security_management/custom_frameworks" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": {
    "type": "custom_framework",
    "attributes": {
      "name": "name",
      "handle": "create-framework-new",
      "version": "10",
      "icon_url": "test-url",
      "requirements": [
        {
          "name": "requirement",
          "controls": [
            {
              "name": "control",
              "rules_id": [
                "def-000-be9"
              ]
            }
          ]
        }
      ]
    }
  }
}
EOF

                        

// Create a custom framework returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.CreateCustomFrameworkRequest{
		Data: datadogV2.CustomFrameworkData{
			Type: datadogV2.CUSTOMFRAMEWORKTYPE_CUSTOM_FRAMEWORK,
			Attributes: datadogV2.CustomFrameworkDataAttributes{
				Name:    "name",
				Handle:  "create-framework-new",
				Version: "10",
				IconUrl: datadog.PtrString("test-url"),
				Requirements: []datadogV2.CustomFrameworkRequirement{
					{
						Name: "requirement",
						Controls: []datadogV2.CustomFrameworkControl{
							{
								Name: "control",
								RulesId: []string{
									"def-000-be9",
								},
							},
						},
					},
				},
			},
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.CreateCustomFramework(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.CreateCustomFramework`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.CreateCustomFramework`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"

// Create a custom framework returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.CreateCustomFrameworkRequest;
import com.datadog.api.client.v2.model.CreateCustomFrameworkResponse;
import com.datadog.api.client.v2.model.CustomFrameworkControl;
import com.datadog.api.client.v2.model.CustomFrameworkData;
import com.datadog.api.client.v2.model.CustomFrameworkDataAttributes;
import com.datadog.api.client.v2.model.CustomFrameworkRequirement;
import com.datadog.api.client.v2.model.CustomFrameworkType;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    CreateCustomFrameworkRequest body =
        new CreateCustomFrameworkRequest()
            .data(
                new CustomFrameworkData()
                    .type(CustomFrameworkType.CUSTOM_FRAMEWORK)
                    .attributes(
                        new CustomFrameworkDataAttributes()
                            .name("name")
                            .handle("create-framework-new")
                            .version("10")
                            .iconUrl("test-url")
                            .requirements(
                                Collections.singletonList(
                                    new CustomFrameworkRequirement()
                                        .name("requirement")
                                        .controls(
                                            Collections.singletonList(
                                                new CustomFrameworkControl()
                                                    .name("control")
                                                    .rulesId(
                                                        Collections.singletonList(
                                                            "def-000-be9"))))))));

    try {
      CreateCustomFrameworkResponse result = apiInstance.createCustomFramework(body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#createCustomFramework");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

"""
Create a custom framework returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.create_custom_framework_request import CreateCustomFrameworkRequest
from datadog_api_client.v2.model.custom_framework_control import CustomFrameworkControl
from datadog_api_client.v2.model.custom_framework_data import CustomFrameworkData
from datadog_api_client.v2.model.custom_framework_data_attributes import CustomFrameworkDataAttributes
from datadog_api_client.v2.model.custom_framework_requirement import CustomFrameworkRequirement
from datadog_api_client.v2.model.custom_framework_type import CustomFrameworkType

body = CreateCustomFrameworkRequest(
    data=CustomFrameworkData(
        type=CustomFrameworkType.CUSTOM_FRAMEWORK,
        attributes=CustomFrameworkDataAttributes(
            name="name",
            handle="create-framework-new",
            version="10",
            icon_url="test-url",
            requirements=[
                CustomFrameworkRequirement(
                    name="requirement",
                    controls=[
                        CustomFrameworkControl(
                            name="control",
                            rules_id=[
                                "def-000-be9",
                            ],
                        ),
                    ],
                ),
            ],
        ),
    ),
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.create_custom_framework(body=body)

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"

# Create a custom framework returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::CreateCustomFrameworkRequest.new({
  data: DatadogAPIClient::V2::CustomFrameworkData.new({
    type: DatadogAPIClient::V2::CustomFrameworkType::CUSTOM_FRAMEWORK,
    attributes: DatadogAPIClient::V2::CustomFrameworkDataAttributes.new({
      name: "name",
      handle: "create-framework-new",
      version: "10",
      icon_url: "test-url",
      requirements: [
        DatadogAPIClient::V2::CustomFrameworkRequirement.new({
          name: "requirement",
          controls: [
            DatadogAPIClient::V2::CustomFrameworkControl.new({
              name: "control",
              rules_id: [
                "def-000-be9",
              ],
            }),
          ],
        }),
      ],
    }),
  }),
})
p api_instance.create_custom_framework(body)

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"

// Create a custom framework returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::CreateCustomFrameworkRequest;
use datadog_api_client::datadogV2::model::CustomFrameworkControl;
use datadog_api_client::datadogV2::model::CustomFrameworkData;
use datadog_api_client::datadogV2::model::CustomFrameworkDataAttributes;
use datadog_api_client::datadogV2::model::CustomFrameworkRequirement;
use datadog_api_client::datadogV2::model::CustomFrameworkType;

#[tokio::main]
async fn main() {
    let body = CreateCustomFrameworkRequest::new(CustomFrameworkData::new(
        CustomFrameworkDataAttributes::new(
            "create-framework-new".to_string(),
            "name".to_string(),
            vec![CustomFrameworkRequirement::new(
                vec![CustomFrameworkControl::new(
                    "control".to_string(),
                    vec!["def-000-be9".to_string()],
                )],
                "requirement".to_string(),
            )],
            "10".to_string(),
        )
        .icon_url("test-url".to_string()),
        CustomFrameworkType::CUSTOM_FRAMEWORK,
    ));
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.create_custom_framework(body).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

Instructions

First install the library and its dependencies and then save the example to src/main.rs and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run

/**
 * Create a custom framework returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiCreateCustomFrameworkRequest = {
  body: {
    data: {
      type: "custom_framework",
      attributes: {
        name: "name",
        handle: "create-framework-new",
        version: "10",
        iconUrl: "test-url",
        requirements: [
          {
            name: "requirement",
            controls: [
              {
                name: "control",
                rulesId: ["def-000-be9"],
              },
            ],
          },
        ],
      },
    },
  },
};

apiInstance
  .createCustomFramework(params)
  .then((data: v2.CreateCustomFrameworkResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

Create a detection rule

v2 (latest)

POST https://api.ap1.datadoghq.com/api/v2/security_monitoring/ruleshttps://api.ap2.datadoghq.com/api/v2/security_monitoring/ruleshttps://api.datadoghq.eu/api/v2/security_monitoring/ruleshttps://api.ddog-gov.com/api/v2/security_monitoring/ruleshttps://api.datadoghq.com/api/v2/security_monitoring/ruleshttps://api.us3.datadoghq.com/api/v2/security_monitoring/ruleshttps://api.us5.datadoghq.com/api/v2/security_monitoring/rules

概要

Create a detection rule. This endpoint requires the security_monitoring_rules_write permission.

OAuth apps require the security_monitoring_rules_write authorization scope to access this endpoint.

リクエスト

Body Data (required)

Expand All

フィールド

種類

説明

Option 1

object

Create a new rule.

options [required]

object

Options.

Option 2

object

Create a new signal correlation rule.

options [required]

object

Options.

Option 3

object

Create a new cloud configuration rule.

{
  "type": "cloud_configuration",
  "name": "Example-Security-Monitoring_cloud",
  "isEnabled": false,
  "cases": [
    {
      "status": "info",
      "notifications": [
        "channel"
      ]
    }
  ],
  "options": {
    "complianceRuleOptions": {
      "resourceType": "gcp_compute_disk",
      "complexRule": false,
      "regoRule": {
        "policy": "package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nmilliseconds_in_a_day := ((1000 * 60) * 60) * 24\n\neval(iam_service_account_key) = \"skip\" if {\n\tiam_service_account_key.disabled\n} else = \"pass\" if {\n\t(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n",
        "resourceTypes": [
          "gcp_compute_disk"
        ]
      }
    }
  },
  "message": "ddd",
  "tags": [
    "my:tag"
  ],
  "complianceSignalOptions": {
    "userActivationStatus": true,
    "userGroupByFields": [
      "@account_id"
    ]
  },
  "filters": [
    {
      "action": "require",
      "query": "resource_id:helo*"
    },
    {
      "action": "suppress",
      "query": "control:helo*"
    }
  ]
}
{
  "name": "Example-Security-Monitoring",
  "queries": [
    {
      "query": "@test:true",
      "aggregation": "count",
      "groupByFields": [],
      "distinctFields": [],
      "metric": ""
    }
  ],
  "filters": [],
  "cases": [
    {
      "name": "",
      "status": "info",
      "condition": "a > 0",
      "notifications": []
    }
  ],
  "options": {
    "evaluationWindow": 900,
    "keepAlive": 3600,
    "maxSignalDuration": 86400
  },
  "message": "Test rule",
  "tags": [],
  "isEnabled": true,
  "type": "log_detection",
  "referenceTables": [
    {
      "tableName": "synthetics_test_reference_table_dont_delete",
      "columnName": "value",
      "logFieldPath": "testtag",
      "checkPresence": true,
      "ruleQueryName": "a"
    }
  ]
}
{
  "name": "Example-Security-Monitoring",
  "type": "log_detection",
  "isEnabled": true,
  "queries": [
    {
      "aggregation": "count",
      "dataSource": "logs",
      "distinctFields": [],
      "groupByFields": [
        "@usr.email",
        "@network.client.ip"
      ],
      "hasOptionalGroupByFields": false,
      "name": "",
      "query": "service:app status:error"
    }
  ],
  "cases": [
    {
      "name": "",
      "status": "info",
      "notifications": [],
      "condition": "a > 0.995"
    }
  ],
  "message": "An anomaly detection rule",
  "options": {
    "detectionMethod": "anomaly_detection",
    "evaluationWindow": 900,
    "keepAlive": 3600,
    "maxSignalDuration": 86400,
    "anomalyDetectionOptions": {
      "bucketDuration": 300,
      "learningDuration": 24,
      "detectionTolerance": 3,
      "learningPeriodBaseline": 10
    }
  },
  "tags": [],
  "filters": []
}

応答

Create a new rule.

Expand All

フィールド

種類

説明

Option 1

object

Rule.

options

object

Options.

Option 2

object

Rule.

options

object

Options.

{
  "calculatedFields": [
    {
      "expression": "@request_end_timestamp - @request_start_timestamp",
      "name": "response_time"
    }
  ],
  "cases": [
    {
      "actions": [
        {
          "options": {
            "duration": 0,
            "flaggedIPType": "FLAGGED",
            "userBehaviorName": "string"
          },
          "type": "string"
        }
      ],
      "condition": "string",
      "customStatus": "critical",
      "name": "string",
      "notifications": [],
      "status": "critical"
    }
  ],
  "complianceSignalOptions": {
    "defaultActivationStatus": false,
    "defaultGroupByFields": [],
    "userActivationStatus": false,
    "userGroupByFields": []
  },
  "createdAt": "integer",
  "creationAuthorId": "integer",
  "customMessage": "string",
  "customName": "string",
  "defaultTags": [
    "security:attacks"
  ],
  "deprecationDate": "integer",
  "filters": [
    {
      "action": "string",
      "query": "string"
    }
  ],
  "groupSignalsBy": [
    "service"
  ],
  "hasExtendedTitle": false,
  "id": "string",
  "isDefault": false,
  "isDeleted": false,
  "isEnabled": false,
  "message": "string",
  "name": "string",
  "options": {
    "anomalyDetectionOptions": {
      "bucketDuration": 300,
      "detectionTolerance": 5,
      "learningDuration": "integer",
      "learningPeriodBaseline": "integer"
    },
    "complianceRuleOptions": {
      "complexRule": false,
      "regoRule": {
        "policy": "package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(resource) = \"skip\" if {\n  # Logic that evaluates to true if the resource should be skipped\n  true\n} else = \"pass\" {\n  # Logic that evaluates to true if the resource is compliant\n  true\n} else = \"fail\" {\n  # Logic that evaluates to true if the resource is not compliant\n  true\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n  some resource in input.resources[input.main_resource_type]\n  result := dd_output.format(resource, eval(resource))\n}",
        "resourceTypes": [
          "gcp_iam_service_account",
          "gcp_iam_policy"
        ]
      },
      "resourceType": "aws_acm"
    },
    "decreaseCriticalityBasedOnEnv": false,
    "detectionMethod": "string",
    "evaluationWindow": "integer",
    "hardcodedEvaluatorType": "string",
    "impossibleTravelOptions": {
      "baselineUserLocations": true
    },
    "keepAlive": "integer",
    "maxSignalDuration": "integer",
    "newValueOptions": {
      "forgetAfter": "integer",
      "instantaneousBaseline": false,
      "learningDuration": "integer",
      "learningMethod": "string",
      "learningThreshold": "integer"
    },
    "sequenceDetectionOptions": {
      "stepTransitions": [
        {
          "child": "string",
          "evaluationWindow": "integer",
          "parent": "string"
        }
      ],
      "steps": [
        {
          "condition": "string",
          "evaluationWindow": "integer",
          "name": "string"
        }
      ]
    },
    "thirdPartyRuleOptions": {
      "defaultNotifications": [],
      "defaultStatus": "critical",
      "rootQueries": [
        {
          "groupByFields": [],
          "query": "source:cloudtrail"
        }
      ],
      "signalTitleTemplate": "string"
    }
  },
  "queries": [
    {
      "aggregation": "string",
      "customQueryExtension": "a > 3",
      "dataSource": "logs",
      "distinctFields": [],
      "groupByFields": [],
      "hasOptionalGroupByFields": false,
      "index": "string",
      "indexes": [],
      "metric": "string",
      "metrics": [],
      "name": "string",
      "query": "a > 3"
    }
  ],
  "referenceTables": [
    {
      "checkPresence": false,
      "columnName": "string",
      "logFieldPath": "string",
      "ruleQueryName": "string",
      "tableName": "string"
    }
  ],
  "schedulingOptions": {
    "rrule": "FREQ=HOURLY;INTERVAL=1;",
    "start": "2025-07-14T12:00:00",
    "timezone": "America/New_York"
  },
  "tags": [],
  "thirdPartyCases": [
    {
      "customStatus": "critical",
      "name": "string",
      "notifications": [],
      "query": "string",
      "status": "critical"
    }
  ],
  "type": "string",
  "updateAuthorId": "integer",
  "updatedAt": "integer",
  "version": "integer"
}

Bad Request

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Authorized

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

コード例

                          # Curl command
curl -X POST "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/rules" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "type": "cloud_configuration",
  "name": "Example-Security-Monitoring_cloud",
  "isEnabled": false,
  "cases": [
    {
      "status": "info",
      "notifications": [
        "channel"
      ]
    }
  ],
  "options": {
    "complianceRuleOptions": {
      "resourceType": "gcp_compute_disk",
      "complexRule": false,
      "regoRule": {
        "policy": "package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nmilliseconds_in_a_day := ((1000 * 60) * 60) * 24\n\neval(iam_service_account_key) = \"skip\" if {\n\tiam_service_account_key.disabled\n} else = \"pass\" if {\n\t(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n",
        "resourceTypes": [
          "gcp_compute_disk"
        ]
      }
    }
  },
  "message": "ddd",
  "tags": [
    "my:tag"
  ],
  "complianceSignalOptions": {
    "userActivationStatus": true,
    "userGroupByFields": [
      "@account_id"
    ]
  },
  "filters": [
    {
      "action": "require",
      "query": "resource_id:helo*"
    },
    {
      "action": "suppress",
      "query": "control:helo*"
    }
  ]
}
EOF

                        
                          # Curl command
curl -X POST "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/rules" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "name": "Example-Security-Monitoring",
  "queries": [
    {
      "query": "@test:true",
      "aggregation": "count",
      "groupByFields": [],
      "distinctFields": [],
      "metric": ""
    }
  ],
  "filters": [],
  "cases": [
    {
      "name": "",
      "status": "info",
      "condition": "a > 0",
      "notifications": []
    }
  ],
  "options": {
    "evaluationWindow": 900,
    "keepAlive": 3600,
    "maxSignalDuration": 86400
  },
  "message": "Test rule",
  "tags": [],
  "isEnabled": true,
  "type": "log_detection",
  "referenceTables": [
    {
      "tableName": "synthetics_test_reference_table_dont_delete",
      "columnName": "value",
      "logFieldPath": "testtag",
      "checkPresence": true,
      "ruleQueryName": "a"
    }
  ]
}
EOF

                        
                          # Curl command
curl -X POST "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/rules" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "name": "Example-Security-Monitoring",
  "type": "log_detection",
  "isEnabled": true,
  "queries": [
    {
      "aggregation": "count",
      "dataSource": "logs",
      "distinctFields": [],
      "groupByFields": [
        "@usr.email",
        "@network.client.ip"
      ],
      "hasOptionalGroupByFields": false,
      "name": "",
      "query": "service:app status:error"
    }
  ],
  "cases": [
    {
      "name": "",
      "status": "info",
      "notifications": [],
      "condition": "a > 0.995"
    }
  ],
  "message": "An anomaly detection rule",
  "options": {
    "detectionMethod": "anomaly_detection",
    "evaluationWindow": 900,
    "keepAlive": 3600,
    "maxSignalDuration": 86400,
    "anomalyDetectionOptions": {
      "bucketDuration": 300,
      "learningDuration": 24,
      "detectionTolerance": 3,
      "learningPeriodBaseline": 10
    }
  },
  "tags": [],
  "filters": []
}
EOF

                        

// Create a cloud_configuration rule returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.SecurityMonitoringRuleCreatePayload{
		CloudConfigurationRuleCreatePayload: &datadogV2.CloudConfigurationRuleCreatePayload{
			Type:      datadogV2.CLOUDCONFIGURATIONRULETYPE_CLOUD_CONFIGURATION.Ptr(),
			Name:      "Example-Security-Monitoring_cloud",
			IsEnabled: false,
			Cases: []datadogV2.CloudConfigurationRuleCaseCreate{
				{
					Status: datadogV2.SECURITYMONITORINGRULESEVERITY_INFO,
					Notifications: []string{
						"channel",
					},
				},
			},
			Options: datadogV2.CloudConfigurationRuleOptions{
				ComplianceRuleOptions: datadogV2.CloudConfigurationComplianceRuleOptions{
					ResourceType: datadog.PtrString("gcp_compute_disk"),
					ComplexRule:  datadog.PtrBool(false),
					RegoRule: &datadogV2.CloudConfigurationRegoRule{
						Policy: `package datadog

import data.datadog.output as dd_output

import future.keywords.contains
import future.keywords.if
import future.keywords.in

milliseconds_in_a_day := ((1000 * 60) * 60) * 24

eval(iam_service_account_key) = "skip" if {
	iam_service_account_key.disabled
} else = "pass" if {
	(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90
} else = "fail"

# This part remains unchanged for all rules
results contains result if {
	some resource in input.resources[input.main_resource_type]
	result := dd_output.format(resource, eval(resource))
}
`,
						ResourceTypes: []string{
							"gcp_compute_disk",
						},
					},
				},
			},
			Message: "ddd",
			Tags: []string{
				"my:tag",
			},
			ComplianceSignalOptions: datadogV2.CloudConfigurationRuleComplianceSignalOptions{
				UserActivationStatus: *datadog.NewNullableBool(datadog.PtrBool(true)),
				UserGroupByFields: *datadog.NewNullableList(&[]string{
					"@account_id",
				}),
			},
			Filters: []datadogV2.SecurityMonitoringFilter{
				{
					Action: datadogV2.SECURITYMONITORINGFILTERACTION_REQUIRE.Ptr(),
					Query:  datadog.PtrString("resource_id:helo*"),
				},
				{
					Action: datadogV2.SECURITYMONITORINGFILTERACTION_SUPPRESS.Ptr(),
					Query:  datadog.PtrString("control:helo*"),
				},
			},
		}}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.CreateSecurityMonitoringRule(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.CreateSecurityMonitoringRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.CreateSecurityMonitoringRule`:\n%s\n", responseContent)
}

// Create a detection rule returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.SecurityMonitoringRuleCreatePayload{
		SecurityMonitoringStandardRuleCreatePayload: &datadogV2.SecurityMonitoringStandardRuleCreatePayload{
			Name: "Example-Security-Monitoring",
			Queries: []datadogV2.SecurityMonitoringStandardRuleQuery{
				{
					Query:          datadog.PtrString("@test:true"),
					Aggregation:    datadogV2.SECURITYMONITORINGRULEQUERYAGGREGATION_COUNT.Ptr(),
					GroupByFields:  []string{},
					DistinctFields: []string{},
					Metric:         datadog.PtrString(""),
				},
			},
			Filters: []datadogV2.SecurityMonitoringFilter{},
			Cases: []datadogV2.SecurityMonitoringRuleCaseCreate{
				{
					Name:          datadog.PtrString(""),
					Status:        datadogV2.SECURITYMONITORINGRULESEVERITY_INFO,
					Condition:     datadog.PtrString("a > 0"),
					Notifications: []string{},
				},
			},
			Options: datadogV2.SecurityMonitoringRuleOptions{
				EvaluationWindow:  datadogV2.SECURITYMONITORINGRULEEVALUATIONWINDOW_FIFTEEN_MINUTES.Ptr(),
				KeepAlive:         datadogV2.SECURITYMONITORINGRULEKEEPALIVE_ONE_HOUR.Ptr(),
				MaxSignalDuration: datadogV2.SECURITYMONITORINGRULEMAXSIGNALDURATION_ONE_DAY.Ptr(),
			},
			Message:   "Test rule",
			Tags:      []string{},
			IsEnabled: true,
			Type:      datadogV2.SECURITYMONITORINGRULETYPECREATE_LOG_DETECTION.Ptr(),
			ReferenceTables: []datadogV2.SecurityMonitoringReferenceTable{
				{
					TableName:     datadog.PtrString("synthetics_test_reference_table_dont_delete"),
					ColumnName:    datadog.PtrString("value"),
					LogFieldPath:  datadog.PtrString("testtag"),
					CheckPresence: datadog.PtrBool(true),
					RuleQueryName: datadog.PtrString("a"),
				},
			},
		}}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.CreateSecurityMonitoringRule(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.CreateSecurityMonitoringRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.CreateSecurityMonitoringRule`:\n%s\n", responseContent)
}

// Create a detection rule with detection method 'anomaly_detection' returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.SecurityMonitoringRuleCreatePayload{
		SecurityMonitoringStandardRuleCreatePayload: &datadogV2.SecurityMonitoringStandardRuleCreatePayload{
			Name:      "Example-Security-Monitoring",
			Type:      datadogV2.SECURITYMONITORINGRULETYPECREATE_LOG_DETECTION.Ptr(),
			IsEnabled: true,
			Queries: []datadogV2.SecurityMonitoringStandardRuleQuery{
				{
					Aggregation:    datadogV2.SECURITYMONITORINGRULEQUERYAGGREGATION_COUNT.Ptr(),
					DataSource:     datadogV2.SECURITYMONITORINGSTANDARDDATASOURCE_LOGS.Ptr(),
					DistinctFields: []string{},
					GroupByFields: []string{
						"@usr.email",
						"@network.client.ip",
					},
					HasOptionalGroupByFields: datadog.PtrBool(false),
					Name:                     datadog.PtrString(""),
					Query:                    datadog.PtrString("service:app status:error"),
				},
			},
			Cases: []datadogV2.SecurityMonitoringRuleCaseCreate{
				{
					Name:          datadog.PtrString(""),
					Status:        datadogV2.SECURITYMONITORINGRULESEVERITY_INFO,
					Notifications: []string{},
					Condition:     datadog.PtrString("a > 0.995"),
				},
			},
			Message: "An anomaly detection rule",
			Options: datadogV2.SecurityMonitoringRuleOptions{
				DetectionMethod:   datadogV2.SECURITYMONITORINGRULEDETECTIONMETHOD_ANOMALY_DETECTION.Ptr(),
				EvaluationWindow:  datadogV2.SECURITYMONITORINGRULEEVALUATIONWINDOW_FIFTEEN_MINUTES.Ptr(),
				KeepAlive:         datadogV2.SECURITYMONITORINGRULEKEEPALIVE_ONE_HOUR.Ptr(),
				MaxSignalDuration: datadogV2.SECURITYMONITORINGRULEMAXSIGNALDURATION_ONE_DAY.Ptr(),
				AnomalyDetectionOptions: &datadogV2.SecurityMonitoringRuleAnomalyDetectionOptions{
					BucketDuration:         datadogV2.SECURITYMONITORINGRULEANOMALYDETECTIONOPTIONSBUCKETDURATION_FIVE_MINUTES.Ptr(),
					LearningDuration:       datadogV2.SECURITYMONITORINGRULEANOMALYDETECTIONOPTIONSLEARNINGDURATION_ONE_DAY.Ptr(),
					DetectionTolerance:     datadogV2.SECURITYMONITORINGRULEANOMALYDETECTIONOPTIONSDETECTIONTOLERANCE_THREE.Ptr(),
					LearningPeriodBaseline: datadog.PtrInt64(10),
				},
			},
			Tags:    []string{},
			Filters: []datadogV2.SecurityMonitoringFilter{},
		}}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.CreateSecurityMonitoringRule(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.CreateSecurityMonitoringRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.CreateSecurityMonitoringRule`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"

// Create a cloud_configuration rule returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.CloudConfigurationComplianceRuleOptions;
import com.datadog.api.client.v2.model.CloudConfigurationRegoRule;
import com.datadog.api.client.v2.model.CloudConfigurationRuleCaseCreate;
import com.datadog.api.client.v2.model.CloudConfigurationRuleComplianceSignalOptions;
import com.datadog.api.client.v2.model.CloudConfigurationRuleCreatePayload;
import com.datadog.api.client.v2.model.CloudConfigurationRuleOptions;
import com.datadog.api.client.v2.model.CloudConfigurationRuleType;
import com.datadog.api.client.v2.model.SecurityMonitoringFilter;
import com.datadog.api.client.v2.model.SecurityMonitoringFilterAction;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCreatePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleResponse;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSeverity;
import java.util.Arrays;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SecurityMonitoringRuleCreatePayload body =
        new SecurityMonitoringRuleCreatePayload(
            new CloudConfigurationRuleCreatePayload()
                .type(CloudConfigurationRuleType.CLOUD_CONFIGURATION)
                .name("Example-Security-Monitoring_cloud")
                .isEnabled(false)
                .cases(
                    Collections.singletonList(
                        new CloudConfigurationRuleCaseCreate()
                            .status(SecurityMonitoringRuleSeverity.INFO)
                            .notifications(Collections.singletonList("channel"))))
                .options(
                    new CloudConfigurationRuleOptions()
                        .complianceRuleOptions(
                            new CloudConfigurationComplianceRuleOptions()
                                .resourceType("gcp_compute_disk")
                                .complexRule(false)
                                .regoRule(
                                    new CloudConfigurationRegoRule()
                                        .policy(
                                            """
package datadog

import data.datadog.output as dd_output

import future.keywords.contains
import future.keywords.if
import future.keywords.in

milliseconds_in_a_day := ((1000 * 60) * 60) * 24

eval(iam_service_account_key) = "skip" if {
	iam_service_account_key.disabled
} else = "pass" if {
	(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90
} else = "fail"

# This part remains unchanged for all rules
results contains result if {
	some resource in input.resources[input.main_resource_type]
	result := dd_output.format(resource, eval(resource))
}

""")
                                        .resourceTypes(
                                            Collections.singletonList("gcp_compute_disk")))))
                .message("ddd")
                .tags(Collections.singletonList("my:tag"))
                .complianceSignalOptions(
                    new CloudConfigurationRuleComplianceSignalOptions()
                        .userActivationStatus(true)
                        .userGroupByFields(Collections.singletonList("@account_id")))
                .filters(
                    Arrays.asList(
                        new SecurityMonitoringFilter()
                            .action(SecurityMonitoringFilterAction.REQUIRE)
                            .query("resource_id:helo*"),
                        new SecurityMonitoringFilter()
                            .action(SecurityMonitoringFilterAction.SUPPRESS)
                            .query("control:helo*"))));

    try {
      SecurityMonitoringRuleResponse result = apiInstance.createSecurityMonitoringRule(body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#createSecurityMonitoringRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

// Create a detection rule returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringReferenceTable;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCaseCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCreatePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleEvaluationWindow;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleKeepAlive;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleMaxSignalDuration;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleOptions;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleQueryAggregation;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleResponse;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSeverity;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleTypeCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRuleCreatePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRuleQuery;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SecurityMonitoringRuleCreatePayload body =
        new SecurityMonitoringRuleCreatePayload(
            new SecurityMonitoringStandardRuleCreatePayload()
                .name("Example-Security-Monitoring")
                .queries(
                    Collections.singletonList(
                        new SecurityMonitoringStandardRuleQuery()
                            .query("@test:true")
                            .aggregation(SecurityMonitoringRuleQueryAggregation.COUNT)
                            .metric("")))
                .cases(
                    Collections.singletonList(
                        new SecurityMonitoringRuleCaseCreate()
                            .name("")
                            .status(SecurityMonitoringRuleSeverity.INFO)
                            .condition("a > 0")))
                .options(
                    new SecurityMonitoringRuleOptions()
                        .evaluationWindow(SecurityMonitoringRuleEvaluationWindow.FIFTEEN_MINUTES)
                        .keepAlive(SecurityMonitoringRuleKeepAlive.ONE_HOUR)
                        .maxSignalDuration(SecurityMonitoringRuleMaxSignalDuration.ONE_DAY))
                .message("Test rule")
                .isEnabled(true)
                .type(SecurityMonitoringRuleTypeCreate.LOG_DETECTION)
                .referenceTables(
                    Collections.singletonList(
                        new SecurityMonitoringReferenceTable()
                            .tableName("synthetics_test_reference_table_dont_delete")
                            .columnName("value")
                            .logFieldPath("testtag")
                            .checkPresence(true)
                            .ruleQueryName("a"))));

    try {
      SecurityMonitoringRuleResponse result = apiInstance.createSecurityMonitoringRule(body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#createSecurityMonitoringRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

// Create a detection rule with detection method 'anomaly_detection' returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleAnomalyDetectionOptions;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCaseCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCreatePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleDetectionMethod;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleEvaluationWindow;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleKeepAlive;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleMaxSignalDuration;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleOptions;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleQueryAggregation;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleResponse;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSeverity;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleTypeCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardDataSource;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRuleCreatePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRuleQuery;
import java.util.Arrays;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SecurityMonitoringRuleCreatePayload body =
        new SecurityMonitoringRuleCreatePayload(
            new SecurityMonitoringStandardRuleCreatePayload()
                .name("Example-Security-Monitoring")
                .type(SecurityMonitoringRuleTypeCreate.LOG_DETECTION)
                .isEnabled(true)
                .queries(
                    Collections.singletonList(
                        new SecurityMonitoringStandardRuleQuery()
                            .aggregation(SecurityMonitoringRuleQueryAggregation.COUNT)
                            .dataSource(SecurityMonitoringStandardDataSource.LOGS)
                            .groupByFields(Arrays.asList("@usr.email", "@network.client.ip"))
                            .hasOptionalGroupByFields(false)
                            .name("")
                            .query("service:app status:error")))
                .cases(
                    Collections.singletonList(
                        new SecurityMonitoringRuleCaseCreate()
                            .name("")
                            .status(SecurityMonitoringRuleSeverity.INFO)
                            .condition("a > 0.995")))
                .message("An anomaly detection rule")
                .options(
                    new SecurityMonitoringRuleOptions()
                        .detectionMethod(SecurityMonitoringRuleDetectionMethod.ANOMALY_DETECTION)
                        .evaluationWindow(SecurityMonitoringRuleEvaluationWindow.FIFTEEN_MINUTES)
                        .keepAlive(SecurityMonitoringRuleKeepAlive.ONE_HOUR)
                        .maxSignalDuration(SecurityMonitoringRuleMaxSignalDuration.ONE_DAY)
                        .anomalyDetectionOptions(
                            new SecurityMonitoringRuleAnomalyDetectionOptions()
                                .bucketDuration(
                                    SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration
                                        .FIVE_MINUTES)
                                .learningDuration(
                                    SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration
                                        .ONE_DAY)
                                .detectionTolerance(
                                    SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance
                                        .THREE)
                                .learningPeriodBaseline(10L))));

    try {
      SecurityMonitoringRuleResponse result = apiInstance.createSecurityMonitoringRule(body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#createSecurityMonitoringRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

"""
Create a cloud_configuration rule returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.cloud_configuration_compliance_rule_options import (
    CloudConfigurationComplianceRuleOptions,
)
from datadog_api_client.v2.model.cloud_configuration_rego_rule import CloudConfigurationRegoRule
from datadog_api_client.v2.model.cloud_configuration_rule_case_create import CloudConfigurationRuleCaseCreate
from datadog_api_client.v2.model.cloud_configuration_rule_compliance_signal_options import (
    CloudConfigurationRuleComplianceSignalOptions,
)
from datadog_api_client.v2.model.cloud_configuration_rule_create_payload import CloudConfigurationRuleCreatePayload
from datadog_api_client.v2.model.cloud_configuration_rule_options import CloudConfigurationRuleOptions
from datadog_api_client.v2.model.cloud_configuration_rule_type import CloudConfigurationRuleType
from datadog_api_client.v2.model.security_monitoring_filter import SecurityMonitoringFilter
from datadog_api_client.v2.model.security_monitoring_filter_action import SecurityMonitoringFilterAction
from datadog_api_client.v2.model.security_monitoring_rule_severity import SecurityMonitoringRuleSeverity

body = CloudConfigurationRuleCreatePayload(
    type=CloudConfigurationRuleType.CLOUD_CONFIGURATION,
    name="Example-Security-Monitoring_cloud",
    is_enabled=False,
    cases=[
        CloudConfigurationRuleCaseCreate(
            status=SecurityMonitoringRuleSeverity.INFO,
            notifications=[
                "channel",
            ],
        ),
    ],
    options=CloudConfigurationRuleOptions(
        compliance_rule_options=CloudConfigurationComplianceRuleOptions(
            resource_type="gcp_compute_disk",
            complex_rule=False,
            rego_rule=CloudConfigurationRegoRule(
                policy='package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nmilliseconds_in_a_day := ((1000 * 60) * 60) * 24\n\neval(iam_service_account_key) = "skip" if {\n\tiam_service_account_key.disabled\n} else = "pass" if {\n\t(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90\n} else = "fail"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n',
                resource_types=[
                    "gcp_compute_disk",
                ],
            ),
        ),
    ),
    message="ddd",
    tags=[
        "my:tag",
    ],
    compliance_signal_options=CloudConfigurationRuleComplianceSignalOptions(
        user_activation_status=True,
        user_group_by_fields=[
            "@account_id",
        ],
    ),
    filters=[
        SecurityMonitoringFilter(
            action=SecurityMonitoringFilterAction.REQUIRE,
            query="resource_id:helo*",
        ),
        SecurityMonitoringFilter(
            action=SecurityMonitoringFilterAction.SUPPRESS,
            query="control:helo*",
        ),
    ],
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.create_security_monitoring_rule(body=body)

    print(response)

"""
Create a detection rule returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_reference_table import SecurityMonitoringReferenceTable
from datadog_api_client.v2.model.security_monitoring_rule_case_create import SecurityMonitoringRuleCaseCreate
from datadog_api_client.v2.model.security_monitoring_rule_evaluation_window import (
    SecurityMonitoringRuleEvaluationWindow,
)
from datadog_api_client.v2.model.security_monitoring_rule_keep_alive import SecurityMonitoringRuleKeepAlive
from datadog_api_client.v2.model.security_monitoring_rule_max_signal_duration import (
    SecurityMonitoringRuleMaxSignalDuration,
)
from datadog_api_client.v2.model.security_monitoring_rule_options import SecurityMonitoringRuleOptions
from datadog_api_client.v2.model.security_monitoring_rule_query_aggregation import (
    SecurityMonitoringRuleQueryAggregation,
)
from datadog_api_client.v2.model.security_monitoring_rule_severity import SecurityMonitoringRuleSeverity
from datadog_api_client.v2.model.security_monitoring_rule_type_create import SecurityMonitoringRuleTypeCreate
from datadog_api_client.v2.model.security_monitoring_standard_rule_create_payload import (
    SecurityMonitoringStandardRuleCreatePayload,
)
from datadog_api_client.v2.model.security_monitoring_standard_rule_query import SecurityMonitoringStandardRuleQuery

body = SecurityMonitoringStandardRuleCreatePayload(
    name="Example-Security-Monitoring",
    queries=[
        SecurityMonitoringStandardRuleQuery(
            query="@test:true",
            aggregation=SecurityMonitoringRuleQueryAggregation.COUNT,
            group_by_fields=[],
            distinct_fields=[],
            metric="",
        ),
    ],
    filters=[],
    cases=[
        SecurityMonitoringRuleCaseCreate(
            name="",
            status=SecurityMonitoringRuleSeverity.INFO,
            condition="a > 0",
            notifications=[],
        ),
    ],
    options=SecurityMonitoringRuleOptions(
        evaluation_window=SecurityMonitoringRuleEvaluationWindow.FIFTEEN_MINUTES,
        keep_alive=SecurityMonitoringRuleKeepAlive.ONE_HOUR,
        max_signal_duration=SecurityMonitoringRuleMaxSignalDuration.ONE_DAY,
    ),
    message="Test rule",
    tags=[],
    is_enabled=True,
    type=SecurityMonitoringRuleTypeCreate.LOG_DETECTION,
    reference_tables=[
        SecurityMonitoringReferenceTable(
            table_name="synthetics_test_reference_table_dont_delete",
            column_name="value",
            log_field_path="testtag",
            check_presence=True,
            rule_query_name="a",
        ),
    ],
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.create_security_monitoring_rule(body=body)

    print(response)

"""
Create a detection rule with detection method 'anomaly_detection' returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_rule_anomaly_detection_options import (
    SecurityMonitoringRuleAnomalyDetectionOptions,
)
from datadog_api_client.v2.model.security_monitoring_rule_anomaly_detection_options_bucket_duration import (
    SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration,
)
from datadog_api_client.v2.model.security_monitoring_rule_anomaly_detection_options_detection_tolerance import (
    SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance,
)
from datadog_api_client.v2.model.security_monitoring_rule_anomaly_detection_options_learning_duration import (
    SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration,
)
from datadog_api_client.v2.model.security_monitoring_rule_case_create import SecurityMonitoringRuleCaseCreate
from datadog_api_client.v2.model.security_monitoring_rule_detection_method import SecurityMonitoringRuleDetectionMethod
from datadog_api_client.v2.model.security_monitoring_rule_evaluation_window import (
    SecurityMonitoringRuleEvaluationWindow,
)
from datadog_api_client.v2.model.security_monitoring_rule_keep_alive import SecurityMonitoringRuleKeepAlive
from datadog_api_client.v2.model.security_monitoring_rule_max_signal_duration import (
    SecurityMonitoringRuleMaxSignalDuration,
)
from datadog_api_client.v2.model.security_monitoring_rule_options import SecurityMonitoringRuleOptions
from datadog_api_client.v2.model.security_monitoring_rule_query_aggregation import (
    SecurityMonitoringRuleQueryAggregation,
)
from datadog_api_client.v2.model.security_monitoring_rule_severity import SecurityMonitoringRuleSeverity
from datadog_api_client.v2.model.security_monitoring_rule_type_create import SecurityMonitoringRuleTypeCreate
from datadog_api_client.v2.model.security_monitoring_standard_data_source import SecurityMonitoringStandardDataSource
from datadog_api_client.v2.model.security_monitoring_standard_rule_create_payload import (
    SecurityMonitoringStandardRuleCreatePayload,
)
from datadog_api_client.v2.model.security_monitoring_standard_rule_query import SecurityMonitoringStandardRuleQuery

body = SecurityMonitoringStandardRuleCreatePayload(
    name="Example-Security-Monitoring",
    type=SecurityMonitoringRuleTypeCreate.LOG_DETECTION,
    is_enabled=True,
    queries=[
        SecurityMonitoringStandardRuleQuery(
            aggregation=SecurityMonitoringRuleQueryAggregation.COUNT,
            data_source=SecurityMonitoringStandardDataSource.LOGS,
            distinct_fields=[],
            group_by_fields=[
                "@usr.email",
                "@network.client.ip",
            ],
            has_optional_group_by_fields=False,
            name="",
            query="service:app status:error",
        ),
    ],
    cases=[
        SecurityMonitoringRuleCaseCreate(
            name="",
            status=SecurityMonitoringRuleSeverity.INFO,
            notifications=[],
            condition="a > 0.995",
        ),
    ],
    message="An anomaly detection rule",
    options=SecurityMonitoringRuleOptions(
        detection_method=SecurityMonitoringRuleDetectionMethod.ANOMALY_DETECTION,
        evaluation_window=SecurityMonitoringRuleEvaluationWindow.FIFTEEN_MINUTES,
        keep_alive=SecurityMonitoringRuleKeepAlive.ONE_HOUR,
        max_signal_duration=SecurityMonitoringRuleMaxSignalDuration.ONE_DAY,
        anomaly_detection_options=SecurityMonitoringRuleAnomalyDetectionOptions(
            bucket_duration=SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration.FIVE_MINUTES,
            learning_duration=SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration.ONE_DAY,
            detection_tolerance=SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance.THREE,
            learning_period_baseline=10,
        ),
    ),
    tags=[],
    filters=[],
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.create_security_monitoring_rule(body=body)

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"

# Create a cloud_configuration rule returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::CloudConfigurationRuleCreatePayload.new({
  type: DatadogAPIClient::V2::CloudConfigurationRuleType::CLOUD_CONFIGURATION,
  name: "Example-Security-Monitoring_cloud",
  is_enabled: false,
  cases: [
    DatadogAPIClient::V2::CloudConfigurationRuleCaseCreate.new({
      status: DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::INFO,
      notifications: [
        "channel",
      ],
    }),
  ],
  options: DatadogAPIClient::V2::CloudConfigurationRuleOptions.new({
    compliance_rule_options: DatadogAPIClient::V2::CloudConfigurationComplianceRuleOptions.new({
      resource_type: "gcp_compute_disk",
      complex_rule: false,
      rego_rule: DatadogAPIClient::V2::CloudConfigurationRegoRule.new({
        policy: 'package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nmilliseconds_in_a_day := ((1000 * 60) * 60) * 24\n\neval(iam_service_account_key) = "skip" if {\n\tiam_service_account_key.disabled\n} else = "pass" if {\n\t(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90\n} else = "fail"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n',
        resource_types: [
          "gcp_compute_disk",
        ],
      }),
    }),
  }),
  message: "ddd",
  tags: [
    "my:tag",
  ],
  compliance_signal_options: DatadogAPIClient::V2::CloudConfigurationRuleComplianceSignalOptions.new({
    user_activation_status: true,
    user_group_by_fields: [
      "@account_id",
    ],
  }),
  filters: [
    DatadogAPIClient::V2::SecurityMonitoringFilter.new({
      action: DatadogAPIClient::V2::SecurityMonitoringFilterAction::REQUIRE,
      query: "resource_id:helo*",
    }),
    DatadogAPIClient::V2::SecurityMonitoringFilter.new({
      action: DatadogAPIClient::V2::SecurityMonitoringFilterAction::SUPPRESS,
      query: "control:helo*",
    }),
  ],
})
p api_instance.create_security_monitoring_rule(body)

# Create a detection rule returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::SecurityMonitoringStandardRuleCreatePayload.new({
  name: "Example-Security-Monitoring",
  queries: [
    DatadogAPIClient::V2::SecurityMonitoringStandardRuleQuery.new({
      query: "@test:true",
      aggregation: DatadogAPIClient::V2::SecurityMonitoringRuleQueryAggregation::COUNT,
      group_by_fields: [],
      distinct_fields: [],
      metric: "",
    }),
  ],
  filters: [],
  cases: [
    DatadogAPIClient::V2::SecurityMonitoringRuleCaseCreate.new({
      name: "",
      status: DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::INFO,
      condition: "a > 0",
      notifications: [],
    }),
  ],
  options: DatadogAPIClient::V2::SecurityMonitoringRuleOptions.new({
    evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::FIFTEEN_MINUTES,
    keep_alive: DatadogAPIClient::V2::SecurityMonitoringRuleKeepAlive::ONE_HOUR,
    max_signal_duration: DatadogAPIClient::V2::SecurityMonitoringRuleMaxSignalDuration::ONE_DAY,
  }),
  message: "Test rule",
  tags: [],
  is_enabled: true,
  type: DatadogAPIClient::V2::SecurityMonitoringRuleTypeCreate::LOG_DETECTION,
  reference_tables: [
    DatadogAPIClient::V2::SecurityMonitoringReferenceTable.new({
      table_name: "synthetics_test_reference_table_dont_delete",
      column_name: "value",
      log_field_path: "testtag",
      check_presence: true,
      rule_query_name: "a",
    }),
  ],
})
p api_instance.create_security_monitoring_rule(body)

# Create a detection rule with detection method 'anomaly_detection' returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::SecurityMonitoringStandardRuleCreatePayload.new({
  name: "Example-Security-Monitoring",
  type: DatadogAPIClient::V2::SecurityMonitoringRuleTypeCreate::LOG_DETECTION,
  is_enabled: true,
  queries: [
    DatadogAPIClient::V2::SecurityMonitoringStandardRuleQuery.new({
      aggregation: DatadogAPIClient::V2::SecurityMonitoringRuleQueryAggregation::COUNT,
      data_source: DatadogAPIClient::V2::SecurityMonitoringStandardDataSource::LOGS,
      distinct_fields: [],
      group_by_fields: [
        "@usr.email",
        "@network.client.ip",
      ],
      has_optional_group_by_fields: false,
      name: "",
      query: "service:app status:error",
    }),
  ],
  cases: [
    DatadogAPIClient::V2::SecurityMonitoringRuleCaseCreate.new({
      name: "",
      status: DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::INFO,
      notifications: [],
      condition: "a > 0.995",
    }),
  ],
  message: "An anomaly detection rule",
  options: DatadogAPIClient::V2::SecurityMonitoringRuleOptions.new({
    detection_method: DatadogAPIClient::V2::SecurityMonitoringRuleDetectionMethod::ANOMALY_DETECTION,
    evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::FIFTEEN_MINUTES,
    keep_alive: DatadogAPIClient::V2::SecurityMonitoringRuleKeepAlive::ONE_HOUR,
    max_signal_duration: DatadogAPIClient::V2::SecurityMonitoringRuleMaxSignalDuration::ONE_DAY,
    anomaly_detection_options: DatadogAPIClient::V2::SecurityMonitoringRuleAnomalyDetectionOptions.new({
      bucket_duration: DatadogAPIClient::V2::SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration::FIVE_MINUTES,
      learning_duration: DatadogAPIClient::V2::SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration::ONE_DAY,
      detection_tolerance: DatadogAPIClient::V2::SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance::THREE,
      learning_period_baseline: 10,
    }),
  }),
  tags: [],
  filters: [],
})
p api_instance.create_security_monitoring_rule(body)

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"

// Create a cloud_configuration rule returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::CloudConfigurationComplianceRuleOptions;
use datadog_api_client::datadogV2::model::CloudConfigurationRegoRule;
use datadog_api_client::datadogV2::model::CloudConfigurationRuleCaseCreate;
use datadog_api_client::datadogV2::model::CloudConfigurationRuleComplianceSignalOptions;
use datadog_api_client::datadogV2::model::CloudConfigurationRuleCreatePayload;
use datadog_api_client::datadogV2::model::CloudConfigurationRuleOptions;
use datadog_api_client::datadogV2::model::CloudConfigurationRuleType;
use datadog_api_client::datadogV2::model::SecurityMonitoringFilter;
use datadog_api_client::datadogV2::model::SecurityMonitoringFilterAction;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleCreatePayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSeverity;

#[tokio::main]
async fn main() {
    let body =
        SecurityMonitoringRuleCreatePayload::CloudConfigurationRuleCreatePayload(
            Box::new(
                CloudConfigurationRuleCreatePayload::new(
                    vec![
                        CloudConfigurationRuleCaseCreate::new(
                            SecurityMonitoringRuleSeverity::INFO,
                        ).notifications(vec!["channel".to_string()])
                    ],
                    CloudConfigurationRuleComplianceSignalOptions::new()
                        .user_activation_status(Some(true))
                        .user_group_by_fields(Some(vec!["@account_id".to_string()])),
                    false,
                    "ddd".to_string(),
                    "Example-Security-Monitoring_cloud".to_string(),
                    CloudConfigurationRuleOptions::new(
                        CloudConfigurationComplianceRuleOptions::new()
                            .complex_rule(false)
                            .rego_rule(
                                CloudConfigurationRegoRule::new(
                                    r#"package datadog

import data.datadog.output as dd_output

import future.keywords.contains
import future.keywords.if
import future.keywords.in

milliseconds_in_a_day := ((1000 * 60) * 60) * 24

eval(iam_service_account_key) = "skip" if {
	iam_service_account_key.disabled
} else = "pass" if {
	(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90
} else = "fail"

# This part remains unchanged for all rules
results contains result if {
	some resource in input.resources[input.main_resource_type]
	result := dd_output.format(resource, eval(resource))
}
"#.to_string(),
                                    vec!["gcp_compute_disk".to_string()],
                                ),
                            )
                            .resource_type("gcp_compute_disk".to_string()),
                    ),
                )
                    .filters(
                        vec![
                            SecurityMonitoringFilter::new()
                                .action(SecurityMonitoringFilterAction::REQUIRE)
                                .query("resource_id:helo*".to_string()),
                            SecurityMonitoringFilter::new()
                                .action(SecurityMonitoringFilterAction::SUPPRESS)
                                .query("control:helo*".to_string())
                        ],
                    )
                    .tags(vec!["my:tag".to_string()])
                    .type_(CloudConfigurationRuleType::CLOUD_CONFIGURATION),
            ),
        );
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.create_security_monitoring_rule(body).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

// Create a detection rule returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringReferenceTable;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleCaseCreate;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleCreatePayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleEvaluationWindow;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleKeepAlive;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleMaxSignalDuration;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleOptions;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleQueryAggregation;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSeverity;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleTypeCreate;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRuleCreatePayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRuleQuery;

#[tokio::main]
async fn main() {
    let body =
        SecurityMonitoringRuleCreatePayload::SecurityMonitoringStandardRuleCreatePayload(Box::new(
            SecurityMonitoringStandardRuleCreatePayload::new(
                vec![
                    SecurityMonitoringRuleCaseCreate::new(SecurityMonitoringRuleSeverity::INFO)
                        .condition("a > 0".to_string())
                        .name("".to_string())
                        .notifications(vec![]),
                ],
                true,
                "Test rule".to_string(),
                "Example-Security-Monitoring".to_string(),
                SecurityMonitoringRuleOptions::new()
                    .evaluation_window(SecurityMonitoringRuleEvaluationWindow::FIFTEEN_MINUTES)
                    .keep_alive(SecurityMonitoringRuleKeepAlive::ONE_HOUR)
                    .max_signal_duration(SecurityMonitoringRuleMaxSignalDuration::ONE_DAY),
                vec![SecurityMonitoringStandardRuleQuery::new()
                    .aggregation(SecurityMonitoringRuleQueryAggregation::COUNT)
                    .distinct_fields(vec![])
                    .group_by_fields(vec![])
                    .metric("".to_string())
                    .query("@test:true".to_string())],
            )
            .filters(vec![])
            .reference_tables(vec![SecurityMonitoringReferenceTable::new()
                .check_presence(true)
                .column_name("value".to_string())
                .log_field_path("testtag".to_string())
                .rule_query_name("a".to_string())
                .table_name("synthetics_test_reference_table_dont_delete".to_string())])
            .tags(vec![])
            .type_(SecurityMonitoringRuleTypeCreate::LOG_DETECTION),
        ));
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.create_security_monitoring_rule(body).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

// Create a detection rule with detection method 'anomaly_detection' returns "OK"
// response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleAnomalyDetectionOptions;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleCaseCreate;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleCreatePayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleDetectionMethod;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleEvaluationWindow;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleKeepAlive;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleMaxSignalDuration;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleOptions;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleQueryAggregation;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSeverity;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleTypeCreate;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardDataSource;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRuleCreatePayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRuleQuery;

#[tokio::main]
async fn main() {
    let body =
        SecurityMonitoringRuleCreatePayload::SecurityMonitoringStandardRuleCreatePayload(
            Box::new(
                SecurityMonitoringStandardRuleCreatePayload::new(
                    vec![
                        SecurityMonitoringRuleCaseCreate::new(SecurityMonitoringRuleSeverity::INFO)
                            .condition("a > 0.995".to_string())
                            .name("".to_string())
                            .notifications(vec![])
                    ],
                    true,
                    "An anomaly detection rule".to_string(),
                    "Example-Security-Monitoring".to_string(),
                    SecurityMonitoringRuleOptions::new()
                        .anomaly_detection_options(
                            SecurityMonitoringRuleAnomalyDetectionOptions::new()
                                .bucket_duration(
                                    SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration::FIVE_MINUTES,
                                )
                                .detection_tolerance(
                                    SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance::THREE,
                                )
                                .learning_duration(
                                    SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration::ONE_DAY,
                                )
                                .learning_period_baseline(10),
                        )
                        .detection_method(SecurityMonitoringRuleDetectionMethod::ANOMALY_DETECTION)
                        .evaluation_window(SecurityMonitoringRuleEvaluationWindow::FIFTEEN_MINUTES)
                        .keep_alive(SecurityMonitoringRuleKeepAlive::ONE_HOUR)
                        .max_signal_duration(SecurityMonitoringRuleMaxSignalDuration::ONE_DAY),
                    vec![
                        SecurityMonitoringStandardRuleQuery::new()
                            .aggregation(SecurityMonitoringRuleQueryAggregation::COUNT)
                            .data_source(SecurityMonitoringStandardDataSource::LOGS)
                            .distinct_fields(vec![])
                            .group_by_fields(vec!["@usr.email".to_string(), "@network.client.ip".to_string()])
                            .has_optional_group_by_fields(false)
                            .name("".to_string())
                            .query("service:app status:error".to_string())
                    ],
                )
                    .filters(vec![])
                    .tags(vec![])
                    .type_(SecurityMonitoringRuleTypeCreate::LOG_DETECTION),
            ),
        );
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.create_security_monitoring_rule(body).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

Instructions

First install the library and its dependencies and then save the example to src/main.rs and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run

/**
 * Create a cloud_configuration rule returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiCreateSecurityMonitoringRuleRequest = {
  body: {
    type: "cloud_configuration",
    name: "Example-Security-Monitoring_cloud",
    isEnabled: false,
    cases: [
      {
        status: "info",
        notifications: ["channel"],
      },
    ],
    options: {
      complianceRuleOptions: {
        resourceType: "gcp_compute_disk",
        complexRule: false,
        regoRule: {
          policy: `package datadog

import data.datadog.output as dd_output

import future.keywords.contains
import future.keywords.if
import future.keywords.in

milliseconds_in_a_day := ((1000 * 60) * 60) * 24

eval(iam_service_account_key) = "skip" if {
	iam_service_account_key.disabled
} else = "pass" if {
	(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90
} else = "fail"

# This part remains unchanged for all rules
results contains result if {
	some resource in input.resources[input.main_resource_type]
	result := dd_output.format(resource, eval(resource))
}
`,
          resourceTypes: ["gcp_compute_disk"],
        },
      },
    },
    message: "ddd",
    tags: ["my:tag"],
    complianceSignalOptions: {
      userActivationStatus: true,
      userGroupByFields: ["@account_id"],
    },
    filters: [
      {
        action: "require",
        query: "resource_id:helo*",
      },
      {
        action: "suppress",
        query: "control:helo*",
      },
    ],
  },
};

apiInstance
  .createSecurityMonitoringRule(params)
  .then((data: v2.SecurityMonitoringRuleResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

/**
 * Create a detection rule returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiCreateSecurityMonitoringRuleRequest = {
  body: {
    name: "Example-Security-Monitoring",
    queries: [
      {
        query: "@test:true",
        aggregation: "count",
        groupByFields: [],
        distinctFields: [],
        metric: "",
      },
    ],
    filters: [],
    cases: [
      {
        name: "",
        status: "info",
        condition: "a > 0",
        notifications: [],
      },
    ],
    options: {
      evaluationWindow: 900,
      keepAlive: 3600,
      maxSignalDuration: 86400,
    },
    message: "Test rule",
    tags: [],
    isEnabled: true,
    type: "log_detection",
    referenceTables: [
      {
        tableName: "synthetics_test_reference_table_dont_delete",
        columnName: "value",
        logFieldPath: "testtag",
        checkPresence: true,
        ruleQueryName: "a",
      },
    ],
  },
};

apiInstance
  .createSecurityMonitoringRule(params)
  .then((data: v2.SecurityMonitoringRuleResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

/**
 * Create a detection rule with detection method 'anomaly_detection' returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiCreateSecurityMonitoringRuleRequest = {
  body: {
    name: "Example-Security-Monitoring",
    type: "log_detection",
    isEnabled: true,
    queries: [
      {
        aggregation: "count",
        dataSource: "logs",
        distinctFields: [],
        groupByFields: ["@usr.email", "@network.client.ip"],
        hasOptionalGroupByFields: false,
        name: "",
        query: "service:app status:error",
      },
    ],
    cases: [
      {
        name: "",
        status: "info",
        notifications: [],
        condition: "a > 0.995",
      },
    ],
    message: "An anomaly detection rule",
    options: {
      detectionMethod: "anomaly_detection",
      evaluationWindow: 900,
      keepAlive: 3600,
      maxSignalDuration: 86400,
      anomalyDetectionOptions: {
        bucketDuration: 300,
        learningDuration: 24,
        detectionTolerance: 3,
        learningPeriodBaseline: 10,
      },
    },
    tags: [],
    filters: [],
  },
};

apiInstance
  .createSecurityMonitoringRule(params)
  .then((data: v2.SecurityMonitoringRuleResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

Delete a custom framework

v2 (latest)

DELETE https://api.ap1.datadoghq.com/api/v2/cloud_security_management/custom_frameworks/{handle}/{version}https://api.ap2.datadoghq.com/api/v2/cloud_security_management/custom_frameworks/{handle}/{version}https://api.datadoghq.eu/api/v2/cloud_security_management/custom_frameworks/{handle}/{version}https://api.ddog-gov.com/api/v2/cloud_security_management/custom_frameworks/{handle}/{version}https://api.datadoghq.com/api/v2/cloud_security_management/custom_frameworks/{handle}/{version}https://api.us3.datadoghq.com/api/v2/cloud_security_management/custom_frameworks/{handle}/{version}https://api.us5.datadoghq.com/api/v2/cloud_security_management/custom_frameworks/{handle}/{version}

概要

Delete a custom framework. This endpoint requires all of the following permissions:

security_monitoring_rules_read

security_monitoring_rules_write

OAuth apps require the security_monitoring_rules_read, security_monitoring_rules_write authorization scope to access this endpoint.

引数

パスパラメーター

名前

種類

説明

handle [required]

string

The framework handle

version [required]

string

The framework version

応答

Response object to delete a custom framework.

Expand All

フィールド

種類

説明

data [required]

object

Metadata for custom frameworks.

{
  "data": {
    "attributes": {
      "description": "this is a security description",
      "handle": "sec2",
      "icon_url": "https://example.com/icon.png",
      "name": "security-framework",
      "version": "2"
    },
    "id": "handle-version",
    "type": "custom_framework"
  }
}

Bad Request

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Bad Request

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

コード例

                  # Path parameters
export handle="CHANGE_ME"
export version="CHANGE_ME"
# Curl command
curl -X DELETE "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/cloud_security_management/custom_frameworks/${handle}/${version}" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"

                

"""
Delete a custom framework returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.delete_custom_framework(
        handle="create-framework-new",
        version="10",
    )

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"

# Delete a custom framework returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
p api_instance.delete_custom_framework("create-framework-new", "10")

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"

// Delete a custom framework returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.DeleteCustomFramework(ctx, "create-framework-new", "10")

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.DeleteCustomFramework`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.DeleteCustomFramework`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"

// Delete a custom framework returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.DeleteCustomFrameworkResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    try {
      DeleteCustomFrameworkResponse result =
          apiInstance.deleteCustomFramework("create-framework-new", "10");
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#deleteCustomFramework");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

// Delete a custom framework returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .delete_custom_framework("create-framework-new".to_string(), "10".to_string())
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

Instructions

First install the library and its dependencies and then save the example to src/main.rs and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run

/**
 * Delete a custom framework returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiDeleteCustomFrameworkRequest = {
  handle: "create-framework-new",
  version: "10",
};

apiInstance
  .deleteCustomFramework(params)
  .then((data: v2.DeleteCustomFrameworkResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

Get a custom framework

v2 (latest)

GET https://api.ap1.datadoghq.com/api/v2/cloud_security_management/custom_frameworks/{handle}/{version}https://api.ap2.datadoghq.com/api/v2/cloud_security_management/custom_frameworks/{handle}/{version}https://api.datadoghq.eu/api/v2/cloud_security_management/custom_frameworks/{handle}/{version}https://api.ddog-gov.com/api/v2/cloud_security_management/custom_frameworks/{handle}/{version}https://api.datadoghq.com/api/v2/cloud_security_management/custom_frameworks/{handle}/{version}https://api.us3.datadoghq.com/api/v2/cloud_security_management/custom_frameworks/{handle}/{version}https://api.us5.datadoghq.com/api/v2/cloud_security_management/custom_frameworks/{handle}/{version}

概要

Get a custom framework. This endpoint requires the security_monitoring_rules_read permission.

OAuth apps require the security_monitoring_rules_read authorization scope to access this endpoint.

引数

パスパラメーター

名前

種類

説明

handle [required]

string

The framework handle

version [required]

string

The framework version

応答

Response object to get a custom framework.

Expand All

フィールド

種類

説明

data [required]

object

Contains type and attributes for custom frameworks.

{
  "data": {
    "attributes": {
      "handle": "sec2",
      "icon_url": "https://example.com/icon.png",
      "name": "security-framework",
      "requirements": [
        {
          "controls": [
            {
              "name": "A1.2",
              "rules_id": [
                "def-000-abc"
              ]
            }
          ],
          "name": "criteria"
        }
      ],
      "version": "2"
    },
    "id": "handle-version",
    "type": "custom_framework"
  }
}

Bad Request

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Bad Request

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

コード例

                  # Path parameters
export handle="CHANGE_ME"
export version="CHANGE_ME"
# Curl command
curl -X GET "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/cloud_security_management/custom_frameworks/${handle}/${version}" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"

                

"""
Get a custom framework returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.get_custom_framework(
        handle="create-framework-new",
        version="10",
    )

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"

# Get a custom framework returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
p api_instance.get_custom_framework("create-framework-new", "10")

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"

// Get a custom framework returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.GetCustomFramework(ctx, "create-framework-new", "10")

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.GetCustomFramework`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.GetCustomFramework`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"

// Get a custom framework returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.GetCustomFrameworkResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    try {
      GetCustomFrameworkResponse result =
          apiInstance.getCustomFramework("create-framework-new", "10");
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#getCustomFramework");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

// Get a custom framework returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .get_custom_framework("create-framework-new".to_string(), "10".to_string())
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

Instructions

First install the library and its dependencies and then save the example to src/main.rs and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run

/**
 * Get a custom framework returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiGetCustomFrameworkRequest = {
  handle: "create-framework-new",
  version: "10",
};

apiInstance
  .getCustomFramework(params)
  .then((data: v2.GetCustomFrameworkResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

List rules

v2 (latest)

GET https://api.ap1.datadoghq.com/api/v2/security_monitoring/ruleshttps://api.ap2.datadoghq.com/api/v2/security_monitoring/ruleshttps://api.datadoghq.eu/api/v2/security_monitoring/ruleshttps://api.ddog-gov.com/api/v2/security_monitoring/ruleshttps://api.datadoghq.com/api/v2/security_monitoring/ruleshttps://api.us3.datadoghq.com/api/v2/security_monitoring/ruleshttps://api.us5.datadoghq.com/api/v2/security_monitoring/rules

概要

List rules. This endpoint requires the security_monitoring_rules_read permission.

OAuth apps require the security_monitoring_rules_read authorization scope to access this endpoint.

引数

クエリ文字列

名前

種類

説明

page[size]

integer

Size for a given page. The maximum allowed value is 100.

page[number]

integer

Specific page number to return.

query

string

A search query to filter security rules. You can filter by attributes such as type, source, tags.

応答

List of rules.

Expand All

フィールド

種類

説明

data

[ <oneOf>]

Array containing the list of rules.

Option 1

object

Rule.

options

object

Options.

Option 2

object

Rule.

options

object

Options.

meta

object

Object describing meta attributes of response.

{
  "data": [
    {
      "calculatedFields": [
        {
          "expression": "@request_end_timestamp - @request_start_timestamp",
          "name": "response_time"
        }
      ],
      "cases": [
        {
          "actions": [
            {
              "options": {
                "duration": 0,
                "flaggedIPType": "FLAGGED",
                "userBehaviorName": "string"
              },
              "type": "string"
            }
          ],
          "condition": "string",
          "customStatus": "critical",
          "name": "string",
          "notifications": [],
          "status": "critical"
        }
      ],
      "complianceSignalOptions": {
        "defaultActivationStatus": false,
        "defaultGroupByFields": [],
        "userActivationStatus": false,
        "userGroupByFields": []
      },
      "createdAt": "integer",
      "creationAuthorId": "integer",
      "customMessage": "string",
      "customName": "string",
      "defaultTags": [
        "security:attacks"
      ],
      "deprecationDate": "integer",
      "filters": [
        {
          "action": "string",
          "query": "string"
        }
      ],
      "groupSignalsBy": [
        "service"
      ],
      "hasExtendedTitle": false,
      "id": "string",
      "isDefault": false,
      "isDeleted": false,
      "isEnabled": false,
      "message": "string",
      "name": "string",
      "options": {
        "anomalyDetectionOptions": {
          "bucketDuration": 300,
          "detectionTolerance": 5,
          "learningDuration": "integer",
          "learningPeriodBaseline": "integer"
        },
        "complianceRuleOptions": {
          "complexRule": false,
          "regoRule": {
            "policy": "package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(resource) = \"skip\" if {\n  # Logic that evaluates to true if the resource should be skipped\n  true\n} else = \"pass\" {\n  # Logic that evaluates to true if the resource is compliant\n  true\n} else = \"fail\" {\n  # Logic that evaluates to true if the resource is not compliant\n  true\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n  some resource in input.resources[input.main_resource_type]\n  result := dd_output.format(resource, eval(resource))\n}",
            "resourceTypes": [
              "gcp_iam_service_account",
              "gcp_iam_policy"
            ]
          },
          "resourceType": "aws_acm"
        },
        "decreaseCriticalityBasedOnEnv": false,
        "detectionMethod": "string",
        "evaluationWindow": "integer",
        "hardcodedEvaluatorType": "string",
        "impossibleTravelOptions": {
          "baselineUserLocations": true
        },
        "keepAlive": "integer",
        "maxSignalDuration": "integer",
        "newValueOptions": {
          "forgetAfter": "integer",
          "instantaneousBaseline": false,
          "learningDuration": "integer",
          "learningMethod": "string",
          "learningThreshold": "integer"
        },
        "sequenceDetectionOptions": {
          "stepTransitions": [
            {
              "child": "string",
              "evaluationWindow": "integer",
              "parent": "string"
            }
          ],
          "steps": [
            {
              "condition": "string",
              "evaluationWindow": "integer",
              "name": "string"
            }
          ]
        },
        "thirdPartyRuleOptions": {
          "defaultNotifications": [],
          "defaultStatus": "critical",
          "rootQueries": [
            {
              "groupByFields": [],
              "query": "source:cloudtrail"
            }
          ],
          "signalTitleTemplate": "string"
        }
      },
      "queries": [
        {
          "aggregation": "string",
          "customQueryExtension": "a > 3",
          "dataSource": "logs",
          "distinctFields": [],
          "groupByFields": [],
          "hasOptionalGroupByFields": false,
          "index": "string",
          "indexes": [],
          "metric": "string",
          "metrics": [],
          "name": "string",
          "query": "a > 3"
        }
      ],
      "referenceTables": [
        {
          "checkPresence": false,
          "columnName": "string",
          "logFieldPath": "string",
          "ruleQueryName": "string",
          "tableName": "string"
        }
      ],
      "schedulingOptions": {
        "rrule": "FREQ=HOURLY;INTERVAL=1;",
        "start": "2025-07-14T12:00:00",
        "timezone": "America/New_York"
      },
      "tags": [],
      "thirdPartyCases": [
        {
          "customStatus": "critical",
          "name": "string",
          "notifications": [],
          "query": "string",
          "status": "critical"
        }
      ],
      "type": "string",
      "updateAuthorId": "integer",
      "updatedAt": "integer",
      "version": "integer"
    }
  ],
  "meta": {
    "page": {
      "total_count": "integer",
      "total_filtered_count": "integer"
    }
  }
}

Bad Request

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

コード例

                  # Curl command
curl -X GET "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/rules" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"

                

"""
List rules returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.list_security_monitoring_rules()

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"

# List rules returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
p api_instance.list_security_monitoring_rules()

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"

// List rules returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.ListSecurityMonitoringRules(ctx, *datadogV2.NewListSecurityMonitoringRulesOptionalParameters())

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.ListSecurityMonitoringRules`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.ListSecurityMonitoringRules`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"

// List rules returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringListRulesResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    try {
      SecurityMonitoringListRulesResponse result = apiInstance.listSecurityMonitoringRules();
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#listSecurityMonitoringRules");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

// List rules returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::ListSecurityMonitoringRulesOptionalParams;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .list_security_monitoring_rules(ListSecurityMonitoringRulesOptionalParams::default())
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

Instructions

First install the library and its dependencies and then save the example to src/main.rs and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run

/**
 * List rules returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

apiInstance
  .listSecurityMonitoringRules()
  .then((data: v2.SecurityMonitoringListRulesResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

Update a custom framework

v2 (latest)

PUT https://api.ap1.datadoghq.com/api/v2/cloud_security_management/custom_frameworks/{handle}/{version}https://api.ap2.datadoghq.com/api/v2/cloud_security_management/custom_frameworks/{handle}/{version}https://api.datadoghq.eu/api/v2/cloud_security_management/custom_frameworks/{handle}/{version}https://api.ddog-gov.com/api/v2/cloud_security_management/custom_frameworks/{handle}/{version}https://api.datadoghq.com/api/v2/cloud_security_management/custom_frameworks/{handle}/{version}https://api.us3.datadoghq.com/api/v2/cloud_security_management/custom_frameworks/{handle}/{version}https://api.us5.datadoghq.com/api/v2/cloud_security_management/custom_frameworks/{handle}/{version}

概要

Update a custom framework. This endpoint requires all of the following permissions:

security_monitoring_rules_read

security_monitoring_rules_write

OAuth apps require the security_monitoring_rules_read, security_monitoring_rules_write authorization scope to access this endpoint.

引数

パスパラメーター

名前

種類

説明

handle [required]

string

The framework handle

version [required]

string

The framework version

リクエスト

Body Data (required)

Expand All

フィールド

種類

説明

data [required]

object

Contains type and attributes for custom frameworks.

{
  "data": {
    "type": "custom_framework",
    "attributes": {
      "name": "name",
      "handle": "create-framework-new",
      "version": "10",
      "icon_url": "test-url",
      "requirements": [
        {
          "name": "requirement",
          "controls": [
            {
              "name": "control",
              "rules_id": [
                "def-000-be9"
              ]
            }
          ]
        }
      ]
    }
  }
}

応答

Response object to update a custom framework.

Expand All

フィールド

種類

説明

data [required]

object

Contains type and attributes for custom frameworks.

{
  "data": {
    "attributes": {
      "handle": "sec2",
      "version": "2"
    },
    "id": "handle-version",
    "type": "custom_framework"
  }
}

Bad Request

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Bad Request

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

コード例

                          # Path parameters
export handle="CHANGE_ME"
export version="CHANGE_ME"
# Curl command
curl -X PUT "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/cloud_security_management/custom_frameworks/${handle}/${version}" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": {
    "type": "custom_framework",
    "attributes": {
      "name": "name",
      "handle": "create-framework-new",
      "version": "10",
      "icon_url": "test-url",
      "requirements": [
        {
          "name": "requirement",
          "controls": [
            {
              "name": "control",
              "rules_id": [
                "def-000-be9"
              ]
            }
          ]
        }
      ]
    }
  }
}
EOF

                        

// Update a custom framework returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.UpdateCustomFrameworkRequest{
		Data: datadogV2.CustomFrameworkData{
			Type: datadogV2.CUSTOMFRAMEWORKTYPE_CUSTOM_FRAMEWORK,
			Attributes: datadogV2.CustomFrameworkDataAttributes{
				Name:    "name",
				Handle:  "create-framework-new",
				Version: "10",
				IconUrl: datadog.PtrString("test-url"),
				Requirements: []datadogV2.CustomFrameworkRequirement{
					{
						Name: "requirement",
						Controls: []datadogV2.CustomFrameworkControl{
							{
								Name: "control",
								RulesId: []string{
									"def-000-be9",
								},
							},
						},
					},
				},
			},
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.UpdateCustomFramework(ctx, "create-framework-new", "10", body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.UpdateCustomFramework`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.UpdateCustomFramework`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"

// Update a custom framework returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.CustomFrameworkControl;
import com.datadog.api.client.v2.model.CustomFrameworkData;
import com.datadog.api.client.v2.model.CustomFrameworkDataAttributes;
import com.datadog.api.client.v2.model.CustomFrameworkRequirement;
import com.datadog.api.client.v2.model.CustomFrameworkType;
import com.datadog.api.client.v2.model.UpdateCustomFrameworkRequest;
import com.datadog.api.client.v2.model.UpdateCustomFrameworkResponse;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    UpdateCustomFrameworkRequest body =
        new UpdateCustomFrameworkRequest()
            .data(
                new CustomFrameworkData()
                    .type(CustomFrameworkType.CUSTOM_FRAMEWORK)
                    .attributes(
                        new CustomFrameworkDataAttributes()
                            .name("name")
                            .handle("create-framework-new")
                            .version("10")
                            .iconUrl("test-url")
                            .requirements(
                                Collections.singletonList(
                                    new CustomFrameworkRequirement()
                                        .name("requirement")
                                        .controls(
                                            Collections.singletonList(
                                                new CustomFrameworkControl()
                                                    .name("control")
                                                    .rulesId(
                                                        Collections.singletonList(
                                                            "def-000-be9"))))))));

    try {
      UpdateCustomFrameworkResponse result =
          apiInstance.updateCustomFramework("create-framework-new", "10", body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#updateCustomFramework");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

"""
Update a custom framework returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.custom_framework_control import CustomFrameworkControl
from datadog_api_client.v2.model.custom_framework_data import CustomFrameworkData
from datadog_api_client.v2.model.custom_framework_data_attributes import CustomFrameworkDataAttributes
from datadog_api_client.v2.model.custom_framework_requirement import CustomFrameworkRequirement
from datadog_api_client.v2.model.custom_framework_type import CustomFrameworkType
from datadog_api_client.v2.model.update_custom_framework_request import UpdateCustomFrameworkRequest

body = UpdateCustomFrameworkRequest(
    data=CustomFrameworkData(
        type=CustomFrameworkType.CUSTOM_FRAMEWORK,
        attributes=CustomFrameworkDataAttributes(
            name="name",
            handle="create-framework-new",
            version="10",
            icon_url="test-url",
            requirements=[
                CustomFrameworkRequirement(
                    name="requirement",
                    controls=[
                        CustomFrameworkControl(
                            name="control",
                            rules_id=[
                                "def-000-be9",
                            ],
                        ),
                    ],
                ),
            ],
        ),
    ),
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.update_custom_framework(handle="create-framework-new", version="10", body=body)

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"

# Update a custom framework returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::UpdateCustomFrameworkRequest.new({
  data: DatadogAPIClient::V2::CustomFrameworkData.new({
    type: DatadogAPIClient::V2::CustomFrameworkType::CUSTOM_FRAMEWORK,
    attributes: DatadogAPIClient::V2::CustomFrameworkDataAttributes.new({
      name: "name",
      handle: "create-framework-new",
      version: "10",
      icon_url: "test-url",
      requirements: [
        DatadogAPIClient::V2::CustomFrameworkRequirement.new({
          name: "requirement",
          controls: [
            DatadogAPIClient::V2::CustomFrameworkControl.new({
              name: "control",
              rules_id: [
                "def-000-be9",
              ],
            }),
          ],
        }),
      ],
    }),
  }),
})
p api_instance.update_custom_framework("create-framework-new", "10", body)

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"

// Update a custom framework returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::CustomFrameworkControl;
use datadog_api_client::datadogV2::model::CustomFrameworkData;
use datadog_api_client::datadogV2::model::CustomFrameworkDataAttributes;
use datadog_api_client::datadogV2::model::CustomFrameworkRequirement;
use datadog_api_client::datadogV2::model::CustomFrameworkType;
use datadog_api_client::datadogV2::model::UpdateCustomFrameworkRequest;

#[tokio::main]
async fn main() {
    let body = UpdateCustomFrameworkRequest::new(CustomFrameworkData::new(
        CustomFrameworkDataAttributes::new(
            "create-framework-new".to_string(),
            "name".to_string(),
            vec![CustomFrameworkRequirement::new(
                vec![CustomFrameworkControl::new(
                    "control".to_string(),
                    vec!["def-000-be9".to_string()],
                )],
                "requirement".to_string(),
            )],
            "10".to_string(),
        )
        .icon_url("test-url".to_string()),
        CustomFrameworkType::CUSTOM_FRAMEWORK,
    ));
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .update_custom_framework("create-framework-new".to_string(), "10".to_string(), body)
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

Instructions

First install the library and its dependencies and then save the example to src/main.rs and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run

/**
 * Update a custom framework returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiUpdateCustomFrameworkRequest = {
  body: {
    data: {
      type: "custom_framework",
      attributes: {
        name: "name",
        handle: "create-framework-new",
        version: "10",
        iconUrl: "test-url",
        requirements: [
          {
            name: "requirement",
            controls: [
              {
                name: "control",
                rulesId: ["def-000-be9"],
              },
            ],
          },
        ],
      },
    },
  },
  handle: "create-framework-new",
  version: "10",
};

apiInstance
  .updateCustomFramework(params)
  .then((data: v2.UpdateCustomFrameworkResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

Get a rule's details

v2 (latest)

GET https://api.ap1.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}https://api.ap2.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}https://api.datadoghq.eu/api/v2/security_monitoring/rules/{rule_id}https://api.ddog-gov.com/api/v2/security_monitoring/rules/{rule_id}https://api.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}https://api.us3.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}https://api.us5.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}

概要

Get a rule’s details. This endpoint requires the security_monitoring_rules_read permission.

OAuth apps require the security_monitoring_rules_read authorization scope to access this endpoint.

引数

パスパラメーター

名前

種類

説明

rule_id [required]

string

The ID of the rule.

応答

Create a new rule.

Expand All

フィールド

種類

説明

Option 1

object

Rule.

options

object

Options.

Option 2

object

Rule.

options

object

Options.

{
  "calculatedFields": [
    {
      "expression": "@request_end_timestamp - @request_start_timestamp",
      "name": "response_time"
    }
  ],
  "cases": [
    {
      "actions": [
        {
          "options": {
            "duration": 0,
            "flaggedIPType": "FLAGGED",
            "userBehaviorName": "string"
          },
          "type": "string"
        }
      ],
      "condition": "string",
      "customStatus": "critical",
      "name": "string",
      "notifications": [],
      "status": "critical"
    }
  ],
  "complianceSignalOptions": {
    "defaultActivationStatus": false,
    "defaultGroupByFields": [],
    "userActivationStatus": false,
    "userGroupByFields": []
  },
  "createdAt": "integer",
  "creationAuthorId": "integer",
  "customMessage": "string",
  "customName": "string",
  "defaultTags": [
    "security:attacks"
  ],
  "deprecationDate": "integer",
  "filters": [
    {
      "action": "string",
      "query": "string"
    }
  ],
  "groupSignalsBy": [
    "service"
  ],
  "hasExtendedTitle": false,
  "id": "string",
  "isDefault": false,
  "isDeleted": false,
  "isEnabled": false,
  "message": "string",
  "name": "string",
  "options": {
    "anomalyDetectionOptions": {
      "bucketDuration": 300,
      "detectionTolerance": 5,
      "learningDuration": "integer",
      "learningPeriodBaseline": "integer"
    },
    "complianceRuleOptions": {
      "complexRule": false,
      "regoRule": {
        "policy": "package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(resource) = \"skip\" if {\n  # Logic that evaluates to true if the resource should be skipped\n  true\n} else = \"pass\" {\n  # Logic that evaluates to true if the resource is compliant\n  true\n} else = \"fail\" {\n  # Logic that evaluates to true if the resource is not compliant\n  true\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n  some resource in input.resources[input.main_resource_type]\n  result := dd_output.format(resource, eval(resource))\n}",
        "resourceTypes": [
          "gcp_iam_service_account",
          "gcp_iam_policy"
        ]
      },
      "resourceType": "aws_acm"
    },
    "decreaseCriticalityBasedOnEnv": false,
    "detectionMethod": "string",
    "evaluationWindow": "integer",
    "hardcodedEvaluatorType": "string",
    "impossibleTravelOptions": {
      "baselineUserLocations": true
    },
    "keepAlive": "integer",
    "maxSignalDuration": "integer",
    "newValueOptions": {
      "forgetAfter": "integer",
      "instantaneousBaseline": false,
      "learningDuration": "integer",
      "learningMethod": "string",
      "learningThreshold": "integer"
    },
    "sequenceDetectionOptions": {
      "stepTransitions": [
        {
          "child": "string",
          "evaluationWindow": "integer",
          "parent": "string"
        }
      ],
      "steps": [
        {
          "condition": "string",
          "evaluationWindow": "integer",
          "name": "string"
        }
      ]
    },
    "thirdPartyRuleOptions": {
      "defaultNotifications": [],
      "defaultStatus": "critical",
      "rootQueries": [
        {
          "groupByFields": [],
          "query": "source:cloudtrail"
        }
      ],
      "signalTitleTemplate": "string"
    }
  },
  "queries": [
    {
      "aggregation": "string",
      "customQueryExtension": "a > 3",
      "dataSource": "logs",
      "distinctFields": [],
      "groupByFields": [],
      "hasOptionalGroupByFields": false,
      "index": "string",
      "indexes": [],
      "metric": "string",
      "metrics": [],
      "name": "string",
      "query": "a > 3"
    }
  ],
  "referenceTables": [
    {
      "checkPresence": false,
      "columnName": "string",
      "logFieldPath": "string",
      "ruleQueryName": "string",
      "tableName": "string"
    }
  ],
  "schedulingOptions": {
    "rrule": "FREQ=HOURLY;INTERVAL=1;",
    "start": "2025-07-14T12:00:00",
    "timezone": "America/New_York"
  },
  "tags": [],
  "thirdPartyCases": [
    {
      "customStatus": "critical",
      "name": "string",
      "notifications": [],
      "query": "string",
      "status": "critical"
    }
  ],
  "type": "string",
  "updateAuthorId": "integer",
  "updatedAt": "integer",
  "version": "integer"
}

Not Found

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

コード例

                  # Path parameters
export rule_id="CHANGE_ME"
# Curl command
curl -X GET "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/rules/${rule_id}" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"

                

"""
Get a rule's details returns "OK" response
"""

from os import environ
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

# there is a valid "security_rule" in the system
SECURITY_RULE_ID = environ["SECURITY_RULE_ID"]

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.get_security_monitoring_rule(
        rule_id=SECURITY_RULE_ID,
    )

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"

# Get a rule's details returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

# there is a valid "security_rule" in the system
SECURITY_RULE_ID = ENV["SECURITY_RULE_ID"]
p api_instance.get_security_monitoring_rule(SECURITY_RULE_ID)

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"

// Get a rule's details returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	// there is a valid "security_rule" in the system
	SecurityRuleID := os.Getenv("SECURITY_RULE_ID")

	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.GetSecurityMonitoringRule(ctx, SecurityRuleID)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.GetSecurityMonitoringRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.GetSecurityMonitoringRule`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"

// Get a rule's details returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    // there is a valid "security_rule" in the system
    String SECURITY_RULE_ID = System.getenv("SECURITY_RULE_ID");

    try {
      SecurityMonitoringRuleResponse result =
          apiInstance.getSecurityMonitoringRule(SECURITY_RULE_ID);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#getSecurityMonitoringRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

// Get a rule's details returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    // there is a valid "security_rule" in the system
    let security_rule_id = std::env::var("SECURITY_RULE_ID").unwrap();
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .get_security_monitoring_rule(security_rule_id.clone())
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

Instructions

First install the library and its dependencies and then save the example to src/main.rs and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run

/**
 * Get a rule's details returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

// there is a valid "security_rule" in the system
const SECURITY_RULE_ID = process.env.SECURITY_RULE_ID as string;

const params: v2.SecurityMonitoringApiGetSecurityMonitoringRuleRequest = {
  ruleId: SECURITY_RULE_ID,
};

apiInstance
  .getSecurityMonitoringRule(params)
  .then((data: v2.SecurityMonitoringRuleResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

Modify the triage assignee of a security signal

v1
v2 (latest)

PATCH https://api.ap1.datadoghq.com/api/v1/security_analytics/signals/{signal_id}/assigneehttps://api.ap2.datadoghq.com/api/v1/security_analytics/signals/{signal_id}/assigneehttps://api.datadoghq.eu/api/v1/security_analytics/signals/{signal_id}/assigneehttps://api.ddog-gov.com/api/v1/security_analytics/signals/{signal_id}/assigneehttps://api.datadoghq.com/api/v1/security_analytics/signals/{signal_id}/assigneehttps://api.us3.datadoghq.com/api/v1/security_analytics/signals/{signal_id}/assigneehttps://api.us5.datadoghq.com/api/v1/security_analytics/signals/{signal_id}/assignee

概要

セキュリティシグナルのトリアージアサインメントを変更します。 This endpoint requires the security_monitoring_signals_write permission.

引数

パスパラメーター

名前

種類

説明

signal_id [required]

string

The ID of the signal.

リクエスト

Body Data (required)

シグナルの更新を記述する属性。

Expand All

フィールド

種類

説明

assignee [required]

string

The UUID of the user being assigned. Use empty string to return signal to unassigned.

version

int64

Version of the updated signal. If server side version is higher, update will be rejected.

{
  "assignee": "773b045d-ccf8-4808-bd3b-955ef6a8c940"
}

応答

Updated signal data following a successfully performed update.

Expand All

フィールド

種類

説明

status

string

Status of the response.

{
  "status": "string"
}

Bad Request

Error response object.

Expand All

フィールド

種類

説明

errors [required]

[string]

Array of errors returned by the API.

{
  "errors": [
    "Bad Request"
  ]
}

Forbidden

Error response object.

Expand All

フィールド

種類

説明

errors [required]

[string]

Array of errors returned by the API.

{
  "errors": [
    "Bad Request"
  ]
}

Not Found

Error response object.

Expand All

フィールド

種類

説明

errors [required]

[string]

Array of errors returned by the API.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

Error response object.

Expand All

フィールド

種類

説明

errors [required]

[string]

Array of errors returned by the API.

{
  "errors": [
    "Bad Request"
  ]
}

コード例

                          # Path parameters
export signal_id="CHANGE_ME"
# Curl command
curl -X PATCH "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v1/security_analytics/signals/${signal_id}/assignee" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "assignee": "773b045d-ccf8-4808-bd3b-955ef6a8c940"
}
EOF

                        

// Modify the triage assignee of a security signal returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV1"
)

func main() {
	body := datadogV1.SignalAssigneeUpdateRequest{
		Assignee: "773b045d-ccf8-4808-bd3b-955ef6a8c940",
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV1.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.EditSecurityMonitoringSignalAssignee(ctx, "AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE", body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.EditSecurityMonitoringSignalAssignee`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.EditSecurityMonitoringSignalAssignee`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" go run "main.go"

// Modify the triage assignee of a security signal returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v1.api.SecurityMonitoringApi;
import com.datadog.api.client.v1.model.SignalAssigneeUpdateRequest;
import com.datadog.api.client.v1.model.SuccessfulSignalUpdateResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SignalAssigneeUpdateRequest body =
        new SignalAssigneeUpdateRequest().assignee("773b045d-ccf8-4808-bd3b-955ef6a8c940");

    try {
      SuccessfulSignalUpdateResponse result =
          apiInstance.editSecurityMonitoringSignalAssignee(
              "AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE", body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#editSecurityMonitoringSignalAssignee");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" java "Example.java"

"""
Modify the triage assignee of a security signal returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v1.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v1.model.signal_assignee_update_request import SignalAssigneeUpdateRequest

body = SignalAssigneeUpdateRequest(
    assignee="773b045d-ccf8-4808-bd3b-955ef6a8c940",
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.edit_security_monitoring_signal_assignee(
        signal_id="AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE", body=body
    )

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" python3 "example.py"

# Modify the triage assignee of a security signal returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V1::SecurityMonitoringAPI.new

body = DatadogAPIClient::V1::SignalAssigneeUpdateRequest.new({
  assignee: "773b045d-ccf8-4808-bd3b-955ef6a8c940",
})
p api_instance.edit_security_monitoring_signal_assignee("AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE", body)

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" rb "example.rb"

// Modify the triage assignee of a security signal returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV1::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV1::model::SignalAssigneeUpdateRequest;

#[tokio::main]
async fn main() {
    let body = SignalAssigneeUpdateRequest::new("773b045d-ccf8-4808-bd3b-955ef6a8c940".to_string());
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .edit_security_monitoring_signal_assignee(
            "AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE".to_string(),
            body,
        )
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

Instructions

First install the library and its dependencies and then save the example to src/main.rs and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" cargo run

/**
 * Modify the triage assignee of a security signal returns "OK" response
 */

import { client, v1 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v1.SecurityMonitoringApi(configuration);

const params: v1.SecurityMonitoringApiEditSecurityMonitoringSignalAssigneeRequest =
  {
    body: {
      assignee: "773b045d-ccf8-4808-bd3b-955ef6a8c940",
    },
    signalId: "AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE",
  };

apiInstance
  .editSecurityMonitoringSignalAssignee(params)
  .then((data: v1.SuccessfulSignalUpdateResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" tsc "example.ts"

PATCH https://api.ap1.datadoghq.com/api/v2/security_monitoring/signals/{signal_id}/assigneehttps://api.ap2.datadoghq.com/api/v2/security_monitoring/signals/{signal_id}/assigneehttps://api.datadoghq.eu/api/v2/security_monitoring/signals/{signal_id}/assigneehttps://api.ddog-gov.com/api/v2/security_monitoring/signals/{signal_id}/assigneehttps://api.datadoghq.com/api/v2/security_monitoring/signals/{signal_id}/assigneehttps://api.us3.datadoghq.com/api/v2/security_monitoring/signals/{signal_id}/assigneehttps://api.us5.datadoghq.com/api/v2/security_monitoring/signals/{signal_id}/assignee

概要

セキュリティシグナルのトリアージアサインメントを変更します。 This endpoint requires the security_monitoring_signals_write permission.

引数

パスパラメーター

名前

種類

説明

signal_id [required]

string

The ID of the signal.

リクエスト

Body Data (required)

シグナルの更新を記述する属性。

Expand All

フィールド

種類

説明

data [required]

object

Data containing the patch for changing the assignee of a signal.

{
  "data": {
    "attributes": {
      "assignee": {
        "uuid": ""
      }
    }
  }
}

応答

The response returned after all triage operations, containing the updated signal triage data.

Expand All

フィールド

種類

説明

data [required]

object

Data containing the updated triage attributes of the signal.

{
  "data": {
    "attributes": {
      "archive_comment": "string",
      "archive_comment_timestamp": "integer",
      "archive_comment_user": {
        "handle": "string",
        "icon": "/path/to/matching/gravatar/icon",
        "id": "integer",
        "name": "string",
        "uuid": "773b045d-ccf8-4808-bd3b-955ef6a8c940"
      },
      "archive_reason": "string",
      "assignee": {
        "handle": "string",
        "icon": "/path/to/matching/gravatar/icon",
        "id": "integer",
        "name": "string",
        "uuid": "773b045d-ccf8-4808-bd3b-955ef6a8c940"
      },
      "incident_ids": [
        2066
      ],
      "state": "open",
      "state_update_timestamp": "integer",
      "state_update_user": {
        "handle": "string",
        "icon": "/path/to/matching/gravatar/icon",
        "id": "integer",
        "name": "string",
        "uuid": "773b045d-ccf8-4808-bd3b-955ef6a8c940"
      }
    },
    "id": "string",
    "type": "signal_metadata"
  }
}

Bad Request

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Forbidden

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Found

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

コード例

                          # Path parameters
export signal_id="CHANGE_ME"
# Curl command
curl -X PATCH "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/signals/${signal_id}/assignee" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": {
    "attributes": {
      "assignee": {
        "uuid": ""
      }
    }
  }
}
EOF

                        

// Modify the triage assignee of a security signal returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.SecurityMonitoringSignalAssigneeUpdateRequest{
		Data: datadogV2.SecurityMonitoringSignalAssigneeUpdateData{
			Attributes: datadogV2.SecurityMonitoringSignalAssigneeUpdateAttributes{
				Assignee: datadogV2.SecurityMonitoringTriageUser{
					Uuid: "",
				},
			},
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.EditSecurityMonitoringSignalAssignee(ctx, "AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE", body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.EditSecurityMonitoringSignalAssignee`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.EditSecurityMonitoringSignalAssignee`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" go run "main.go"

// Modify the triage assignee of a security signal returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalAssigneeUpdateAttributes;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalAssigneeUpdateData;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalAssigneeUpdateRequest;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalTriageUpdateResponse;
import com.datadog.api.client.v2.model.SecurityMonitoringTriageUser;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SecurityMonitoringSignalAssigneeUpdateRequest body =
        new SecurityMonitoringSignalAssigneeUpdateRequest()
            .data(
                new SecurityMonitoringSignalAssigneeUpdateData()
                    .attributes(
                        new SecurityMonitoringSignalAssigneeUpdateAttributes()
                            .assignee(new SecurityMonitoringTriageUser().uuid(""))));

    try {
      SecurityMonitoringSignalTriageUpdateResponse result =
          apiInstance.editSecurityMonitoringSignalAssignee(
              "AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE", body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#editSecurityMonitoringSignalAssignee");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" java "Example.java"

"""
Modify the triage assignee of a security signal returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_signal_assignee_update_attributes import (
    SecurityMonitoringSignalAssigneeUpdateAttributes,
)
from datadog_api_client.v2.model.security_monitoring_signal_assignee_update_data import (
    SecurityMonitoringSignalAssigneeUpdateData,
)
from datadog_api_client.v2.model.security_monitoring_signal_assignee_update_request import (
    SecurityMonitoringSignalAssigneeUpdateRequest,
)
from datadog_api_client.v2.model.security_monitoring_triage_user import SecurityMonitoringTriageUser

body = SecurityMonitoringSignalAssigneeUpdateRequest(
    data=SecurityMonitoringSignalAssigneeUpdateData(
        attributes=SecurityMonitoringSignalAssigneeUpdateAttributes(
            assignee=SecurityMonitoringTriageUser(
                uuid="",
            ),
        ),
    ),
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.edit_security_monitoring_signal_assignee(
        signal_id="AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE", body=body
    )

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" python3 "example.py"

# Modify the triage assignee of a security signal returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::SecurityMonitoringSignalAssigneeUpdateRequest.new({
  data: DatadogAPIClient::V2::SecurityMonitoringSignalAssigneeUpdateData.new({
    attributes: DatadogAPIClient::V2::SecurityMonitoringSignalAssigneeUpdateAttributes.new({
      assignee: DatadogAPIClient::V2::SecurityMonitoringTriageUser.new({
        uuid: "",
      }),
    }),
  }),
})
p api_instance.edit_security_monitoring_signal_assignee("AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE", body)

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" rb "example.rb"

// Modify the triage assignee of a security signal returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringSignalAssigneeUpdateAttributes;
use datadog_api_client::datadogV2::model::SecurityMonitoringSignalAssigneeUpdateData;
use datadog_api_client::datadogV2::model::SecurityMonitoringSignalAssigneeUpdateRequest;
use datadog_api_client::datadogV2::model::SecurityMonitoringTriageUser;

#[tokio::main]
async fn main() {
    let body = SecurityMonitoringSignalAssigneeUpdateRequest::new(
        SecurityMonitoringSignalAssigneeUpdateData::new(
            SecurityMonitoringSignalAssigneeUpdateAttributes::new(
                SecurityMonitoringTriageUser::new("".to_string()),
            ),
        ),
    );
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .edit_security_monitoring_signal_assignee(
            "AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE".to_string(),
            body,
        )
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

Instructions

First install the library and its dependencies and then save the example to src/main.rs and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" cargo run

/**
 * Modify the triage assignee of a security signal returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiEditSecurityMonitoringSignalAssigneeRequest =
  {
    body: {
      data: {
        attributes: {
          assignee: {
            uuid: "",
          },
        },
      },
    },
    signalId: "AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE",
  };

apiInstance
  .editSecurityMonitoringSignalAssignee(params)
  .then((data: v2.SecurityMonitoringSignalTriageUpdateResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" tsc "example.ts"

Update an existing rule

v2 (latest)

PUT https://api.ap1.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}https://api.ap2.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}https://api.datadoghq.eu/api/v2/security_monitoring/rules/{rule_id}https://api.ddog-gov.com/api/v2/security_monitoring/rules/{rule_id}https://api.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}https://api.us3.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}https://api.us5.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}

概要

Update an existing rule. When updating cases, queries or options, the whole field must be included. For example, when modifying a query all queries must be included. Default rules can only be updated to be enabled, to change notifications, or to update the tags (default tags cannot be removed). This endpoint requires the security_monitoring_rules_write permission.

OAuth apps require the security_monitoring_rules_write authorization scope to access this endpoint.

引数

パスパラメーター

名前

種類

説明

rule_id [required]

string

The ID of the rule.

リクエスト

Body Data (required)

Expand All

フィールド

種類

説明

calculatedFields

[object]

Calculated fields. Only allowed for scheduled rules - in other words, when schedulingOptions is also defined.

cases

[object]

Cases for generating signals.

complianceSignalOptions

object

How to generate compliance signals. Useful for cloud_configuration rules only.

customMessage

string

Custom/Overridden Message for generated signals (used in case of Default rule update).

customName

string

Custom/Overridden name (used in case of Default rule update).

filters

[object]

Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.

groupSignalsBy

[string]

Additional grouping to perform on top of the existing groups in the query section. Must be a subset of the existing groups.

hasExtendedTitle

boolean

Whether the notifications include the triggering group-by values in their title.

isEnabled

boolean

Whether the rule is enabled.

message

string

Message for generated signals.

name

string

Name of the rule.

options

object

Options.

queries

[ <oneOf>]

Queries for selecting logs which are part of the rule.

referenceTables

[object]

Reference tables for the rule.

schedulingOptions

object

Options for scheduled rules. When this field is present, the rule runs based on the schedule. When absent, it runs real-time on ingested logs.

応答

Create a new rule.

Expand All

フィールド

種類

説明

Option 1

object

Rule.

options

object

Options.

Option 2

object

Rule.

options

object

Options.

{
  "calculatedFields": [
    {
      "expression": "@request_end_timestamp - @request_start_timestamp",
      "name": "response_time"
    }
  ],
  "cases": [
    {
      "actions": [
        {
          "options": {
            "duration": 0,
            "flaggedIPType": "FLAGGED",
            "userBehaviorName": "string"
          },
          "type": "string"
        }
      ],
      "condition": "string",
      "customStatus": "critical",
      "name": "string",
      "notifications": [],
      "status": "critical"
    }
  ],
  "complianceSignalOptions": {
    "defaultActivationStatus": false,
    "defaultGroupByFields": [],
    "userActivationStatus": false,
    "userGroupByFields": []
  },
  "createdAt": "integer",
  "creationAuthorId": "integer",
  "customMessage": "string",
  "customName": "string",
  "defaultTags": [
    "security:attacks"
  ],
  "deprecationDate": "integer",
  "filters": [
    {
      "action": "string",
      "query": "string"
    }
  ],
  "groupSignalsBy": [
    "service"
  ],
  "hasExtendedTitle": false,
  "id": "string",
  "isDefault": false,
  "isDeleted": false,
  "isEnabled": false,
  "message": "string",
  "name": "string",
  "options": {
    "anomalyDetectionOptions": {
      "bucketDuration": 300,
      "detectionTolerance": 5,
      "learningDuration": "integer",
      "learningPeriodBaseline": "integer"
    },
    "complianceRuleOptions": {
      "complexRule": false,
      "regoRule": {
        "policy": "package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(resource) = \"skip\" if {\n  # Logic that evaluates to true if the resource should be skipped\n  true\n} else = \"pass\" {\n  # Logic that evaluates to true if the resource is compliant\n  true\n} else = \"fail\" {\n  # Logic that evaluates to true if the resource is not compliant\n  true\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n  some resource in input.resources[input.main_resource_type]\n  result := dd_output.format(resource, eval(resource))\n}",
        "resourceTypes": [
          "gcp_iam_service_account",
          "gcp_iam_policy"
        ]
      },
      "resourceType": "aws_acm"
    },
    "decreaseCriticalityBasedOnEnv": false,
    "detectionMethod": "string",
    "evaluationWindow": "integer",
    "hardcodedEvaluatorType": "string",
    "impossibleTravelOptions": {
      "baselineUserLocations": true
    },
    "keepAlive": "integer",
    "maxSignalDuration": "integer",
    "newValueOptions": {
      "forgetAfter": "integer",
      "instantaneousBaseline": false,
      "learningDuration": "integer",
      "learningMethod": "string",
      "learningThreshold": "integer"
    },
    "sequenceDetectionOptions": {
      "stepTransitions": [
        {
          "child": "string",
          "evaluationWindow": "integer",
          "parent": "string"
        }
      ],
      "steps": [
        {
          "condition": "string",
          "evaluationWindow": "integer",
          "name": "string"
        }
      ]
    },
    "thirdPartyRuleOptions": {
      "defaultNotifications": [],
      "defaultStatus": "critical",
      "rootQueries": [
        {
          "groupByFields": [],
          "query": "source:cloudtrail"
        }
      ],
      "signalTitleTemplate": "string"
    }
  },
  "queries": [
    {
      "aggregation": "string",
      "customQueryExtension": "a > 3",
      "dataSource": "logs",
      "distinctFields": [],
      "groupByFields": [],
      "hasOptionalGroupByFields": false,
      "index": "string",
      "indexes": [],
      "metric": "string",
      "metrics": [],
      "name": "string",
      "query": "a > 3"
    }
  ],
  "referenceTables": [
    {
      "checkPresence": false,
      "columnName": "string",
      "logFieldPath": "string",
      "ruleQueryName": "string",
      "tableName": "string"
    }
  ],
  "schedulingOptions": {
    "rrule": "FREQ=HOURLY;INTERVAL=1;",
    "start": "2025-07-14T12:00:00",
    "timezone": "America/New_York"
  },
  "tags": [],
  "thirdPartyCases": [
    {
      "customStatus": "critical",
      "name": "string",
      "notifications": [],
      "query": "string",
      "status": "critical"
    }
  ],
  "type": "string",
  "updateAuthorId": "integer",
  "updatedAt": "integer",
  "version": "integer"
}

Bad Request

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Concurrent Modification

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Authorized

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Found

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

コード例

                          # Path parameters
export rule_id="CHANGE_ME"
# Curl command
curl -X PUT "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/rules/${rule_id}" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "name": "Example-Security-Monitoring_cloud_updated",
  "isEnabled": false,
  "cases": [
    {
      "status": "info",
      "notifications": []
    }
  ],
  "options": {
    "complianceRuleOptions": {
      "resourceType": "gcp_compute_disk",
      "regoRule": {
        "policy": "package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nmilliseconds_in_a_day := ((1000 * 60) * 60) * 24\n\neval(iam_service_account_key) = \"skip\" if {\n\tiam_service_account_key.disabled\n} else = \"pass\" if {\n\t(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n",
        "resourceTypes": [
          "gcp_compute_disk"
        ]
      }
    }
  },
  "message": "ddd",
  "tags": [],
  "complianceSignalOptions": {
    "userActivationStatus": false,
    "userGroupByFields": []
  }
}
EOF

                        
                          # Path parameters
export rule_id="CHANGE_ME"
# Curl command
curl -X PUT "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/rules/${rule_id}" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "name": "Example-Security-Monitoring-Updated",
  "queries": [
    {
      "query": "@test:true",
      "aggregation": "count",
      "groupByFields": [],
      "distinctFields": [],
      "metrics": []
    }
  ],
  "filters": [],
  "cases": [
    {
      "name": "",
      "status": "info",
      "condition": "a > 0",
      "notifications": []
    }
  ],
  "options": {
    "evaluationWindow": 900,
    "keepAlive": 3600,
    "maxSignalDuration": 86400
  },
  "message": "Test rule",
  "tags": [],
  "isEnabled": true
}
EOF

                        

// Update a cloud configuration rule's details returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	// there is a valid "cloud_configuration_rule" in the system
	CloudConfigurationRuleID := os.Getenv("CLOUD_CONFIGURATION_RULE_ID")

	body := datadogV2.SecurityMonitoringRuleUpdatePayload{
		Name:      datadog.PtrString("Example-Security-Monitoring_cloud_updated"),
		IsEnabled: datadog.PtrBool(false),
		Cases: []datadogV2.SecurityMonitoringRuleCase{
			{
				Status:        datadogV2.SECURITYMONITORINGRULESEVERITY_INFO.Ptr(),
				Notifications: []string{},
			},
		},
		Options: &datadogV2.SecurityMonitoringRuleOptions{
			ComplianceRuleOptions: &datadogV2.CloudConfigurationComplianceRuleOptions{
				ResourceType: datadog.PtrString("gcp_compute_disk"),
				RegoRule: &datadogV2.CloudConfigurationRegoRule{
					Policy: `package datadog

import data.datadog.output as dd_output

import future.keywords.contains
import future.keywords.if
import future.keywords.in

milliseconds_in_a_day := ((1000 * 60) * 60) * 24

eval(iam_service_account_key) = "skip" if {
	iam_service_account_key.disabled
} else = "pass" if {
	(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90
} else = "fail"

# This part remains unchanged for all rules
results contains result if {
	some resource in input.resources[input.main_resource_type]
	result := dd_output.format(resource, eval(resource))
}
`,
					ResourceTypes: []string{
						"gcp_compute_disk",
					},
				},
			},
		},
		Message: datadog.PtrString("ddd"),
		Tags:    []string{},
		ComplianceSignalOptions: &datadogV2.CloudConfigurationRuleComplianceSignalOptions{
			UserActivationStatus: *datadog.NewNullableBool(datadog.PtrBool(false)),
			UserGroupByFields:    *datadog.NewNullableList(&[]string{}),
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.UpdateSecurityMonitoringRule(ctx, CloudConfigurationRuleID, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.UpdateSecurityMonitoringRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.UpdateSecurityMonitoringRule`:\n%s\n", responseContent)
}

// Update an existing rule returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	// there is a valid "security_rule" in the system
	SecurityRuleID := os.Getenv("SECURITY_RULE_ID")

	body := datadogV2.SecurityMonitoringRuleUpdatePayload{
		Name: datadog.PtrString("Example-Security-Monitoring-Updated"),
		Queries: []datadogV2.SecurityMonitoringRuleQuery{
			datadogV2.SecurityMonitoringRuleQuery{
				SecurityMonitoringStandardRuleQuery: &datadogV2.SecurityMonitoringStandardRuleQuery{
					Query:          datadog.PtrString("@test:true"),
					Aggregation:    datadogV2.SECURITYMONITORINGRULEQUERYAGGREGATION_COUNT.Ptr(),
					GroupByFields:  []string{},
					DistinctFields: []string{},
					Metrics:        []string{},
				}},
		},
		Filters: []datadogV2.SecurityMonitoringFilter{},
		Cases: []datadogV2.SecurityMonitoringRuleCase{
			{
				Name:          datadog.PtrString(""),
				Status:        datadogV2.SECURITYMONITORINGRULESEVERITY_INFO.Ptr(),
				Condition:     datadog.PtrString("a > 0"),
				Notifications: []string{},
			},
		},
		Options: &datadogV2.SecurityMonitoringRuleOptions{
			EvaluationWindow:  datadogV2.SECURITYMONITORINGRULEEVALUATIONWINDOW_FIFTEEN_MINUTES.Ptr(),
			KeepAlive:         datadogV2.SECURITYMONITORINGRULEKEEPALIVE_ONE_HOUR.Ptr(),
			MaxSignalDuration: datadogV2.SECURITYMONITORINGRULEMAXSIGNALDURATION_ONE_DAY.Ptr(),
		},
		Message:   datadog.PtrString("Test rule"),
		Tags:      []string{},
		IsEnabled: datadog.PtrBool(true),
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.UpdateSecurityMonitoringRule(ctx, SecurityRuleID, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.UpdateSecurityMonitoringRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.UpdateSecurityMonitoringRule`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"

// Update a cloud configuration rule's details returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.CloudConfigurationComplianceRuleOptions;
import com.datadog.api.client.v2.model.CloudConfigurationRegoRule;
import com.datadog.api.client.v2.model.CloudConfigurationRuleComplianceSignalOptions;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCase;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleOptions;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleResponse;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSeverity;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleUpdatePayload;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    // there is a valid "cloud_configuration_rule" in the system
    String CLOUD_CONFIGURATION_RULE_ID = System.getenv("CLOUD_CONFIGURATION_RULE_ID");

    SecurityMonitoringRuleUpdatePayload body =
        new SecurityMonitoringRuleUpdatePayload()
            .name("Example-Security-Monitoring_cloud_updated")
            .isEnabled(false)
            .cases(
                Collections.singletonList(
                    new SecurityMonitoringRuleCase().status(SecurityMonitoringRuleSeverity.INFO)))
            .options(
                new SecurityMonitoringRuleOptions()
                    .complianceRuleOptions(
                        new CloudConfigurationComplianceRuleOptions()
                            .resourceType("gcp_compute_disk")
                            .regoRule(
                                new CloudConfigurationRegoRule()
                                    .policy(
                                        """
package datadog

import data.datadog.output as dd_output

import future.keywords.contains
import future.keywords.if
import future.keywords.in

milliseconds_in_a_day := ((1000 * 60) * 60) * 24

eval(iam_service_account_key) = "skip" if {
	iam_service_account_key.disabled
} else = "pass" if {
	(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90
} else = "fail"

# This part remains unchanged for all rules
results contains result if {
	some resource in input.resources[input.main_resource_type]
	result := dd_output.format(resource, eval(resource))
}

""")
                                    .resourceTypes(Collections.singletonList("gcp_compute_disk")))))
            .message("ddd")
            .complianceSignalOptions(
                new CloudConfigurationRuleComplianceSignalOptions().userActivationStatus(false));

    try {
      SecurityMonitoringRuleResponse result =
          apiInstance.updateSecurityMonitoringRule(CLOUD_CONFIGURATION_RULE_ID, body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#updateSecurityMonitoringRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

// Update an existing rule returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCase;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleEvaluationWindow;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleKeepAlive;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleMaxSignalDuration;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleOptions;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleQuery;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleQueryAggregation;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleResponse;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSeverity;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleUpdatePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRuleQuery;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    // there is a valid "security_rule" in the system
    String SECURITY_RULE_ID = System.getenv("SECURITY_RULE_ID");

    SecurityMonitoringRuleUpdatePayload body =
        new SecurityMonitoringRuleUpdatePayload()
            .name("Example-Security-Monitoring-Updated")
            .queries(
                Collections.singletonList(
                    new SecurityMonitoringRuleQuery(
                        new SecurityMonitoringStandardRuleQuery()
                            .query("@test:true")
                            .aggregation(SecurityMonitoringRuleQueryAggregation.COUNT))))
            .cases(
                Collections.singletonList(
                    new SecurityMonitoringRuleCase()
                        .name("")
                        .status(SecurityMonitoringRuleSeverity.INFO)
                        .condition("a > 0")))
            .options(
                new SecurityMonitoringRuleOptions()
                    .evaluationWindow(SecurityMonitoringRuleEvaluationWindow.FIFTEEN_MINUTES)
                    .keepAlive(SecurityMonitoringRuleKeepAlive.ONE_HOUR)
                    .maxSignalDuration(SecurityMonitoringRuleMaxSignalDuration.ONE_DAY))
            .message("Test rule")
            .isEnabled(true);

    try {
      SecurityMonitoringRuleResponse result =
          apiInstance.updateSecurityMonitoringRule(SECURITY_RULE_ID, body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#updateSecurityMonitoringRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

"""
Update a cloud configuration rule's details returns "OK" response
"""

from os import environ
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.cloud_configuration_compliance_rule_options import (
    CloudConfigurationComplianceRuleOptions,
)
from datadog_api_client.v2.model.cloud_configuration_rego_rule import CloudConfigurationRegoRule
from datadog_api_client.v2.model.cloud_configuration_rule_compliance_signal_options import (
    CloudConfigurationRuleComplianceSignalOptions,
)
from datadog_api_client.v2.model.security_monitoring_rule_case import SecurityMonitoringRuleCase
from datadog_api_client.v2.model.security_monitoring_rule_options import SecurityMonitoringRuleOptions
from datadog_api_client.v2.model.security_monitoring_rule_severity import SecurityMonitoringRuleSeverity
from datadog_api_client.v2.model.security_monitoring_rule_update_payload import SecurityMonitoringRuleUpdatePayload

# there is a valid "cloud_configuration_rule" in the system
CLOUD_CONFIGURATION_RULE_ID = environ["CLOUD_CONFIGURATION_RULE_ID"]

body = SecurityMonitoringRuleUpdatePayload(
    name="Example-Security-Monitoring_cloud_updated",
    is_enabled=False,
    cases=[
        SecurityMonitoringRuleCase(
            status=SecurityMonitoringRuleSeverity.INFO,
            notifications=[],
        ),
    ],
    options=SecurityMonitoringRuleOptions(
        compliance_rule_options=CloudConfigurationComplianceRuleOptions(
            resource_type="gcp_compute_disk",
            rego_rule=CloudConfigurationRegoRule(
                policy='package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nmilliseconds_in_a_day := ((1000 * 60) * 60) * 24\n\neval(iam_service_account_key) = "skip" if {\n\tiam_service_account_key.disabled\n} else = "pass" if {\n\t(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90\n} else = "fail"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n',
                resource_types=[
                    "gcp_compute_disk",
                ],
            ),
        ),
    ),
    message="ddd",
    tags=[],
    compliance_signal_options=CloudConfigurationRuleComplianceSignalOptions(
        user_activation_status=False,
        user_group_by_fields=[],
    ),
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.update_security_monitoring_rule(rule_id=CLOUD_CONFIGURATION_RULE_ID, body=body)

    print(response)

"""
Update an existing rule returns "OK" response
"""

from os import environ
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_rule_case import SecurityMonitoringRuleCase
from datadog_api_client.v2.model.security_monitoring_rule_evaluation_window import (
    SecurityMonitoringRuleEvaluationWindow,
)
from datadog_api_client.v2.model.security_monitoring_rule_keep_alive import SecurityMonitoringRuleKeepAlive
from datadog_api_client.v2.model.security_monitoring_rule_max_signal_duration import (
    SecurityMonitoringRuleMaxSignalDuration,
)
from datadog_api_client.v2.model.security_monitoring_rule_options import SecurityMonitoringRuleOptions
from datadog_api_client.v2.model.security_monitoring_rule_query_aggregation import (
    SecurityMonitoringRuleQueryAggregation,
)
from datadog_api_client.v2.model.security_monitoring_rule_severity import SecurityMonitoringRuleSeverity
from datadog_api_client.v2.model.security_monitoring_rule_update_payload import SecurityMonitoringRuleUpdatePayload
from datadog_api_client.v2.model.security_monitoring_standard_rule_query import SecurityMonitoringStandardRuleQuery

# there is a valid "security_rule" in the system
SECURITY_RULE_ID = environ["SECURITY_RULE_ID"]

body = SecurityMonitoringRuleUpdatePayload(
    name="Example-Security-Monitoring-Updated",
    queries=[
        SecurityMonitoringStandardRuleQuery(
            query="@test:true",
            aggregation=SecurityMonitoringRuleQueryAggregation.COUNT,
            group_by_fields=[],
            distinct_fields=[],
            metrics=[],
        ),
    ],
    filters=[],
    cases=[
        SecurityMonitoringRuleCase(
            name="",
            status=SecurityMonitoringRuleSeverity.INFO,
            condition="a > 0",
            notifications=[],
        ),
    ],
    options=SecurityMonitoringRuleOptions(
        evaluation_window=SecurityMonitoringRuleEvaluationWindow.FIFTEEN_MINUTES,
        keep_alive=SecurityMonitoringRuleKeepAlive.ONE_HOUR,
        max_signal_duration=SecurityMonitoringRuleMaxSignalDuration.ONE_DAY,
    ),
    message="Test rule",
    tags=[],
    is_enabled=True,
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.update_security_monitoring_rule(rule_id=SECURITY_RULE_ID, body=body)

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"

# Update a cloud configuration rule's details returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

# there is a valid "cloud_configuration_rule" in the system
CLOUD_CONFIGURATION_RULE_ID = ENV["CLOUD_CONFIGURATION_RULE_ID"]

body = DatadogAPIClient::V2::SecurityMonitoringRuleUpdatePayload.new({
  name: "Example-Security-Monitoring_cloud_updated",
  is_enabled: false,
  cases: [
    DatadogAPIClient::V2::SecurityMonitoringRuleCase.new({
      status: DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::INFO,
      notifications: [],
    }),
  ],
  options: DatadogAPIClient::V2::SecurityMonitoringRuleOptions.new({
    compliance_rule_options: DatadogAPIClient::V2::CloudConfigurationComplianceRuleOptions.new({
      resource_type: "gcp_compute_disk",
      rego_rule: DatadogAPIClient::V2::CloudConfigurationRegoRule.new({
        policy: 'package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nmilliseconds_in_a_day := ((1000 * 60) * 60) * 24\n\neval(iam_service_account_key) = "skip" if {\n\tiam_service_account_key.disabled\n} else = "pass" if {\n\t(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90\n} else = "fail"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n',
        resource_types: [
          "gcp_compute_disk",
        ],
      }),
    }),
  }),
  message: "ddd",
  tags: [],
  compliance_signal_options: DatadogAPIClient::V2::CloudConfigurationRuleComplianceSignalOptions.new({
    user_activation_status: false,
    user_group_by_fields: [],
  }),
})
p api_instance.update_security_monitoring_rule(CLOUD_CONFIGURATION_RULE_ID, body)

# Update an existing rule returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

# there is a valid "security_rule" in the system
SECURITY_RULE_ID = ENV["SECURITY_RULE_ID"]

body = DatadogAPIClient::V2::SecurityMonitoringRuleUpdatePayload.new({
  name: "Example-Security-Monitoring-Updated",
  queries: [
    DatadogAPIClient::V2::SecurityMonitoringStandardRuleQuery.new({
      query: "@test:true",
      aggregation: DatadogAPIClient::V2::SecurityMonitoringRuleQueryAggregation::COUNT,
      group_by_fields: [],
      distinct_fields: [],
      metrics: [],
    }),
  ],
  filters: [],
  cases: [
    DatadogAPIClient::V2::SecurityMonitoringRuleCase.new({
      name: "",
      status: DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::INFO,
      condition: "a > 0",
      notifications: [],
    }),
  ],
  options: DatadogAPIClient::V2::SecurityMonitoringRuleOptions.new({
    evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::FIFTEEN_MINUTES,
    keep_alive: DatadogAPIClient::V2::SecurityMonitoringRuleKeepAlive::ONE_HOUR,
    max_signal_duration: DatadogAPIClient::V2::SecurityMonitoringRuleMaxSignalDuration::ONE_DAY,
  }),
  message: "Test rule",
  tags: [],
  is_enabled: true,
})
p api_instance.update_security_monitoring_rule(SECURITY_RULE_ID, body)

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"

// Update a cloud configuration rule's details returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::CloudConfigurationComplianceRuleOptions;
use datadog_api_client::datadogV2::model::CloudConfigurationRegoRule;
use datadog_api_client::datadogV2::model::CloudConfigurationRuleComplianceSignalOptions;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleCase;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleOptions;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSeverity;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleUpdatePayload;

#[tokio::main]
async fn main() {
    // there is a valid "cloud_configuration_rule" in the system
    let cloud_configuration_rule_id = std::env::var("CLOUD_CONFIGURATION_RULE_ID").unwrap();
    let body =
        SecurityMonitoringRuleUpdatePayload::new()
            .cases(
                vec![
                    SecurityMonitoringRuleCase::new()
                        .notifications(vec![])
                        .status(SecurityMonitoringRuleSeverity::INFO)
                ],
            )
            .compliance_signal_options(
                CloudConfigurationRuleComplianceSignalOptions::new()
                    .user_activation_status(Some(false))
                    .user_group_by_fields(Some(vec![])),
            )
            .is_enabled(false)
            .message("ddd".to_string())
            .name("Example-Security-Monitoring_cloud_updated".to_string())
            .options(
                SecurityMonitoringRuleOptions
                ::new().compliance_rule_options(
                    CloudConfigurationComplianceRuleOptions::new()
                        .rego_rule(
                            CloudConfigurationRegoRule::new(
                                r#"package datadog

import data.datadog.output as dd_output

import future.keywords.contains
import future.keywords.if
import future.keywords.in

milliseconds_in_a_day := ((1000 * 60) * 60) * 24

eval(iam_service_account_key) = "skip" if {
	iam_service_account_key.disabled
} else = "pass" if {
	(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90
} else = "fail"

# This part remains unchanged for all rules
results contains result if {
	some resource in input.resources[input.main_resource_type]
	result := dd_output.format(resource, eval(resource))
}
"#.to_string(),
                                vec!["gcp_compute_disk".to_string()],
                            ),
                        )
                        .resource_type("gcp_compute_disk".to_string()),
                ),
            )
            .tags(vec![]);
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .update_security_monitoring_rule(cloud_configuration_rule_id.clone(), body)
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

// Update an existing rule returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleCase;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleEvaluationWindow;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleKeepAlive;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleMaxSignalDuration;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleOptions;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleQuery;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleQueryAggregation;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSeverity;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleUpdatePayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRuleQuery;

#[tokio::main]
async fn main() {
    // there is a valid "security_rule" in the system
    let security_rule_id = std::env::var("SECURITY_RULE_ID").unwrap();
    let body = SecurityMonitoringRuleUpdatePayload::new()
        .cases(vec![SecurityMonitoringRuleCase::new()
            .condition("a > 0".to_string())
            .name("".to_string())
            .notifications(vec![])
            .status(SecurityMonitoringRuleSeverity::INFO)])
        .filters(vec![])
        .is_enabled(true)
        .message("Test rule".to_string())
        .name("Example-Security-Monitoring-Updated".to_string())
        .options(
            SecurityMonitoringRuleOptions::new()
                .evaluation_window(SecurityMonitoringRuleEvaluationWindow::FIFTEEN_MINUTES)
                .keep_alive(SecurityMonitoringRuleKeepAlive::ONE_HOUR)
                .max_signal_duration(SecurityMonitoringRuleMaxSignalDuration::ONE_DAY),
        )
        .queries(vec![
            SecurityMonitoringRuleQuery::SecurityMonitoringStandardRuleQuery(Box::new(
                SecurityMonitoringStandardRuleQuery::new()
                    .aggregation(SecurityMonitoringRuleQueryAggregation::COUNT)
                    .distinct_fields(vec![])
                    .group_by_fields(vec![])
                    .metrics(vec![])
                    .query("@test:true".to_string()),
            )),
        ])
        .tags(vec![]);
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .update_security_monitoring_rule(security_rule_id.clone(), body)
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

Instructions

First install the library and its dependencies and then save the example to src/main.rs and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run

/**
 * Update a cloud configuration rule's details returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

// there is a valid "cloud_configuration_rule" in the system
const CLOUD_CONFIGURATION_RULE_ID = process.env
  .CLOUD_CONFIGURATION_RULE_ID as string;

const params: v2.SecurityMonitoringApiUpdateSecurityMonitoringRuleRequest = {
  body: {
    name: "Example-Security-Monitoring_cloud_updated",
    isEnabled: false,
    cases: [
      {
        status: "info",
        notifications: [],
      },
    ],
    options: {
      complianceRuleOptions: {
        resourceType: "gcp_compute_disk",
        regoRule: {
          policy: `package datadog

import data.datadog.output as dd_output

import future.keywords.contains
import future.keywords.if
import future.keywords.in

milliseconds_in_a_day := ((1000 * 60) * 60) * 24

eval(iam_service_account_key) = "skip" if {
	iam_service_account_key.disabled
} else = "pass" if {
	(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90
} else = "fail"

# This part remains unchanged for all rules
results contains result if {
	some resource in input.resources[input.main_resource_type]
	result := dd_output.format(resource, eval(resource))
}
`,
          resourceTypes: ["gcp_compute_disk"],
        },
      },
    },
    message: "ddd",
    tags: [],
    complianceSignalOptions: {
      userActivationStatus: false,
      userGroupByFields: [],
    },
  },
  ruleId: CLOUD_CONFIGURATION_RULE_ID,
};

apiInstance
  .updateSecurityMonitoringRule(params)
  .then((data: v2.SecurityMonitoringRuleResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

/**
 * Update an existing rule returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

// there is a valid "security_rule" in the system
const SECURITY_RULE_ID = process.env.SECURITY_RULE_ID as string;

const params: v2.SecurityMonitoringApiUpdateSecurityMonitoringRuleRequest = {
  body: {
    name: "Example-Security-Monitoring-Updated",
    queries: [
      {
        query: "@test:true",
        aggregation: "count",
        groupByFields: [],
        distinctFields: [],
        metrics: [],
      },
    ],
    filters: [],
    cases: [
      {
        name: "",
        status: "info",
        condition: "a > 0",
        notifications: [],
      },
    ],
    options: {
      evaluationWindow: 900,
      keepAlive: 3600,
      maxSignalDuration: 86400,
    },
    message: "Test rule",
    tags: [],
    isEnabled: true,
  },
  ruleId: SECURITY_RULE_ID,
};

apiInstance
  .updateSecurityMonitoringRule(params)
  .then((data: v2.SecurityMonitoringRuleResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

Delete an existing rule

v2 (latest)

DELETE https://api.ap1.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}https://api.ap2.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}https://api.datadoghq.eu/api/v2/security_monitoring/rules/{rule_id}https://api.ddog-gov.com/api/v2/security_monitoring/rules/{rule_id}https://api.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}https://api.us3.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}https://api.us5.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}

概要

Delete an existing rule. Default rules cannot be deleted. This endpoint requires the security_monitoring_rules_write permission.

OAuth apps require the security_monitoring_rules_write authorization scope to access this endpoint.

引数

パスパラメーター

名前

種類

説明

rule_id [required]

string

The ID of the rule.

応答

Not Authorized

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Found

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

コード例

                  # Path parameters
export rule_id="CHANGE_ME"
# Curl command
curl -X DELETE "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/rules/${rule_id}" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"

                

"""
Delete an existing rule returns "OK" response
"""

from os import environ
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

# there is a valid "security_rule" in the system
SECURITY_RULE_ID = environ["SECURITY_RULE_ID"]

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    api_instance.delete_security_monitoring_rule(
        rule_id=SECURITY_RULE_ID,
    )

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"

# Delete an existing rule returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

# there is a valid "security_rule" in the system
SECURITY_RULE_ID = ENV["SECURITY_RULE_ID"]
api_instance.delete_security_monitoring_rule(SECURITY_RULE_ID)

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"

// Delete an existing rule returns "OK" response

package main

import (
	"context"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	// there is a valid "security_rule" in the system
	SecurityRuleID := os.Getenv("SECURITY_RULE_ID")

	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	r, err := api.DeleteSecurityMonitoringRule(ctx, SecurityRuleID)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.DeleteSecurityMonitoringRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"

// Delete an existing rule returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    // there is a valid "security_rule" in the system
    String SECURITY_RULE_ID = System.getenv("SECURITY_RULE_ID");

    try {
      apiInstance.deleteSecurityMonitoringRule(SECURITY_RULE_ID);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#deleteSecurityMonitoringRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

// Delete an existing rule returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    // there is a valid "security_rule" in the system
    let security_rule_id = std::env::var("SECURITY_RULE_ID").unwrap();
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .delete_security_monitoring_rule(security_rule_id.clone())
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

Instructions

First install the library and its dependencies and then save the example to src/main.rs and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run

/**
 * Delete an existing rule returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

// there is a valid "security_rule" in the system
const SECURITY_RULE_ID = process.env.SECURITY_RULE_ID as string;

const params: v2.SecurityMonitoringApiDeleteSecurityMonitoringRuleRequest = {
  ruleId: SECURITY_RULE_ID,
};

apiInstance
  .deleteSecurityMonitoringRule(params)
  .then((data: any) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

Test an existing rule

v2 (latest)

POST https://api.ap1.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}/testhttps://api.ap2.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}/testhttps://api.datadoghq.eu/api/v2/security_monitoring/rules/{rule_id}/testhttps://api.ddog-gov.com/api/v2/security_monitoring/rules/{rule_id}/testhttps://api.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}/testhttps://api.us3.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}/testhttps://api.us5.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}/test

概要

Test an existing rule. This endpoint requires the security_monitoring_rules_write permission.

OAuth apps require the security_monitoring_rules_write authorization scope to access this endpoint.

引数

パスパラメーター

名前

種類

説明

rule_id [required]

string

The ID of the rule.

リクエスト

Body Data (required)

Expand All

フィールド

種類

説明

rule

<oneOf>

Test a rule.

Option 1

object

The payload of a rule to test

options [required]

object

Options.

ruleQueryPayloads

[object]

Data payloads used to test rules query with the expected result.

{
  "rule": {
    "calculatedFields": [
      {
        "expression": "@request_end_timestamp - @request_start_timestamp",
        "name": "response_time"
      }
    ],
    "cases": [
      {
        "actions": [
          {
            "options": {
              "duration": 0,
              "flaggedIPType": "FLAGGED",
              "userBehaviorName": "string"
            },
            "type": "string"
          }
        ],
        "condition": "string",
        "name": "string",
        "notifications": [],
        "status": "critical"
      }
    ],
    "filters": [
      {
        "action": "string",
        "query": "string"
      }
    ],
    "groupSignalsBy": [
      "service"
    ],
    "hasExtendedTitle": true,
    "isEnabled": true,
    "message": "",
    "name": "My security monitoring rule.",
    "options": {
      "anomalyDetectionOptions": {
        "bucketDuration": 300,
        "detectionTolerance": 5,
        "learningDuration": "integer",
        "learningPeriodBaseline": "integer"
      },
      "complianceRuleOptions": {
        "complexRule": false,
        "regoRule": {
          "policy": "package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(resource) = \"skip\" if {\n  # Logic that evaluates to true if the resource should be skipped\n  true\n} else = \"pass\" {\n  # Logic that evaluates to true if the resource is compliant\n  true\n} else = \"fail\" {\n  # Logic that evaluates to true if the resource is not compliant\n  true\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n  some resource in input.resources[input.main_resource_type]\n  result := dd_output.format(resource, eval(resource))\n}",
          "resourceTypes": [
            "gcp_iam_service_account",
            "gcp_iam_policy"
          ]
        },
        "resourceType": "aws_acm"
      },
      "decreaseCriticalityBasedOnEnv": false,
      "detectionMethod": "string",
      "evaluationWindow": "integer",
      "hardcodedEvaluatorType": "string",
      "impossibleTravelOptions": {
        "baselineUserLocations": true
      },
      "keepAlive": "integer",
      "maxSignalDuration": "integer",
      "newValueOptions": {
        "forgetAfter": "integer",
        "instantaneousBaseline": false,
        "learningDuration": "integer",
        "learningMethod": "string",
        "learningThreshold": "integer"
      },
      "sequenceDetectionOptions": {
        "stepTransitions": [
          {
            "child": "string",
            "evaluationWindow": "integer",
            "parent": "string"
          }
        ],
        "steps": [
          {
            "condition": "string",
            "evaluationWindow": "integer",
            "name": "string"
          }
        ]
      },
      "thirdPartyRuleOptions": {
        "defaultNotifications": [],
        "defaultStatus": "critical",
        "rootQueries": [
          {
            "groupByFields": [],
            "query": "source:cloudtrail"
          }
        ],
        "signalTitleTemplate": "string"
      }
    },
    "queries": [
      {
        "aggregation": "string",
        "customQueryExtension": "a > 3",
        "dataSource": "logs",
        "distinctFields": [],
        "groupByFields": [],
        "hasOptionalGroupByFields": false,
        "index": "string",
        "indexes": [],
        "metric": "string",
        "metrics": [],
        "name": "string",
        "query": "a > 3"
      }
    ],
    "referenceTables": [
      {
        "checkPresence": false,
        "columnName": "string",
        "logFieldPath": "string",
        "ruleQueryName": "string",
        "tableName": "string"
      }
    ],
    "schedulingOptions": {
      "rrule": "FREQ=HOURLY;INTERVAL=1;",
      "start": "2025-07-14T12:00:00",
      "timezone": "America/New_York"
    },
    "tags": [
      "env:prod",
      "team:security"
    ],
    "thirdPartyCases": [
      {
        "name": "string",
        "notifications": [],
        "query": "string",
        "status": "critical"
      }
    ],
    "type": "string"
  },
  "ruleQueryPayloads": [
    {
      "expectedResult": true,
      "index": 0,
      "payload": {
        "ddsource": "nginx",
        "ddtags": "env:staging,version:5.1",
        "hostname": "i-012345678",
        "message": "2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World",
        "service": "payment"
      }
    }
  ]
}

応答

Result of the test of the rule queries.

Expand All

フィールド

種類

説明

results

[boolean]

Assert results are returned in the same order as the rule query payloads. For each payload, it returns True if the result matched the expected result, False otherwise.

{
  "results": []
}

Bad Request

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Concurrent Modification

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Authorized

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Found

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

コード例

                  # Path parameters
export rule_id="CHANGE_ME"
# Curl command
curl -X POST "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/rules/${rule_id}/test" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "rule": {
    "calculatedFields": [
      {
        "expression": "@request_end_timestamp - @request_start_timestamp",
        "name": "response_time"
      }
    ],
    "cases": [
      {
        "status": "critical"
      }
    ],
    "options": {
      "complianceRuleOptions": {
        "regoRule": {
          "policy": "package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(resource) = \"skip\" if {\n  # Logic that evaluates to true if the resource should be skipped\n  true\n} else = \"pass\" {\n  # Logic that evaluates to true if the resource is compliant\n  true\n} else = \"fail\" {\n  # Logic that evaluates to true if the resource is not compliant\n  true\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n  some resource in input.resources[input.main_resource_type]\n  result := dd_output.format(resource, eval(resource))\n}",
          "resourceTypes": [
            "gcp_iam_service_account",
            "gcp_iam_policy"
          ]
        }
      }
    },
    "thirdPartyCases": [
      {
        "status": "critical"
      }
    ]
  }
}
EOF

                

"""
Test an existing rule returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_rule_query_payload import SecurityMonitoringRuleQueryPayload
from datadog_api_client.v2.model.security_monitoring_rule_query_payload_data import (
    SecurityMonitoringRuleQueryPayloadData,
)
from datadog_api_client.v2.model.security_monitoring_rule_test_request import SecurityMonitoringRuleTestRequest

body = SecurityMonitoringRuleTestRequest(
    rule_query_payloads=[
        SecurityMonitoringRuleQueryPayload(
            expected_result=True,
            index=0,
            payload=SecurityMonitoringRuleQueryPayloadData(
                ddsource="nginx",
                ddtags="env:staging,version:5.1",
                hostname="i-012345678",
                message="2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World",
                service="payment",
            ),
        ),
    ],
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.test_existing_security_monitoring_rule(rule_id="rule_id", body=body)

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"

# Test an existing rule returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::SecurityMonitoringRuleTestRequest.new({
  rule_query_payloads: [
    DatadogAPIClient::V2::SecurityMonitoringRuleQueryPayload.new({
      expected_result: true,
      index: 0,
      payload: DatadogAPIClient::V2::SecurityMonitoringRuleQueryPayloadData.new({
        ddsource: "nginx",
        ddtags: "env:staging,version:5.1",
        hostname: "i-012345678",
        message: "2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World",
        service: "payment",
      }),
    }),
  ],
})
p api_instance.test_existing_security_monitoring_rule("rule_id", body)

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"

// Test an existing rule returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.SecurityMonitoringRuleTestRequest{
		RuleQueryPayloads: []datadogV2.SecurityMonitoringRuleQueryPayload{
			{
				ExpectedResult: datadog.PtrBool(true),
				Index:          datadog.PtrInt64(0),
				Payload: &datadogV2.SecurityMonitoringRuleQueryPayloadData{
					Ddsource: datadog.PtrString("nginx"),
					Ddtags:   datadog.PtrString("env:staging,version:5.1"),
					Hostname: datadog.PtrString("i-012345678"),
					Message:  datadog.PtrString("2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World"),
					Service:  datadog.PtrString("payment"),
				},
			},
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.TestExistingSecurityMonitoringRule(ctx, "rule_id", body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.TestExistingSecurityMonitoringRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.TestExistingSecurityMonitoringRule`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"

// Test an existing rule returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleQueryPayload;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleQueryPayloadData;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleTestRequest;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleTestResponse;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SecurityMonitoringRuleTestRequest body =
        new SecurityMonitoringRuleTestRequest()
            .ruleQueryPayloads(
                Collections.singletonList(
                    new SecurityMonitoringRuleQueryPayload()
                        .expectedResult(true)
                        .index(0L)
                        .payload(
                            new SecurityMonitoringRuleQueryPayloadData()
                                .ddsource("nginx")
                                .ddtags("env:staging,version:5.1")
                                .hostname("i-012345678")
                                .message(
                                    "2019-11-19T14:37:58,995 INFO [process.name][20081] Hello"
                                        + " World")
                                .service("payment"))));

    try {
      SecurityMonitoringRuleTestResponse result =
          apiInstance.testExistingSecurityMonitoringRule("rule_id", body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#testExistingSecurityMonitoringRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

// Test an existing rule returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleQueryPayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleQueryPayloadData;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleTestRequest;

#[tokio::main]
async fn main() {
    let body = SecurityMonitoringRuleTestRequest::new().rule_query_payloads(vec![
        SecurityMonitoringRuleQueryPayload::new()
            .expected_result(true)
            .index(0)
            .payload(
                SecurityMonitoringRuleQueryPayloadData::new()
                    .ddsource("nginx".to_string())
                    .ddtags("env:staging,version:5.1".to_string())
                    .hostname("i-012345678".to_string())
                    .message(
                        "2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World"
                            .to_string(),
                    )
                    .service("payment".to_string()),
            ),
    ]);
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .test_existing_security_monitoring_rule("rule_id".to_string(), body)
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

Instructions

First install the library and its dependencies and then save the example to src/main.rs and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run

/**
 * Test an existing rule returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiTestExistingSecurityMonitoringRuleRequest =
  {
    body: {
      ruleQueryPayloads: [
        {
          expectedResult: true,
          index: 0,
          payload: {
            ddsource: "nginx",
            ddtags: "env:staging,version:5.1",
            hostname: "i-012345678",
            message:
              "2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World",
            service: "payment",
          },
        },
      ],
    },
    ruleId: "rule_id",
  };

apiInstance
  .testExistingSecurityMonitoringRule(params)
  .then((data: v2.SecurityMonitoringRuleTestResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

Test a rule

v2 (latest)

POST https://api.ap1.datadoghq.com/api/v2/security_monitoring/rules/testhttps://api.ap2.datadoghq.com/api/v2/security_monitoring/rules/testhttps://api.datadoghq.eu/api/v2/security_monitoring/rules/testhttps://api.ddog-gov.com/api/v2/security_monitoring/rules/testhttps://api.datadoghq.com/api/v2/security_monitoring/rules/testhttps://api.us3.datadoghq.com/api/v2/security_monitoring/rules/testhttps://api.us5.datadoghq.com/api/v2/security_monitoring/rules/test

概要

Test a rule. This endpoint requires the security_monitoring_rules_write permission.

OAuth apps require the security_monitoring_rules_write authorization scope to access this endpoint.

リクエスト

Body Data (required)

Expand All

フィールド

種類

説明

rule

<oneOf>

Test a rule.

Option 1

object

The payload of a rule to test

options [required]

object

Options.

ruleQueryPayloads

[object]

Data payloads used to test rules query with the expected result.

{
  "rule": {
    "cases": [
      {
        "name": "",
        "status": "info",
        "notifications": [],
        "condition": "a > 0"
      }
    ],
    "hasExtendedTitle": true,
    "isEnabled": true,
    "message": "My security monitoring rule message.",
    "name": "My security monitoring rule.",
    "options": {
      "decreaseCriticalityBasedOnEnv": false,
      "detectionMethod": "threshold",
      "evaluationWindow": 0,
      "keepAlive": 0,
      "maxSignalDuration": 0
    },
    "queries": [
      {
        "query": "source:source_here",
        "groupByFields": [
          "@userIdentity.assumed_role"
        ],
        "distinctFields": [],
        "aggregation": "count",
        "name": ""
      }
    ],
    "tags": [
      "env:prod",
      "team:security"
    ],
    "type": "log_detection"
  },
  "ruleQueryPayloads": [
    {
      "expectedResult": true,
      "index": 0,
      "payload": {
        "ddsource": "source_here",
        "ddtags": "env:staging,version:5.1",
        "hostname": "i-012345678",
        "message": "2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World",
        "service": "payment",
        "userIdentity": {
          "assumed_role": "fake assumed_role"
        }
      }
    }
  ]
}

応答

Result of the test of the rule queries.

Expand All

フィールド

種類

説明

results

[boolean]

Assert results are returned in the same order as the rule query payloads. For each payload, it returns True if the result matched the expected result, False otherwise.

{
  "results": []
}

Bad Request

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Concurrent Modification

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Authorized

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Found

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

コード例

                          # Curl command
curl -X POST "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/rules/test" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "rule": {
    "cases": [
      {
        "name": "",
        "status": "info",
        "notifications": [],
        "condition": "a > 0"
      }
    ],
    "hasExtendedTitle": true,
    "isEnabled": true,
    "message": "My security monitoring rule message.",
    "name": "My security monitoring rule.",
    "options": {
      "decreaseCriticalityBasedOnEnv": false,
      "detectionMethod": "threshold",
      "evaluationWindow": 0,
      "keepAlive": 0,
      "maxSignalDuration": 0
    },
    "queries": [
      {
        "query": "source:source_here",
        "groupByFields": [
          "@userIdentity.assumed_role"
        ],
        "distinctFields": [],
        "aggregation": "count",
        "name": ""
      }
    ],
    "tags": [
      "env:prod",
      "team:security"
    ],
    "type": "log_detection"
  },
  "ruleQueryPayloads": [
    {
      "expectedResult": true,
      "index": 0,
      "payload": {
        "ddsource": "source_here",
        "ddtags": "env:staging,version:5.1",
        "hostname": "i-012345678",
        "message": "2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World",
        "service": "payment",
        "userIdentity": {
          "assumed_role": "fake assumed_role"
        }
      }
    }
  ]
}
EOF

                        

// Test a rule returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.SecurityMonitoringRuleTestRequest{
		Rule: &datadogV2.SecurityMonitoringRuleTestPayload{
			SecurityMonitoringStandardRuleTestPayload: &datadogV2.SecurityMonitoringStandardRuleTestPayload{
				Cases: []datadogV2.SecurityMonitoringRuleCaseCreate{
					{
						Name:          datadog.PtrString(""),
						Status:        datadogV2.SECURITYMONITORINGRULESEVERITY_INFO,
						Notifications: []string{},
						Condition:     datadog.PtrString("a > 0"),
					},
				},
				HasExtendedTitle: datadog.PtrBool(true),
				IsEnabled:        true,
				Message:          "My security monitoring rule message.",
				Name:             "My security monitoring rule.",
				Options: datadogV2.SecurityMonitoringRuleOptions{
					DecreaseCriticalityBasedOnEnv: datadog.PtrBool(false),
					DetectionMethod:               datadogV2.SECURITYMONITORINGRULEDETECTIONMETHOD_THRESHOLD.Ptr(),
					EvaluationWindow:              datadogV2.SECURITYMONITORINGRULEEVALUATIONWINDOW_ZERO_MINUTES.Ptr(),
					KeepAlive:                     datadogV2.SECURITYMONITORINGRULEKEEPALIVE_ZERO_MINUTES.Ptr(),
					MaxSignalDuration:             datadogV2.SECURITYMONITORINGRULEMAXSIGNALDURATION_ZERO_MINUTES.Ptr(),
				},
				Queries: []datadogV2.SecurityMonitoringStandardRuleQuery{
					{
						Query: datadog.PtrString("source:source_here"),
						GroupByFields: []string{
							"@userIdentity.assumed_role",
						},
						DistinctFields: []string{},
						Aggregation:    datadogV2.SECURITYMONITORINGRULEQUERYAGGREGATION_COUNT.Ptr(),
						Name:           datadog.PtrString(""),
					},
				},
				Tags: []string{
					"env:prod",
					"team:security",
				},
				Type: datadogV2.SECURITYMONITORINGRULETYPETEST_LOG_DETECTION.Ptr(),
			}},
		RuleQueryPayloads: []datadogV2.SecurityMonitoringRuleQueryPayload{
			{
				ExpectedResult: datadog.PtrBool(true),
				Index:          datadog.PtrInt64(0),
				Payload: &datadogV2.SecurityMonitoringRuleQueryPayloadData{
					Ddsource: datadog.PtrString("source_here"),
					Ddtags:   datadog.PtrString("env:staging,version:5.1"),
					Hostname: datadog.PtrString("i-012345678"),
					Message:  datadog.PtrString("2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World"),
					Service:  datadog.PtrString("payment"),
				},
			},
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.TestSecurityMonitoringRule(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.TestSecurityMonitoringRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.TestSecurityMonitoringRule`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"

// Test a rule returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCaseCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleDetectionMethod;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleEvaluationWindow;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleKeepAlive;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleMaxSignalDuration;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleOptions;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleQueryAggregation;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleQueryPayload;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleQueryPayloadData;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSeverity;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleTestPayload;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleTestRequest;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleTestResponse;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleTypeTest;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRuleQuery;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRuleTestPayload;
import java.util.Arrays;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SecurityMonitoringRuleTestRequest body =
        new SecurityMonitoringRuleTestRequest()
            .rule(
                new SecurityMonitoringRuleTestPayload(
                    new SecurityMonitoringStandardRuleTestPayload()
                        .cases(
                            Collections.singletonList(
                                new SecurityMonitoringRuleCaseCreate()
                                    .name("")
                                    .status(SecurityMonitoringRuleSeverity.INFO)
                                    .condition("a > 0")))
                        .hasExtendedTitle(true)
                        .isEnabled(true)
                        .message("My security monitoring rule message.")
                        .name("My security monitoring rule.")
                        .options(
                            new SecurityMonitoringRuleOptions()
                                .decreaseCriticalityBasedOnEnv(false)
                                .detectionMethod(SecurityMonitoringRuleDetectionMethod.THRESHOLD)
                                .evaluationWindow(
                                    SecurityMonitoringRuleEvaluationWindow.ZERO_MINUTES)
                                .keepAlive(SecurityMonitoringRuleKeepAlive.ZERO_MINUTES)
                                .maxSignalDuration(
                                    SecurityMonitoringRuleMaxSignalDuration.ZERO_MINUTES))
                        .queries(
                            Collections.singletonList(
                                new SecurityMonitoringStandardRuleQuery()
                                    .query("source:source_here")
                                    .groupByFields(
                                        Collections.singletonList("@userIdentity.assumed_role"))
                                    .aggregation(SecurityMonitoringRuleQueryAggregation.COUNT)
                                    .name("")))
                        .tags(Arrays.asList("env:prod", "team:security"))
                        .type(SecurityMonitoringRuleTypeTest.LOG_DETECTION)))
            .ruleQueryPayloads(
                Collections.singletonList(
                    new SecurityMonitoringRuleQueryPayload()
                        .expectedResult(true)
                        .index(0L)
                        .payload(
                            new SecurityMonitoringRuleQueryPayloadData()
                                .ddsource("source_here")
                                .ddtags("env:staging,version:5.1")
                                .hostname("i-012345678")
                                .message(
                                    "2019-11-19T14:37:58,995 INFO [process.name][20081] Hello"
                                        + " World")
                                .service("payment"))));

    try {
      SecurityMonitoringRuleTestResponse result = apiInstance.testSecurityMonitoringRule(body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#testSecurityMonitoringRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

"""
Test a rule returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_rule_case_create import SecurityMonitoringRuleCaseCreate
from datadog_api_client.v2.model.security_monitoring_rule_detection_method import SecurityMonitoringRuleDetectionMethod
from datadog_api_client.v2.model.security_monitoring_rule_evaluation_window import (
    SecurityMonitoringRuleEvaluationWindow,
)
from datadog_api_client.v2.model.security_monitoring_rule_keep_alive import SecurityMonitoringRuleKeepAlive
from datadog_api_client.v2.model.security_monitoring_rule_max_signal_duration import (
    SecurityMonitoringRuleMaxSignalDuration,
)
from datadog_api_client.v2.model.security_monitoring_rule_options import SecurityMonitoringRuleOptions
from datadog_api_client.v2.model.security_monitoring_rule_query_aggregation import (
    SecurityMonitoringRuleQueryAggregation,
)
from datadog_api_client.v2.model.security_monitoring_rule_query_payload import SecurityMonitoringRuleQueryPayload
from datadog_api_client.v2.model.security_monitoring_rule_query_payload_data import (
    SecurityMonitoringRuleQueryPayloadData,
)
from datadog_api_client.v2.model.security_monitoring_rule_severity import SecurityMonitoringRuleSeverity
from datadog_api_client.v2.model.security_monitoring_rule_test_request import SecurityMonitoringRuleTestRequest
from datadog_api_client.v2.model.security_monitoring_rule_type_test import SecurityMonitoringRuleTypeTest
from datadog_api_client.v2.model.security_monitoring_standard_rule_query import SecurityMonitoringStandardRuleQuery
from datadog_api_client.v2.model.security_monitoring_standard_rule_test_payload import (
    SecurityMonitoringStandardRuleTestPayload,
)

body = SecurityMonitoringRuleTestRequest(
    rule=SecurityMonitoringStandardRuleTestPayload(
        cases=[
            SecurityMonitoringRuleCaseCreate(
                name="",
                status=SecurityMonitoringRuleSeverity.INFO,
                notifications=[],
                condition="a > 0",
            ),
        ],
        has_extended_title=True,
        is_enabled=True,
        message="My security monitoring rule message.",
        name="My security monitoring rule.",
        options=SecurityMonitoringRuleOptions(
            decrease_criticality_based_on_env=False,
            detection_method=SecurityMonitoringRuleDetectionMethod.THRESHOLD,
            evaluation_window=SecurityMonitoringRuleEvaluationWindow.ZERO_MINUTES,
            keep_alive=SecurityMonitoringRuleKeepAlive.ZERO_MINUTES,
            max_signal_duration=SecurityMonitoringRuleMaxSignalDuration.ZERO_MINUTES,
        ),
        queries=[
            SecurityMonitoringStandardRuleQuery(
                query="source:source_here",
                group_by_fields=[
                    "@userIdentity.assumed_role",
                ],
                distinct_fields=[],
                aggregation=SecurityMonitoringRuleQueryAggregation.COUNT,
                name="",
            ),
        ],
        tags=[
            "env:prod",
            "team:security",
        ],
        type=SecurityMonitoringRuleTypeTest.LOG_DETECTION,
    ),
    rule_query_payloads=[
        SecurityMonitoringRuleQueryPayload(
            expected_result=True,
            index=0,
            payload=SecurityMonitoringRuleQueryPayloadData(
                ddsource="source_here",
                ddtags="env:staging,version:5.1",
                hostname="i-012345678",
                message="2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World",
                service="payment",
                user_identity=dict([("assumed_role", "fake assumed_role")]),
            ),
        ),
    ],
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.test_security_monitoring_rule(body=body)

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"

# Test a rule returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::SecurityMonitoringRuleTestRequest.new({
  rule: DatadogAPIClient::V2::SecurityMonitoringStandardRuleTestPayload.new({
    cases: [
      DatadogAPIClient::V2::SecurityMonitoringRuleCaseCreate.new({
        name: "",
        status: DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::INFO,
        notifications: [],
        condition: "a > 0",
      }),
    ],
    has_extended_title: true,
    is_enabled: true,
    message: "My security monitoring rule message.",
    name: "My security monitoring rule.",
    options: DatadogAPIClient::V2::SecurityMonitoringRuleOptions.new({
      decrease_criticality_based_on_env: false,
      detection_method: DatadogAPIClient::V2::SecurityMonitoringRuleDetectionMethod::THRESHOLD,
      evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::ZERO_MINUTES,
      keep_alive: DatadogAPIClient::V2::SecurityMonitoringRuleKeepAlive::ZERO_MINUTES,
      max_signal_duration: DatadogAPIClient::V2::SecurityMonitoringRuleMaxSignalDuration::ZERO_MINUTES,
    }),
    queries: [
      DatadogAPIClient::V2::SecurityMonitoringStandardRuleQuery.new({
        query: "source:source_here",
        group_by_fields: [
          "@userIdentity.assumed_role",
        ],
        distinct_fields: [],
        aggregation: DatadogAPIClient::V2::SecurityMonitoringRuleQueryAggregation::COUNT,
        name: "",
      }),
    ],
    tags: [
      "env:prod",
      "team:security",
    ],
    type: DatadogAPIClient::V2::SecurityMonitoringRuleTypeTest::LOG_DETECTION,
  }),
  rule_query_payloads: [
    DatadogAPIClient::V2::SecurityMonitoringRuleQueryPayload.new({
      expected_result: true,
      index: 0,
      payload: DatadogAPIClient::V2::SecurityMonitoringRuleQueryPayloadData.new({
        ddsource: "source_here",
        ddtags: "env:staging,version:5.1",
        hostname: "i-012345678",
        message: "2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World",
        service: "payment",
      }),
    }),
  ],
})
p api_instance.test_security_monitoring_rule(body)

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"

// Test a rule returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleCaseCreate;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleDetectionMethod;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleEvaluationWindow;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleKeepAlive;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleMaxSignalDuration;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleOptions;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleQueryAggregation;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleQueryPayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleQueryPayloadData;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSeverity;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleTestPayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleTestRequest;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleTypeTest;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRuleQuery;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRuleTestPayload;

#[tokio::main]
async fn main() {
    let body = SecurityMonitoringRuleTestRequest::new()
        .rule(
            SecurityMonitoringRuleTestPayload::SecurityMonitoringStandardRuleTestPayload(Box::new(
                SecurityMonitoringStandardRuleTestPayload::new(
                    vec![SecurityMonitoringRuleCaseCreate::new(
                        SecurityMonitoringRuleSeverity::INFO,
                    )
                    .condition("a > 0".to_string())
                    .name("".to_string())
                    .notifications(vec![])],
                    true,
                    "My security monitoring rule message.".to_string(),
                    "My security monitoring rule.".to_string(),
                    SecurityMonitoringRuleOptions::new()
                        .decrease_criticality_based_on_env(false)
                        .detection_method(SecurityMonitoringRuleDetectionMethod::THRESHOLD)
                        .evaluation_window(SecurityMonitoringRuleEvaluationWindow::ZERO_MINUTES)
                        .keep_alive(SecurityMonitoringRuleKeepAlive::ZERO_MINUTES)
                        .max_signal_duration(SecurityMonitoringRuleMaxSignalDuration::ZERO_MINUTES),
                    vec![SecurityMonitoringStandardRuleQuery::new()
                        .aggregation(SecurityMonitoringRuleQueryAggregation::COUNT)
                        .distinct_fields(vec![])
                        .group_by_fields(vec!["@userIdentity.assumed_role".to_string()])
                        .name("".to_string())
                        .query("source:source_here".to_string())],
                )
                .has_extended_title(true)
                .tags(vec!["env:prod".to_string(), "team:security".to_string()])
                .type_(SecurityMonitoringRuleTypeTest::LOG_DETECTION),
            )),
        )
        .rule_query_payloads(vec![SecurityMonitoringRuleQueryPayload::new()
            .expected_result(true)
            .index(0)
            .payload(
                SecurityMonitoringRuleQueryPayloadData::new()
                    .ddsource("source_here".to_string())
                    .ddtags("env:staging,version:5.1".to_string())
                    .hostname("i-012345678".to_string())
                    .message(
                        "2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World"
                            .to_string(),
                    )
                    .service("payment".to_string()),
            )]);
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.test_security_monitoring_rule(body).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

Instructions

First install the library and its dependencies and then save the example to src/main.rs and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run

/**
 * Test a rule returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiTestSecurityMonitoringRuleRequest = {
  body: {
    rule: {
      cases: [
        {
          name: "",
          status: "info",
          notifications: [],
          condition: "a > 0",
        },
      ],
      hasExtendedTitle: true,
      isEnabled: true,
      message: "My security monitoring rule message.",
      name: "My security monitoring rule.",
      options: {
        decreaseCriticalityBasedOnEnv: false,
        detectionMethod: "threshold",
        evaluationWindow: 0,
        keepAlive: 0,
        maxSignalDuration: 0,
      },
      queries: [
        {
          query: "source:source_here",
          groupByFields: ["@userIdentity.assumed_role"],
          distinctFields: [],
          aggregation: "count",
          name: "",
        },
      ],
      tags: ["env:prod", "team:security"],
      type: "log_detection",
    },
    ruleQueryPayloads: [
      {
        expectedResult: true,
        index: 0,
        payload: {
          ddsource: "source_here",
          ddtags: "env:staging,version:5.1",
          hostname: "i-012345678",
          message:
            "2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World",
          service: "payment",
        },
      },
    ],
  },
};

apiInstance
  .testSecurityMonitoringRule(params)
  .then((data: v2.SecurityMonitoringRuleTestResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

Validate a detection rule

v2 (latest)

POST https://api.ap1.datadoghq.com/api/v2/security_monitoring/rules/validationhttps://api.ap2.datadoghq.com/api/v2/security_monitoring/rules/validationhttps://api.datadoghq.eu/api/v2/security_monitoring/rules/validationhttps://api.ddog-gov.com/api/v2/security_monitoring/rules/validationhttps://api.datadoghq.com/api/v2/security_monitoring/rules/validationhttps://api.us3.datadoghq.com/api/v2/security_monitoring/rules/validationhttps://api.us5.datadoghq.com/api/v2/security_monitoring/rules/validation

概要

Validate a detection rule. This endpoint requires the security_monitoring_rules_write permission.

OAuth apps require the security_monitoring_rules_write authorization scope to access this endpoint.

リクエスト

Body Data (required)

Expand All

フィールド

種類

説明

Option 1

object

The payload of a rule.

options [required]

object

Options.

Option 2

object

The payload of a signal correlation rule.

options [required]

object

Options.

Option 3

object

The payload of a cloud configuration rule.

{
  "cases": [
    {
      "name": "",
      "status": "info",
      "notifications": [],
      "condition": "a > 0"
    }
  ],
  "hasExtendedTitle": true,
  "isEnabled": true,
  "message": "My security monitoring rule",
  "name": "My security monitoring rule",
  "options": {
    "evaluationWindow": 1800,
    "keepAlive": 1800,
    "maxSignalDuration": 1800,
    "detectionMethod": "threshold"
  },
  "queries": [
    {
      "query": "source:source_here",
      "groupByFields": [
        "@userIdentity.assumed_role"
      ],
      "distinctFields": [],
      "aggregation": "count",
      "name": ""
    }
  ],
  "tags": [
    "env:prod",
    "team:security"
  ],
  "type": "log_detection"
}
{
  "cases": [
    {
      "name": "",
      "status": "info",
      "notifications": []
    }
  ],
  "hasExtendedTitle": true,
  "isEnabled": true,
  "message": "My security monitoring rule",
  "name": "My security monitoring rule",
  "options": {
    "evaluationWindow": 0,
    "keepAlive": 300,
    "maxSignalDuration": 600,
    "detectionMethod": "new_value",
    "newValueOptions": {
      "forgetAfter": 7,
      "instantaneousBaseline": true,
      "learningDuration": 1,
      "learningThreshold": 0,
      "learningMethod": "duration"
    }
  },
  "queries": [
    {
      "query": "source:source_here",
      "groupByFields": [
        "@userIdentity.assumed_role"
      ],
      "distinctFields": [],
      "metric": "name",
      "metrics": [
        "name"
      ],
      "aggregation": "new_value",
      "name": "",
      "dataSource": "logs"
    }
  ],
  "tags": [
    "env:prod",
    "team:security"
  ],
  "type": "log_detection"
}
{
  "cases": [
    {
      "name": "",
      "status": "info",
      "notifications": [],
      "condition": "step_b > 0"
    }
  ],
  "hasExtendedTitle": true,
  "isEnabled": true,
  "message": "My security monitoring rule",
  "name": "My security monitoring rule",
  "options": {
    "evaluationWindow": 0,
    "keepAlive": 300,
    "maxSignalDuration": 600,
    "detectionMethod": "sequence_detection",
    "sequenceDetectionOptions": {
      "stepTransitions": [
        {
          "child": "step_b",
          "evaluationWindow": 900,
          "parent": "step_a"
        }
      ],
      "steps": [
        {
          "condition": "a > 0",
          "evaluationWindow": 60,
          "name": "step_a"
        },
        {
          "condition": "b > 0",
          "evaluationWindow": 60,
          "name": "step_b"
        }
      ]
    }
  },
  "queries": [
    {
      "query": "source:source_here",
      "groupByFields": [
        "@userIdentity.assumed_role"
      ],
      "distinctFields": [],
      "aggregation": "count",
      "name": ""
    },
    {
      "query": "source:source_here2",
      "groupByFields": [],
      "distinctFields": [],
      "aggregation": "count",
      "name": ""
    }
  ],
  "tags": [
    "env:prod",
    "team:security"
  ],
  "type": "log_detection"
}

応答

Bad Request

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Authorized

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

コード例

                          # Curl command
curl -X POST "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/rules/validation" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "cases": [
    {
      "name": "",
      "status": "info",
      "notifications": [],
      "condition": "a > 0"
    }
  ],
  "hasExtendedTitle": true,
  "isEnabled": true,
  "message": "My security monitoring rule",
  "name": "My security monitoring rule",
  "options": {
    "evaluationWindow": 1800,
    "keepAlive": 1800,
    "maxSignalDuration": 1800,
    "detectionMethod": "threshold"
  },
  "queries": [
    {
      "query": "source:source_here",
      "groupByFields": [
        "@userIdentity.assumed_role"
      ],
      "distinctFields": [],
      "aggregation": "count",
      "name": ""
    }
  ],
  "tags": [
    "env:prod",
    "team:security"
  ],
  "type": "log_detection"
}
EOF

                        
                          # Curl command
curl -X POST "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/rules/validation" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "cases": [
    {
      "name": "",
      "status": "info",
      "notifications": []
    }
  ],
  "hasExtendedTitle": true,
  "isEnabled": true,
  "message": "My security monitoring rule",
  "name": "My security monitoring rule",
  "options": {
    "evaluationWindow": 0,
    "keepAlive": 300,
    "maxSignalDuration": 600,
    "detectionMethod": "new_value",
    "newValueOptions": {
      "forgetAfter": 7,
      "instantaneousBaseline": true,
      "learningDuration": 1,
      "learningThreshold": 0,
      "learningMethod": "duration"
    }
  },
  "queries": [
    {
      "query": "source:source_here",
      "groupByFields": [
        "@userIdentity.assumed_role"
      ],
      "distinctFields": [],
      "metric": "name",
      "metrics": [
        "name"
      ],
      "aggregation": "new_value",
      "name": "",
      "dataSource": "logs"
    }
  ],
  "tags": [
    "env:prod",
    "team:security"
  ],
  "type": "log_detection"
}
EOF

                        
                          # Curl command
curl -X POST "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/rules/validation" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "cases": [
    {
      "name": "",
      "status": "info",
      "notifications": [],
      "condition": "step_b > 0"
    }
  ],
  "hasExtendedTitle": true,
  "isEnabled": true,
  "message": "My security monitoring rule",
  "name": "My security monitoring rule",
  "options": {
    "evaluationWindow": 0,
    "keepAlive": 300,
    "maxSignalDuration": 600,
    "detectionMethod": "sequence_detection",
    "sequenceDetectionOptions": {
      "stepTransitions": [
        {
          "child": "step_b",
          "evaluationWindow": 900,
          "parent": "step_a"
        }
      ],
      "steps": [
        {
          "condition": "a > 0",
          "evaluationWindow": 60,
          "name": "step_a"
        },
        {
          "condition": "b > 0",
          "evaluationWindow": 60,
          "name": "step_b"
        }
      ]
    }
  },
  "queries": [
    {
      "query": "source:source_here",
      "groupByFields": [
        "@userIdentity.assumed_role"
      ],
      "distinctFields": [],
      "aggregation": "count",
      "name": ""
    },
    {
      "query": "source:source_here2",
      "groupByFields": [],
      "distinctFields": [],
      "aggregation": "count",
      "name": ""
    }
  ],
  "tags": [
    "env:prod",
    "team:security"
  ],
  "type": "log_detection"
}
EOF

                        

// Validate a detection rule returns "OK" response

package main

import (
	"context"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.SecurityMonitoringRuleValidatePayload{
		SecurityMonitoringStandardRulePayload: &datadogV2.SecurityMonitoringStandardRulePayload{
			Cases: []datadogV2.SecurityMonitoringRuleCaseCreate{
				{
					Name:          datadog.PtrString(""),
					Status:        datadogV2.SECURITYMONITORINGRULESEVERITY_INFO,
					Notifications: []string{},
					Condition:     datadog.PtrString("a > 0"),
				},
			},
			HasExtendedTitle: datadog.PtrBool(true),
			IsEnabled:        true,
			Message:          "My security monitoring rule",
			Name:             "My security monitoring rule",
			Options: datadogV2.SecurityMonitoringRuleOptions{
				EvaluationWindow:  datadogV2.SECURITYMONITORINGRULEEVALUATIONWINDOW_THIRTY_MINUTES.Ptr(),
				KeepAlive:         datadogV2.SECURITYMONITORINGRULEKEEPALIVE_THIRTY_MINUTES.Ptr(),
				MaxSignalDuration: datadogV2.SECURITYMONITORINGRULEMAXSIGNALDURATION_THIRTY_MINUTES.Ptr(),
				DetectionMethod:   datadogV2.SECURITYMONITORINGRULEDETECTIONMETHOD_THRESHOLD.Ptr(),
			},
			Queries: []datadogV2.SecurityMonitoringStandardRuleQuery{
				{
					Query: datadog.PtrString("source:source_here"),
					GroupByFields: []string{
						"@userIdentity.assumed_role",
					},
					DistinctFields: []string{},
					Aggregation:    datadogV2.SECURITYMONITORINGRULEQUERYAGGREGATION_COUNT.Ptr(),
					Name:           datadog.PtrString(""),
				},
			},
			Tags: []string{
				"env:prod",
				"team:security",
			},
			Type: datadogV2.SECURITYMONITORINGRULETYPECREATE_LOG_DETECTION.Ptr(),
		}}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	r, err := api.ValidateSecurityMonitoringRule(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.ValidateSecurityMonitoringRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}
}

// Validate a detection rule with detection method 'new_value' with enabled feature 'instantaneousBaseline' returns "OK"
// response

package main

import (
	"context"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.SecurityMonitoringRuleValidatePayload{
		SecurityMonitoringStandardRulePayload: &datadogV2.SecurityMonitoringStandardRulePayload{
			Cases: []datadogV2.SecurityMonitoringRuleCaseCreate{
				{
					Name:          datadog.PtrString(""),
					Status:        datadogV2.SECURITYMONITORINGRULESEVERITY_INFO,
					Notifications: []string{},
				},
			},
			HasExtendedTitle: datadog.PtrBool(true),
			IsEnabled:        true,
			Message:          "My security monitoring rule",
			Name:             "My security monitoring rule",
			Options: datadogV2.SecurityMonitoringRuleOptions{
				EvaluationWindow:  datadogV2.SECURITYMONITORINGRULEEVALUATIONWINDOW_ZERO_MINUTES.Ptr(),
				KeepAlive:         datadogV2.SECURITYMONITORINGRULEKEEPALIVE_FIVE_MINUTES.Ptr(),
				MaxSignalDuration: datadogV2.SECURITYMONITORINGRULEMAXSIGNALDURATION_TEN_MINUTES.Ptr(),
				DetectionMethod:   datadogV2.SECURITYMONITORINGRULEDETECTIONMETHOD_NEW_VALUE.Ptr(),
				NewValueOptions: &datadogV2.SecurityMonitoringRuleNewValueOptions{
					ForgetAfter:           datadogV2.SECURITYMONITORINGRULENEWVALUEOPTIONSFORGETAFTER_ONE_WEEK.Ptr(),
					InstantaneousBaseline: datadog.PtrBool(true),
					LearningDuration:      datadogV2.SECURITYMONITORINGRULENEWVALUEOPTIONSLEARNINGDURATION_ONE_DAY.Ptr(),
					LearningThreshold:     datadogV2.SECURITYMONITORINGRULENEWVALUEOPTIONSLEARNINGTHRESHOLD_ZERO_OCCURRENCES.Ptr(),
					LearningMethod:        datadogV2.SECURITYMONITORINGRULENEWVALUEOPTIONSLEARNINGMETHOD_DURATION.Ptr(),
				},
			},
			Queries: []datadogV2.SecurityMonitoringStandardRuleQuery{
				{
					Query: datadog.PtrString("source:source_here"),
					GroupByFields: []string{
						"@userIdentity.assumed_role",
					},
					DistinctFields: []string{},
					Metric:         datadog.PtrString("name"),
					Metrics: []string{
						"name",
					},
					Aggregation: datadogV2.SECURITYMONITORINGRULEQUERYAGGREGATION_NEW_VALUE.Ptr(),
					Name:        datadog.PtrString(""),
					DataSource:  datadogV2.SECURITYMONITORINGSTANDARDDATASOURCE_LOGS.Ptr(),
				},
			},
			Tags: []string{
				"env:prod",
				"team:security",
			},
			Type: datadogV2.SECURITYMONITORINGRULETYPECREATE_LOG_DETECTION.Ptr(),
		}}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	r, err := api.ValidateSecurityMonitoringRule(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.ValidateSecurityMonitoringRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}
}

// Validate a detection rule with detection method 'sequence_detection' returns "OK" response

package main

import (
	"context"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.SecurityMonitoringRuleValidatePayload{
		SecurityMonitoringStandardRulePayload: &datadogV2.SecurityMonitoringStandardRulePayload{
			Cases: []datadogV2.SecurityMonitoringRuleCaseCreate{
				{
					Name:          datadog.PtrString(""),
					Status:        datadogV2.SECURITYMONITORINGRULESEVERITY_INFO,
					Notifications: []string{},
					Condition:     datadog.PtrString("step_b > 0"),
				},
			},
			HasExtendedTitle: datadog.PtrBool(true),
			IsEnabled:        true,
			Message:          "My security monitoring rule",
			Name:             "My security monitoring rule",
			Options: datadogV2.SecurityMonitoringRuleOptions{
				EvaluationWindow:  datadogV2.SECURITYMONITORINGRULEEVALUATIONWINDOW_ZERO_MINUTES.Ptr(),
				KeepAlive:         datadogV2.SECURITYMONITORINGRULEKEEPALIVE_FIVE_MINUTES.Ptr(),
				MaxSignalDuration: datadogV2.SECURITYMONITORINGRULEMAXSIGNALDURATION_TEN_MINUTES.Ptr(),
				DetectionMethod:   datadogV2.SECURITYMONITORINGRULEDETECTIONMETHOD_SEQUENCE_DETECTION.Ptr(),
				SequenceDetectionOptions: &datadogV2.SecurityMonitoringRuleSequenceDetectionOptions{
					StepTransitions: []datadogV2.SecurityMonitoringRuleSequenceDetectionStepTransition{
						{
							Child:            datadog.PtrString("step_b"),
							EvaluationWindow: datadogV2.SECURITYMONITORINGRULEEVALUATIONWINDOW_FIFTEEN_MINUTES.Ptr(),
							Parent:           datadog.PtrString("step_a"),
						},
					},
					Steps: []datadogV2.SecurityMonitoringRuleSequenceDetectionStep{
						{
							Condition:        datadog.PtrString("a > 0"),
							EvaluationWindow: datadogV2.SECURITYMONITORINGRULEEVALUATIONWINDOW_ONE_MINUTE.Ptr(),
							Name:             datadog.PtrString("step_a"),
						},
						{
							Condition:        datadog.PtrString("b > 0"),
							EvaluationWindow: datadogV2.SECURITYMONITORINGRULEEVALUATIONWINDOW_ONE_MINUTE.Ptr(),
							Name:             datadog.PtrString("step_b"),
						},
					},
				},
			},
			Queries: []datadogV2.SecurityMonitoringStandardRuleQuery{
				{
					Query: datadog.PtrString("source:source_here"),
					GroupByFields: []string{
						"@userIdentity.assumed_role",
					},
					DistinctFields: []string{},
					Aggregation:    datadogV2.SECURITYMONITORINGRULEQUERYAGGREGATION_COUNT.Ptr(),
					Name:           datadog.PtrString(""),
				},
				{
					Query:          datadog.PtrString("source:source_here2"),
					GroupByFields:  []string{},
					DistinctFields: []string{},
					Aggregation:    datadogV2.SECURITYMONITORINGRULEQUERYAGGREGATION_COUNT.Ptr(),
					Name:           datadog.PtrString(""),
				},
			},
			Tags: []string{
				"env:prod",
				"team:security",
			},
			Type: datadogV2.SECURITYMONITORINGRULETYPECREATE_LOG_DETECTION.Ptr(),
		}}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	r, err := api.ValidateSecurityMonitoringRule(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.ValidateSecurityMonitoringRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"

// Validate a detection rule returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCaseCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleDetectionMethod;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleEvaluationWindow;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleKeepAlive;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleMaxSignalDuration;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleOptions;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleQueryAggregation;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSeverity;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleTypeCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleValidatePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRulePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRuleQuery;
import java.util.Arrays;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SecurityMonitoringRuleValidatePayload body =
        new SecurityMonitoringRuleValidatePayload(
            new SecurityMonitoringStandardRulePayload()
                .cases(
                    Collections.singletonList(
                        new SecurityMonitoringRuleCaseCreate()
                            .name("")
                            .status(SecurityMonitoringRuleSeverity.INFO)
                            .condition("a > 0")))
                .hasExtendedTitle(true)
                .isEnabled(true)
                .message("My security monitoring rule")
                .name("My security monitoring rule")
                .options(
                    new SecurityMonitoringRuleOptions()
                        .evaluationWindow(SecurityMonitoringRuleEvaluationWindow.THIRTY_MINUTES)
                        .keepAlive(SecurityMonitoringRuleKeepAlive.THIRTY_MINUTES)
                        .maxSignalDuration(SecurityMonitoringRuleMaxSignalDuration.THIRTY_MINUTES)
                        .detectionMethod(SecurityMonitoringRuleDetectionMethod.THRESHOLD))
                .queries(
                    Collections.singletonList(
                        new SecurityMonitoringStandardRuleQuery()
                            .query("source:source_here")
                            .groupByFields(Collections.singletonList("@userIdentity.assumed_role"))
                            .aggregation(SecurityMonitoringRuleQueryAggregation.COUNT)
                            .name("")))
                .tags(Arrays.asList("env:prod", "team:security"))
                .type(SecurityMonitoringRuleTypeCreate.LOG_DETECTION));

    try {
      apiInstance.validateSecurityMonitoringRule(body);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#validateSecurityMonitoringRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

// Validate a detection rule with detection method 'new_value' with enabled feature
// 'instantaneousBaseline' returns "OK"
// response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCaseCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleDetectionMethod;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleEvaluationWindow;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleKeepAlive;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleMaxSignalDuration;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleNewValueOptions;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleNewValueOptionsForgetAfter;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleNewValueOptionsLearningDuration;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleNewValueOptionsLearningMethod;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleNewValueOptionsLearningThreshold;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleOptions;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleQueryAggregation;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSeverity;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleTypeCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleValidatePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardDataSource;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRulePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRuleQuery;
import java.util.Arrays;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SecurityMonitoringRuleValidatePayload body =
        new SecurityMonitoringRuleValidatePayload(
            new SecurityMonitoringStandardRulePayload()
                .cases(
                    Collections.singletonList(
                        new SecurityMonitoringRuleCaseCreate()
                            .name("")
                            .status(SecurityMonitoringRuleSeverity.INFO)))
                .hasExtendedTitle(true)
                .isEnabled(true)
                .message("My security monitoring rule")
                .name("My security monitoring rule")
                .options(
                    new SecurityMonitoringRuleOptions()
                        .evaluationWindow(SecurityMonitoringRuleEvaluationWindow.ZERO_MINUTES)
                        .keepAlive(SecurityMonitoringRuleKeepAlive.FIVE_MINUTES)
                        .maxSignalDuration(SecurityMonitoringRuleMaxSignalDuration.TEN_MINUTES)
                        .detectionMethod(SecurityMonitoringRuleDetectionMethod.NEW_VALUE)
                        .newValueOptions(
                            new SecurityMonitoringRuleNewValueOptions()
                                .forgetAfter(
                                    SecurityMonitoringRuleNewValueOptionsForgetAfter.ONE_WEEK)
                                .instantaneousBaseline(true)
                                .learningDuration(
                                    SecurityMonitoringRuleNewValueOptionsLearningDuration.ONE_DAY)
                                .learningThreshold(
                                    SecurityMonitoringRuleNewValueOptionsLearningThreshold
                                        .ZERO_OCCURRENCES)
                                .learningMethod(
                                    SecurityMonitoringRuleNewValueOptionsLearningMethod.DURATION)))
                .queries(
                    Collections.singletonList(
                        new SecurityMonitoringStandardRuleQuery()
                            .query("source:source_here")
                            .groupByFields(Collections.singletonList("@userIdentity.assumed_role"))
                            .metric("name")
                            .metrics(Collections.singletonList("name"))
                            .aggregation(SecurityMonitoringRuleQueryAggregation.NEW_VALUE)
                            .name("")
                            .dataSource(SecurityMonitoringStandardDataSource.LOGS)))
                .tags(Arrays.asList("env:prod", "team:security"))
                .type(SecurityMonitoringRuleTypeCreate.LOG_DETECTION));

    try {
      apiInstance.validateSecurityMonitoringRule(body);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#validateSecurityMonitoringRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

// Validate a detection rule with detection method 'sequence_detection' returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCaseCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleDetectionMethod;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleEvaluationWindow;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleKeepAlive;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleMaxSignalDuration;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleOptions;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleQueryAggregation;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSequenceDetectionOptions;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSequenceDetectionStep;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSequenceDetectionStepTransition;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSeverity;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleTypeCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleValidatePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRulePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRuleQuery;
import java.util.Arrays;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SecurityMonitoringRuleValidatePayload body =
        new SecurityMonitoringRuleValidatePayload(
            new SecurityMonitoringStandardRulePayload()
                .cases(
                    Collections.singletonList(
                        new SecurityMonitoringRuleCaseCreate()
                            .name("")
                            .status(SecurityMonitoringRuleSeverity.INFO)
                            .condition("step_b > 0")))
                .hasExtendedTitle(true)
                .isEnabled(true)
                .message("My security monitoring rule")
                .name("My security monitoring rule")
                .options(
                    new SecurityMonitoringRuleOptions()
                        .evaluationWindow(SecurityMonitoringRuleEvaluationWindow.ZERO_MINUTES)
                        .keepAlive(SecurityMonitoringRuleKeepAlive.FIVE_MINUTES)
                        .maxSignalDuration(SecurityMonitoringRuleMaxSignalDuration.TEN_MINUTES)
                        .detectionMethod(SecurityMonitoringRuleDetectionMethod.SEQUENCE_DETECTION)
                        .sequenceDetectionOptions(
                            new SecurityMonitoringRuleSequenceDetectionOptions()
                                .stepTransitions(
                                    Collections.singletonList(
                                        new SecurityMonitoringRuleSequenceDetectionStepTransition()
                                            .child("step_b")
                                            .evaluationWindow(
                                                SecurityMonitoringRuleEvaluationWindow
                                                    .FIFTEEN_MINUTES)
                                            .parent("step_a")))
                                .steps(
                                    Arrays.asList(
                                        new SecurityMonitoringRuleSequenceDetectionStep()
                                            .condition("a > 0")
                                            .evaluationWindow(
                                                SecurityMonitoringRuleEvaluationWindow.ONE_MINUTE)
                                            .name("step_a"),
                                        new SecurityMonitoringRuleSequenceDetectionStep()
                                            .condition("b > 0")
                                            .evaluationWindow(
                                                SecurityMonitoringRuleEvaluationWindow.ONE_MINUTE)
                                            .name("step_b")))))
                .queries(
                    Arrays.asList(
                        new SecurityMonitoringStandardRuleQuery()
                            .query("source:source_here")
                            .groupByFields(Collections.singletonList("@userIdentity.assumed_role"))
                            .aggregation(SecurityMonitoringRuleQueryAggregation.COUNT)
                            .name(""),
                        new SecurityMonitoringStandardRuleQuery()
                            .query("source:source_here2")
                            .aggregation(SecurityMonitoringRuleQueryAggregation.COUNT)
                            .name("")))
                .tags(Arrays.asList("env:prod", "team:security"))
                .type(SecurityMonitoringRuleTypeCreate.LOG_DETECTION));

    try {
      apiInstance.validateSecurityMonitoringRule(body);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#validateSecurityMonitoringRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

"""
Validate a detection rule returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_rule_case_create import SecurityMonitoringRuleCaseCreate
from datadog_api_client.v2.model.security_monitoring_rule_detection_method import SecurityMonitoringRuleDetectionMethod
from datadog_api_client.v2.model.security_monitoring_rule_evaluation_window import (
    SecurityMonitoringRuleEvaluationWindow,
)
from datadog_api_client.v2.model.security_monitoring_rule_keep_alive import SecurityMonitoringRuleKeepAlive
from datadog_api_client.v2.model.security_monitoring_rule_max_signal_duration import (
    SecurityMonitoringRuleMaxSignalDuration,
)
from datadog_api_client.v2.model.security_monitoring_rule_options import SecurityMonitoringRuleOptions
from datadog_api_client.v2.model.security_monitoring_rule_query_aggregation import (
    SecurityMonitoringRuleQueryAggregation,
)
from datadog_api_client.v2.model.security_monitoring_rule_severity import SecurityMonitoringRuleSeverity
from datadog_api_client.v2.model.security_monitoring_rule_type_create import SecurityMonitoringRuleTypeCreate
from datadog_api_client.v2.model.security_monitoring_standard_rule_payload import SecurityMonitoringStandardRulePayload
from datadog_api_client.v2.model.security_monitoring_standard_rule_query import SecurityMonitoringStandardRuleQuery

body = SecurityMonitoringStandardRulePayload(
    cases=[
        SecurityMonitoringRuleCaseCreate(
            name="",
            status=SecurityMonitoringRuleSeverity.INFO,
            notifications=[],
            condition="a > 0",
        ),
    ],
    has_extended_title=True,
    is_enabled=True,
    message="My security monitoring rule",
    name="My security monitoring rule",
    options=SecurityMonitoringRuleOptions(
        evaluation_window=SecurityMonitoringRuleEvaluationWindow.THIRTY_MINUTES,
        keep_alive=SecurityMonitoringRuleKeepAlive.THIRTY_MINUTES,
        max_signal_duration=SecurityMonitoringRuleMaxSignalDuration.THIRTY_MINUTES,
        detection_method=SecurityMonitoringRuleDetectionMethod.THRESHOLD,
    ),
    queries=[
        SecurityMonitoringStandardRuleQuery(
            query="source:source_here",
            group_by_fields=[
                "@userIdentity.assumed_role",
            ],
            distinct_fields=[],
            aggregation=SecurityMonitoringRuleQueryAggregation.COUNT,
            name="",
        ),
    ],
    tags=[
        "env:prod",
        "team:security",
    ],
    type=SecurityMonitoringRuleTypeCreate.LOG_DETECTION,
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    api_instance.validate_security_monitoring_rule(body=body)

"""
Validate a detection rule with detection method 'new_value' with enabled feature 'instantaneousBaseline' returns "OK"
response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_rule_case_create import SecurityMonitoringRuleCaseCreate
from datadog_api_client.v2.model.security_monitoring_rule_detection_method import SecurityMonitoringRuleDetectionMethod
from datadog_api_client.v2.model.security_monitoring_rule_evaluation_window import (
    SecurityMonitoringRuleEvaluationWindow,
)
from datadog_api_client.v2.model.security_monitoring_rule_keep_alive import SecurityMonitoringRuleKeepAlive
from datadog_api_client.v2.model.security_monitoring_rule_max_signal_duration import (
    SecurityMonitoringRuleMaxSignalDuration,
)
from datadog_api_client.v2.model.security_monitoring_rule_new_value_options import SecurityMonitoringRuleNewValueOptions
from datadog_api_client.v2.model.security_monitoring_rule_new_value_options_forget_after import (
    SecurityMonitoringRuleNewValueOptionsForgetAfter,
)
from datadog_api_client.v2.model.security_monitoring_rule_new_value_options_learning_duration import (
    SecurityMonitoringRuleNewValueOptionsLearningDuration,
)
from datadog_api_client.v2.model.security_monitoring_rule_new_value_options_learning_method import (
    SecurityMonitoringRuleNewValueOptionsLearningMethod,
)
from datadog_api_client.v2.model.security_monitoring_rule_new_value_options_learning_threshold import (
    SecurityMonitoringRuleNewValueOptionsLearningThreshold,
)
from datadog_api_client.v2.model.security_monitoring_rule_options import SecurityMonitoringRuleOptions
from datadog_api_client.v2.model.security_monitoring_rule_query_aggregation import (
    SecurityMonitoringRuleQueryAggregation,
)
from datadog_api_client.v2.model.security_monitoring_rule_severity import SecurityMonitoringRuleSeverity
from datadog_api_client.v2.model.security_monitoring_rule_type_create import SecurityMonitoringRuleTypeCreate
from datadog_api_client.v2.model.security_monitoring_standard_data_source import SecurityMonitoringStandardDataSource
from datadog_api_client.v2.model.security_monitoring_standard_rule_payload import SecurityMonitoringStandardRulePayload
from datadog_api_client.v2.model.security_monitoring_standard_rule_query import SecurityMonitoringStandardRuleQuery

body = SecurityMonitoringStandardRulePayload(
    cases=[
        SecurityMonitoringRuleCaseCreate(
            name="",
            status=SecurityMonitoringRuleSeverity.INFO,
            notifications=[],
        ),
    ],
    has_extended_title=True,
    is_enabled=True,
    message="My security monitoring rule",
    name="My security monitoring rule",
    options=SecurityMonitoringRuleOptions(
        evaluation_window=SecurityMonitoringRuleEvaluationWindow.ZERO_MINUTES,
        keep_alive=SecurityMonitoringRuleKeepAlive.FIVE_MINUTES,
        max_signal_duration=SecurityMonitoringRuleMaxSignalDuration.TEN_MINUTES,
        detection_method=SecurityMonitoringRuleDetectionMethod.NEW_VALUE,
        new_value_options=SecurityMonitoringRuleNewValueOptions(
            forget_after=SecurityMonitoringRuleNewValueOptionsForgetAfter.ONE_WEEK,
            instantaneous_baseline=True,
            learning_duration=SecurityMonitoringRuleNewValueOptionsLearningDuration.ONE_DAY,
            learning_threshold=SecurityMonitoringRuleNewValueOptionsLearningThreshold.ZERO_OCCURRENCES,
            learning_method=SecurityMonitoringRuleNewValueOptionsLearningMethod.DURATION,
        ),
    ),
    queries=[
        SecurityMonitoringStandardRuleQuery(
            query="source:source_here",
            group_by_fields=[
                "@userIdentity.assumed_role",
            ],
            distinct_fields=[],
            metric="name",
            metrics=[
                "name",
            ],
            aggregation=SecurityMonitoringRuleQueryAggregation.NEW_VALUE,
            name="",
            data_source=SecurityMonitoringStandardDataSource.LOGS,
        ),
    ],
    tags=[
        "env:prod",
        "team:security",
    ],
    type=SecurityMonitoringRuleTypeCreate.LOG_DETECTION,
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    api_instance.validate_security_monitoring_rule(body=body)

"""
Validate a detection rule with detection method 'sequence_detection' returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_rule_case_create import SecurityMonitoringRuleCaseCreate
from datadog_api_client.v2.model.security_monitoring_rule_detection_method import SecurityMonitoringRuleDetectionMethod
from datadog_api_client.v2.model.security_monitoring_rule_evaluation_window import (
    SecurityMonitoringRuleEvaluationWindow,
)
from datadog_api_client.v2.model.security_monitoring_rule_keep_alive import SecurityMonitoringRuleKeepAlive
from datadog_api_client.v2.model.security_monitoring_rule_max_signal_duration import (
    SecurityMonitoringRuleMaxSignalDuration,
)
from datadog_api_client.v2.model.security_monitoring_rule_options import SecurityMonitoringRuleOptions
from datadog_api_client.v2.model.security_monitoring_rule_query_aggregation import (
    SecurityMonitoringRuleQueryAggregation,
)
from datadog_api_client.v2.model.security_monitoring_rule_sequence_detection_options import (
    SecurityMonitoringRuleSequenceDetectionOptions,
)
from datadog_api_client.v2.model.security_monitoring_rule_sequence_detection_step import (
    SecurityMonitoringRuleSequenceDetectionStep,
)
from datadog_api_client.v2.model.security_monitoring_rule_sequence_detection_step_transition import (
    SecurityMonitoringRuleSequenceDetectionStepTransition,
)
from datadog_api_client.v2.model.security_monitoring_rule_severity import SecurityMonitoringRuleSeverity
from datadog_api_client.v2.model.security_monitoring_rule_type_create import SecurityMonitoringRuleTypeCreate
from datadog_api_client.v2.model.security_monitoring_standard_rule_payload import SecurityMonitoringStandardRulePayload
from datadog_api_client.v2.model.security_monitoring_standard_rule_query import SecurityMonitoringStandardRuleQuery

body = SecurityMonitoringStandardRulePayload(
    cases=[
        SecurityMonitoringRuleCaseCreate(
            name="",
            status=SecurityMonitoringRuleSeverity.INFO,
            notifications=[],
            condition="step_b > 0",
        ),
    ],
    has_extended_title=True,
    is_enabled=True,
    message="My security monitoring rule",
    name="My security monitoring rule",
    options=SecurityMonitoringRuleOptions(
        evaluation_window=SecurityMonitoringRuleEvaluationWindow.ZERO_MINUTES,
        keep_alive=SecurityMonitoringRuleKeepAlive.FIVE_MINUTES,
        max_signal_duration=SecurityMonitoringRuleMaxSignalDuration.TEN_MINUTES,
        detection_method=SecurityMonitoringRuleDetectionMethod.SEQUENCE_DETECTION,
        sequence_detection_options=SecurityMonitoringRuleSequenceDetectionOptions(
            step_transitions=[
                SecurityMonitoringRuleSequenceDetectionStepTransition(
                    child="step_b",
                    evaluation_window=SecurityMonitoringRuleEvaluationWindow.FIFTEEN_MINUTES,
                    parent="step_a",
                ),
            ],
            steps=[
                SecurityMonitoringRuleSequenceDetectionStep(
                    condition="a > 0",
                    evaluation_window=SecurityMonitoringRuleEvaluationWindow.ONE_MINUTE,
                    name="step_a",
                ),
                SecurityMonitoringRuleSequenceDetectionStep(
                    condition="b > 0",
                    evaluation_window=SecurityMonitoringRuleEvaluationWindow.ONE_MINUTE,
                    name="step_b",
                ),
            ],
        ),
    ),
    queries=[
        SecurityMonitoringStandardRuleQuery(
            query="source:source_here",
            group_by_fields=[
                "@userIdentity.assumed_role",
            ],
            distinct_fields=[],
            aggregation=SecurityMonitoringRuleQueryAggregation.COUNT,
            name="",
        ),
        SecurityMonitoringStandardRuleQuery(
            query="source:source_here2",
            group_by_fields=[],
            distinct_fields=[],
            aggregation=SecurityMonitoringRuleQueryAggregation.COUNT,
            name="",
        ),
    ],
    tags=[
        "env:prod",
        "team:security",
    ],
    type=SecurityMonitoringRuleTypeCreate.LOG_DETECTION,
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    api_instance.validate_security_monitoring_rule(body=body)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"

# Validate a detection rule returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::SecurityMonitoringStandardRulePayload.new({
  cases: [
    DatadogAPIClient::V2::SecurityMonitoringRuleCaseCreate.new({
      name: "",
      status: DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::INFO,
      notifications: [],
      condition: "a > 0",
    }),
  ],
  has_extended_title: true,
  is_enabled: true,
  message: "My security monitoring rule",
  name: "My security monitoring rule",
  options: DatadogAPIClient::V2::SecurityMonitoringRuleOptions.new({
    evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::THIRTY_MINUTES,
    keep_alive: DatadogAPIClient::V2::SecurityMonitoringRuleKeepAlive::THIRTY_MINUTES,
    max_signal_duration: DatadogAPIClient::V2::SecurityMonitoringRuleMaxSignalDuration::THIRTY_MINUTES,
    detection_method: DatadogAPIClient::V2::SecurityMonitoringRuleDetectionMethod::THRESHOLD,
  }),
  queries: [
    DatadogAPIClient::V2::SecurityMonitoringStandardRuleQuery.new({
      query: "source:source_here",
      group_by_fields: [
        "@userIdentity.assumed_role",
      ],
      distinct_fields: [],
      aggregation: DatadogAPIClient::V2::SecurityMonitoringRuleQueryAggregation::COUNT,
      name: "",
    }),
  ],
  tags: [
    "env:prod",
    "team:security",
  ],
  type: DatadogAPIClient::V2::SecurityMonitoringRuleTypeCreate::LOG_DETECTION,
})
api_instance.validate_security_monitoring_rule(body)

# Validate a detection rule with detection method 'new_value' with enabled feature 'instantaneousBaseline' returns "OK"
response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::SecurityMonitoringStandardRulePayload.new({
  cases: [
    DatadogAPIClient::V2::SecurityMonitoringRuleCaseCreate.new({
      name: "",
      status: DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::INFO,
      notifications: [],
    }),
  ],
  has_extended_title: true,
  is_enabled: true,
  message: "My security monitoring rule",
  name: "My security monitoring rule",
  options: DatadogAPIClient::V2::SecurityMonitoringRuleOptions.new({
    evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::ZERO_MINUTES,
    keep_alive: DatadogAPIClient::V2::SecurityMonitoringRuleKeepAlive::FIVE_MINUTES,
    max_signal_duration: DatadogAPIClient::V2::SecurityMonitoringRuleMaxSignalDuration::TEN_MINUTES,
    detection_method: DatadogAPIClient::V2::SecurityMonitoringRuleDetectionMethod::NEW_VALUE,
    new_value_options: DatadogAPIClient::V2::SecurityMonitoringRuleNewValueOptions.new({
      forget_after: DatadogAPIClient::V2::SecurityMonitoringRuleNewValueOptionsForgetAfter::ONE_WEEK,
      instantaneous_baseline: true,
      learning_duration: DatadogAPIClient::V2::SecurityMonitoringRuleNewValueOptionsLearningDuration::ONE_DAY,
      learning_threshold: DatadogAPIClient::V2::SecurityMonitoringRuleNewValueOptionsLearningThreshold::ZERO_OCCURRENCES,
      learning_method: DatadogAPIClient::V2::SecurityMonitoringRuleNewValueOptionsLearningMethod::DURATION,
    }),
  }),
  queries: [
    DatadogAPIClient::V2::SecurityMonitoringStandardRuleQuery.new({
      query: "source:source_here",
      group_by_fields: [
        "@userIdentity.assumed_role",
      ],
      distinct_fields: [],
      metric: "name",
      metrics: [
        "name",
      ],
      aggregation: DatadogAPIClient::V2::SecurityMonitoringRuleQueryAggregation::NEW_VALUE,
      name: "",
      data_source: DatadogAPIClient::V2::SecurityMonitoringStandardDataSource::LOGS,
    }),
  ],
  tags: [
    "env:prod",
    "team:security",
  ],
  type: DatadogAPIClient::V2::SecurityMonitoringRuleTypeCreate::LOG_DETECTION,
})
api_instance.validate_security_monitoring_rule(body)

# Validate a detection rule with detection method 'sequence_detection' returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::SecurityMonitoringStandardRulePayload.new({
  cases: [
    DatadogAPIClient::V2::SecurityMonitoringRuleCaseCreate.new({
      name: "",
      status: DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::INFO,
      notifications: [],
      condition: "step_b > 0",
    }),
  ],
  has_extended_title: true,
  is_enabled: true,
  message: "My security monitoring rule",
  name: "My security monitoring rule",
  options: DatadogAPIClient::V2::SecurityMonitoringRuleOptions.new({
    evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::ZERO_MINUTES,
    keep_alive: DatadogAPIClient::V2::SecurityMonitoringRuleKeepAlive::FIVE_MINUTES,
    max_signal_duration: DatadogAPIClient::V2::SecurityMonitoringRuleMaxSignalDuration::TEN_MINUTES,
    detection_method: DatadogAPIClient::V2::SecurityMonitoringRuleDetectionMethod::SEQUENCE_DETECTION,
    sequence_detection_options: DatadogAPIClient::V2::SecurityMonitoringRuleSequenceDetectionOptions.new({
      step_transitions: [
        DatadogAPIClient::V2::SecurityMonitoringRuleSequenceDetectionStepTransition.new({
          child: "step_b",
          evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::FIFTEEN_MINUTES,
          parent: "step_a",
        }),
      ],
      steps: [
        DatadogAPIClient::V2::SecurityMonitoringRuleSequenceDetectionStep.new({
          condition: "a > 0",
          evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::ONE_MINUTE,
          name: "step_a",
        }),
        DatadogAPIClient::V2::SecurityMonitoringRuleSequenceDetectionStep.new({
          condition: "b > 0",
          evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::ONE_MINUTE,
          name: "step_b",
        }),
      ],
    }),
  }),
  queries: [
    DatadogAPIClient::V2::SecurityMonitoringStandardRuleQuery.new({
      query: "source:source_here",
      group_by_fields: [
        "@userIdentity.assumed_role",
      ],
      distinct_fields: [],
      aggregation: DatadogAPIClient::V2::SecurityMonitoringRuleQueryAggregation::COUNT,
      name: "",
    }),
    DatadogAPIClient::V2::SecurityMonitoringStandardRuleQuery.new({
      query: "source:source_here2",
      group_by_fields: [],
      distinct_fields: [],
      aggregation: DatadogAPIClient::V2::SecurityMonitoringRuleQueryAggregation::COUNT,
      name: "",
    }),
  ],
  tags: [
    "env:prod",
    "team:security",
  ],
  type: DatadogAPIClient::V2::SecurityMonitoringRuleTypeCreate::LOG_DETECTION,
})
api_instance.validate_security_monitoring_rule(body)

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"

// Validate a detection rule returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleCaseCreate;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleDetectionMethod;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleEvaluationWindow;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleKeepAlive;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleMaxSignalDuration;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleOptions;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleQueryAggregation;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSeverity;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleTypeCreate;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleValidatePayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRulePayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRuleQuery;

#[tokio::main]
async fn main() {
    let body =
        SecurityMonitoringRuleValidatePayload::SecurityMonitoringStandardRulePayload(Box::new(
            SecurityMonitoringStandardRulePayload::new(
                vec![
                    SecurityMonitoringRuleCaseCreate::new(SecurityMonitoringRuleSeverity::INFO)
                        .condition("a > 0".to_string())
                        .name("".to_string())
                        .notifications(vec![]),
                ],
                true,
                "My security monitoring rule".to_string(),
                "My security monitoring rule".to_string(),
                SecurityMonitoringRuleOptions::new()
                    .detection_method(SecurityMonitoringRuleDetectionMethod::THRESHOLD)
                    .evaluation_window(SecurityMonitoringRuleEvaluationWindow::THIRTY_MINUTES)
                    .keep_alive(SecurityMonitoringRuleKeepAlive::THIRTY_MINUTES)
                    .max_signal_duration(SecurityMonitoringRuleMaxSignalDuration::THIRTY_MINUTES),
                vec![SecurityMonitoringStandardRuleQuery::new()
                    .aggregation(SecurityMonitoringRuleQueryAggregation::COUNT)
                    .distinct_fields(vec![])
                    .group_by_fields(vec!["@userIdentity.assumed_role".to_string()])
                    .name("".to_string())
                    .query("source:source_here".to_string())],
            )
            .has_extended_title(true)
            .tags(vec!["env:prod".to_string(), "team:security".to_string()])
            .type_(SecurityMonitoringRuleTypeCreate::LOG_DETECTION),
        ));
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.validate_security_monitoring_rule(body).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

// Validate a detection rule with detection method 'new_value' with enabled
// feature 'instantaneousBaseline' returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleCaseCreate;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleDetectionMethod;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleEvaluationWindow;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleKeepAlive;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleMaxSignalDuration;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleNewValueOptions;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleNewValueOptionsForgetAfter;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleNewValueOptionsLearningDuration;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleNewValueOptionsLearningMethod;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleNewValueOptionsLearningThreshold;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleOptions;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleQueryAggregation;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSeverity;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleTypeCreate;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleValidatePayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardDataSource;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRulePayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRuleQuery;

#[tokio::main]
async fn main() {
    let body =
        SecurityMonitoringRuleValidatePayload::SecurityMonitoringStandardRulePayload(
            Box::new(
                SecurityMonitoringStandardRulePayload::new(
                    vec![
                        SecurityMonitoringRuleCaseCreate::new(SecurityMonitoringRuleSeverity::INFO)
                            .name("".to_string())
                            .notifications(vec![])
                    ],
                    true,
                    "My security monitoring rule".to_string(),
                    "My security monitoring rule".to_string(),
                    SecurityMonitoringRuleOptions::new()
                        .detection_method(SecurityMonitoringRuleDetectionMethod::NEW_VALUE)
                        .evaluation_window(SecurityMonitoringRuleEvaluationWindow::ZERO_MINUTES)
                        .keep_alive(SecurityMonitoringRuleKeepAlive::FIVE_MINUTES)
                        .max_signal_duration(SecurityMonitoringRuleMaxSignalDuration::TEN_MINUTES)
                        .new_value_options(
                            SecurityMonitoringRuleNewValueOptions::new()
                                .forget_after(SecurityMonitoringRuleNewValueOptionsForgetAfter::ONE_WEEK)
                                .instantaneous_baseline(true)
                                .learning_duration(SecurityMonitoringRuleNewValueOptionsLearningDuration::ONE_DAY)
                                .learning_method(SecurityMonitoringRuleNewValueOptionsLearningMethod::DURATION)
                                .learning_threshold(
                                    SecurityMonitoringRuleNewValueOptionsLearningThreshold::ZERO_OCCURRENCES,
                                ),
                        ),
                    vec![
                        SecurityMonitoringStandardRuleQuery::new()
                            .aggregation(SecurityMonitoringRuleQueryAggregation::NEW_VALUE)
                            .data_source(SecurityMonitoringStandardDataSource::LOGS)
                            .distinct_fields(vec![])
                            .group_by_fields(vec!["@userIdentity.assumed_role".to_string()])
                            .metric("name".to_string())
                            .metrics(vec!["name".to_string()])
                            .name("".to_string())
                            .query("source:source_here".to_string())
                    ],
                )
                    .has_extended_title(true)
                    .tags(vec!["env:prod".to_string(), "team:security".to_string()])
                    .type_(SecurityMonitoringRuleTypeCreate::LOG_DETECTION),
            ),
        );
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.validate_security_monitoring_rule(body).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

// Validate a detection rule with detection method 'sequence_detection' returns
// "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleCaseCreate;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleDetectionMethod;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleEvaluationWindow;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleKeepAlive;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleMaxSignalDuration;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleOptions;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleQueryAggregation;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSequenceDetectionOptions;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSequenceDetectionStep;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSequenceDetectionStepTransition;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSeverity;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleTypeCreate;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleValidatePayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRulePayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRuleQuery;

#[tokio::main]
async fn main() {
    let body =
        SecurityMonitoringRuleValidatePayload::SecurityMonitoringStandardRulePayload(Box::new(
            SecurityMonitoringStandardRulePayload::new(
                vec![
                    SecurityMonitoringRuleCaseCreate::new(SecurityMonitoringRuleSeverity::INFO)
                        .condition("step_b > 0".to_string())
                        .name("".to_string())
                        .notifications(vec![]),
                ],
                true,
                "My security monitoring rule".to_string(),
                "My security monitoring rule".to_string(),
                SecurityMonitoringRuleOptions::new()
                    .detection_method(SecurityMonitoringRuleDetectionMethod::SEQUENCE_DETECTION)
                    .evaluation_window(SecurityMonitoringRuleEvaluationWindow::ZERO_MINUTES)
                    .keep_alive(SecurityMonitoringRuleKeepAlive::FIVE_MINUTES)
                    .max_signal_duration(SecurityMonitoringRuleMaxSignalDuration::TEN_MINUTES)
                    .sequence_detection_options(
                        SecurityMonitoringRuleSequenceDetectionOptions::new()
                            .step_transitions(vec![
                                SecurityMonitoringRuleSequenceDetectionStepTransition::new()
                                    .child("step_b".to_string())
                                    .evaluation_window(
                                        SecurityMonitoringRuleEvaluationWindow::FIFTEEN_MINUTES,
                                    )
                                    .parent("step_a".to_string()),
                            ])
                            .steps(vec![
                                SecurityMonitoringRuleSequenceDetectionStep::new()
                                    .condition("a > 0".to_string())
                                    .evaluation_window(
                                        SecurityMonitoringRuleEvaluationWindow::ONE_MINUTE,
                                    )
                                    .name("step_a".to_string()),
                                SecurityMonitoringRuleSequenceDetectionStep::new()
                                    .condition("b > 0".to_string())
                                    .evaluation_window(
                                        SecurityMonitoringRuleEvaluationWindow::ONE_MINUTE,
                                    )
                                    .name("step_b".to_string()),
                            ]),
                    ),
                vec![
                    SecurityMonitoringStandardRuleQuery::new()
                        .aggregation(SecurityMonitoringRuleQueryAggregation::COUNT)
                        .distinct_fields(vec![])
                        .group_by_fields(vec!["@userIdentity.assumed_role".to_string()])
                        .name("".to_string())
                        .query("source:source_here".to_string()),
                    SecurityMonitoringStandardRuleQuery::new()
                        .aggregation(SecurityMonitoringRuleQueryAggregation::COUNT)
                        .distinct_fields(vec![])
                        .group_by_fields(vec![])
                        .name("".to_string())
                        .query("source:source_here2".to_string()),
                ],
            )
            .has_extended_title(true)
            .tags(vec!["env:prod".to_string(), "team:security".to_string()])
            .type_(SecurityMonitoringRuleTypeCreate::LOG_DETECTION),
        ));
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api.validate_security_monitoring_rule(body).await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

Instructions

First install the library and its dependencies and then save the example to src/main.rs and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run

/**
 * Validate a detection rule returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiValidateSecurityMonitoringRuleRequest = {
  body: {
    cases: [
      {
        name: "",
        status: "info",
        notifications: [],
        condition: "a > 0",
      },
    ],
    hasExtendedTitle: true,
    isEnabled: true,
    message: "My security monitoring rule",
    name: "My security monitoring rule",
    options: {
      evaluationWindow: 1800,
      keepAlive: 1800,
      maxSignalDuration: 1800,
      detectionMethod: "threshold",
    },
    queries: [
      {
        query: "source:source_here",
        groupByFields: ["@userIdentity.assumed_role"],
        distinctFields: [],
        aggregation: "count",
        name: "",
      },
    ],
    tags: ["env:prod", "team:security"],
    type: "log_detection",
  },
};

apiInstance
  .validateSecurityMonitoringRule(params)
  .then((data: any) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

/**
 * Validate a detection rule with detection method 'new_value' with enabled feature 'instantaneousBaseline' returns "OK"
 * response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiValidateSecurityMonitoringRuleRequest = {
  body: {
    cases: [
      {
        name: "",
        status: "info",
        notifications: [],
      },
    ],
    hasExtendedTitle: true,
    isEnabled: true,
    message: "My security monitoring rule",
    name: "My security monitoring rule",
    options: {
      evaluationWindow: 0,
      keepAlive: 300,
      maxSignalDuration: 600,
      detectionMethod: "new_value",
      newValueOptions: {
        forgetAfter: 7,
        instantaneousBaseline: true,
        learningDuration: 1,
        learningThreshold: 0,
        learningMethod: "duration",
      },
    },
    queries: [
      {
        query: "source:source_here",
        groupByFields: ["@userIdentity.assumed_role"],
        distinctFields: [],
        metric: "name",
        metrics: ["name"],
        aggregation: "new_value",
        name: "",
        dataSource: "logs",
      },
    ],
    tags: ["env:prod", "team:security"],
    type: "log_detection",
  },
};

apiInstance
  .validateSecurityMonitoringRule(params)
  .then((data: any) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

/**
 * Validate a detection rule with detection method 'sequence_detection' returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiValidateSecurityMonitoringRuleRequest = {
  body: {
    cases: [
      {
        name: "",
        status: "info",
        notifications: [],
        condition: "step_b > 0",
      },
    ],
    hasExtendedTitle: true,
    isEnabled: true,
    message: "My security monitoring rule",
    name: "My security monitoring rule",
    options: {
      evaluationWindow: 0,
      keepAlive: 300,
      maxSignalDuration: 600,
      detectionMethod: "sequence_detection",
      sequenceDetectionOptions: {
        stepTransitions: [
          {
            child: "step_b",
            evaluationWindow: 900,
            parent: "step_a",
          },
        ],
        steps: [
          {
            condition: "a > 0",
            evaluationWindow: 60,
            name: "step_a",
          },
          {
            condition: "b > 0",
            evaluationWindow: 60,
            name: "step_b",
          },
        ],
      },
    },
    queries: [
      {
        query: "source:source_here",
        groupByFields: ["@userIdentity.assumed_role"],
        distinctFields: [],
        aggregation: "count",
        name: "",
      },
      {
        query: "source:source_here2",
        groupByFields: [],
        distinctFields: [],
        aggregation: "count",
        name: "",
      },
    ],
    tags: ["env:prod", "team:security"],
    type: "log_detection",
  },
};

apiInstance
  .validateSecurityMonitoringRule(params)
  .then((data: any) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

v2 (latest)

PATCH https://api.ap1.datadoghq.com/api/v2/security_monitoring/signals/{signal_id}/incidentshttps://api.ap2.datadoghq.com/api/v2/security_monitoring/signals/{signal_id}/incidentshttps://api.datadoghq.eu/api/v2/security_monitoring/signals/{signal_id}/incidentshttps://api.ddog-gov.com/api/v2/security_monitoring/signals/{signal_id}/incidentshttps://api.datadoghq.com/api/v2/security_monitoring/signals/{signal_id}/incidentshttps://api.us3.datadoghq.com/api/v2/security_monitoring/signals/{signal_id}/incidentshttps://api.us5.datadoghq.com/api/v2/security_monitoring/signals/{signal_id}/incidents

概要

Change the related incidents for a security signal. This endpoint requires the security_monitoring_signals_write permission.

引数

パスパラメーター

名前

種類

説明

signal_id [required]

string

The ID of the signal.

リクエスト

Body Data (required)

Attributes describing the signal update.

Expand All

フィールド

種類

説明

data [required]

object

Data containing the patch for changing the related incidents of a signal.

{
  "data": {
    "attributes": {
      "incident_ids": [
        2066
      ]
    }
  }
}

応答

The response returned after all triage operations, containing the updated signal triage data.

Expand All

フィールド

種類

説明

data [required]

object

Data containing the updated triage attributes of the signal.

{
  "data": {
    "attributes": {
      "archive_comment": "string",
      "archive_comment_timestamp": "integer",
      "archive_comment_user": {
        "handle": "string",
        "icon": "/path/to/matching/gravatar/icon",
        "id": "integer",
        "name": "string",
        "uuid": "773b045d-ccf8-4808-bd3b-955ef6a8c940"
      },
      "archive_reason": "string",
      "assignee": {
        "handle": "string",
        "icon": "/path/to/matching/gravatar/icon",
        "id": "integer",
        "name": "string",
        "uuid": "773b045d-ccf8-4808-bd3b-955ef6a8c940"
      },
      "incident_ids": [
        2066
      ],
      "state": "open",
      "state_update_timestamp": "integer",
      "state_update_user": {
        "handle": "string",
        "icon": "/path/to/matching/gravatar/icon",
        "id": "integer",
        "name": "string",
        "uuid": "773b045d-ccf8-4808-bd3b-955ef6a8c940"
      }
    },
    "id": "string",
    "type": "signal_metadata"
  }
}

Bad Request

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Forbidden

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Found

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

コード例

                          # Path parameters
export signal_id="CHANGE_ME"
# Curl command
curl -X PATCH "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/signals/${signal_id}/incidents" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": {
    "attributes": {
      "incident_ids": [
        2066
      ]
    }
  }
}
EOF

                        

// Change the related incidents of a security signal returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.SecurityMonitoringSignalIncidentsUpdateRequest{
		Data: datadogV2.SecurityMonitoringSignalIncidentsUpdateData{
			Attributes: datadogV2.SecurityMonitoringSignalIncidentsUpdateAttributes{
				IncidentIds: []int64{
					2066,
				},
			},
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.EditSecurityMonitoringSignalIncidents(ctx, "AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE", body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.EditSecurityMonitoringSignalIncidents`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.EditSecurityMonitoringSignalIncidents`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" go run "main.go"

// Change the related incidents of a security signal returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalIncidentsUpdateAttributes;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalIncidentsUpdateData;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalIncidentsUpdateRequest;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalTriageUpdateResponse;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SecurityMonitoringSignalIncidentsUpdateRequest body =
        new SecurityMonitoringSignalIncidentsUpdateRequest()
            .data(
                new SecurityMonitoringSignalIncidentsUpdateData()
                    .attributes(
                        new SecurityMonitoringSignalIncidentsUpdateAttributes()
                            .incidentIds(Collections.singletonList(2066L))));

    try {
      SecurityMonitoringSignalTriageUpdateResponse result =
          apiInstance.editSecurityMonitoringSignalIncidents(
              "AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE", body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#editSecurityMonitoringSignalIncidents");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" java "Example.java"

"""
Change the related incidents of a security signal returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_signal_incident_ids import SecurityMonitoringSignalIncidentIds
from datadog_api_client.v2.model.security_monitoring_signal_incidents_update_attributes import (
    SecurityMonitoringSignalIncidentsUpdateAttributes,
)
from datadog_api_client.v2.model.security_monitoring_signal_incidents_update_data import (
    SecurityMonitoringSignalIncidentsUpdateData,
)
from datadog_api_client.v2.model.security_monitoring_signal_incidents_update_request import (
    SecurityMonitoringSignalIncidentsUpdateRequest,
)

body = SecurityMonitoringSignalIncidentsUpdateRequest(
    data=SecurityMonitoringSignalIncidentsUpdateData(
        attributes=SecurityMonitoringSignalIncidentsUpdateAttributes(
            incident_ids=SecurityMonitoringSignalIncidentIds(
                [
                    2066,
                ]
            ),
        ),
    ),
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.edit_security_monitoring_signal_incidents(
        signal_id="AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE", body=body
    )

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" python3 "example.py"

# Change the related incidents of a security signal returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::SecurityMonitoringSignalIncidentsUpdateRequest.new({
  data: DatadogAPIClient::V2::SecurityMonitoringSignalIncidentsUpdateData.new({
    attributes: DatadogAPIClient::V2::SecurityMonitoringSignalIncidentsUpdateAttributes.new({
      incident_ids: [
        2066,
      ],
    }),
  }),
})
p api_instance.edit_security_monitoring_signal_incidents("AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE", body)

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" rb "example.rb"

// Change the related incidents of a security signal returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringSignalIncidentsUpdateAttributes;
use datadog_api_client::datadogV2::model::SecurityMonitoringSignalIncidentsUpdateData;
use datadog_api_client::datadogV2::model::SecurityMonitoringSignalIncidentsUpdateRequest;

#[tokio::main]
async fn main() {
    let body = SecurityMonitoringSignalIncidentsUpdateRequest::new(
        SecurityMonitoringSignalIncidentsUpdateData::new(
            SecurityMonitoringSignalIncidentsUpdateAttributes::new(vec![2066]),
        ),
    );
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .edit_security_monitoring_signal_incidents(
            "AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE".to_string(),
            body,
        )
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

Instructions

First install the library and its dependencies and then save the example to src/main.rs and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" cargo run

/**
 * Change the related incidents of a security signal returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiEditSecurityMonitoringSignalIncidentsRequest =
  {
    body: {
      data: {
        attributes: {
          incidentIds: [2066],
        },
      },
    },
    signalId: "AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE",
  };

apiInstance
  .editSecurityMonitoringSignalIncidents(params)
  .then((data: v2.SecurityMonitoringSignalTriageUpdateResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" tsc "example.ts"

Convert an existing rule from JSON to Terraform

v2 (latest)

GET https://api.ap1.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}/converthttps://api.ap2.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}/converthttps://api.datadoghq.eu/api/v2/security_monitoring/rules/{rule_id}/converthttps://api.ddog-gov.com/api/v2/security_monitoring/rules/{rule_id}/converthttps://api.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}/converthttps://api.us3.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}/converthttps://api.us5.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}/convert

概要

Convert an existing rule from JSON to Terraform for Datadog provider resource datadog_security_monitoring_rule. You can do so for the following rule types:

App and API Protection
Cloud SIEM (log detection and signal correlation)
Workload Protection

You can convert Cloud Security configuration rules using Terraform’s Datadog Cloud Configuration Rule resource.

This endpoint requires the security_monitoring_rules_read permission.

OAuth apps require the security_monitoring_rules_read authorization scope to access this endpoint.

引数

パスパラメーター

名前

種類

説明

rule_id [required]

string

The ID of the rule.

応答

Result of the convert rule request containing Terraform content.

Expand All

フィールド

種類

説明

ruleId

string

the ID of the rule.

terraformContent

string

Terraform string as a result of converting the rule from JSON.

{
  "ruleId": "string",
  "terraformContent": "string"
}

Bad Request

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Authorized

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Found

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

コード例

                  # Path parameters
export rule_id="CHANGE_ME"
# Curl command
curl -X GET "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/rules/${rule_id}/convert" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"

                

"""
Convert an existing rule from JSON to Terraform returns "OK" response
"""

from os import environ
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

# there is a valid "security_rule_hash" in the system
SECURITY_RULE_HASH_ID = environ["SECURITY_RULE_HASH_ID"]

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.convert_existing_security_monitoring_rule(
        rule_id=SECURITY_RULE_HASH_ID,
    )

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"

# Convert an existing rule from JSON to Terraform returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

# there is a valid "security_rule_hash" in the system
SECURITY_RULE_HASH_ID = ENV["SECURITY_RULE_HASH_ID"]
p api_instance.convert_existing_security_monitoring_rule(SECURITY_RULE_HASH_ID)

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"

// Convert an existing rule from JSON to Terraform returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	// there is a valid "security_rule_hash" in the system
	SecurityRuleHashID := os.Getenv("SECURITY_RULE_HASH_ID")

	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.ConvertExistingSecurityMonitoringRule(ctx, SecurityRuleHashID)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.ConvertExistingSecurityMonitoringRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.ConvertExistingSecurityMonitoringRule`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"

// Convert an existing rule from JSON to Terraform returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleConvertResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    // there is a valid "security_rule_hash" in the system
    String SECURITY_RULE_HASH_ID = System.getenv("SECURITY_RULE_HASH_ID");

    try {
      SecurityMonitoringRuleConvertResponse result =
          apiInstance.convertExistingSecurityMonitoringRule(SECURITY_RULE_HASH_ID);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#convertExistingSecurityMonitoringRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

// Convert an existing rule from JSON to Terraform returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    // there is a valid "security_rule_hash" in the system
    let security_rule_hash_id = std::env::var("SECURITY_RULE_HASH_ID").unwrap();
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .convert_existing_security_monitoring_rule(security_rule_hash_id.clone())
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

Instructions

First install the library and its dependencies and then save the example to src/main.rs and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run

/**
 * Convert an existing rule from JSON to Terraform returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

// there is a valid "security_rule_hash" in the system
const SECURITY_RULE_HASH_ID = process.env.SECURITY_RULE_HASH_ID as string;

const params: v2.SecurityMonitoringApiConvertExistingSecurityMonitoringRuleRequest =
  {
    ruleId: SECURITY_RULE_HASH_ID,
  };

apiInstance
  .convertExistingSecurityMonitoringRule(params)
  .then((data: v2.SecurityMonitoringRuleConvertResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

Convert a rule from JSON to Terraform

v2 (latest)

POST https://api.ap1.datadoghq.com/api/v2/security_monitoring/rules/converthttps://api.ap2.datadoghq.com/api/v2/security_monitoring/rules/converthttps://api.datadoghq.eu/api/v2/security_monitoring/rules/converthttps://api.ddog-gov.com/api/v2/security_monitoring/rules/converthttps://api.datadoghq.com/api/v2/security_monitoring/rules/converthttps://api.us3.datadoghq.com/api/v2/security_monitoring/rules/converthttps://api.us5.datadoghq.com/api/v2/security_monitoring/rules/convert

概要

Convert a rule that doesn’t (yet) exist from JSON to Terraform for Datadog provider resource datadog_security_monitoring_rule. You can do so for the following rule types:

App and API Protection
Cloud SIEM (log detection and signal correlation)
Workload Protection

You can convert Cloud Security configuration rules using Terraform’s Datadog Cloud Configuration Rule resource.

This endpoint requires the security_monitoring_rules_write permission.

OAuth apps require the security_monitoring_rules_write authorization scope to access this endpoint.

リクエスト

Body Data (required)

Expand All

フィールド

種類

説明

Option 1

object

The payload of a rule.

options [required]

object

Options.

Option 2

object

The payload of a signal correlation rule.

options [required]

object

Options.

{
  "name": "_49768568946de993",
  "queries": [
    {
      "query": "@test:true",
      "aggregation": "count",
      "groupByFields": [],
      "distinctFields": [],
      "metric": ""
    }
  ],
  "filters": [],
  "cases": [
    {
      "name": "",
      "status": "info",
      "condition": "a > 0",
      "notifications": []
    }
  ],
  "options": {
    "evaluationWindow": 900,
    "keepAlive": 3600,
    "maxSignalDuration": 86400
  },
  "message": "Test rule",
  "tags": [],
  "isEnabled": true,
  "type": "log_detection"
}

応答

Result of the convert rule request containing Terraform content.

Expand All

フィールド

種類

説明

ruleId

string

the ID of the rule.

terraformContent

string

Terraform string as a result of converting the rule from JSON.

{
  "ruleId": "string",
  "terraformContent": "string"
}

Bad Request

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Concurrent Modification

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Authorized

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Found

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

コード例

                          # Curl command
curl -X POST "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/rules/convert" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "name": "_49768568946de993",
  "queries": [
    {
      "query": "@test:true",
      "aggregation": "count",
      "groupByFields": [],
      "distinctFields": [],
      "metric": ""
    }
  ],
  "filters": [],
  "cases": [
    {
      "name": "",
      "status": "info",
      "condition": "a > 0",
      "notifications": []
    }
  ],
  "options": {
    "evaluationWindow": 900,
    "keepAlive": 3600,
    "maxSignalDuration": 86400
  },
  "message": "Test rule",
  "tags": [],
  "isEnabled": true,
  "type": "log_detection"
}
EOF

                        

// Convert a rule from JSON to Terraform returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.SecurityMonitoringRuleConvertPayload{
		SecurityMonitoringStandardRulePayload: &datadogV2.SecurityMonitoringStandardRulePayload{
			Name: "_49768568946de993",
			Queries: []datadogV2.SecurityMonitoringStandardRuleQuery{
				{
					Query:          datadog.PtrString("@test:true"),
					Aggregation:    datadogV2.SECURITYMONITORINGRULEQUERYAGGREGATION_COUNT.Ptr(),
					GroupByFields:  []string{},
					DistinctFields: []string{},
					Metric:         datadog.PtrString(""),
				},
			},
			Filters: []datadogV2.SecurityMonitoringFilter{},
			Cases: []datadogV2.SecurityMonitoringRuleCaseCreate{
				{
					Name:          datadog.PtrString(""),
					Status:        datadogV2.SECURITYMONITORINGRULESEVERITY_INFO,
					Condition:     datadog.PtrString("a > 0"),
					Notifications: []string{},
				},
			},
			Options: datadogV2.SecurityMonitoringRuleOptions{
				EvaluationWindow:  datadogV2.SECURITYMONITORINGRULEEVALUATIONWINDOW_FIFTEEN_MINUTES.Ptr(),
				KeepAlive:         datadogV2.SECURITYMONITORINGRULEKEEPALIVE_ONE_HOUR.Ptr(),
				MaxSignalDuration: datadogV2.SECURITYMONITORINGRULEMAXSIGNALDURATION_ONE_DAY.Ptr(),
			},
			Message:   "Test rule",
			Tags:      []string{},
			IsEnabled: true,
			Type:      datadogV2.SECURITYMONITORINGRULETYPECREATE_LOG_DETECTION.Ptr(),
		}}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.ConvertSecurityMonitoringRuleFromJSONToTerraform(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.ConvertSecurityMonitoringRuleFromJSONToTerraform`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.ConvertSecurityMonitoringRuleFromJSONToTerraform`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"

// Convert a rule from JSON to Terraform returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCaseCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleConvertPayload;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleConvertResponse;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleEvaluationWindow;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleKeepAlive;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleMaxSignalDuration;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleOptions;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleQueryAggregation;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSeverity;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleTypeCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRulePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRuleQuery;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SecurityMonitoringRuleConvertPayload body =
        new SecurityMonitoringRuleConvertPayload(
            new SecurityMonitoringStandardRulePayload()
                .name("_49768568946de993")
                .queries(
                    Collections.singletonList(
                        new SecurityMonitoringStandardRuleQuery()
                            .query("@test:true")
                            .aggregation(SecurityMonitoringRuleQueryAggregation.COUNT)
                            .metric("")))
                .cases(
                    Collections.singletonList(
                        new SecurityMonitoringRuleCaseCreate()
                            .name("")
                            .status(SecurityMonitoringRuleSeverity.INFO)
                            .condition("a > 0")))
                .options(
                    new SecurityMonitoringRuleOptions()
                        .evaluationWindow(SecurityMonitoringRuleEvaluationWindow.FIFTEEN_MINUTES)
                        .keepAlive(SecurityMonitoringRuleKeepAlive.ONE_HOUR)
                        .maxSignalDuration(SecurityMonitoringRuleMaxSignalDuration.ONE_DAY))
                .message("Test rule")
                .isEnabled(true)
                .type(SecurityMonitoringRuleTypeCreate.LOG_DETECTION));

    try {
      SecurityMonitoringRuleConvertResponse result =
          apiInstance.convertSecurityMonitoringRuleFromJSONToTerraform(body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling"
              + " SecurityMonitoringApi#convertSecurityMonitoringRuleFromJSONToTerraform");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

"""
Convert a rule from JSON to Terraform returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_rule_case_create import SecurityMonitoringRuleCaseCreate
from datadog_api_client.v2.model.security_monitoring_rule_evaluation_window import (
    SecurityMonitoringRuleEvaluationWindow,
)
from datadog_api_client.v2.model.security_monitoring_rule_keep_alive import SecurityMonitoringRuleKeepAlive
from datadog_api_client.v2.model.security_monitoring_rule_max_signal_duration import (
    SecurityMonitoringRuleMaxSignalDuration,
)
from datadog_api_client.v2.model.security_monitoring_rule_options import SecurityMonitoringRuleOptions
from datadog_api_client.v2.model.security_monitoring_rule_query_aggregation import (
    SecurityMonitoringRuleQueryAggregation,
)
from datadog_api_client.v2.model.security_monitoring_rule_severity import SecurityMonitoringRuleSeverity
from datadog_api_client.v2.model.security_monitoring_rule_type_create import SecurityMonitoringRuleTypeCreate
from datadog_api_client.v2.model.security_monitoring_standard_rule_payload import SecurityMonitoringStandardRulePayload
from datadog_api_client.v2.model.security_monitoring_standard_rule_query import SecurityMonitoringStandardRuleQuery

body = SecurityMonitoringStandardRulePayload(
    name="_49768568946de993",
    queries=[
        SecurityMonitoringStandardRuleQuery(
            query="@test:true",
            aggregation=SecurityMonitoringRuleQueryAggregation.COUNT,
            group_by_fields=[],
            distinct_fields=[],
            metric="",
        ),
    ],
    filters=[],
    cases=[
        SecurityMonitoringRuleCaseCreate(
            name="",
            status=SecurityMonitoringRuleSeverity.INFO,
            condition="a > 0",
            notifications=[],
        ),
    ],
    options=SecurityMonitoringRuleOptions(
        evaluation_window=SecurityMonitoringRuleEvaluationWindow.FIFTEEN_MINUTES,
        keep_alive=SecurityMonitoringRuleKeepAlive.ONE_HOUR,
        max_signal_duration=SecurityMonitoringRuleMaxSignalDuration.ONE_DAY,
    ),
    message="Test rule",
    tags=[],
    is_enabled=True,
    type=SecurityMonitoringRuleTypeCreate.LOG_DETECTION,
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.convert_security_monitoring_rule_from_json_to_terraform(body=body)

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"

# Convert a rule from JSON to Terraform returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::SecurityMonitoringStandardRulePayload.new({
  name: "_49768568946de993",
  queries: [
    DatadogAPIClient::V2::SecurityMonitoringStandardRuleQuery.new({
      query: "@test:true",
      aggregation: DatadogAPIClient::V2::SecurityMonitoringRuleQueryAggregation::COUNT,
      group_by_fields: [],
      distinct_fields: [],
      metric: "",
    }),
  ],
  filters: [],
  cases: [
    DatadogAPIClient::V2::SecurityMonitoringRuleCaseCreate.new({
      name: "",
      status: DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::INFO,
      condition: "a > 0",
      notifications: [],
    }),
  ],
  options: DatadogAPIClient::V2::SecurityMonitoringRuleOptions.new({
    evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::FIFTEEN_MINUTES,
    keep_alive: DatadogAPIClient::V2::SecurityMonitoringRuleKeepAlive::ONE_HOUR,
    max_signal_duration: DatadogAPIClient::V2::SecurityMonitoringRuleMaxSignalDuration::ONE_DAY,
  }),
  message: "Test rule",
  tags: [],
  is_enabled: true,
  type: DatadogAPIClient::V2::SecurityMonitoringRuleTypeCreate::LOG_DETECTION,
})
p api_instance.convert_security_monitoring_rule_from_json_to_terraform(body)

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"

// Convert a rule from JSON to Terraform returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleCaseCreate;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleConvertPayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleEvaluationWindow;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleKeepAlive;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleMaxSignalDuration;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleOptions;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleQueryAggregation;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSeverity;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleTypeCreate;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRulePayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRuleQuery;

#[tokio::main]
async fn main() {
    let body =
        SecurityMonitoringRuleConvertPayload::SecurityMonitoringStandardRulePayload(Box::new(
            SecurityMonitoringStandardRulePayload::new(
                vec![
                    SecurityMonitoringRuleCaseCreate::new(SecurityMonitoringRuleSeverity::INFO)
                        .condition("a > 0".to_string())
                        .name("".to_string())
                        .notifications(vec![]),
                ],
                true,
                "Test rule".to_string(),
                "_49768568946de993".to_string(),
                SecurityMonitoringRuleOptions::new()
                    .evaluation_window(SecurityMonitoringRuleEvaluationWindow::FIFTEEN_MINUTES)
                    .keep_alive(SecurityMonitoringRuleKeepAlive::ONE_HOUR)
                    .max_signal_duration(SecurityMonitoringRuleMaxSignalDuration::ONE_DAY),
                vec![SecurityMonitoringStandardRuleQuery::new()
                    .aggregation(SecurityMonitoringRuleQueryAggregation::COUNT)
                    .distinct_fields(vec![])
                    .group_by_fields(vec![])
                    .metric("".to_string())
                    .query("@test:true".to_string())],
            )
            .filters(vec![])
            .tags(vec![])
            .type_(SecurityMonitoringRuleTypeCreate::LOG_DETECTION),
        ));
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .convert_security_monitoring_rule_from_json_to_terraform(body)
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

Instructions

First install the library and its dependencies and then save the example to src/main.rs and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run

/**
 * Convert a rule from JSON to Terraform returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiConvertSecurityMonitoringRuleFromJSONToTerraformRequest =
  {
    body: {
      name: "_49768568946de993",
      queries: [
        {
          query: "@test:true",
          aggregation: "count",
          groupByFields: [],
          distinctFields: [],
          metric: "",
        },
      ],
      filters: [],
      cases: [
        {
          name: "",
          status: "info",
          condition: "a > 0",
          notifications: [],
        },
      ],
      options: {
        evaluationWindow: 900,
        keepAlive: 3600,
        maxSignalDuration: 86400,
      },
      message: "Test rule",
      tags: [],
      isEnabled: true,
      type: "log_detection",
    },
  };

apiInstance
  .convertSecurityMonitoringRuleFromJSONToTerraform(params)
  .then((data: v2.SecurityMonitoringRuleConvertResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

Get a list of security signals

v2 (latest)

POST https://api.ap1.datadoghq.com/api/v2/security_monitoring/signals/searchhttps://api.ap2.datadoghq.com/api/v2/security_monitoring/signals/searchhttps://api.datadoghq.eu/api/v2/security_monitoring/signals/searchhttps://api.ddog-gov.com/api/v2/security_monitoring/signals/searchhttps://api.datadoghq.com/api/v2/security_monitoring/signals/searchhttps://api.us3.datadoghq.com/api/v2/security_monitoring/signals/searchhttps://api.us5.datadoghq.com/api/v2/security_monitoring/signals/search

概要

Returns security signals that match a search query. Both this endpoint and the GET endpoint can be used interchangeably for listing security signals. This endpoint requires the security_monitoring_signals_read permission.

OAuth apps require the security_monitoring_signals_read authorization scope to access this endpoint.

リクエスト

Body Data

Expand All

フィールド

種類

説明

filter

object

Search filters for listing security signals.

page

object

The paging attributes for listing security signals.

sort

enum

The sort parameters used for querying security signals. Allowed enum values: timestamp,-timestamp

{
  "filter": {
    "from": "2021-11-11T10:56:11+00:00",
    "query": "security:attack status:high",
    "to": "2021-11-11T11:11:11+00:00"
  },
  "page": {
    "limit": 2
  },
  "sort": "timestamp"
}

応答

The response object with all security signals matching the request and pagination information.

Expand All

フィールド

種類

説明

data

[object]

An array of security signals matching the request.

links

object

Links attributes.

meta

object

Meta attributes.

{
  "data": [
    {
      "attributes": {
        "custom": {
          "workflow": {
            "first_seen": "2020-06-23T14:46:01.000Z",
            "last_seen": "2020-06-23T14:46:49.000Z",
            "rule": {
              "id": "0f5-e0c-805",
              "name": "Brute Force Attack Grouped By User ",
              "version": 12
            }
          }
        },
        "message": "Detect Account Take Over (ATO) through brute force attempts",
        "tags": [
          "security:attack",
          "technique:T1110-brute-force"
        ],
        "timestamp": "2019-01-02T09:42:36.320Z"
      },
      "id": "AAAAAWgN8Xwgr1vKDQAAAABBV2dOOFh3ZzZobm1mWXJFYTR0OA",
      "type": "signal"
    }
  ],
  "links": {
    "next": "https://app.datadoghq.com/api/v2/security_monitoring/signals?filter[query]=foo\u0026page[cursor]=eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ=="
  },
  "meta": {
    "page": {
      "after": "eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ=="
    }
  }
}

Bad Request

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Authorized

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

コード例

                          # Curl command
curl -X POST "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/signals/search" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "filter": {
    "from": "2021-11-11T10:56:11+00:00",
    "query": "security:attack status:high",
    "to": "2021-11-11T11:11:11+00:00"
  },
  "page": {
    "limit": 2
  },
  "sort": "timestamp"
}
EOF

                        

// Get a list of security signals returns "OK" response with pagination

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"
	"time"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.SecurityMonitoringSignalListRequest{
		Filter: &datadogV2.SecurityMonitoringSignalListRequestFilter{
			From:  datadog.PtrTime(time.Now().Add(time.Minute * -15)),
			Query: datadog.PtrString("security:attack status:high"),
			To:    datadog.PtrTime(time.Now()),
		},
		Page: &datadogV2.SecurityMonitoringSignalListRequestPage{
			Limit: datadog.PtrInt32(2),
		},
		Sort: datadogV2.SECURITYMONITORINGSIGNALSSORT_TIMESTAMP_ASCENDING.Ptr(),
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, _ := api.SearchSecurityMonitoringSignalsWithPagination(ctx, *datadogV2.NewSearchSecurityMonitoringSignalsOptionalParameters().WithBody(body))

	for paginationResult := range resp {
		if paginationResult.Error != nil {
			fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.SearchSecurityMonitoringSignals`: %v\n", paginationResult.Error)
		}
		responseContent, _ := json.MarshalIndent(paginationResult.Item, "", "  ")
		fmt.Fprintf(os.Stdout, "%s\n", responseContent)
	}
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"

// Get a list of security signals returns "OK" response with pagination
import com.datadog.api.client.ApiClient;
import com.datadog.api.client.PaginationIterable;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.api.SecurityMonitoringApi.SearchSecurityMonitoringSignalsOptionalParameters;
import com.datadog.api.client.v2.model.SecurityMonitoringSignal;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalListRequest;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalListRequestFilter;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalListRequestPage;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalsSort;
import java.time.OffsetDateTime;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SecurityMonitoringSignalListRequest body =
        new SecurityMonitoringSignalListRequest()
            .filter(
                new SecurityMonitoringSignalListRequestFilter()
                    .from(OffsetDateTime.now().plusMinutes(-15))
                    .query("security:attack status:high")
                    .to(OffsetDateTime.now()))
            .page(new SecurityMonitoringSignalListRequestPage().limit(2))
            .sort(SecurityMonitoringSignalsSort.TIMESTAMP_ASCENDING);

    try {
      PaginationIterable<SecurityMonitoringSignal> iterable =
          apiInstance.searchSecurityMonitoringSignalsWithPagination(
              new SearchSecurityMonitoringSignalsOptionalParameters().body(body));

      for (SecurityMonitoringSignal item : iterable) {
        System.out.println(item);
      }
    } catch (RuntimeException e) {
      System.err.println(
          "Exception when calling"
              + " SecurityMonitoringApi#searchSecurityMonitoringSignalsWithPagination");
      System.err.println("Reason: " + e.getMessage());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

"""
Get a list of security signals returns "OK" response with pagination
"""

from datetime import datetime
from dateutil.relativedelta import relativedelta
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_signal_list_request import SecurityMonitoringSignalListRequest
from datadog_api_client.v2.model.security_monitoring_signal_list_request_filter import (
    SecurityMonitoringSignalListRequestFilter,
)
from datadog_api_client.v2.model.security_monitoring_signal_list_request_page import (
    SecurityMonitoringSignalListRequestPage,
)
from datadog_api_client.v2.model.security_monitoring_signals_sort import SecurityMonitoringSignalsSort

body = SecurityMonitoringSignalListRequest(
    filter=SecurityMonitoringSignalListRequestFilter(
        _from=(datetime.now() + relativedelta(minutes=-15)),
        query="security:attack status:high",
        to=datetime.now(),
    ),
    page=SecurityMonitoringSignalListRequestPage(
        limit=2,
    ),
    sort=SecurityMonitoringSignalsSort.TIMESTAMP_ASCENDING,
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    items = api_instance.search_security_monitoring_signals_with_pagination(body=body)
    for item in items:
        print(item)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"

# Get a list of security signals returns "OK" response with pagination

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::SecurityMonitoringSignalListRequest.new({
  filter: DatadogAPIClient::V2::SecurityMonitoringSignalListRequestFilter.new({
    from: (Time.now + -15 * 60),
    query: "security:attack status:high",
    to: Time.now,
  }),
  page: DatadogAPIClient::V2::SecurityMonitoringSignalListRequestPage.new({
    limit: 2,
  }),
  sort: DatadogAPIClient::V2::SecurityMonitoringSignalsSort::TIMESTAMP_ASCENDING,
})
opts = {
  body: body,
}
api_instance.search_security_monitoring_signals_with_pagination(opts) { |item| puts item }

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"

// Get a list of security signals returns "OK" response with pagination
use chrono::{DateTime, Utc};
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SearchSecurityMonitoringSignalsOptionalParams;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringSignalListRequest;
use datadog_api_client::datadogV2::model::SecurityMonitoringSignalListRequestFilter;
use datadog_api_client::datadogV2::model::SecurityMonitoringSignalListRequestPage;
use datadog_api_client::datadogV2::model::SecurityMonitoringSignalsSort;
use futures_util::pin_mut;
use futures_util::stream::StreamExt;

#[tokio::main]
async fn main() {
    let body = SecurityMonitoringSignalListRequest::new()
        .filter(
            SecurityMonitoringSignalListRequestFilter::new()
                .from(
                    DateTime::parse_from_rfc3339("2021-11-11T10:56:11+00:00")
                        .expect("Failed to parse datetime")
                        .with_timezone(&Utc),
                )
                .query("security:attack status:high".to_string())
                .to(DateTime::parse_from_rfc3339("2021-11-11T11:11:11+00:00")
                    .expect("Failed to parse datetime")
                    .with_timezone(&Utc)),
        )
        .page(SecurityMonitoringSignalListRequestPage::new().limit(2))
        .sort(SecurityMonitoringSignalsSort::TIMESTAMP_ASCENDING);
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let response = api.search_security_monitoring_signals_with_pagination(
        SearchSecurityMonitoringSignalsOptionalParams::default().body(body),
    );
    pin_mut!(response);
    while let Some(resp) = response.next().await {
        if let Ok(value) = resp {
            println!("{:#?}", value);
        } else {
            println!("{:#?}", resp.unwrap_err());
        }
    }
}

Instructions

First install the library and its dependencies and then save the example to src/main.rs and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run

/**
 * Get a list of security signals returns "OK" response with pagination
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiSearchSecurityMonitoringSignalsRequest = {
  body: {
    filter: {
      from: new Date(new Date().getTime() + -15 * 60 * 1000),
      query: "security:attack status:high",
      to: new Date(),
    },
    page: {
      limit: 2,
    },
    sort: "timestamp",
  },
};

(async () => {
  try {
    for await (const item of apiInstance.searchSecurityMonitoringSignalsWithPagination(
      params
    )) {
      console.log(item);
    }
  } catch (error) {
    console.error(error);
  }
})();

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

Get a signal's details

v2 (latest)

GET https://api.ap1.datadoghq.com/api/v2/security_monitoring/signals/{signal_id}https://api.ap2.datadoghq.com/api/v2/security_monitoring/signals/{signal_id}https://api.datadoghq.eu/api/v2/security_monitoring/signals/{signal_id}https://api.ddog-gov.com/api/v2/security_monitoring/signals/{signal_id}https://api.datadoghq.com/api/v2/security_monitoring/signals/{signal_id}https://api.us3.datadoghq.com/api/v2/security_monitoring/signals/{signal_id}https://api.us5.datadoghq.com/api/v2/security_monitoring/signals/{signal_id}

概要

Get a signal’s details. This endpoint requires the security_monitoring_signals_read permission.

OAuth apps require the security_monitoring_signals_read authorization scope to access this endpoint.

引数

パスパラメーター

名前

種類

説明

signal_id [required]

string

The ID of the signal.

応答

Security Signal response data object.

Expand All

フィールド

種類

説明

data

object

Object description of a security signal.

{
  "data": {
    "attributes": {
      "custom": {
        "workflow": {
          "first_seen": "2020-06-23T14:46:01.000Z",
          "last_seen": "2020-06-23T14:46:49.000Z",
          "rule": {
            "id": "0f5-e0c-805",
            "name": "Brute Force Attack Grouped By User ",
            "version": 12
          }
        }
      },
      "message": "Detect Account Take Over (ATO) through brute force attempts",
      "tags": [
        "security:attack",
        "technique:T1110-brute-force"
      ],
      "timestamp": "2019-01-02T09:42:36.320Z"
    },
    "id": "AAAAAWgN8Xwgr1vKDQAAAABBV2dOOFh3ZzZobm1mWXJFYTR0OA",
    "type": "signal"
  }
}

Not Found

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

コード例

                  # Path parameters
export signal_id="CHANGE_ME"
# Curl command
curl -X GET "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/signals/${signal_id}" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"

                

"""
Get a signal's details returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.get_security_monitoring_signal(
        signal_id="AQAAAYNqUBVU4-rffwAAAABBWU5xVUJWVUFBQjJBd3ptMDdQUnF3QUE",
    )

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"

# Get a signal's details returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
p api_instance.get_security_monitoring_signal("AQAAAYNqUBVU4-rffwAAAABBWU5xVUJWVUFBQjJBd3ptMDdQUnF3QUE")

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"

// Get a signal's details returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.GetSecurityMonitoringSignal(ctx, "AQAAAYNqUBVU4-rffwAAAABBWU5xVUJWVUFBQjJBd3ptMDdQUnF3QUE")

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.GetSecurityMonitoringSignal`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.GetSecurityMonitoringSignal`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"

// Get a signal's details returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    try {
      SecurityMonitoringSignalResponse result =
          apiInstance.getSecurityMonitoringSignal(
              "AQAAAYNqUBVU4-rffwAAAABBWU5xVUJWVUFBQjJBd3ptMDdQUnF3QUE");
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#getSecurityMonitoringSignal");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

// Get a signal's details returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .get_security_monitoring_signal(
            "AQAAAYNqUBVU4-rffwAAAABBWU5xVUJWVUFBQjJBd3ptMDdQUnF3QUE".to_string(),
        )
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

Instructions

First install the library and its dependencies and then save the example to src/main.rs and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run

/**
 * Get a signal's details returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiGetSecurityMonitoringSignalRequest = {
  signalId: "AQAAAYNqUBVU4-rffwAAAABBWU5xVUJWVUFBQjJBd3ptMDdQUnF3QUE",
};

apiInstance
  .getSecurityMonitoringSignal(params)
  .then((data: v2.SecurityMonitoringSignalResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

Delete a security filter

v2 (latest)

DELETE https://api.ap1.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}https://api.ap2.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}https://api.datadoghq.eu/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}https://api.ddog-gov.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}https://api.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}https://api.us3.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}

概要

Delete a specific security filter. This endpoint requires the security_monitoring_filters_write permission.

OAuth apps require the security_monitoring_filters_write authorization scope to access this endpoint.

引数

パスパラメーター

名前

種類

説明

security_filter_id [required]

string

The ID of the security filter.

応答

Not Authorized

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Found

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

コード例

                  # Path parameters
export security_filter_id="CHANGE_ME"
# Curl command
curl -X DELETE "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/${security_filter_id}" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"

                

"""
Delete a security filter returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    api_instance.delete_security_filter(
        security_filter_id="security_filter_id",
    )

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"

# Delete a security filter returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
api_instance.delete_security_filter("security_filter_id")

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"

// Delete a security filter returns "OK" response

package main

import (
	"context"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	r, err := api.DeleteSecurityFilter(ctx, "security_filter_id")

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.DeleteSecurityFilter`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"

// Delete a security filter returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    try {
      apiInstance.deleteSecurityFilter("security_filter_id");
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#deleteSecurityFilter");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

// Delete a security filter returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;

#[tokio::main]
async fn main() {
    let configuration = datadog::Configuration::new();
    let api = SecurityMonitoringAPI::with_config(configuration);
    let resp = api
        .delete_security_filter("security_filter_id".to_string())
        .await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

Instructions

First install the library and its dependencies and then save the example to src/main.rs and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run

/**
 * Delete a security filter returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiDeleteSecurityFilterRequest = {
  securityFilterId: "security_filter_id",
};

apiInstance
  .deleteSecurityFilter(params)
  .then((data: any) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

Get a quick list of security signals

v2 (latest)

GET https://api.ap1.datadoghq.com/api/v2/security_monitoring/signalshttps://api.ap2.datadoghq.com/api/v2/security_monitoring/signalshttps://api.datadoghq.eu/api/v2/security_monitoring/signalshttps://api.ddog-gov.com/api/v2/security_monitoring/signalshttps://api.datadoghq.com/api/v2/security_monitoring/signalshttps://api.us3.datadoghq.com/api/v2/security_monitoring/signalshttps://api.us5.datadoghq.com/api/v2/security_monitoring/signals

概要

The list endpoint returns security signals that match a search query. Both this endpoint and the POST endpoint can be used interchangeably when listing security signals. This endpoint requires the security_monitoring_signals_read permission.

OAuth apps require the security_monitoring_signals_read authorization scope to access this endpoint.

引数

クエリ文字列

名前

種類

説明

filter[query]

string

The search query for security signals.

filter[from]

string

The minimum timestamp for requested security signals.

filter[to]

string

The maximum timestamp for requested security signals.

sort

enum

The order of the security signals in results.
Allowed enum values: timestamp, -timestamp

page[cursor]

string

A list of results using the cursor provided in the previous query.

page[limit]

integer

The maximum number of security signals in the response.

応答

The response object with all security signals matching the request and pagination information.

Expand All

フィールド

種類

説明

data

[object]

An array of security signals matching the request.

links

object

Links attributes.

meta

object

Meta attributes.

{
  "data": [
    {
      "attributes": {
        "custom": {
          "workflow": {
            "first_seen": "2020-06-23T14:46:01.000Z",
            "last_seen": "2020-06-23T14:46:49.000Z",
            "rule": {
              "id": "0f5-e0c-805",
              "name": "Brute Force Attack Grouped By User ",
              "version": 12
            }
          }
        },
        "message": "Detect Account Take Over (ATO) through brute force attempts",
        "tags": [
          "security:attack",
          "technique:T1110-brute-force"
        ],
        "timestamp": "2019-01-02T09:42:36.320Z"
      },
      "id": "AAAAAWgN8Xwgr1vKDQAAAABBV2dOOFh3ZzZobm1mWXJFYTR0OA",
      "type": "signal"
    }
  ],
  "links": {
    "next": "https://app.datadoghq.com/api/v2/security_monitoring/signals?filter[query]=foo\u0026page[cursor]=eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ=="
  },
  "meta": {
    "page": {
      "after": "eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ=="
    }
  }
}

Bad Request

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Authorized

API error response.

セキュリティモニタリング

概要

リクエスト

Body Data (required)

応答

コード例

Create a critical asset returns "OK" response

概要

リクエスト

Body Data (required)

Create a suppression rule returns "OK" response

Create a suppression rule with an exclusion query returns "OK" response

応答

コード例

Create a suppression rule returns "OK" response

Create a suppression rule with an exclusion query returns "OK" response

Create a suppression rule returns "OK" response

Create a suppression rule with an exclusion query returns "OK" response

Instructions

Create a suppression rule returns "OK" response

Create a suppression rule with an exclusion query returns "OK" response

Instructions

Create a suppression rule returns "OK" response

Create a suppression rule with an exclusion query returns "OK" response

Instructions

Create a suppression rule returns "OK" response

Create a suppression rule with an exclusion query returns "OK" response

Instructions

Create a suppression rule returns "OK" response

Create a suppression rule with an exclusion query returns "OK" response

Instructions

Create a suppression rule returns "OK" response

Create a suppression rule with an exclusion query returns "OK" response

Instructions

概要

引数

パスパラメーター

応答

コード例

Delete a critical asset

概要

引数

パスパラメーター

応答

コード例

Delete a suppression rule

Delete a suppression rule

Instructions

Delete a suppression rule

Instructions

Delete a suppression rule

Instructions

Delete a suppression rule

Instructions

Delete a suppression rule

Instructions

Delete a suppression rule

Instructions

概要

引数

パスパラメーター

応答

コード例

Get a critical asset

概要

引数

パスパラメーター

応答

コード例

Get a suppression rule

Get a suppression rule

Instructions

Get a suppression rule

Instructions

Get a suppression rule

Instructions

Get a suppression rule

Instructions

Get a suppression rule

Instructions