Language
Site
Detection rules for generating signals and listing of generated signals.
POST https://api.datadoghq.eu/api/v2/security_monitoring/configuration/security_filtershttps://api.ddog-gov.com/api/v2/security_monitoring/configuration/security_filtershttps://api.datadoghq.com/api/v2/security_monitoring/configuration/security_filtershttps://api.us3.datadoghq.com/api/v2/security_monitoring/configuration/security_filtershttps://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/security_filters
Create a security filter.
See the security filter guide for more examples.
This endpoint requires thesecurity_monitoring_filters_write authorization scope.
The definition of the new security filter.
フィールド
種類
説明
data [required]
object
Object for a single security filter.
attributes [required]
object
Object containing the attributes of the security filter to be created.
exclusion_filters [required]
[object]
Exclusion filters to exclude some logs from the security filter.
name [required]
string
Exclusion filter name.
query [required]
string
Exclusion filter query. Logs that match this query are excluded from the security filter.
filtered_data_type [required]
enum
The filtered data type.
Allowed enum values: logs
is_enabled [required]
boolean
Whether the security filter is enabled.
name [required]
string
The name of the security filter.
query [required]
string
The query of the security filter.
type [required]
enum
The type of the resource. The value should always be security_filters.
Allowed enum values: security_filters
{
"data": {
"attributes": {
"exclusion_filters": [
{
"name": "Exclude staging",
"query": "source:staging"
}
],
"filtered_data_type": "logs",
"is_enabled": true,
"name": "Example-Create_a_security_filter_returns_OK_response",
"query": "service:ExampleCreateasecurityfilterreturnsOKresponse"
},
"type": "security_filters"
}
}OK
Response object which includes a single security filter.
フィールド
種類
説明
data
object
The security filter's properties.
attributes
object
The object describing a security filter.
exclusion_filters
[object]
The list of exclusion filters applied in this security filter.
name
string
The exclusion filter name.
query
string
The exclusion filter query.
filtered_data_type
enum
The filtered data type.
Allowed enum values: logs
is_builtin
boolean
Whether the security filter is the built-in filter.
is_enabled
boolean
Whether the security filter is enabled.
name
string
The security filter name.
query
string
The security filter query. Logs accepted by this query will be accepted by this filter.
version
int32
The version of the security filter.
id
string
The ID of the security filter.
type
enum
The type of the resource. The value should always be security_filters.
Allowed enum values: security_filters
meta
object
Optional metadata associated to the response.
warning
string
A warning message.
{
"data": {
"attributes": {
"exclusion_filters": [
{
"name": "Exclude staging",
"query": "source:staging"
}
],
"filtered_data_type": "logs",
"is_builtin": false,
"is_enabled": false,
"name": "Custom security filter",
"query": "service:api",
"version": 1
},
"id": "3dd-0uc-h1s",
"type": "security_filters"
},
"meta": {
"warning": "All the security filters are disabled. As a result, no logs are being analyzed."
}
}Bad Request
API error response.
{
"errors": [
"Bad Request"
]
}Not Authorized
API error response.
{
"errors": [
"Bad Request"
]
}Conflict
API error response.
{
"errors": [
"Bad Request"
]
}Too many requests
API error response.
{
"errors": [
"Bad Request"
]
}
# Curl command
curl -X POST "https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/security_filters" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
"data": {
"attributes": {
"exclusion_filters": [
{
"name": "Exclude staging",
"query": "source:staging"
}
],
"filtered_data_type": "logs",
"is_enabled": true,
"name": "Custom security filter",
"query": "service:api"
},
"type": "security_filters"
}
}
EOF
"""
Create a security filter returns "OK" response
"""
from datadog_api_client.v2 import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_filter_create_attributes import SecurityFilterCreateAttributes
from datadog_api_client.v2.model.security_filter_create_data import SecurityFilterCreateData
from datadog_api_client.v2.model.security_filter_create_request import SecurityFilterCreateRequest
from datadog_api_client.v2.model.security_filter_exclusion_filter import SecurityFilterExclusionFilter
from datadog_api_client.v2.model.security_filter_filtered_data_type import SecurityFilterFilteredDataType
from datadog_api_client.v2.model.security_filter_type import SecurityFilterType
body = SecurityFilterCreateRequest(
data=SecurityFilterCreateData(
attributes=SecurityFilterCreateAttributes(
exclusion_filters=[SecurityFilterExclusionFilter(name="Exclude staging", query="source:staging")],
filtered_data_type=SecurityFilterFilteredDataType("logs"),
is_enabled=True,
name="Example-Create_a_security_filter_returns_OK_response",
query="service:ExampleCreateasecurityfilterreturnsOKresponse",
),
type=SecurityFilterType("security_filters"),
)
)
configuration = Configuration()
with ApiClient(configuration) as api_client:
api_instance = SecurityMonitoringApi(api_client)
response = api_instance.create_security_filter(body=body)
print(response)
First install the library and its dependencies and then save the example to example.py and run following commands:
export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
# Create a security filter returns "OK" response
require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
body = DatadogAPIClient::V2::SecurityFilterCreateRequest.new({
data: DatadogAPIClient::V2::SecurityFilterCreateData.new({
attributes: DatadogAPIClient::V2::SecurityFilterCreateAttributes.new({
exclusion_filters: [
DatadogAPIClient::V2::SecurityFilterExclusionFilter.new({
name: "Exclude staging",
query: "source:staging",
}),
],
filtered_data_type: DatadogAPIClient::V2::SecurityFilterFilteredDataType::LOGS,
is_enabled: true,
name: "Example-Create_a_security_filter_returns_OK_response",
query: "service:ExampleCreateasecurityfilterreturnsOKresponse",
}),
type: DatadogAPIClient::V2::SecurityFilterType::SECURITY_FILTERS,
}),
})
p api_instance.create_security_filter(body)
First install the library and its dependencies and then save the example to example.rb and run following commands:
export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
/**
* Create a security filter returns "OK" response
*/
import { v2 } from "@datadog/datadog-api-client";
const configuration = v2.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);
let params: v2.SecurityMonitoringApiCreateSecurityFilterRequest = {
body: {
data: {
attributes: {
exclusionFilters: [
{
name: "Exclude staging",
query: "source:staging",
},
],
filteredDataType: "logs",
isEnabled: true,
name: "Example-Create_a_security_filter_returns_OK_response",
query: "service:ExampleCreateasecurityfilterreturnsOKresponse",
},
type: "security_filters",
},
},
};
apiInstance
.createSecurityFilter(params)
.then((data: any) => {
console.log(
"API called successfully. Returned data: " + JSON.stringify(data)
);
})
.catch((error: any) => console.error(error));
First install the library and its dependencies and then save the example to example.ts and run following commands:
export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
// Create a security filter returns "OK" response
package main
import (
"context"
"encoding/json"
"fmt"
"os"
datadog "github.com/DataDog/datadog-api-client-go/api/v2/datadog"
)
func main() {
body := datadog.SecurityFilterCreateRequest{
Data: datadog.SecurityFilterCreateData{
Attributes: datadog.SecurityFilterCreateAttributes{
ExclusionFilters: []datadog.SecurityFilterExclusionFilter{
{
Name: "Exclude staging",
Query: "source:staging",
},
},
FilteredDataType: datadog.SECURITYFILTERFILTEREDDATATYPE_LOGS,
IsEnabled: true,
Name: "Example-Create_a_security_filter_returns_OK_response",
Query: "service:ExampleCreateasecurityfilterreturnsOKresponse",
},
Type: datadog.SECURITYFILTERTYPE_SECURITY_FILTERS,
},
}
ctx := datadog.NewDefaultContext(context.Background())
configuration := datadog.NewConfiguration()
apiClient := datadog.NewAPIClient(configuration)
resp, r, err := apiClient.SecurityMonitoringApi.CreateSecurityFilter(ctx, body)
if err != nil {
fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.CreateSecurityFilter`: %v\n", err)
fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
}
responseContent, _ := json.MarshalIndent(resp, "", " ")
fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.CreateSecurityFilter`:\n%s\n", responseContent)
}
First install the library and its dependencies and then save the example to main.go and run following commands:
export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
// Create a security filter returns "OK" response
import com.datadog.api.v2.client.ApiClient;
import com.datadog.api.v2.client.ApiException;
import com.datadog.api.v2.client.Configuration;
import com.datadog.api.v2.client.api.SecurityMonitoringApi;
import com.datadog.api.v2.client.model.SecurityFilterCreateAttributes;
import com.datadog.api.v2.client.model.SecurityFilterCreateData;
import com.datadog.api.v2.client.model.SecurityFilterCreateRequest;
import com.datadog.api.v2.client.model.SecurityFilterExclusionFilter;
import com.datadog.api.v2.client.model.SecurityFilterFilteredDataType;
import com.datadog.api.v2.client.model.SecurityFilterResponse;
import com.datadog.api.v2.client.model.SecurityFilterType;
import java.time.*;
import java.util.*;
public class Example {
public static void main(String[] args) {
ApiClient defaultClient = Configuration.getDefaultApiClient();
SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);
SecurityFilterCreateRequest body =
new SecurityFilterCreateRequest()
.data(
new SecurityFilterCreateData()
.attributes(
new SecurityFilterCreateAttributes()
.exclusionFilters(
new ArrayList<SecurityFilterExclusionFilter>() {
{
add(
new SecurityFilterExclusionFilter()
.name("Exclude staging")
.query("source:staging"));
}
})
.filteredDataType(SecurityFilterFilteredDataType.LOGS)
.isEnabled(true)
.name("Example-Create_a_security_filter_returns_OK_response")
.query("service:ExampleCreateasecurityfilterreturnsOKresponse"))
.type(SecurityFilterType.SECURITY_FILTERS));
try {
SecurityFilterResponse result = apiInstance.createSecurityFilter(body);
System.out.println(result);
} catch (ApiException e) {
System.err.println("Exception when calling SecurityMonitoringApi#createSecurityFilter");
System.err.println("Status code: " + e.getCode());
System.err.println("Reason: " + e.getResponseBody());
System.err.println("Response headers: " + e.getResponseHeaders());
e.printStackTrace();
}
}
}
First install the library and its dependencies and then save the example to Example.java and run following commands:
export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
DELETE https://api.datadoghq.eu/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}https://api.ddog-gov.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}https://api.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}https://api.us3.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}
Delete a specific security filter.
This endpoint requires the security_monitoring_filters_write authorization scope.
名前
種類
説明
security_filter_id [required]
string
The ID of the security filter.
OK
Not Authorized
API error response.
{
"errors": [
"Bad Request"
]
}Not Found
API error response.
{
"errors": [
"Bad Request"
]
}Too many requests
API error response.
{
"errors": [
"Bad Request"
]
}
# Path parameters
export security_filter_id="CHANGE_ME"
# Curl command
curl -X DELETE "https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/${security_filter_id}" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
import os
from dateutil.parser import parse as dateutil_parser
from datadog_api_client.v2 import ApiClient, ApiException, Configuration
from datadog_api_client.v2.api import security_monitoring_api
from datadog_api_client.v2.models import *
from pprint import pprint
# See configuration.py for a list of all supported configuration parameters.
configuration = Configuration()
# Enter a context with an instance of the API client
with ApiClient(configuration) as api_client:
# Create an instance of the API class
api_instance = security_monitoring_api.SecurityMonitoringApi(api_client)
security_filter_id = "security_filter_id_example" # str | The ID of the security filter.
# example passing only required values which don't have defaults set
try:
# Delete a security filter
api_instance.delete_security_filter(security_filter_id)
except ApiException as e:
print("Exception when calling SecurityMonitoringApi->delete_security_filter: %s\n" % e)
First install the library and its dependencies and then save the example to example.py and run following commands:
export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
require 'datadog_api_client'
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
security_filter_id = 'security_filter_id_example' # String | The ID of the security filter.
begin
# Delete a security filter
api_instance.delete_security_filter(security_filter_id)
rescue DatadogAPIClient::V2::APIError => e
puts "Error when calling SecurityMonitoringAPI->delete_security_filter: #{e}"
end
First install the library and its dependencies and then save the example to example.rb and run following commands:
export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
import { v2 } from "@datadog/datadog-api-client";
import * as fs from "fs";
const configuration = v2.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);
let params: v2.SecurityMonitoringApiDeleteSecurityFilterRequest = {
// string | The ID of the security filter.
securityFilterId: "security_filter_id_example",
};
apiInstance
.deleteSecurityFilter(params)
.then((data: any) => {
console.log(
"API called successfully. Returned data: " + JSON.stringify(data)
);
})
.catch((error: any) => console.error(error));
First install the library and its dependencies and then save the example to example.ts and run following commands:
export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
package main
import (
"context"
"fmt"
"os"
datadog "github.com/DataDog/datadog-api-client-go/api/v2/datadog"
)
func main() {
ctx := datadog.NewDefaultContext(context.Background())
securityFilterId := "securityFilterId_example" // string | The ID of the security filter.
configuration := datadog.NewConfiguration()
apiClient := datadog.NewAPIClient(configuration)
r, err := apiClient.SecurityMonitoringApi.DeleteSecurityFilter(ctx, securityFilterId)
if err != nil {
fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.DeleteSecurityFilter`: %v\n", err)
fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
}
}
First install the library and its dependencies and then save the example to main.go and run following commands:
export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
import java.util.*;
import com.datadog.api.v2.client.ApiClient;
import com.datadog.api.v2.client.ApiException;
import com.datadog.api.v2.client.Configuration;
import com.datadog.api.v2.client.model.*;
import com.datadog.api.v2.client.api.SecurityMonitoringApi;
public class Example {
public static void main(String[] args) {
ApiClient defaultClient = Configuration.getDefaultApiClient();
SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);
String securityFilterId = "securityFilterId_example"; // String | The ID of the security filter.
try {
apiInstance.deleteSecurityFilter(securityFilterId);
} catch (ApiException e) {
System.err.println("Exception when calling SecurityMonitoringApi#deleteSecurityFilter");
System.err.println("Status code: " + e.getCode());
System.err.println("Reason: " + e.getResponseBody());
System.err.println("Response headers: " + e.getResponseHeaders());
e.printStackTrace();
}
}
}
First install the library and its dependencies and then save the example to Example.java and run following commands:
export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
PATCH https://api.datadoghq.eu/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}https://api.ddog-gov.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}https://api.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}https://api.us3.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}
Update a specific security filter.
Returns the security filter object when the request is successful.
This endpoint requires the security_monitoring_filters_write authorization scope.
名前
種類
説明
security_filter_id [required]
string
The ID of the security filter.
New definition of the security filter.
フィールド
種類
説明
data [required]
object
The new security filter properties.
attributes [required]
object
The security filters properties to be updated.
exclusion_filters
[object]
Exclusion filters to exclude some logs from the security filter.
name [required]
string
Exclusion filter name.
query [required]
string
Exclusion filter query. Logs that match this query are excluded from the security filter.
filtered_data_type
enum
The filtered data type.
Allowed enum values: logs
is_enabled
boolean
Whether the security filter is enabled.
name
string
The name of the security filter.
query
string
The query of the security filter.
version
int32
The version of the security filter to update.
type [required]
enum
The type of the resource. The value should always be security_filters.
Allowed enum values: security_filters
{
"data": {
"attributes": {
"exclusion_filters": [],
"filtered_data_type": "logs",
"is_enabled": true,
"name": "Example-Update_a_security_filter_returns_OK_response",
"query": "service:ExampleUpdateasecurityfilterreturnsOKresponse",
"version": 1
},
"type": "security_filters"
}
}OK
Response object which includes a single security filter.
フィールド
種類
説明
data
object
The security filter's properties.
attributes
object
The object describing a security filter.
exclusion_filters
[object]
The list of exclusion filters applied in this security filter.
name
string
The exclusion filter name.
query
string
The exclusion filter query.
filtered_data_type
enum
The filtered data type.
Allowed enum values: logs
is_builtin
boolean
Whether the security filter is the built-in filter.
is_enabled
boolean
Whether the security filter is enabled.
name
string
The security filter name.
query
string
The security filter query. Logs accepted by this query will be accepted by this filter.
version
int32
The version of the security filter.
id
string
The ID of the security filter.
type
enum
The type of the resource. The value should always be security_filters.
Allowed enum values: security_filters
meta
object
Optional metadata associated to the response.
warning
string
A warning message.
{
"data": {
"attributes": {
"exclusion_filters": [
{
"name": "Exclude staging",
"query": "source:staging"
}
],
"filtered_data_type": "logs",
"is_builtin": false,
"is_enabled": false,
"name": "Custom security filter",
"query": "service:api",
"version": 1
},
"id": "3dd-0uc-h1s",
"type": "security_filters"
},
"meta": {
"warning": "All the security filters are disabled. As a result, no logs are being analyzed."
}
}Bad Request
API error response.
{
"errors": [
"Bad Request"
]
}Not Authorized
API error response.
{
"errors": [
"Bad Request"
]
}Not Found
API error response.
{
"errors": [
"Bad Request"
]
}Concurrent Modification
API error response.
{
"errors": [
"Bad Request"
]
}Too many requests
API error response.
{
"errors": [
"Bad Request"
]
}
# Path parameters
export security_filter_id="CHANGE_ME"
# Curl command
curl -X PATCH "https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/${security_filter_id}" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
"data": {
"attributes": {
"exclusion_filters": [
{
"name": "Exclude staging",
"query": "source:staging"
}
]
},
"type": "security_filters"
}
}
EOF
"""
Update a security filter returns "OK" response
"""
from os import environ
from datadog_api_client.v2 import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_filter_filtered_data_type import SecurityFilterFilteredDataType
from datadog_api_client.v2.model.security_filter_type import SecurityFilterType
from datadog_api_client.v2.model.security_filter_update_attributes import SecurityFilterUpdateAttributes
from datadog_api_client.v2.model.security_filter_update_data import SecurityFilterUpdateData
from datadog_api_client.v2.model.security_filter_update_request import SecurityFilterUpdateRequest
# there is a valid "security_filter" in the system
SECURITY_FILTER_DATA_ID = environ["SECURITY_FILTER_DATA_ID"]
body = SecurityFilterUpdateRequest(
data=SecurityFilterUpdateData(
attributes=SecurityFilterUpdateAttributes(
exclusion_filters=[],
filtered_data_type=SecurityFilterFilteredDataType("logs"),
is_enabled=True,
name="Example-Update_a_security_filter_returns_OK_response",
query="service:ExampleUpdateasecurityfilterreturnsOKresponse",
version=1,
),
type=SecurityFilterType("security_filters"),
)
)
configuration = Configuration()
with ApiClient(configuration) as api_client:
api_instance = SecurityMonitoringApi(api_client)
response = api_instance.update_security_filter(security_filter_id=SECURITY_FILTER_DATA_ID, body=body)
print(response)
First install the library and its dependencies and then save the example to example.py and run following commands:
export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
# Update a security filter returns "OK" response
require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
# there is a valid "security_filter" in the system
SECURITY_FILTER_DATA_ID = ENV["SECURITY_FILTER_DATA_ID"]
body = DatadogAPIClient::V2::SecurityFilterUpdateRequest.new({
data: DatadogAPIClient::V2::SecurityFilterUpdateData.new({
attributes: DatadogAPIClient::V2::SecurityFilterUpdateAttributes.new({
exclusion_filters: [],
filtered_data_type: DatadogAPIClient::V2::SecurityFilterFilteredDataType::LOGS,
is_enabled: true,
name: "Example-Update_a_security_filter_returns_OK_response",
query: "service:ExampleUpdateasecurityfilterreturnsOKresponse",
version: 1,
}),
type: DatadogAPIClient::V2::SecurityFilterType::SECURITY_FILTERS,
}),
})
p api_instance.update_security_filter(SECURITY_FILTER_DATA_ID, body)
First install the library and its dependencies and then save the example to example.rb and run following commands:
export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
/**
* Update a security filter returns "OK" response
*/
import { v2 } from "@datadog/datadog-api-client";
const configuration = v2.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);
// there is a valid "security_filter" in the system
let SECURITY_FILTER_DATA_ID = process.env.SECURITY_FILTER_DATA_ID as string;
let params: v2.SecurityMonitoringApiUpdateSecurityFilterRequest = {
body: {
data: {
attributes: {
exclusionFilters: [],
filteredDataType: "logs",
isEnabled: true,
name: "Example-Update_a_security_filter_returns_OK_response",
query: "service:ExampleUpdateasecurityfilterreturnsOKresponse",
version: 1,
},
type: "security_filters",
},
},
securityFilterId: SECURITY_FILTER_DATA_ID,
};
apiInstance
.updateSecurityFilter(params)
.then((data: any) => {
console.log(
"API called successfully. Returned data: " + JSON.stringify(data)
);
})
.catch((error: any) => console.error(error));
First install the library and its dependencies and then save the example to example.ts and run following commands:
export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
// Update a security filter returns "OK" response
package main
import (
"context"
"encoding/json"
"fmt"
"os"
datadog "github.com/DataDog/datadog-api-client-go/api/v2/datadog"
)
func main() {
// there is a valid "security_filter" in the system
SecurityFilterDataID := os.Getenv("SECURITY_FILTER_DATA_ID")
body := datadog.SecurityFilterUpdateRequest{
Data: datadog.SecurityFilterUpdateData{
Attributes: datadog.SecurityFilterUpdateAttributes{
ExclusionFilters: &[]datadog.SecurityFilterExclusionFilter{},
FilteredDataType: datadog.SECURITYFILTERFILTEREDDATATYPE_LOGS.Ptr(),
IsEnabled: datadog.PtrBool(true),
Name: datadog.PtrString("Example-Update_a_security_filter_returns_OK_response"),
Query: datadog.PtrString("service:ExampleUpdateasecurityfilterreturnsOKresponse"),
Version: datadog.PtrInt32(1),
},
Type: datadog.SECURITYFILTERTYPE_SECURITY_FILTERS,
},
}
ctx := datadog.NewDefaultContext(context.Background())
configuration := datadog.NewConfiguration()
apiClient := datadog.NewAPIClient(configuration)
resp, r, err := apiClient.SecurityMonitoringApi.UpdateSecurityFilter(ctx, SecurityFilterDataID, body)
if err != nil {
fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.UpdateSecurityFilter`: %v\n", err)
fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
}
responseContent, _ := json.MarshalIndent(resp, "", " ")
fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.UpdateSecurityFilter`:\n%s\n", responseContent)
}
First install the library and its dependencies and then save the example to main.go and run following commands:
export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
// Update a security filter returns "OK" response
import com.datadog.api.v2.client.ApiClient;
import com.datadog.api.v2.client.ApiException;
import com.datadog.api.v2.client.Configuration;
import com.datadog.api.v2.client.api.SecurityMonitoringApi;
import com.datadog.api.v2.client.model.SecurityFilterExclusionFilter;
import com.datadog.api.v2.client.model.SecurityFilterFilteredDataType;
import com.datadog.api.v2.client.model.SecurityFilterResponse;
import com.datadog.api.v2.client.model.SecurityFilterType;
import com.datadog.api.v2.client.model.SecurityFilterUpdateAttributes;
import com.datadog.api.v2.client.model.SecurityFilterUpdateData;
import com.datadog.api.v2.client.model.SecurityFilterUpdateRequest;
import java.time.*;
import java.util.*;
public class Example {
public static void main(String[] args) {
ApiClient defaultClient = Configuration.getDefaultApiClient();
SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);
// there is a valid "security_filter" in the system
String SECURITY_FILTER_DATA_ID = System.getenv("SECURITY_FILTER_DATA_ID");
SecurityFilterUpdateRequest body =
new SecurityFilterUpdateRequest()
.data(
new SecurityFilterUpdateData()
.attributes(
new SecurityFilterUpdateAttributes()
.exclusionFilters(
new ArrayList<SecurityFilterExclusionFilter>() {
{
;
}
})
.filteredDataType(SecurityFilterFilteredDataType.LOGS)
.isEnabled(true)
.name("Example-Update_a_security_filter_returns_OK_response")
.query("service:ExampleUpdateasecurityfilterreturnsOKresponse")
.version(1))
.type(SecurityFilterType.SECURITY_FILTERS));
try {
SecurityFilterResponse result =
apiInstance.updateSecurityFilter(SECURITY_FILTER_DATA_ID, body);
System.out.println(result);
} catch (ApiException e) {
System.err.println("Exception when calling SecurityMonitoringApi#updateSecurityFilter");
System.err.println("Status code: " + e.getCode());
System.err.println("Reason: " + e.getResponseBody());
System.err.println("Response headers: " + e.getResponseHeaders());
e.printStackTrace();
}
}
}
First install the library and its dependencies and then save the example to Example.java and run following commands:
export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
GET https://api.datadoghq.eu/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}https://api.ddog-gov.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}https://api.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}https://api.us3.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}
Get the details of a specific security filter.
See the security filter guide for more examples.
This endpoint requires thesecurity_monitoring_filters_read authorization scope.
名前
種類
説明
security_filter_id [required]
string
The ID of the security filter.
OK
Response object which includes a single security filter.
フィールド
種類
説明
data
object
The security filter's properties.
attributes
object
The object describing a security filter.
exclusion_filters
[object]
The list of exclusion filters applied in this security filter.
name
string
The exclusion filter name.
query
string
The exclusion filter query.
filtered_data_type
enum
The filtered data type.
Allowed enum values: logs
is_builtin
boolean
Whether the security filter is the built-in filter.
is_enabled
boolean
Whether the security filter is enabled.
name
string
The security filter name.
query
string
The security filter query. Logs accepted by this query will be accepted by this filter.
version
int32
The version of the security filter.
id
string
The ID of the security filter.
type
enum
The type of the resource. The value should always be security_filters.
Allowed enum values: security_filters
meta
object
Optional metadata associated to the response.
warning
string
A warning message.
{
"data": {
"attributes": {
"exclusion_filters": [
{
"name": "Exclude staging",
"query": "source:staging"
}
],
"filtered_data_type": "logs",
"is_builtin": false,
"is_enabled": false,
"name": "Custom security filter",
"query": "service:api",
"version": 1
},
"id": "3dd-0uc-h1s",
"type": "security_filters"
},
"meta": {
"warning": "All the security filters are disabled. As a result, no logs are being analyzed."
}
}Not Authorized
API error response.
{
"errors": [
"Bad Request"
]
}Not Found
API error response.
{
"errors": [
"Bad Request"
]
}Too many requests
API error response.
{
"errors": [
"Bad Request"
]
}
# Path parameters
export security_filter_id="CHANGE_ME"
# Curl command
curl -X GET "https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/${security_filter_id}" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
"""
Get a security filter returns "OK" response
"""
from os import environ
from datadog_api_client.v2 import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
# there is a valid "security_filter" in the system
SECURITY_FILTER_DATA_ID = environ["SECURITY_FILTER_DATA_ID"]
configuration = Configuration()
with ApiClient(configuration) as api_client:
api_instance = SecurityMonitoringApi(api_client)
response = api_instance.get_security_filter(security_filter_id=SECURITY_FILTER_DATA_ID)
print(response)
First install the library and its dependencies and then save the example to example.py and run following commands:
export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
# Get a security filter returns "OK" response
require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
# there is a valid "security_filter" in the system
SECURITY_FILTER_DATA_ID = ENV["SECURITY_FILTER_DATA_ID"]
p api_instance.get_security_filter(SECURITY_FILTER_DATA_ID)
First install the library and its dependencies and then save the example to example.rb and run following commands:
export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
/**
* Get a security filter returns "OK" response
*/
import { v2 } from "@datadog/datadog-api-client";
const configuration = v2.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);
// there is a valid "security_filter" in the system
let SECURITY_FILTER_DATA_ID = process.env.SECURITY_FILTER_DATA_ID as string;
let params: v2.SecurityMonitoringApiGetSecurityFilterRequest = {
securityFilterId: SECURITY_FILTER_DATA_ID,
};
apiInstance
.getSecurityFilter(params)
.then((data: any) => {
console.log(
"API called successfully. Returned data: " + JSON.stringify(data)
);
})
.catch((error: any) => console.error(error));
First install the library and its dependencies and then save the example to example.ts and run following commands:
export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
// Get a security filter returns "OK" response
package main
import (
"context"
"encoding/json"
"fmt"
"os"
datadog "github.com/DataDog/datadog-api-client-go/api/v2/datadog"
)
func main() {
// there is a valid "security_filter" in the system
SecurityFilterDataID := os.Getenv("SECURITY_FILTER_DATA_ID")
ctx := datadog.NewDefaultContext(context.Background())
configuration := datadog.NewConfiguration()
apiClient := datadog.NewAPIClient(configuration)
resp, r, err := apiClient.SecurityMonitoringApi.GetSecurityFilter(ctx, SecurityFilterDataID)
if err != nil {
fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.GetSecurityFilter`: %v\n", err)
fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
}
responseContent, _ := json.MarshalIndent(resp, "", " ")
fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.GetSecurityFilter`:\n%s\n", responseContent)
}
First install the library and its dependencies and then save the example to main.go and run following commands:
export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
// Get a security filter returns "OK" response
import com.datadog.api.v2.client.ApiClient;
import com.datadog.api.v2.client.ApiException;
import com.datadog.api.v2.client.Configuration;
import com.datadog.api.v2.client.api.SecurityMonitoringApi;
import com.datadog.api.v2.client.model.SecurityFilterResponse;
import java.time.*;
import java.util.*;
public class Example {
public static void main(String[] args) {
ApiClient defaultClient = Configuration.getDefaultApiClient();
SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);
// there is a valid "security_filter" in the system
String SECURITY_FILTER_DATA_ID = System.getenv("SECURITY_FILTER_DATA_ID");
try {
SecurityFilterResponse result = apiInstance.getSecurityFilter(SECURITY_FILTER_DATA_ID);
System.out.println(result);
} catch (ApiException e) {
System.err.println("Exception when calling SecurityMonitoringApi#getSecurityFilter");
System.err.println("Status code: " + e.getCode());
System.err.println("Reason: " + e.getResponseBody());
System.err.println("Response headers: " + e.getResponseHeaders());
e.printStackTrace();
}
}
}
First install the library and its dependencies and then save the example to Example.java and run following commands:
export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
GET https://api.datadoghq.eu/api/v2/security_monitoring/configuration/security_filtershttps://api.ddog-gov.com/api/v2/security_monitoring/configuration/security_filtershttps://api.datadoghq.com/api/v2/security_monitoring/configuration/security_filtershttps://api.us3.datadoghq.com/api/v2/security_monitoring/configuration/security_filtershttps://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/security_filters
Get the list of configured security filters with their definitions.
This endpoint requires the security_monitoring_filters_read authorization scope.
OK
All the available security filters objects.
フィールド
種類
説明
data
[object]
A list of security filters objects.
attributes
object
The object describing a security filter.
exclusion_filters
[object]
The list of exclusion filters applied in this security filter.
name
string
The exclusion filter name.
query
string
The exclusion filter query.
filtered_data_type
enum
The filtered data type.
Allowed enum values: logs
is_builtin
boolean
Whether the security filter is the built-in filter.
is_enabled
boolean
Whether the security filter is enabled.
name
string
The security filter name.
query
string
The security filter query. Logs accepted by this query will be accepted by this filter.
version
int32
The version of the security filter.
id
string
The ID of the security filter.
type
enum
The type of the resource. The value should always be security_filters.
Allowed enum values: security_filters
meta
object
Optional metadata associated to the response.
warning
string
A warning message.
{
"data": [
{
"attributes": {
"exclusion_filters": [
{
"name": "Exclude staging",
"query": "source:staging"
}
],
"filtered_data_type": "logs",
"is_builtin": false,
"is_enabled": false,
"name": "Custom security filter",
"query": "service:api",
"version": 1
},
"id": "3dd-0uc-h1s",
"type": "security_filters"
}
],
"meta": {
"warning": "All the security filters are disabled. As a result, no logs are being analyzed."
}
}Not Authorized
API error response.
{
"errors": [
"Bad Request"
]
}Too many requests
API error response.
{
"errors": [
"Bad Request"
]
}
# Curl command
curl -X GET "https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/security_filters" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
"""
Get all security filters returns "OK" response
"""
from datadog_api_client.v2 import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
configuration = Configuration()
with ApiClient(configuration) as api_client:
api_instance = SecurityMonitoringApi(api_client)
response = api_instance.list_security_filters()
print(response)
First install the library and its dependencies and then save the example to example.py and run following commands:
export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
# Get all security filters returns "OK" response
require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
p api_instance.list_security_filters()
First install the library and its dependencies and then save the example to example.rb and run following commands:
export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
/**
* Get all security filters returns "OK" response
*/
import { v2 } from "@datadog/datadog-api-client";
const configuration = v2.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);
apiInstance
.listSecurityFilters()
.then((data: any) => {
console.log(
"API called successfully. Returned data: " + JSON.stringify(data)
);
})
.catch((error: any) => console.error(error));
First install the library and its dependencies and then save the example to example.ts and run following commands:
export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
// Get all security filters returns "OK" response
package main
import (
"context"
"encoding/json"
"fmt"
"os"
datadog "github.com/DataDog/datadog-api-client-go/api/v2/datadog"
)
func main() {
ctx := datadog.NewDefaultContext(context.Background())
configuration := datadog.NewConfiguration()
apiClient := datadog.NewAPIClient(configuration)
resp, r, err := apiClient.SecurityMonitoringApi.ListSecurityFilters(ctx)
if err != nil {
fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.ListSecurityFilters`: %v\n", err)
fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
}
responseContent, _ := json.MarshalIndent(resp, "", " ")
fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.ListSecurityFilters`:\n%s\n", responseContent)
}
First install the library and its dependencies and then save the example to main.go and run following commands:
export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
// Get all security filters returns "OK" response
import com.datadog.api.v2.client.ApiClient;
import com.datadog.api.v2.client.ApiException;
import com.datadog.api.v2.client.Configuration;
import com.datadog.api.v2.client.api.SecurityMonitoringApi;
import com.datadog.api.v2.client.model.SecurityFiltersResponse;
import java.time.*;
import java.util.*;
public class Example {
public static void main(String[] args) {
ApiClient defaultClient = Configuration.getDefaultApiClient();
SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);
try {
SecurityFiltersResponse result = apiInstance.listSecurityFilters();
System.out.println(result);
} catch (ApiException e) {
System.err.println("Exception when calling SecurityMonitoringApi#listSecurityFilters");
System.err.println("Status code: " + e.getCode());
System.err.println("Reason: " + e.getResponseBody());
System.err.println("Response headers: " + e.getResponseHeaders());
e.printStackTrace();
}
}
}
First install the library and its dependencies and then save the example to Example.java and run following commands:
export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
GET https://api.datadoghq.eu/api/v2/security_monitoring/ruleshttps://api.ddog-gov.com/api/v2/security_monitoring/ruleshttps://api.datadoghq.com/api/v2/security_monitoring/ruleshttps://api.us3.datadoghq.com/api/v2/security_monitoring/ruleshttps://api.us5.datadoghq.com/api/v2/security_monitoring/rules
List rules.
This endpoint requires the security_monitoring_rules_read authorization scope.
名前
種類
説明
page[size]
integer
Size for a given page.
page[number]
integer
Specific page number to return.
OK
List of rules.
フィールド
種類
説明
data
[]
Array containing the list of rules.
cases
[object]
Cases for generating signals.
condition
string
A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated
based on the event counts in the previously defined queries.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
status
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
createdAt
int64
When the rule was created, timestamp in milliseconds.
creationAuthorId
int64
User ID of the user who created the rule.
filters
[object]
Additional queries to filter matched events before they are processed.
action
enum
The type of filtering action.
Allowed enum values: require,suppress
query
string
Query for selecting logs to apply the filtering action.
hasExtendedTitle
boolean
Whether the notifications include the triggering group-by values in their title.
id
string
The ID of the rule.
isDefault
boolean
Whether the rule is included by default.
isDeleted
boolean
Whether the rule has been deleted.
isEnabled
boolean
Whether the rule is enabled.
message
string
Message for generated signals.
name
string
The name of the rule.
options
object
Options on rules.
detectionMethod
enum
The detection method.
Allowed enum values: threshold,new_value,anomaly_detection
evaluationWindow
enum
A time window is specified to match when at least one of the cases matches true. This is a sliding window
and evaluates in real time.
Allowed enum values: 0,60,300,600,900,1800,3600,7200
keepAlive
enum
Once a signal is generated, the signal will remain “open” if a case is matched at least once within
this keep alive window.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600
maxSignalDuration
enum
A signal will “close” regardless of the query being matched once the time exceeds the maximum duration.
This time is calculated from the first seen timestamp.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
object
Options on new value rules.
forgetAfter
enum
The duration in days after which a learned value is forgotten.
Allowed enum values: 1,2,7,14,21,28
learningDuration
enum
The duration in days during which values are learned, and after which signals will be generated for values that
weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned.
Allowed enum values: 0,1,7
queries
[object]
Queries for selecting logs which are part of the rule.
aggregation
enum
The aggregation type.
Allowed enum values: count,cardinality,sum,max,new_value
distinctFields
[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
[string]
Fields to group by.
metric
string
The target field to aggregate over when using the sum or max aggregations.
name
string
Name of the query.
query
string
Query to run on logs.
tags
[string]
Tags for generated signals.
type
enum
The rule type.
Allowed enum values: log_detection,infrastructure_configuration,workload_security,cloud_configuration
updateAuthorId
int64
User ID of the user who updated the rule.
version
int64
The version of the rule.
meta
object
Object describing meta attributes of response.
page
object
Pagination object.
total_count
int64
Total count.
total_filtered_count
int64
Total count of elements matched by the filter.
{
"data": [
{
"cases": [
{
"condition": "string",
"name": "string",
"notifications": [],
"status": "critical"
}
],
"createdAt": "integer",
"creationAuthorId": "integer",
"filters": [
{
"action": "string",
"query": "string"
}
],
"hasExtendedTitle": false,
"id": "string",
"isDefault": false,
"isDeleted": false,
"isEnabled": false,
"message": "string",
"name": "string",
"options": {
"detectionMethod": "string",
"evaluationWindow": "integer",
"keepAlive": "integer",
"maxSignalDuration": "integer",
"newValueOptions": {
"forgetAfter": "integer",
"learningDuration": "integer"
}
},
"queries": [
{
"aggregation": "string",
"distinctFields": [],
"groupByFields": [],
"metric": "string",
"name": "string",
"query": "string"
}
],
"tags": [],
"type": "string",
"updateAuthorId": "integer",
"version": "integer"
}
],
"meta": {
"page": {
"total_count": "integer",
"total_filtered_count": "integer"
}
}
}Bad Request
API error response.
{
"errors": [
"Bad Request"
]
}Too many requests
API error response.
{
"errors": [
"Bad Request"
]
}
# Curl command
curl -X GET "https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/rules" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
import os
from dateutil.parser import parse as dateutil_parser
from datadog_api_client.v2 import ApiClient, ApiException, Configuration
from datadog_api_client.v2.api import security_monitoring_api
from datadog_api_client.v2.models import *
from pprint import pprint
# See configuration.py for a list of all supported configuration parameters.
configuration = Configuration()
# Enter a context with an instance of the API client
with ApiClient(configuration) as api_client:
# Create an instance of the API class
api_instance = security_monitoring_api.SecurityMonitoringApi(api_client)
page_size = 10 # int | Size for a given page. (optional) if omitted the server will use the default value of 10
page_number = 0 # int | Specific page number to return. (optional) if omitted the server will use the default value of 0
# example passing only required values which don't have defaults set
# and optional values
try:
# List rules
api_response = api_instance.list_security_monitoring_rules(page_size=page_size, page_number=page_number)
pprint(api_response)
except ApiException as e:
print("Exception when calling SecurityMonitoringApi->list_security_monitoring_rules: %s\n" % e)
First install the library and its dependencies and then save the example to example.py and run following commands:
export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
require 'datadog_api_client'
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
opts = {
page_size: 10, # Integer | Size for a given page.
page_number: 0 # Integer | Specific page number to return.
}
begin
# List rules
result = api_instance.list_security_monitoring_rules(opts)
p result
rescue DatadogAPIClient::V2::APIError => e
puts "Error when calling SecurityMonitoringAPI->list_security_monitoring_rules: #{e}"
end
First install the library and its dependencies and then save the example to example.rb and run following commands:
export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
import { v2 } from "@datadog/datadog-api-client";
import * as fs from "fs";
const configuration = v2.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);
let params: v2.SecurityMonitoringApiListSecurityMonitoringRulesRequest = {
// number | Size for a given page. (optional)
pageSize: 10,
// number | Specific page number to return. (optional)
pageNumber: 0,
};
apiInstance
.listSecurityMonitoringRules(params)
.then((data: any) => {
console.log(
"API called successfully. Returned data: " + JSON.stringify(data)
);
})
.catch((error: any) => console.error(error));
First install the library and its dependencies and then save the example to example.ts and run following commands:
export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
package main
import (
"context"
"encoding/json"
"fmt"
"os"
datadog "github.com/DataDog/datadog-api-client-go/api/v2/datadog"
)
func main() {
ctx := datadog.NewDefaultContext(context.Background())
pageSize := int64(10) // int64 | Size for a given page. (optional) (default to 10)
pageNumber := int64(0) // int64 | Specific page number to return. (optional) (default to 0)
optionalParams := datadog.ListSecurityMonitoringRulesOptionalParameters{
PageSize: &pageSize,
PageNumber: &pageNumber,
}
configuration := datadog.NewConfiguration()
apiClient := datadog.NewAPIClient(configuration)
resp, r, err := apiClient.SecurityMonitoringApi.ListSecurityMonitoringRules(ctx, optionalParams)
if err != nil {
fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.ListSecurityMonitoringRules`: %v\n", err)
fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
}
// response from `ListSecurityMonitoringRules`: SecurityMonitoringListRulesResponse
responseContent, _ := json.MarshalIndent(resp, "", " ")
fmt.Fprintf(os.Stdout, "Response from SecurityMonitoringApi.ListSecurityMonitoringRules:\n%s\n", responseContent)
}
First install the library and its dependencies and then save the example to main.go and run following commands:
export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
import java.util.*;
import com.datadog.api.v2.client.ApiClient;
import com.datadog.api.v2.client.ApiException;
import com.datadog.api.v2.client.Configuration;
import com.datadog.api.v2.client.model.*;
import com.datadog.api.v2.client.api.SecurityMonitoringApi;
public class Example {
public static void main(String[] args) {
ApiClient defaultClient = Configuration.getDefaultApiClient();
SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);
Long pageSize = 10L; // Long | Size for a given page.
Long pageNumber = 0L; // Long | Specific page number to return.
try {
SecurityMonitoringListRulesResponse result = apiInstance.listSecurityMonitoringRules(new SecurityMonitoringApi.ListSecurityMonitoringRulesOptionalParameters()
.pageSize(pageSize)
.pageNumber(pageNumber));
System.out.println(result);
} catch (ApiException e) {
System.err.println("Exception when calling SecurityMonitoringApi#listSecurityMonitoringRules");
System.err.println("Status code: " + e.getCode());
System.err.println("Reason: " + e.getResponseBody());
System.err.println("Response headers: " + e.getResponseHeaders());
e.printStackTrace();
}
}
}
First install the library and its dependencies and then save the example to Example.java and run following commands:
export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
POST https://api.datadoghq.eu/api/v2/security_monitoring/ruleshttps://api.ddog-gov.com/api/v2/security_monitoring/ruleshttps://api.datadoghq.com/api/v2/security_monitoring/ruleshttps://api.us3.datadoghq.com/api/v2/security_monitoring/ruleshttps://api.us5.datadoghq.com/api/v2/security_monitoring/rules
Create a detection rule.
This endpoint requires the security_monitoring_rules_write authorization scope.
フィールド
種類
説明
cases [required]
[object]
Cases for generating signals.
condition
string
A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated
based on the event counts in the previously defined queries.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
status [required]
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
filters
[object]
Additional queries to filter matched events before they are processed.
action
enum
The type of filtering action.
Allowed enum values: require,suppress
query
string
Query for selecting logs to apply the filtering action.
hasExtendedTitle
boolean
Whether the notifications include the triggering group-by values in their title.
isEnabled [required]
boolean
Whether the rule is enabled.
message [required]
string
Message for generated signals.
name [required]
string
The name of the rule.
options [required]
object
Options on rules.
detectionMethod
enum
The detection method.
Allowed enum values: threshold,new_value,anomaly_detection
evaluationWindow
enum
A time window is specified to match when at least one of the cases matches true. This is a sliding window
and evaluates in real time.
Allowed enum values: 0,60,300,600,900,1800,3600,7200
keepAlive
enum
Once a signal is generated, the signal will remain “open” if a case is matched at least once within
this keep alive window.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600
maxSignalDuration
enum
A signal will “close” regardless of the query being matched once the time exceeds the maximum duration.
This time is calculated from the first seen timestamp.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
object
Options on new value rules.
forgetAfter
enum
The duration in days after which a learned value is forgotten.
Allowed enum values: 1,2,7,14,21,28
learningDuration
enum
The duration in days during which values are learned, and after which signals will be generated for values that
weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned.
Allowed enum values: 0,1,7
queries [required]
[object]
Queries for selecting logs which are part of the rule.
aggregation
enum
The aggregation type.
Allowed enum values: count,cardinality,sum,max,new_value
distinctFields
[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
[string]
Fields to group by.
metric
string
The target field to aggregate over when using the sum or max aggregations.
name
string
Name of the query.
query [required]
string
Query to run on logs.
tags
[string]
Tags for generated signals.
type
enum
The rule type.
Allowed enum values: log_detection,workload_security
{
"name": "Example-Create_a_detection_rule_returns_OK_response",
"queries": [
{
"query": "@test:true",
"aggregation": "count",
"groupByFields": [],
"distinctFields": [],
"metric": ""
}
],
"filters": [],
"cases": [
{
"name": "",
"status": "info",
"condition": "a > 0",
"notifications": []
}
],
"options": {
"evaluationWindow": 900,
"keepAlive": 3600,
"maxSignalDuration": 86400
},
"message": "Test rule",
"tags": [],
"isEnabled": true
}OK
Rule.
フィールド
種類
説明
cases
[object]
Cases for generating signals.
condition
string
A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated
based on the event counts in the previously defined queries.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
status
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
createdAt
int64
When the rule was created, timestamp in milliseconds.
creationAuthorId
int64
User ID of the user who created the rule.
filters
[object]
Additional queries to filter matched events before they are processed.
action
enum
The type of filtering action.
Allowed enum values: require,suppress
query
string
Query for selecting logs to apply the filtering action.
hasExtendedTitle
boolean
Whether the notifications include the triggering group-by values in their title.
id
string
The ID of the rule.
isDefault
boolean
Whether the rule is included by default.
isDeleted
boolean
Whether the rule has been deleted.
isEnabled
boolean
Whether the rule is enabled.
message
string
Message for generated signals.
name
string
The name of the rule.
options
object
Options on rules.
detectionMethod
enum
The detection method.
Allowed enum values: threshold,new_value,anomaly_detection
evaluationWindow
enum
A time window is specified to match when at least one of the cases matches true. This is a sliding window
and evaluates in real time.
Allowed enum values: 0,60,300,600,900,1800,3600,7200
keepAlive
enum
Once a signal is generated, the signal will remain “open” if a case is matched at least once within
this keep alive window.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600
maxSignalDuration
enum
A signal will “close” regardless of the query being matched once the time exceeds the maximum duration.
This time is calculated from the first seen timestamp.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
object
Options on new value rules.
forgetAfter
enum
The duration in days after which a learned value is forgotten.
Allowed enum values: 1,2,7,14,21,28
learningDuration
enum
The duration in days during which values are learned, and after which signals will be generated for values that
weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned.
Allowed enum values: 0,1,7
queries
[object]
Queries for selecting logs which are part of the rule.
aggregation
enum
The aggregation type.
Allowed enum values: count,cardinality,sum,max,new_value
distinctFields
[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
[string]
Fields to group by.
metric
string
The target field to aggregate over when using the sum or max aggregations.
name
string
Name of the query.
query
string
Query to run on logs.
tags
[string]
Tags for generated signals.
type
enum
The rule type.
Allowed enum values: log_detection,infrastructure_configuration,workload_security,cloud_configuration
updateAuthorId
int64
User ID of the user who updated the rule.
version
int64
The version of the rule.
{
"cases": [
{
"condition": "string",
"name": "string",
"notifications": [],
"status": "critical"
}
],
"createdAt": "integer",
"creationAuthorId": "integer",
"filters": [
{
"action": "string",
"query": "string"
}
],
"hasExtendedTitle": false,
"id": "string",
"isDefault": false,
"isDeleted": false,
"isEnabled": false,
"message": "string",
"name": "string",
"options": {
"detectionMethod": "string",
"evaluationWindow": "integer",
"keepAlive": "integer",
"maxSignalDuration": "integer",
"newValueOptions": {
"forgetAfter": "integer",
"learningDuration": "integer"
}
},
"queries": [
{
"aggregation": "string",
"distinctFields": [],
"groupByFields": [],
"metric": "string",
"name": "string",
"query": "string"
}
],
"tags": [],
"type": "string",
"updateAuthorId": "integer",
"version": "integer"
}Bad Request
API error response.
{
"errors": [
"Bad Request"
]
}Not Authorized
API error response.
{
"errors": [
"Bad Request"
]
}Too many requests
API error response.
{
"errors": [
"Bad Request"
]
}
# Curl command
curl -X POST "https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/rules" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
"cases": [
{
"status": "critical"
}
],
"isEnabled": true,
"message": "",
"name": "My security monitoring rule.",
"options": {},
"queries": [
{
"query": "a > 3"
}
]
}
EOF
"""
Create a detection rule returns "OK" response
"""
from datadog_api_client.v2 import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_rule_case_create import SecurityMonitoringRuleCaseCreate
from datadog_api_client.v2.model.security_monitoring_rule_create_payload import SecurityMonitoringRuleCreatePayload
from datadog_api_client.v2.model.security_monitoring_rule_evaluation_window import (
SecurityMonitoringRuleEvaluationWindow,
)
from datadog_api_client.v2.model.security_monitoring_rule_keep_alive import SecurityMonitoringRuleKeepAlive
from datadog_api_client.v2.model.security_monitoring_rule_max_signal_duration import (
SecurityMonitoringRuleMaxSignalDuration,
)
from datadog_api_client.v2.model.security_monitoring_rule_options import SecurityMonitoringRuleOptions
from datadog_api_client.v2.model.security_monitoring_rule_query_aggregation import (
SecurityMonitoringRuleQueryAggregation,
)
from datadog_api_client.v2.model.security_monitoring_rule_query_create import SecurityMonitoringRuleQueryCreate
from datadog_api_client.v2.model.security_monitoring_rule_severity import SecurityMonitoringRuleSeverity
body = SecurityMonitoringRuleCreatePayload(
name="Example-Create_a_detection_rule_returns_OK_response",
queries=[
SecurityMonitoringRuleQueryCreate(
query="@test:true",
aggregation=SecurityMonitoringRuleQueryAggregation("count"),
group_by_fields=[],
distinct_fields=[],
metric="",
)
],
filters=[],
cases=[
SecurityMonitoringRuleCaseCreate(
name="", status=SecurityMonitoringRuleSeverity("info"), condition="a > 0", notifications=[]
)
],
options=SecurityMonitoringRuleOptions(
evaluation_window=SecurityMonitoringRuleEvaluationWindow(900),
keep_alive=SecurityMonitoringRuleKeepAlive(3600),
max_signal_duration=SecurityMonitoringRuleMaxSignalDuration(86400),
),
message="Test rule",
tags=[],
is_enabled=True,
)
configuration = Configuration()
with ApiClient(configuration) as api_client:
api_instance = SecurityMonitoringApi(api_client)
response = api_instance.create_security_monitoring_rule(body=body)
print(response)
First install the library and its dependencies and then save the example to example.py and run following commands:
export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
# Create a detection rule returns "OK" response
require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
body = DatadogAPIClient::V2::SecurityMonitoringRuleCreatePayload.new({
name: "Example-Create_a_detection_rule_returns_OK_response",
queries: [
DatadogAPIClient::V2::SecurityMonitoringRuleQueryCreate.new({
query: "@test:true",
aggregation: DatadogAPIClient::V2::SecurityMonitoringRuleQueryAggregation::COUNT,
group_by_fields: [],
distinct_fields: [],
metric: "",
}),
],
filters: [],
cases: [
DatadogAPIClient::V2::SecurityMonitoringRuleCaseCreate.new({
name: "",
status: DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::INFO,
condition: "a > 0",
notifications: [],
}),
],
options: DatadogAPIClient::V2::SecurityMonitoringRuleOptions.new({
evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::FIFTEEN_MINUTES,
keep_alive: DatadogAPIClient::V2::SecurityMonitoringRuleKeepAlive::ONE_HOUR,
max_signal_duration: DatadogAPIClient::V2::SecurityMonitoringRuleMaxSignalDuration::ONE_DAY,
}),
message: "Test rule",
tags: [],
is_enabled: true,
})
p api_instance.create_security_monitoring_rule(body)
First install the library and its dependencies and then save the example to example.rb and run following commands:
export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
/**
* Create a detection rule returns "OK" response
*/
import { v2 } from "@datadog/datadog-api-client";
const configuration = v2.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);
let params: v2.SecurityMonitoringApiCreateSecurityMonitoringRuleRequest = {
body: {
name: "Example-Create_a_detection_rule_returns_OK_response",
queries: [
{
query: "@test:true",
aggregation: "count",
groupByFields: [],
distinctFields: [],
metric: "",
},
],
filters: [],
cases: [
{
name: "",
status: "info",
condition: "a > 0",
notifications: [],
},
],
options: {
evaluationWindow: 900,
keepAlive: 3600,
maxSignalDuration: 86400,
},
message: "Test rule",
tags: [],
isEnabled: true,
},
};
apiInstance
.createSecurityMonitoringRule(params)
.then((data: any) => {
console.log(
"API called successfully. Returned data: " + JSON.stringify(data)
);
})
.catch((error: any) => console.error(error));
First install the library and its dependencies and then save the example to example.ts and run following commands:
export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
// Create a detection rule returns "OK" response
package main
import (
"context"
"encoding/json"
"fmt"
"os"
datadog "github.com/DataDog/datadog-api-client-go/api/v2/datadog"
)
func main() {
body := datadog.SecurityMonitoringRuleCreatePayload{
Name: "Example-Create_a_detection_rule_returns_OK_response",
Queries: []datadog.SecurityMonitoringRuleQueryCreate{
{
Query: "@test:true",
Aggregation: datadog.SECURITYMONITORINGRULEQUERYAGGREGATION_COUNT.Ptr(),
GroupByFields: &[]string{},
DistinctFields: &[]string{},
Metric: datadog.PtrString(""),
},
},
Filters: &[]datadog.SecurityMonitoringFilter{},
Cases: []datadog.SecurityMonitoringRuleCaseCreate{
{
Name: datadog.PtrString(""),
Status: datadog.SECURITYMONITORINGRULESEVERITY_INFO,
Condition: datadog.PtrString("a > 0"),
Notifications: &[]string{},
},
},
Options: datadog.SecurityMonitoringRuleOptions{
EvaluationWindow: datadog.SECURITYMONITORINGRULEEVALUATIONWINDOW_FIFTEEN_MINUTES.Ptr(),
KeepAlive: datadog.SECURITYMONITORINGRULEKEEPALIVE_ONE_HOUR.Ptr(),
MaxSignalDuration: datadog.SECURITYMONITORINGRULEMAXSIGNALDURATION_ONE_DAY.Ptr(),
},
Message: "Test rule",
Tags: &[]string{},
IsEnabled: true,
}
ctx := datadog.NewDefaultContext(context.Background())
configuration := datadog.NewConfiguration()
apiClient := datadog.NewAPIClient(configuration)
resp, r, err := apiClient.SecurityMonitoringApi.CreateSecurityMonitoringRule(ctx, body)
if err != nil {
fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.CreateSecurityMonitoringRule`: %v\n", err)
fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
}
responseContent, _ := json.MarshalIndent(resp, "", " ")
fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.CreateSecurityMonitoringRule`:\n%s\n", responseContent)
}
First install the library and its dependencies and then save the example to main.go and run following commands:
export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
// Create a detection rule returns "OK" response
import com.datadog.api.v2.client.ApiClient;
import com.datadog.api.v2.client.ApiException;
import com.datadog.api.v2.client.Configuration;
import com.datadog.api.v2.client.api.SecurityMonitoringApi;
import com.datadog.api.v2.client.model.SecurityMonitoringFilter;
import com.datadog.api.v2.client.model.SecurityMonitoringRuleCaseCreate;
import com.datadog.api.v2.client.model.SecurityMonitoringRuleCreatePayload;
import com.datadog.api.v2.client.model.SecurityMonitoringRuleEvaluationWindow;
import com.datadog.api.v2.client.model.SecurityMonitoringRuleKeepAlive;
import com.datadog.api.v2.client.model.SecurityMonitoringRuleMaxSignalDuration;
import com.datadog.api.v2.client.model.SecurityMonitoringRuleOptions;
import com.datadog.api.v2.client.model.SecurityMonitoringRuleQueryAggregation;
import com.datadog.api.v2.client.model.SecurityMonitoringRuleQueryCreate;
import com.datadog.api.v2.client.model.SecurityMonitoringRuleResponse;
import com.datadog.api.v2.client.model.SecurityMonitoringRuleSeverity;
import java.time.*;
import java.util.*;
public class Example {
public static void main(String[] args) {
ApiClient defaultClient = Configuration.getDefaultApiClient();
SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);
SecurityMonitoringRuleCreatePayload body =
new SecurityMonitoringRuleCreatePayload()
.name("Example-Create_a_detection_rule_returns_OK_response")
.queries(
new ArrayList<SecurityMonitoringRuleQueryCreate>() {
{
add(
new SecurityMonitoringRuleQueryCreate()
.query("@test:true")
.aggregation(SecurityMonitoringRuleQueryAggregation.COUNT)
.groupByFields(
new ArrayList<String>() {
{
;
}
})
.distinctFields(
new ArrayList<String>() {
{
;
}
})
.metric(""));
}
})
.filters(
new ArrayList<SecurityMonitoringFilter>() {
{
;
}
})
.cases(
new ArrayList<SecurityMonitoringRuleCaseCreate>() {
{
add(
new SecurityMonitoringRuleCaseCreate()
.name("")
.status(SecurityMonitoringRuleSeverity.INFO)
.condition("a > 0")
.notifications(
new ArrayList<String>() {
{
;
}
}));
}
})
.options(
new SecurityMonitoringRuleOptions()
.evaluationWindow(SecurityMonitoringRuleEvaluationWindow.FIFTEEN_MINUTES)
.keepAlive(SecurityMonitoringRuleKeepAlive.ONE_HOUR)
.maxSignalDuration(SecurityMonitoringRuleMaxSignalDuration.ONE_DAY))
.message("Test rule")
.tags(
new ArrayList<String>() {
{
;
}
})
.isEnabled(true);
try {
SecurityMonitoringRuleResponse result = apiInstance.createSecurityMonitoringRule(body);
System.out.println(result);
} catch (ApiException e) {
System.err.println(
"Exception when calling SecurityMonitoringApi#createSecurityMonitoringRule");
System.err.println("Status code: " + e.getCode());
System.err.println("Reason: " + e.getResponseBody());
System.err.println("Response headers: " + e.getResponseHeaders());
e.printStackTrace();
}
}
}
First install the library and its dependencies and then save the example to Example.java and run following commands:
export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
GET https://api.datadoghq.eu/api/v2/security_monitoring/rules/{rule_id}https://api.ddog-gov.com/api/v2/security_monitoring/rules/{rule_id}https://api.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}https://api.us3.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}https://api.us5.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}
Get a rule’s details.
This endpoint requires the security_monitoring_rules_read authorization scope.
名前
種類
説明
rule_id [required]
string
The ID of the rule.
OK
Rule.
フィールド
種類
説明
cases
[object]
Cases for generating signals.
condition
string
A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated
based on the event counts in the previously defined queries.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
status
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
createdAt
int64
When the rule was created, timestamp in milliseconds.
creationAuthorId
int64
User ID of the user who created the rule.
filters
[object]
Additional queries to filter matched events before they are processed.
action
enum
The type of filtering action.
Allowed enum values: require,suppress
query
string
Query for selecting logs to apply the filtering action.
hasExtendedTitle
boolean
Whether the notifications include the triggering group-by values in their title.
id
string
The ID of the rule.
isDefault
boolean
Whether the rule is included by default.
isDeleted
boolean
Whether the rule has been deleted.
isEnabled
boolean
Whether the rule is enabled.
message
string
Message for generated signals.
name
string
The name of the rule.
options
object
Options on rules.
detectionMethod
enum
The detection method.
Allowed enum values: threshold,new_value,anomaly_detection
evaluationWindow
enum
A time window is specified to match when at least one of the cases matches true. This is a sliding window
and evaluates in real time.
Allowed enum values: 0,60,300,600,900,1800,3600,7200
keepAlive
enum
Once a signal is generated, the signal will remain “open” if a case is matched at least once within
this keep alive window.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600
maxSignalDuration
enum
A signal will “close” regardless of the query being matched once the time exceeds the maximum duration.
This time is calculated from the first seen timestamp.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
object
Options on new value rules.
forgetAfter
enum
The duration in days after which a learned value is forgotten.
Allowed enum values: 1,2,7,14,21,28
learningDuration
enum
The duration in days during which values are learned, and after which signals will be generated for values that
weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned.
Allowed enum values: 0,1,7
queries
[object]
Queries for selecting logs which are part of the rule.
aggregation
enum
The aggregation type.
Allowed enum values: count,cardinality,sum,max,new_value
distinctFields
[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
[string]
Fields to group by.
metric
string
The target field to aggregate over when using the sum or max aggregations.
name
string
Name of the query.
query
string
Query to run on logs.
tags
[string]
Tags for generated signals.
type
enum
The rule type.
Allowed enum values: log_detection,infrastructure_configuration,workload_security,cloud_configuration
updateAuthorId
int64
User ID of the user who updated the rule.
version
int64
The version of the rule.
{
"cases": [
{
"condition": "string",
"name": "string",
"notifications": [],
"status": "critical"
}
],
"createdAt": "integer",
"creationAuthorId": "integer",
"filters": [
{
"action": "string",
"query": "string"
}
],
"hasExtendedTitle": false,
"id": "string",
"isDefault": false,
"isDeleted": false,
"isEnabled": false,
"message": "string",
"name": "string",
"options": {
"detectionMethod": "string",
"evaluationWindow": "integer",
"keepAlive": "integer",
"maxSignalDuration": "integer",
"newValueOptions": {
"forgetAfter": "integer",
"learningDuration": "integer"
}
},
"queries": [
{
"aggregation": "string",
"distinctFields": [],
"groupByFields": [],
"metric": "string",
"name": "string",
"query": "string"
}
],
"tags": [],
"type": "string",
"updateAuthorId": "integer",
"version": "integer"
}Not Found
API error response.
{
"errors": [
"Bad Request"
]
}Too many requests
API error response.
{
"errors": [
"Bad Request"
]
}
# Path parameters
export rule_id="CHANGE_ME"
# Curl command
curl -X GET "https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/rules/${rule_id}" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
import os
from dateutil.parser import parse as dateutil_parser
from datadog_api_client.v2 import ApiClient, ApiException, Configuration
from datadog_api_client.v2.api import security_monitoring_api
from datadog_api_client.v2.models import *
from pprint import pprint
# See configuration.py for a list of all supported configuration parameters.
configuration = Configuration()
# Enter a context with an instance of the API client
with ApiClient(configuration) as api_client:
# Create an instance of the API class
api_instance = security_monitoring_api.SecurityMonitoringApi(api_client)
rule_id = "rule_id_example" # str | The ID of the rule.
# example passing only required values which don't have defaults set
try:
# Get a rule's details
api_response = api_instance.get_security_monitoring_rule(rule_id)
pprint(api_response)
except ApiException as e:
print("Exception when calling SecurityMonitoringApi->get_security_monitoring_rule: %s\n" % e)
First install the library and its dependencies and then save the example to example.py and run following commands:
export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
require 'datadog_api_client'
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
rule_id = 'rule_id_example' # String | The ID of the rule.
begin
# Get a rule's details
result = api_instance.get_security_monitoring_rule(rule_id)
p result
rescue DatadogAPIClient::V2::APIError => e
puts "Error when calling SecurityMonitoringAPI->get_security_monitoring_rule: #{e}"
end
First install the library and its dependencies and then save the example to example.rb and run following commands:
export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
import { v2 } from "@datadog/datadog-api-client";
import * as fs from "fs";
const configuration = v2.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);
let params: v2.SecurityMonitoringApiGetSecurityMonitoringRuleRequest = {
// string | The ID of the rule.
ruleId: "rule_id_example",
};
apiInstance
.getSecurityMonitoringRule(params)
.then((data: any) => {
console.log(
"API called successfully. Returned data: " + JSON.stringify(data)
);
})
.catch((error: any) => console.error(error));
First install the library and its dependencies and then save the example to example.ts and run following commands:
export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
package main
import (
"context"
"encoding/json"
"fmt"
"os"
datadog "github.com/DataDog/datadog-api-client-go/api/v2/datadog"
)
func main() {
ctx := datadog.NewDefaultContext(context.Background())
ruleId := "ruleId_example" // string | The ID of the rule.
configuration := datadog.NewConfiguration()
apiClient := datadog.NewAPIClient(configuration)
resp, r, err := apiClient.SecurityMonitoringApi.GetSecurityMonitoringRule(ctx, ruleId)
if err != nil {
fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.GetSecurityMonitoringRule`: %v\n", err)
fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
}
// response from `GetSecurityMonitoringRule`: SecurityMonitoringRuleResponse
responseContent, _ := json.MarshalIndent(resp, "", " ")
fmt.Fprintf(os.Stdout, "Response from SecurityMonitoringApi.GetSecurityMonitoringRule:\n%s\n", responseContent)
}
First install the library and its dependencies and then save the example to main.go and run following commands:
export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
import java.util.*;
import com.datadog.api.v2.client.ApiClient;
import com.datadog.api.v2.client.ApiException;
import com.datadog.api.v2.client.Configuration;
import com.datadog.api.v2.client.model.*;
import com.datadog.api.v2.client.api.SecurityMonitoringApi;
public class Example {
public static void main(String[] args) {
ApiClient defaultClient = Configuration.getDefaultApiClient();
SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);
String ruleId = "ruleId_example"; // String | The ID of the rule.
try {
SecurityMonitoringRuleResponse result = apiInstance.getSecurityMonitoringRule(ruleId);
System.out.println(result);
} catch (ApiException e) {
System.err.println("Exception when calling SecurityMonitoringApi#getSecurityMonitoringRule");
System.err.println("Status code: " + e.getCode());
System.err.println("Reason: " + e.getResponseBody());
System.err.println("Response headers: " + e.getResponseHeaders());
e.printStackTrace();
}
}
}
First install the library and its dependencies and then save the example to Example.java and run following commands:
export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
PUT https://api.datadoghq.eu/api/v2/security_monitoring/rules/{rule_id}https://api.ddog-gov.com/api/v2/security_monitoring/rules/{rule_id}https://api.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}https://api.us3.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}https://api.us5.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}
Update an existing rule. When updating cases, queries or options, the whole field
must be included. For example, when modifying a query all queries must be included.
Default rules can only be updated to be enabled and to change notifications.
This endpoint requires the security_monitoring_rules_write authorization scope.
名前
種類
説明
rule_id [required]
string
The ID of the rule.
フィールド
種類
説明
cases
[object]
Cases for generating signals.
condition
string
A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated
based on the event counts in the previously defined queries.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
status
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
filters
[object]
Additional queries to filter matched events before they are processed.
action
enum
The type of filtering action.
Allowed enum values: require,suppress
query
string
Query for selecting logs to apply the filtering action.
hasExtendedTitle
boolean
Whether the notifications include the triggering group-by values in their title.
isEnabled
boolean
Whether the rule is enabled.
message
string
Message for generated signals.
name
string
Name of the rule.
options
object
Options on rules.
detectionMethod
enum
The detection method.
Allowed enum values: threshold,new_value,anomaly_detection
evaluationWindow
enum
A time window is specified to match when at least one of the cases matches true. This is a sliding window
and evaluates in real time.
Allowed enum values: 0,60,300,600,900,1800,3600,7200
keepAlive
enum
Once a signal is generated, the signal will remain “open” if a case is matched at least once within
this keep alive window.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600
maxSignalDuration
enum
A signal will “close” regardless of the query being matched once the time exceeds the maximum duration.
This time is calculated from the first seen timestamp.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
object
Options on new value rules.
forgetAfter
enum
The duration in days after which a learned value is forgotten.
Allowed enum values: 1,2,7,14,21,28
learningDuration
enum
The duration in days during which values are learned, and after which signals will be generated for values that
weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned.
Allowed enum values: 0,1,7
queries
[object]
Queries for selecting logs which are part of the rule.
aggregation
enum
The aggregation type.
Allowed enum values: count,cardinality,sum,max,new_value
distinctFields
[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
[string]
Fields to group by.
metric
string
The target field to aggregate over when using the sum or max aggregations.
name
string
Name of the query.
query
string
Query to run on logs.
tags
[string]
Tags for generated signals.
version
int32
The version of the rule being updated.
{
"cases": [
{
"condition": "string",
"name": "string",
"notifications": [],
"status": "critical"
}
],
"filters": [
{
"action": "string",
"query": "string"
}
],
"hasExtendedTitle": true,
"isEnabled": false,
"message": "string",
"name": "string",
"options": {
"detectionMethod": "string",
"evaluationWindow": "integer",
"keepAlive": "integer",
"maxSignalDuration": "integer",
"newValueOptions": {
"forgetAfter": "integer",
"learningDuration": "integer"
}
},
"queries": [
{
"aggregation": "string",
"distinctFields": [],
"groupByFields": [],
"metric": "string",
"name": "string",
"query": "string"
}
],
"tags": [],
"version": 1
}OK
Rule.
フィールド
種類
説明
cases
[object]
Cases for generating signals.
condition
string
A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated
based on the event counts in the previously defined queries.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
status
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
createdAt
int64
When the rule was created, timestamp in milliseconds.
creationAuthorId
int64
User ID of the user who created the rule.
filters
[object]
Additional queries to filter matched events before they are processed.
action
enum
The type of filtering action.
Allowed enum values: require,suppress
query
string
Query for selecting logs to apply the filtering action.
hasExtendedTitle
boolean
Whether the notifications include the triggering group-by values in their title.
id
string
The ID of the rule.
isDefault
boolean
Whether the rule is included by default.
isDeleted
boolean
Whether the rule has been deleted.
isEnabled
boolean
Whether the rule is enabled.
message
string
Message for generated signals.
name
string
The name of the rule.
options
object
Options on rules.
detectionMethod
enum
The detection method.
Allowed enum values: threshold,new_value,anomaly_detection
evaluationWindow
enum
A time window is specified to match when at least one of the cases matches true. This is a sliding window
and evaluates in real time.
Allowed enum values: 0,60,300,600,900,1800,3600,7200
keepAlive
enum
Once a signal is generated, the signal will remain “open” if a case is matched at least once within
this keep alive window.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600
maxSignalDuration
enum
A signal will “close” regardless of the query being matched once the time exceeds the maximum duration.
This time is calculated from the first seen timestamp.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
object
Options on new value rules.
forgetAfter
enum
The duration in days after which a learned value is forgotten.
Allowed enum values: 1,2,7,14,21,28
learningDuration
enum
The duration in days during which values are learned, and after which signals will be generated for values that
weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned.
Allowed enum values: 0,1,7
queries
[object]
Queries for selecting logs which are part of the rule.
aggregation
enum
The aggregation type.
Allowed enum values: count,cardinality,sum,max,new_value
distinctFields
[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
[string]
Fields to group by.
metric
string
The target field to aggregate over when using the sum or max aggregations.
name
string
Name of the query.
query
string
Query to run on logs.
tags
[string]
Tags for generated signals.
type
enum
The rule type.
Allowed enum values: log_detection,infrastructure_configuration,workload_security,cloud_configuration
updateAuthorId
int64
User ID of the user who updated the rule.
version
int64
The version of the rule.
{
"cases": [
{
"condition": "string",
"name": "string",
"notifications": [],
"status": "critical"
}
],
"createdAt": "integer",
"creationAuthorId": "integer",
"filters": [
{
"action": "string",
"query": "string"
}
],
"hasExtendedTitle": false,
"id": "string",
"isDefault": false,
"isDeleted": false,
"isEnabled": false,
"message": "string",
"name": "string",
"options": {
"detectionMethod": "string",
"evaluationWindow": "integer",
"keepAlive": "integer",
"maxSignalDuration": "integer",
"newValueOptions": {
"forgetAfter": "integer",
"learningDuration": "integer"
}
},
"queries": [
{
"aggregation": "string",
"distinctFields": [],
"groupByFields": [],
"metric": "string",
"name": "string",
"query": "string"
}
],
"tags": [],
"type": "string",
"updateAuthorId": "integer",
"version": "integer"
}Bad Request
API error response.
{
"errors": [
"Bad Request"
]
}Concurrent Modification
API error response.
{
"errors": [
"Bad Request"
]
}Not Authorized
API error response.
{
"errors": [
"Bad Request"
]
}Not Found
API error response.
{
"errors": [
"Bad Request"
]
}Too many requests
API error response.
{
"errors": [
"Bad Request"
]
}
# Path parameters
export rule_id="CHANGE_ME"
# Curl command
curl -X PUT "https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/rules/${rule_id}" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{}
EOF
import os
from dateutil.parser import parse as dateutil_parser
from datadog_api_client.v2 import ApiClient, ApiException, Configuration
from datadog_api_client.v2.api import security_monitoring_api
from datadog_api_client.v2.models import *
from pprint import pprint
# See configuration.py for a list of all supported configuration parameters.
configuration = Configuration()
# Enter a context with an instance of the API client
with ApiClient(configuration) as api_client:
# Create an instance of the API class
api_instance = security_monitoring_api.SecurityMonitoringApi(api_client)
rule_id = "rule_id_example" # str | The ID of the rule.
body = SecurityMonitoringRuleUpdatePayload(
cases=[
SecurityMonitoringRuleCase(
condition="condition_example",
name="name_example",
notifications=[
"notifications_example",
],
status=SecurityMonitoringRuleSeverity("critical"),
),
],
filters=[
SecurityMonitoringFilter(
action=SecurityMonitoringFilterAction("require"),
query="query_example",
),
],
has_extended_title=True,
is_enabled=True,
message="message_example",
name="name_example",
options=SecurityMonitoringRuleOptions(
detection_method=SecurityMonitoringRuleDetectionMethod("threshold"),
evaluation_window=SecurityMonitoringRuleEvaluationWindow(0),
keep_alive=SecurityMonitoringRuleKeepAlive(0),
max_signal_duration=SecurityMonitoringRuleMaxSignalDuration(0),
new_value_options=SecurityMonitoringRuleNewValueOptions(
forget_after=SecurityMonitoringRuleNewValueOptionsForgetAfter(1),
learning_duration=SecurityMonitoringRuleNewValueOptionsLearningDuration(0),
),
),
queries=[
SecurityMonitoringRuleQuery(
aggregation=SecurityMonitoringRuleQueryAggregation("count"),
distinct_fields=[
"distinct_fields_example",
],
group_by_fields=[
"group_by_fields_example",
],
metric="metric_example",
name="name_example",
query="query_example",
),
],
tags=[
"tags_example",
],
version=1,
) # SecurityMonitoringRuleUpdatePayload |
# example passing only required values which don't have defaults set
try:
# Update an existing rule
api_response = api_instance.update_security_monitoring_rule(rule_id, body)
pprint(api_response)
except ApiException as e:
print("Exception when calling SecurityMonitoringApi->update_security_monitoring_rule: %s\n" % e)
First install the library and its dependencies and then save the example to example.py and run following commands:
export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
require 'datadog_api_client'
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
rule_id = 'rule_id_example' # String | The ID of the rule.
body = DatadogAPIClient::V2::SecurityMonitoringRuleUpdatePayload.new # SecurityMonitoringRuleUpdatePayload |
begin
# Update an existing rule
result = api_instance.update_security_monitoring_rule(rule_id, body)
p result
rescue DatadogAPIClient::V2::APIError => e
puts "Error when calling SecurityMonitoringAPI->update_security_monitoring_rule: #{e}"
end
First install the library and its dependencies and then save the example to example.rb and run following commands:
export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
import { v2 } from "@datadog/datadog-api-client";
import * as fs from "fs";
const configuration = v2.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);
let params: v2.SecurityMonitoringApiUpdateSecurityMonitoringRuleRequest = {
// string | The ID of the rule.
ruleId: "rule_id_example",
// SecurityMonitoringRuleUpdatePayload
body: {
cases: [
{
condition: "condition_example",
name: "name_example",
notifications: ["notifications_example"],
status: "critical",
},
],
filters: [
{
action: "require",
query: "query_example",
},
],
hasExtendedTitle: true,
isEnabled: true,
message: "message_example",
name: "name_example",
options: {
detectionMethod: "threshold",
evaluationWindow: 0,
keepAlive: 0,
maxSignalDuration: 0,
newValueOptions: {
forgetAfter: 1,
learningDuration: 0,
},
},
queries: [
{
aggregation: "count",
distinctFields: ["distinctFields_example"],
groupByFields: ["groupByFields_example"],
metric: "metric_example",
name: "name_example",
query: "query_example",
},
],
tags: ["tags_example"],
version: 1,
},
};
apiInstance
.updateSecurityMonitoringRule(params)
.then((data: any) => {
console.log(
"API called successfully. Returned data: " + JSON.stringify(data)
);
})
.catch((error: any) => console.error(error));
First install the library and its dependencies and then save the example to example.ts and run following commands:
export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
package main
import (
"context"
"encoding/json"
"fmt"
"os"
datadog "github.com/DataDog/datadog-api-client-go/api/v2/datadog"
)
func main() {
ctx := datadog.NewDefaultContext(context.Background())
ruleId := "ruleId_example" // string | The ID of the rule.
body := *datadog.NewSecurityMonitoringRuleUpdatePayload() // SecurityMonitoringRuleUpdatePayload |
configuration := datadog.NewConfiguration()
apiClient := datadog.NewAPIClient(configuration)
resp, r, err := apiClient.SecurityMonitoringApi.UpdateSecurityMonitoringRule(ctx, ruleId, body)
if err != nil {
fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.UpdateSecurityMonitoringRule`: %v\n", err)
fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
}
// response from `UpdateSecurityMonitoringRule`: SecurityMonitoringRuleResponse
responseContent, _ := json.MarshalIndent(resp, "", " ")
fmt.Fprintf(os.Stdout, "Response from SecurityMonitoringApi.UpdateSecurityMonitoringRule:\n%s\n", responseContent)
}
First install the library and its dependencies and then save the example to main.go and run following commands:
export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
import java.util.*;
import com.datadog.api.v2.client.ApiClient;
import com.datadog.api.v2.client.ApiException;
import com.datadog.api.v2.client.Configuration;
import com.datadog.api.v2.client.model.*;
import com.datadog.api.v2.client.api.SecurityMonitoringApi;
public class Example {
public static void main(String[] args) {
ApiClient defaultClient = Configuration.getDefaultApiClient();
SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);
String ruleId = "ruleId_example"; // String | The ID of the rule.
SecurityMonitoringRuleUpdatePayload body = new SecurityMonitoringRuleUpdatePayload(); // SecurityMonitoringRuleUpdatePayload |
try {
SecurityMonitoringRuleResponse result = apiInstance.updateSecurityMonitoringRule(ruleId, body);
System.out.println(result);
} catch (ApiException e) {
System.err.println("Exception when calling SecurityMonitoringApi#updateSecurityMonitoringRule");
System.err.println("Status code: " + e.getCode());
System.err.println("Reason: " + e.getResponseBody());
System.err.println("Response headers: " + e.getResponseHeaders());
e.printStackTrace();
}
}
}
First install the library and its dependencies and then save the example to Example.java and run following commands:
export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
DELETE https://api.datadoghq.eu/api/v2/security_monitoring/rules/{rule_id}https://api.ddog-gov.com/api/v2/security_monitoring/rules/{rule_id}https://api.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}https://api.us3.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}https://api.us5.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}
Delete an existing rule. Default rules cannot be deleted.
This endpoint requires the security_monitoring_rules_write authorization scope.
名前
種類
説明
rule_id [required]
string
The ID of the rule.
OK
Not Authorized
API error response.
{
"errors": [
"Bad Request"
]
}Not Found
API error response.
{
"errors": [
"Bad Request"
]
}Too many requests
API error response.
{
"errors": [
"Bad Request"
]
}
# Path parameters
export rule_id="CHANGE_ME"
# Curl command
curl -X DELETE "https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/rules/${rule_id}" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
"""
Delete an existing rule returns "OK" response
"""
from os import environ
from datadog_api_client.v2 import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
# there is a valid "security_rule" in the system
SECURITY_RULE_ID = environ["SECURITY_RULE_ID"]
configuration = Configuration()
with ApiClient(configuration) as api_client:
api_instance = SecurityMonitoringApi(api_client)
api_instance.delete_security_monitoring_rule(rule_id=SECURITY_RULE_ID)
First install the library and its dependencies and then save the example to example.py and run following commands:
export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
# Delete an existing rule returns "OK" response
require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
# there is a valid "security_rule" in the system
SECURITY_RULE_ID = ENV["SECURITY_RULE_ID"]
api_instance.delete_security_monitoring_rule(SECURITY_RULE_ID)
First install the library and its dependencies and then save the example to example.rb and run following commands:
export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
/**
* Delete an existing rule returns "OK" response
*/
import { v2 } from "@datadog/datadog-api-client";
const configuration = v2.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);
// there is a valid "security_rule" in the system
let SECURITY_RULE_ID = process.env.SECURITY_RULE_ID as string;
let params: v2.SecurityMonitoringApiDeleteSecurityMonitoringRuleRequest = {
ruleId: SECURITY_RULE_ID,
};
apiInstance
.deleteSecurityMonitoringRule(params)
.then((data: any) => {
console.log(
"API called successfully. Returned data: " + JSON.stringify(data)
);
})
.catch((error: any) => console.error(error));
First install the library and its dependencies and then save the example to example.ts and run following commands:
export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
// Delete an existing rule returns "OK" response
package main
import (
"context"
"fmt"
"os"
datadog "github.com/DataDog/datadog-api-client-go/api/v2/datadog"
)
func main() {
// there is a valid "security_rule" in the system
SecurityRuleID := os.Getenv("SECURITY_RULE_ID")
ctx := datadog.NewDefaultContext(context.Background())
configuration := datadog.NewConfiguration()
apiClient := datadog.NewAPIClient(configuration)
r, err := apiClient.SecurityMonitoringApi.DeleteSecurityMonitoringRule(ctx, SecurityRuleID)
if err != nil {
fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.DeleteSecurityMonitoringRule`: %v\n", err)
fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
}
}
First install the library and its dependencies and then save the example to main.go and run following commands:
export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
// Delete an existing rule returns "OK" response
import com.datadog.api.v2.client.ApiClient;
import com.datadog.api.v2.client.ApiException;
import com.datadog.api.v2.client.Configuration;
import com.datadog.api.v2.client.api.SecurityMonitoringApi;
import java.time.*;
import java.util.*;
public class Example {
public static void main(String[] args) {
ApiClient defaultClient = Configuration.getDefaultApiClient();
SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);
// there is a valid "security_rule" in the system
String SECURITY_RULE_ID = System.getenv("SECURITY_RULE_ID");
try {
apiInstance.deleteSecurityMonitoringRule(SECURITY_RULE_ID);
} catch (ApiException e) {
System.err.println(
"Exception when calling SecurityMonitoringApi#deleteSecurityMonitoringRule");
System.err.println("Status code: " + e.getCode());
System.err.println("Reason: " + e.getResponseBody());
System.err.println("Response headers: " + e.getResponseHeaders());
e.printStackTrace();
}
}
}
First install the library and its dependencies and then save the example to Example.java and run following commands:
export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
Note: This endpoint is in public beta. If you have any feedback, contact Datadog support.
POST https://api.datadoghq.eu/api/v2/security_monitoring/signals/searchhttps://api.ddog-gov.com/api/v2/security_monitoring/signals/searchhttps://api.datadoghq.com/api/v2/security_monitoring/signals/searchhttps://api.us3.datadoghq.com/api/v2/security_monitoring/signals/searchhttps://api.us5.datadoghq.com/api/v2/security_monitoring/signals/search
Returns security signals that match a search query.
Both this endpoint and the GET endpoint can be used interchangeably for listing
security signals.
This endpoint requires the security_monitoring_signals_read authorization scope.
フィールド
種類
説明
filter
object
Search filters for listing security signals.
from
date-time
The minimum timestamp for requested security signals.
query
string
Search query for listing security signals.
to
date-time
The maximum timestamp for requested security signals.
page
object
The paging attributes for listing security signals.
cursor
string
A list of results using the cursor provided in the previous query.
limit
int32
The maximum number of security signals in the response.
sort
enum
The sort parameters used for querying security signals.
Allowed enum values: timestamp,-timestamp
{
"filter": {
"from": "2019-01-02T09:42:36.320Z",
"query": "security:attack status:high",
"to": "2019-01-03T09:42:36.320Z"
},
"page": {
"cursor": "eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ==",
"limit": 25
},
"sort": "string"
}OK
The response object with all security signals matching the request and pagination information.
フィールド
種類
説明
data
[object]
An array of security signals matching the request.
attributes
object
The object containing all signal attributes and their associated values.
attributes
object
A JSON object of attributes in the security signal.
message
string
The message in the security signal defined by the rule that generated the signal.
tags
array
An array of tags associated with the security signal.
timestamp
date-time
The timestamp of the security signal.
id
string
The unique ID of the security signal.
type
enum
The type of event.
Allowed enum values: signal
links
object
Links attributes.
next
string
The link for the next set of results. Note: The request can also be made using the POST endpoint.
meta
object
Meta attributes.
page
object
Paging attributes.
after
string
The cursor used to get the next results, if any. To make the next request, use the same
parameters with the addition of the page[cursor].
{
"data": [
{
"attributes": {
"attributes": {
"workflow": {
"first_seen": "2020-06-23T14:46:01.000Z",
"last_seen": "2020-06-23T14:46:49.000Z",
"rule": {
"id": "0f5-e0c-805",
"name": "Brute Force Attack Grouped By User ",
"version": 12
}
}
},
"message": "Detect Account Take Over (ATO) through brute force attempts",
"tags": [
"security:attack",
"technique:T1110-brute-force"
],
"timestamp": "2019-01-02T09:42:36.320Z"
},
"id": "AAAAAWgN8Xwgr1vKDQAAAABBV2dOOFh3ZzZobm1mWXJFYTR0OA",
"type": "signal"
}
],
"links": {
"next": "https://app.datadoghq.com/api/v2/security_monitoring/signals?filter[query]=foo\u0026page[cursor]=eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ=="
},
"meta": {
"page": {
"after": "eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ=="
}
}
}Bad Request
API error response.
{
"errors": [
"Bad Request"
]
}Not Authorized
API error response.
{
"errors": [
"Bad Request"
]
}Too many requests
API error response.
{
"errors": [
"Bad Request"
]
}
# Curl command
curl -X POST "https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/signals/search" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{}
EOF
import os
from dateutil.parser import parse as dateutil_parser
from datadog_api_client.v2 import ApiClient, ApiException, Configuration
from datadog_api_client.v2.api import security_monitoring_api
from datadog_api_client.v2.models import *
from pprint import pprint
# See configuration.py for a list of all supported configuration parameters.
configuration = Configuration()
configuration.unstable_operations["search_security_monitoring_signals"] = True
# Enter a context with an instance of the API client
with ApiClient(configuration) as api_client:
# Create an instance of the API class
api_instance = security_monitoring_api.SecurityMonitoringApi(api_client)
body = SecurityMonitoringSignalListRequest(
filter=SecurityMonitoringSignalListRequestFilter(
_from=dateutil_parser('2019-01-02T09:42:36.32Z'),
query="security:attack status:high",
to=dateutil_parser('2019-01-03T09:42:36.32Z'),
),
page=SecurityMonitoringSignalListRequestPage(
cursor="eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ==",
limit=25,
),
sort=SecurityMonitoringSignalsSort("timestamp"),
) # SecurityMonitoringSignalListRequest | (optional)
# example passing only required values which don't have defaults set
# and optional values
try:
# Get a list of security signals
api_response = api_instance.search_security_monitoring_signals(body=body)
pprint(api_response)
except ApiException as e:
print("Exception when calling SecurityMonitoringApi->search_security_monitoring_signals: %s\n" % e)
First install the library and its dependencies and then save the example to example.py and run following commands:
export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
require 'datadog_api_client'
DatadogAPIClient::V2.configure do |config|
config.unstable_operations[:search_security_monitoring_signals] = true
end
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
opts = {
body: DatadogAPIClient::V2::SecurityMonitoringSignalListRequest.new # SecurityMonitoringSignalListRequest |
}
begin
# Get a list of security signals
result = api_instance.search_security_monitoring_signals(opts)
p result
rescue DatadogAPIClient::V2::APIError => e
puts "Error when calling SecurityMonitoringAPI->search_security_monitoring_signals: #{e}"
end
First install the library and its dependencies and then save the example to example.rb and run following commands:
export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
import { v2 } from "@datadog/datadog-api-client";
import * as fs from "fs";
const configuration = v2.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);
let params: v2.SecurityMonitoringApiSearchSecurityMonitoringSignalsRequest = {
// SecurityMonitoringSignalListRequest (optional)
body: {
filter: {
from: new Date("2019-01-02T09:42:36.32Z"),
query: "security:attack status:high",
to: new Date("2019-01-03T09:42:36.32Z"),
},
page: {
cursor:
"eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ==",
limit: 25,
},
sort: "timestamp",
},
};
apiInstance
.searchSecurityMonitoringSignals(params)
.then((data: any) => {
console.log(
"API called successfully. Returned data: " + JSON.stringify(data)
);
})
.catch((error: any) => console.error(error));
First install the library and its dependencies and then save the example to example.ts and run following commands:
export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
package main
import (
"context"
"encoding/json"
"fmt"
"os"
datadog "github.com/DataDog/datadog-api-client-go/api/v2/datadog"
)
func main() {
ctx := datadog.NewDefaultContext(context.Background())
body := *datadog.NewSecurityMonitoringSignalListRequest() // SecurityMonitoringSignalListRequest | (optional)
optionalParams := datadog.SearchSecurityMonitoringSignalsOptionalParameters{
Body: &body,
}
configuration := datadog.NewConfiguration()
configuration.SetUnstableOperationEnabled("SearchSecurityMonitoringSignals", true)
apiClient := datadog.NewAPIClient(configuration)
resp, r, err := apiClient.SecurityMonitoringApi.SearchSecurityMonitoringSignals(ctx, optionalParams)
if err != nil {
fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.SearchSecurityMonitoringSignals`: %v\n", err)
fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
}
// response from `SearchSecurityMonitoringSignals`: SecurityMonitoringSignalsListResponse
responseContent, _ := json.MarshalIndent(resp, "", " ")
fmt.Fprintf(os.Stdout, "Response from SecurityMonitoringApi.SearchSecurityMonitoringSignals:\n%s\n", responseContent)
}
First install the library and its dependencies and then save the example to main.go and run following commands:
export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
import java.util.*;
import com.datadog.api.v2.client.ApiClient;
import com.datadog.api.v2.client.ApiException;
import com.datadog.api.v2.client.Configuration;
import com.datadog.api.v2.client.model.*;
import com.datadog.api.v2.client.api.SecurityMonitoringApi;
public class Example {
public static void main(String[] args) {
ApiClient defaultClient = Configuration.getDefaultApiClient();
SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);
SecurityMonitoringSignalListRequest body = new SecurityMonitoringSignalListRequest(); // SecurityMonitoringSignalListRequest |
try {
SecurityMonitoringSignalsListResponse result = apiInstance.searchSecurityMonitoringSignals(new SecurityMonitoringApi.SearchSecurityMonitoringSignalsOptionalParameters()
.body(body));
System.out.println(result);
} catch (ApiException e) {
System.err.println("Exception when calling SecurityMonitoringApi#searchSecurityMonitoringSignals");
System.err.println("Status code: " + e.getCode());
System.err.println("Reason: " + e.getResponseBody());
System.err.println("Response headers: " + e.getResponseHeaders());
e.printStackTrace();
}
}
}
First install the library and its dependencies and then save the example to Example.java and run following commands:
export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
Note: This endpoint is in public beta. If you have any feedback, contact Datadog support.
GET https://api.datadoghq.eu/api/v2/security_monitoring/signalshttps://api.ddog-gov.com/api/v2/security_monitoring/signalshttps://api.datadoghq.com/api/v2/security_monitoring/signalshttps://api.us3.datadoghq.com/api/v2/security_monitoring/signalshttps://api.us5.datadoghq.com/api/v2/security_monitoring/signals
The list endpoint returns security signals that match a search query.
Both this endpoint and the POST endpoint can be used interchangeably when listing
security signals.
This endpoint requires the security_monitoring_signals_read authorization scope.
名前
種類
説明
filter[query]
string
The search query for security signals.
filter[from]
string
The minimum timestamp for requested security signals.
filter[to]
string
The maximum timestamp for requested security signals.
sort
enum
The order of the security signals in results.
Allowed enum values: timestamp, -timestamp
page[cursor]
string
A list of results using the cursor provided in the previous query.
page[limit]
integer
The maximum number of security signals in the response.
OK
The response object with all security signals matching the request and pagination information.
フィールド
種類
説明
data
[object]
An array of security signals matching the request.
attributes
object
The object containing all signal attributes and their associated values.
attributes
object
A JSON object of attributes in the security signal.
message
string
The message in the security signal defined by the rule that generated the signal.
tags
array
An array of tags associated with the security signal.
timestamp
date-time
The timestamp of the security signal.
id
string
The unique ID of the security signal.
type
enum
The type of event.
Allowed enum values: signal
links
object
Links attributes.
next
string
The link for the next set of results. Note: The request can also be made using the POST endpoint.
meta
object
Meta attributes.
page
object
Paging attributes.
after
string
The cursor used to get the next results, if any. To make the next request, use the same
parameters with the addition of the page[cursor].
{
"data": [
{
"attributes": {
"attributes": {
"workflow": {
"first_seen": "2020-06-23T14:46:01.000Z",
"last_seen": "2020-06-23T14:46:49.000Z",
"rule": {
"id": "0f5-e0c-805",
"name": "Brute Force Attack Grouped By User ",
"version": 12
}
}
},
"message": "Detect Account Take Over (ATO) through brute force attempts",
"tags": [
"security:attack",
"technique:T1110-brute-force"
],
"timestamp": "2019-01-02T09:42:36.320Z"
},
"id": "AAAAAWgN8Xwgr1vKDQAAAABBV2dOOFh3ZzZobm1mWXJFYTR0OA",
"type": "signal"
}
],
"links": {
"next": "https://app.datadoghq.com/api/v2/security_monitoring/signals?filter[query]=foo\u0026page[cursor]=eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ=="
},
"meta": {
"page": {
"after": "eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ=="
}
}
}Bad Request
API error response.
{
"errors": [
"Bad Request"
]
}Not Authorized
API error response.
{
"errors": [
"Bad Request"
]
}Too many requests
API error response.
{
"errors": [
"Bad Request"
]
}
# Curl command
curl -X GET "https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/signals" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
import os
from dateutil.parser import parse as dateutil_parser
from datadog_api_client.v2 import ApiClient, ApiException, Configuration
from datadog_api_client.v2.api import security_monitoring_api
from datadog_api_client.v2.models import *
from pprint import pprint
# See configuration.py for a list of all supported configuration parameters.
configuration = Configuration()
configuration.unstable_operations["list_security_monitoring_signals"] = True
# Enter a context with an instance of the API client
with ApiClient(configuration) as api_client:
# Create an instance of the API class
api_instance = security_monitoring_api.SecurityMonitoringApi(api_client)
filter_query = "security:attack status:high" # str | The search query for security signals. (optional)
filter_from = dateutil_parser('2019-01-02T09:42:36.320Z') # datetime | The minimum timestamp for requested security signals. (optional)
filter_to = dateutil_parser('2019-01-03T09:42:36.320Z') # datetime | The maximum timestamp for requested security signals. (optional)
sort = SecurityMonitoringSignalsSort("timestamp") # SecurityMonitoringSignalsSort | The order of the security signals in results. (optional)
page_cursor = "eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ==" # str | A list of results using the cursor provided in the previous query. (optional)
page_limit = 25 # int | The maximum number of security signals in the response. (optional) if omitted the server will use the default value of 10
# example passing only required values which don't have defaults set
# and optional values
try:
# Get a quick list of security signals
api_response = api_instance.list_security_monitoring_signals(filter_query=filter_query, filter_from=filter_from, filter_to=filter_to, sort=sort, page_cursor=page_cursor, page_limit=page_limit)
pprint(api_response)
except ApiException as e:
print("Exception when calling SecurityMonitoringApi->list_security_monitoring_signals: %s\n" % e)
First install the library and its dependencies and then save the example to example.py and run following commands:
export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
require 'datadog_api_client'
DatadogAPIClient::V2.configure do |config|
config.unstable_operations[:list_security_monitoring_signals] = true
end
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
opts = {
filter_query: 'security:attack status:high', # String | The search query for security signals.
filter_from: Time.parse('2019-01-02T09:42:36.320Z'), # Time | The minimum timestamp for requested security signals.
filter_to: Time.parse('2019-01-03T09:42:36.320Z'), # Time | The maximum timestamp for requested security signals.
sort: DatadogAPIClient::V2::SecurityMonitoringSignalsSort::TIMESTAMP_ASCENDING, # SecurityMonitoringSignalsSort | The order of the security signals in results.
page_cursor: 'eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ==', # String | A list of results using the cursor provided in the previous query.
page_limit: 25 # Integer | The maximum number of security signals in the response.
}
begin
# Get a quick list of security signals
result = api_instance.list_security_monitoring_signals(opts)
p result
rescue DatadogAPIClient::V2::APIError => e
puts "Error when calling SecurityMonitoringAPI->list_security_monitoring_signals: #{e}"
end
First install the library and its dependencies and then save the example to example.rb and run following commands:
export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
import { v2 } from "@datadog/datadog-api-client";
import * as fs from "fs";
const configuration = v2.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);
let params: v2.SecurityMonitoringApiListSecurityMonitoringSignalsRequest = {
// string | The search query for security signals. (optional)
filterQuery: "security:attack status:high",
// Date | The minimum timestamp for requested security signals. (optional)
filterFrom: new Date("2019-01-02T09:42:36.320Z"),
// Date | The maximum timestamp for requested security signals. (optional)
filterTo: new Date("2019-01-03T09:42:36.320Z"),
// SecurityMonitoringSignalsSort | The order of the security signals in results. (optional)
sort: "timestamp",
// string | A list of results using the cursor provided in the previous query. (optional)
pageCursor:
"eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ==",
// number | The maximum number of security signals in the response. (optional)
pageLimit: 25,
};
apiInstance
.listSecurityMonitoringSignals(params)
.then((data: any) => {
console.log(
"API called successfully. Returned data: " + JSON.stringify(data)
);
})
.catch((error: any) => console.error(error));
First install the library and its dependencies and then save the example to example.ts and run following commands:
export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
package main
import (
"context"
"encoding/json"
"fmt"
"os"
"time"
datadog "github.com/DataDog/datadog-api-client-go/api/v2/datadog"
)
func main() {
ctx := datadog.NewDefaultContext(context.Background())
filterQuery := "security:attack status:high" // string | The search query for security signals. (optional)
filterFrom := time.Now() // time.Time | The minimum timestamp for requested security signals. (optional)
filterTo := time.Now() // time.Time | The maximum timestamp for requested security signals. (optional)
sort := datadog.SecurityMonitoringSignalsSort("timestamp") // SecurityMonitoringSignalsSort | The order of the security signals in results. (optional)
pageCursor := "eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ==" // string | A list of results using the cursor provided in the previous query. (optional)
pageLimit := int32(25) // int32 | The maximum number of security signals in the response. (optional) (default to 10)
optionalParams := datadog.ListSecurityMonitoringSignalsOptionalParameters{
FilterQuery: &filterQuery,
FilterFrom: &filterFrom,
FilterTo: &filterTo,
Sort: &sort,
PageCursor: &pageCursor,
PageLimit: &pageLimit,
}
configuration := datadog.NewConfiguration()
configuration.SetUnstableOperationEnabled("ListSecurityMonitoringSignals", true)
apiClient := datadog.NewAPIClient(configuration)
resp, r, err := apiClient.SecurityMonitoringApi.ListSecurityMonitoringSignals(ctx, optionalParams)
if err != nil {
fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.ListSecurityMonitoringSignals`: %v\n", err)
fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
}
// response from `ListSecurityMonitoringSignals`: SecurityMonitoringSignalsListResponse
responseContent, _ := json.MarshalIndent(resp, "", " ")
fmt.Fprintf(os.Stdout, "Response from SecurityMonitoringApi.ListSecurityMonitoringSignals:\n%s\n", responseContent)
}
First install the library and its dependencies and then save the example to main.go and run following commands:
export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
import java.time.OffsetDateTime;
import java.util.*;
import com.datadog.api.v2.client.ApiClient;
import com.datadog.api.v2.client.ApiException;
import com.datadog.api.v2.client.Configuration;
import com.datadog.api.v2.client.model.*;
import com.datadog.api.v2.client.api.SecurityMonitoringApi;
public class Example {
public static void main(String[] args) {
ApiClient defaultClient = Configuration.getDefaultApiClient();
SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);
String filterQuery = "security:attack status:high"; // String | The search query for security signals.
OffsetDateTime filterFrom = OffsetDateTime.parse("2019-01-02T09:42:36.320Z"); // OffsetDateTime | The minimum timestamp for requested security signals.
OffsetDateTime filterTo = OffsetDateTime.parse("2019-01-03T09:42:36.320Z"); // OffsetDateTime | The maximum timestamp for requested security signals.
SecurityMonitoringSignalsSort sort = SecurityMonitoringSignalsSort.fromValue("timestamp"); // SecurityMonitoringSignalsSort | The order of the security signals in results.
String pageCursor = "eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ=="; // String | A list of results using the cursor provided in the previous query.
Integer pageLimit = 10; // Integer | The maximum number of security signals in the response.
try {
SecurityMonitoringSignalsListResponse result = apiInstance.listSecurityMonitoringSignals(new SecurityMonitoringApi.ListSecurityMonitoringSignalsOptionalParameters()
.filterQuery(filterQuery)
.filterFrom(filterFrom)
.filterTo(filterTo)
.sort(sort)
.pageCursor(pageCursor)
.pageLimit(pageLimit));
System.out.println(result);
} catch (ApiException e) {
System.err.println("Exception when calling SecurityMonitoringApi#listSecurityMonitoringSignals");
System.err.println("Status code: " + e.getCode());
System.err.println("Reason: " + e.getResponseBody());
System.err.println("Response headers: " + e.getResponseHeaders());
e.printStackTrace();
}
}
}
First install the library and its dependencies and then save the example to Example.java and run following commands:
export DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"