セキュリティモニタリング

信号を生成し、生成された信号を一覧表示するための検出ルール。

PATCH https://api.datadoghq.eu/api/v1/security_analytics/signals/{signal_id}/add_to_incidenthttps://api.ddog-gov.com/api/v1/security_analytics/signals/{signal_id}/add_to_incidenthttps://api.datadoghq.com/api/v1/security_analytics/signals/{signal_id}/add_to_incidenthttps://api.us3.datadoghq.com/api/v1/security_analytics/signals/{signal_id}/add_to_incidenthttps://api.us5.datadoghq.com/api/v1/security_analytics/signals/{signal_id}/add_to_incident

概要

インシデントにセキュリティシグナルを追加します。これにより、シグナルエクスプローラー内でインシデント別にシグナルを検索したり、インシデントタイムライン上でシグナルを表示したりすることが可能になります。

引数

パスパラメーター

名前

種類

説明

signal_id [required]

string

The ID of the signal.

リクエスト

Body Data (required)

シグナルの更新を記述する属性。

Expand All

フィールド

種類

説明

add_to_signal_timeline

boolean

Whether to post the signal on the incident timeline.

incident_id [required]

int64

Public ID attribute of the incident to which the signal will be added.

version

int64

Version of the updated signal. If server side version is higher, update will be rejected.

{
  "incident_id": 2609
}

応答

OK

Updated signal data following a successfully performed update.

Expand All

フィールド

種類

説明

status

string

Status of the response.

{
  "status": "string"
}

Bad Request

Error response object.

Expand All

フィールド

種類

説明

errors [required]

[string]

Array of errors returned by the API.

{
  "errors": [
    "Bad Request"
  ]
}

Forbidden

Error response object.

Expand All

フィールド

種類

説明

errors [required]

[string]

Array of errors returned by the API.

{
  "errors": [
    "Bad Request"
  ]
}

Not Found

Error response object.

Expand All

フィールド

種類

説明

errors [required]

[string]

Array of errors returned by the API.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

Error response object.

Expand All

フィールド

種類

説明

errors [required]

[string]

Array of errors returned by the API.

{
  "errors": [
    "Bad Request"
  ]
}

コード例

  
  # Path parameters
export signal_id="CHANGE_ME"
# Curl command curl -X PATCH "https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v1/security_analytics/signals/${signal_id}/add_to_incident" \ -H "Accept: application/json" \ -H "Content-Type: application/json" \ -H "DD-API-KEY: ${DD_API_KEY}" \ -H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \ -d @- << EOF { "incident_id": 2609 } EOF
// Add a security signal to an incident returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV1"
)

func main() {
	body := datadogV1.AddSignalToIncidentRequest{
		IncidentId: 2609,
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV1.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.AddSecurityMonitoringSignalToIncident(ctx, "AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE", body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.AddSecurityMonitoringSignalToIncident`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.AddSecurityMonitoringSignalToIncident`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" go run "main.go"
// Add a security signal to an incident returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v1.api.SecurityMonitoringApi;
import com.datadog.api.client.v1.model.AddSignalToIncidentRequest;
import com.datadog.api.client.v1.model.SuccessfulSignalUpdateResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    AddSignalToIncidentRequest body = new AddSignalToIncidentRequest().incidentId(2609L);

    try {
      SuccessfulSignalUpdateResponse result =
          apiInstance.addSecurityMonitoringSignalToIncident(
              "AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE", body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#addSecurityMonitoringSignalToIncident");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" java "Example.java"
"""
Add a security signal to an incident returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v1.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v1.model.add_signal_to_incident_request import AddSignalToIncidentRequest

body = AddSignalToIncidentRequest(
    incident_id=2609,
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.add_security_monitoring_signal_to_incident(
        signal_id="AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE", body=body
    )

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" python3 "example.py"
# Add a security signal to an incident returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V1::SecurityMonitoringAPI.new

body = DatadogAPIClient::V1::AddSignalToIncidentRequest.new({
  incident_id: 2609,
})
p api_instance.add_security_monitoring_signal_to_incident("AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE", body)

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" rb "example.rb"
/**
 * Add a security signal to an incident returns "OK" response
 */

import { client, v1 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v1.SecurityMonitoringApi(configuration);

const params: v1.SecurityMonitoringApiAddSecurityMonitoringSignalToIncidentRequest =
  {
    body: {
      incidentId: 2609,
    },
    signalId: "AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE",
  };

apiInstance
  .addSecurityMonitoringSignalToIncident(params)
  .then((data: v1.SuccessfulSignalUpdateResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" tsc "example.ts"

GET https://api.datadoghq.eu/api/v2/security_monitoring/ruleshttps://api.ddog-gov.com/api/v2/security_monitoring/ruleshttps://api.datadoghq.com/api/v2/security_monitoring/ruleshttps://api.us3.datadoghq.com/api/v2/security_monitoring/ruleshttps://api.us5.datadoghq.com/api/v2/security_monitoring/rules

概要

List rules. This endpoint requires the security_monitoring_rules_read authorization scope.

引数

クエリ文字列

名前

種類

説明

page[size]

integer

Size for a given page.

page[number]

integer

Specific page number to return.

応答

OK

List of rules.

Expand All

フィールド

種類

説明

data

[object <oneOf>]

Array containing the list of rules.

Option 1

Rule.

cases

[object]

Cases for generating signals.

condition

string

A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated based on the event counts in the previously defined queries.

name

string

Name of the case.

notifications

[string]

Notification targets for each rule case.

status

enum

Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

createdAt

int64

When the rule was created, timestamp in milliseconds.

creationAuthorId

int64

User ID of the user who created the rule.

filters

[object]

Additional queries to filter matched events before they are processed.

action

enum

The type of filtering action. Allowed enum values: require,suppress

query

string

Query for selecting logs to apply the filtering action.

hasExtendedTitle

boolean

Whether the notifications include the triggering group-by values in their title.

id

string

The ID of the rule.

isDefault

boolean

Whether the rule is included by default.

isDeleted

boolean

Whether the rule has been deleted.

isEnabled

boolean

Whether the rule is enabled.

message

string

Message for generated signals.

name

string

The name of the rule.

options

object

Options on rules.

decreaseCriticalityBasedOnEnv

boolean

If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise. The severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO. The decrement is applied when the environment tag of the signal starts with staging, test or dev.

detectionMethod

enum

The detection method. Allowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded

evaluationWindow

enum

A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. Allowed enum values: 0,60,300,600,900,1800,3600,7200

hardcodedEvaluatorType

enum

Hardcoded evaluator type. Allowed enum values: log4shell

impossibleTravelOptions

object

Options on impossible travel rules.

baselineUserLocations

boolean

If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.

keepAlive

enum

Once a signal is generated, the signal will remain “open” if a case is matched at least once within this keep alive window. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600

maxSignalDuration

enum

A signal will “close” regardless of the query being matched once the time exceeds the maximum duration. This time is calculated from the first seen timestamp. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

newValueOptions

object

Options on new value rules.

forgetAfter

enum

The duration in days after which a learned value is forgotten. Allowed enum values: 1,2,7,14,21,28

learningDuration

enum

The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. Allowed enum values: 0,1,7

learningMethod

enum

The learning method used to determine when signals should be generated for values that weren't learned. Allowed enum values: duration,threshold

learningThreshold

enum

A number of occurrences after which signals will be generated for values that weren't learned. Allowed enum values: 0,1

queries

[object]

Queries for selecting logs which are part of the rule.

aggregation

enum

The aggregation type. Allowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count

distinctFields

[string]

Field for which the cardinality is measured. Sent as an array.

groupByFields

[string]

Fields to group by.

metric

string

DEPRECATED: (Deprecated) The target field to aggregate over when using the sum or max aggregations. metrics field should be used instead.

metrics

[string]

Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.

name

string

Name of the query.

query [required]

string

Query to run on logs.

tags

[string]

Tags for generated signals.

type

enum

The rule type. Allowed enum values: log_detection,infrastructure_configuration,workload_security,cloud_configuration

updateAuthorId

int64

User ID of the user who updated the rule.

version

int64

The version of the rule.

Option 2

Rule.

cases

[object]

Cases for generating signals.

condition

string

A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated based on the event counts in the previously defined queries.

name

string

Name of the case.

notifications

[string]

Notification targets for each rule case.

status

enum

Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

createdAt

int64

When the rule was created, timestamp in milliseconds.

creationAuthorId

int64

User ID of the user who created the rule.

filters

[object]

Additional queries to filter matched events before they are processed.

action

enum

The type of filtering action. Allowed enum values: require,suppress

query

string

Query for selecting logs to apply the filtering action.

hasExtendedTitle

boolean

Whether the notifications include the triggering group-by values in their title.

id

string

The ID of the rule.

isDefault

boolean

Whether the rule is included by default.

isDeleted

boolean

Whether the rule has been deleted.

isEnabled

boolean

Whether the rule is enabled.

message

string

Message for generated signals.

name

string

The name of the rule.

options

object

Options on rules.

decreaseCriticalityBasedOnEnv

boolean

If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise. The severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO. The decrement is applied when the environment tag of the signal starts with staging, test or dev.

detectionMethod

enum

The detection method. Allowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded

evaluationWindow

enum

A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. Allowed enum values: 0,60,300,600,900,1800,3600,7200

hardcodedEvaluatorType

enum

Hardcoded evaluator type. Allowed enum values: log4shell

impossibleTravelOptions

object

Options on impossible travel rules.

baselineUserLocations

boolean

If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.

keepAlive

enum

Once a signal is generated, the signal will remain “open” if a case is matched at least once within this keep alive window. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600

maxSignalDuration

enum

A signal will “close” regardless of the query being matched once the time exceeds the maximum duration. This time is calculated from the first seen timestamp. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

newValueOptions

object

Options on new value rules.

forgetAfter

enum

The duration in days after which a learned value is forgotten. Allowed enum values: 1,2,7,14,21,28

learningDuration

enum

The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. Allowed enum values: 0,1,7

learningMethod

enum

The learning method used to determine when signals should be generated for values that weren't learned. Allowed enum values: duration,threshold

learningThreshold

enum

A number of occurrences after which signals will be generated for values that weren't learned. Allowed enum values: 0,1

queries

[object]

Queries for selecting logs which are part of the rule.

aggregation

enum

The aggregation type. Allowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count

correlatedByFields

[string]

Fields to group by.

correlatedQueryIndex

int32

Index of the rule query used to retrieve the correlated field.

defaultRuleId

string

Default Rule ID to match on signals.

metrics

[string]

Group of target fields to aggregate over.

name

string

Name of the query.

ruleId

string

Rule ID to match on signals.

tags

[string]

Tags for generated signals.

type

enum

The rule type. Allowed enum values: signal_correlation

updateAuthorId

int64

User ID of the user who updated the rule.

version

int64

The version of the rule.

meta

object

Object describing meta attributes of response.

page

object

Pagination object.

total_count

int64

Total count.

total_filtered_count

int64

Total count of elements matched by the filter.

{
  "data": [
    {
      "cases": [
        {
          "condition": "string",
          "name": "string",
          "notifications": [],
          "status": "critical"
        }
      ],
      "createdAt": "integer",
      "creationAuthorId": "integer",
      "filters": [
        {
          "action": "string",
          "query": "string"
        }
      ],
      "hasExtendedTitle": false,
      "id": "string",
      "isDefault": false,
      "isDeleted": false,
      "isEnabled": false,
      "message": "string",
      "name": "string",
      "options": {
        "decreaseCriticalityBasedOnEnv": false,
        "detectionMethod": "string",
        "evaluationWindow": "integer",
        "hardcodedEvaluatorType": "string",
        "impossibleTravelOptions": {
          "baselineUserLocations": true
        },
        "keepAlive": "integer",
        "maxSignalDuration": "integer",
        "newValueOptions": {
          "forgetAfter": "integer",
          "learningDuration": "integer",
          "learningMethod": "string",
          "learningThreshold": "integer"
        }
      },
      "queries": [
        {
          "aggregation": "string",
          "distinctFields": [],
          "groupByFields": [],
          "metric": "string",
          "metrics": [],
          "name": "string",
          "query": "a > 3"
        }
      ],
      "tags": [],
      "type": "string",
      "updateAuthorId": "integer",
      "version": "integer"
    }
  ],
  "meta": {
    "page": {
      "total_count": "integer",
      "total_filtered_count": "integer"
    }
  }
}

Bad Request

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

コード例


# Curl command
curl -X GET "https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/rules" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
// List rules returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.ListSecurityMonitoringRules(ctx, *datadogV2.NewListSecurityMonitoringRulesOptionalParameters())

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.ListSecurityMonitoringRules`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.ListSecurityMonitoringRules`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
// List rules returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringListRulesResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    try {
      SecurityMonitoringListRulesResponse result = apiInstance.listSecurityMonitoringRules();
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#listSecurityMonitoringRules");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
"""
List rules returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.list_security_monitoring_rules()

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
# List rules returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
p api_instance.list_security_monitoring_rules()

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
/**
 * List rules returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

apiInstance
  .listSecurityMonitoringRules()
  .then((data: v2.SecurityMonitoringListRulesResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

PATCH https://api.datadoghq.eu/api/v1/security_analytics/signals/{signal_id}/statehttps://api.ddog-gov.com/api/v1/security_analytics/signals/{signal_id}/statehttps://api.datadoghq.com/api/v1/security_analytics/signals/{signal_id}/statehttps://api.us3.datadoghq.com/api/v1/security_analytics/signals/{signal_id}/statehttps://api.us5.datadoghq.com/api/v1/security_analytics/signals/{signal_id}/state

概要

セキュリティシグナルのトリアージ状態を変更します。

引数

パスパラメーター

名前

種類

説明

signal_id [required]

string

The ID of the signal.

リクエスト

Body Data (required)

シグナルの更新を記述する属性。

Expand All

フィールド

種類

説明

archiveComment

string

Optional comment to explain why a signal is being archived.

archiveReason

enum

Reason why a signal has been archived. Allowed enum values: none,false_positive,testing_or_maintenance,other

state [required]

enum

The new triage state of the signal. Allowed enum values: open,archived,under_review

version

int64

Version of the updated signal. If server side version is higher, update will be rejected.

{
  "archiveReason": "none",
  "state": "open"
}

応答

OK

Updated signal data following a successfully performed update.

Expand All

フィールド

種類

説明

status

string

Status of the response.

{
  "status": "string"
}

Bad Request

Error response object.

Expand All

フィールド

種類

説明

errors [required]

[string]

Array of errors returned by the API.

{
  "errors": [
    "Bad Request"
  ]
}

Forbidden

Error response object.

Expand All

フィールド

種類

説明

errors [required]

[string]

Array of errors returned by the API.

{
  "errors": [
    "Bad Request"
  ]
}

Not Found

Error response object.

Expand All

フィールド

種類

説明

errors [required]

[string]

Array of errors returned by the API.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

Error response object.

Expand All

フィールド

種類

説明

errors [required]

[string]

Array of errors returned by the API.

{
  "errors": [
    "Bad Request"
  ]
}

コード例

  
  # Path parameters
export signal_id="CHANGE_ME"
# Curl command curl -X PATCH "https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v1/security_analytics/signals/${signal_id}/state" \ -H "Accept: application/json" \ -H "Content-Type: application/json" \ -H "DD-API-KEY: ${DD_API_KEY}" \ -H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \ -d @- << EOF { "archiveReason": "none", "state": "open" } EOF
// Change the triage state of a security signal returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV1"
)

func main() {
	body := datadogV1.SignalStateUpdateRequest{
		ArchiveReason: datadogV1.SIGNALARCHIVEREASON_NONE.Ptr(),
		State:         datadogV1.SIGNALTRIAGESTATE_OPEN,
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV1.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.EditSecurityMonitoringSignalState(ctx, "AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE", body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.EditSecurityMonitoringSignalState`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.EditSecurityMonitoringSignalState`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" go run "main.go"
// Change the triage state of a security signal returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v1.api.SecurityMonitoringApi;
import com.datadog.api.client.v1.model.SignalArchiveReason;
import com.datadog.api.client.v1.model.SignalStateUpdateRequest;
import com.datadog.api.client.v1.model.SignalTriageState;
import com.datadog.api.client.v1.model.SuccessfulSignalUpdateResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SignalStateUpdateRequest body =
        new SignalStateUpdateRequest()
            .archiveReason(SignalArchiveReason.NONE)
            .state(SignalTriageState.OPEN);

    try {
      SuccessfulSignalUpdateResponse result =
          apiInstance.editSecurityMonitoringSignalState(
              "AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE", body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#editSecurityMonitoringSignalState");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" java "Example.java"
"""
Change the triage state of a security signal returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v1.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v1.model.signal_archive_reason import SignalArchiveReason
from datadog_api_client.v1.model.signal_state_update_request import SignalStateUpdateRequest
from datadog_api_client.v1.model.signal_triage_state import SignalTriageState

body = SignalStateUpdateRequest(
    archive_reason=SignalArchiveReason.NONE,
    state=SignalTriageState.OPEN,
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.edit_security_monitoring_signal_state(
        signal_id="AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE", body=body
    )

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" python3 "example.py"
# Change the triage state of a security signal returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V1::SecurityMonitoringAPI.new

body = DatadogAPIClient::V1::SignalStateUpdateRequest.new({
  archive_reason: DatadogAPIClient::V1::SignalArchiveReason::NONE,
  state: DatadogAPIClient::V1::SignalTriageState::OPEN,
})
p api_instance.edit_security_monitoring_signal_state("AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE", body)

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" rb "example.rb"
/**
 * Change the triage state of a security signal returns "OK" response
 */

import { client, v1 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v1.SecurityMonitoringApi(configuration);

const params: v1.SecurityMonitoringApiEditSecurityMonitoringSignalStateRequest =
  {
    body: {
      archiveReason: "none",
      state: "open",
    },
    signalId: "AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE",
  };

apiInstance
  .editSecurityMonitoringSignalState(params)
  .then((data: v1.SuccessfulSignalUpdateResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" tsc "example.ts"

PATCH https://api.datadoghq.eu/api/v2/security_monitoring/signals/{signal_id}/statehttps://api.ddog-gov.com/api/v2/security_monitoring/signals/{signal_id}/statehttps://api.datadoghq.com/api/v2/security_monitoring/signals/{signal_id}/statehttps://api.us3.datadoghq.com/api/v2/security_monitoring/signals/{signal_id}/statehttps://api.us5.datadoghq.com/api/v2/security_monitoring/signals/{signal_id}/state

概要

セキュリティシグナルのトリアージ状態を変更します。

引数

パスパラメーター

名前

種類

説明

signal_id [required]

string

The ID of the signal.

リクエスト

Body Data (required)

シグナルの更新を記述する属性。

Expand All

フィールド

種類

説明

data [required]

object

Data containing the patch for changing the state of a signal.

attributes [required]

object

Attributes describing the change of state of a security signal.

archive_comment

string

Optional comment to display on archived signals.

archive_reason

enum

Reason a signal is archived. Allowed enum values: none,false_positive,testing_or_maintenance,other

state [required]

enum

The new triage state of the signal. Allowed enum values: open,archived,under_review

version

int64

Version of the updated signal. If server side version is higher, update will be rejected.

{
  "data": {
    "attributes": {
      "archive_reason": "none",
      "state": "open"
    }
  }
}

応答

OK

The response returned after all triage operations, containing the updated signal triage data.

Expand All

フィールド

種類

説明

data [required]

object

Data containing the updated triage attributes of the signal.

attributes

object

Attributes describing a triage state update operation over a security signal.

archive_comment

string

Optional comment to display on archived signals.

archive_comment_timestamp

int64

Timestamp of the last edit to the comment.

archive_comment_user

object

Object representing a given user entity.

handle

string

The handle for this user account.

id

int64

Numerical ID assigned by Datadog to this user account.

name

string

The name for this user account.

uuid [required]

string

UUID assigned by Datadog to this user account.

archive_reason

enum

Reason a signal is archived. Allowed enum values: none,false_positive,testing_or_maintenance,other

assignee [required]

object

Object representing a given user entity.

handle

string

The handle for this user account.

id

int64

Numerical ID assigned by Datadog to this user account.

name

string

The name for this user account.

uuid [required]

string

UUID assigned by Datadog to this user account.

incident_ids [required]

[integer]

Array of incidents that are associated with this signal.

state [required]

enum

The new triage state of the signal. Allowed enum values: open,archived,under_review

state_update_timestamp

int64

Timestamp of the last update to the signal state.

state_update_user

object

Object representing a given user entity.

handle

string

The handle for this user account.

id

int64

Numerical ID assigned by Datadog to this user account.

name

string

The name for this user account.

uuid [required]

string

UUID assigned by Datadog to this user account.

{
  "data": {
    "attributes": {
      "archive_comment": "string",
      "archive_comment_timestamp": "integer",
      "archive_comment_user": {
        "handle": "string",
        "id": "integer",
        "name": "string",
        "uuid": "773b045d-ccf8-4808-bd3b-955ef6a8c940"
      },
      "archive_reason": "string",
      "assignee": {
        "handle": "string",
        "id": "integer",
        "name": "string",
        "uuid": "773b045d-ccf8-4808-bd3b-955ef6a8c940"
      },
      "incident_ids": [],
      "state": "open",
      "state_update_timestamp": "integer",
      "state_update_user": {
        "handle": "string",
        "id": "integer",
        "name": "string",
        "uuid": "773b045d-ccf8-4808-bd3b-955ef6a8c940"
      }
    }
  }
}

Bad Request

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Forbidden

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Found

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

コード例

  
  # Path parameters
export signal_id="CHANGE_ME"
# Curl command curl -X PATCH "https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/signals/${signal_id}/state" \ -H "Accept: application/json" \ -H "Content-Type: application/json" \ -H "DD-API-KEY: ${DD_API_KEY}" \ -H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \ -d @- << EOF { "data": { "attributes": { "archive_reason": "none", "state": "open" } } } EOF
// Change the triage state of a security signal returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.SecurityMonitoringSignalStateUpdateRequest{
		Data: datadogV2.SecurityMonitoringSignalStateUpdateData{
			Attributes: datadogV2.SecurityMonitoringSignalStateUpdateAttributes{
				ArchiveReason: datadogV2.SECURITYMONITORINGSIGNALARCHIVEREASON_NONE.Ptr(),
				State:         datadogV2.SECURITYMONITORINGSIGNALSTATE_OPEN,
			},
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.EditSecurityMonitoringSignalState(ctx, "AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE", body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.EditSecurityMonitoringSignalState`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.EditSecurityMonitoringSignalState`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" go run "main.go"
// Change the triage state of a security signal returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalArchiveReason;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalState;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalStateUpdateAttributes;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalStateUpdateData;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalStateUpdateRequest;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalTriageUpdateResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SecurityMonitoringSignalStateUpdateRequest body =
        new SecurityMonitoringSignalStateUpdateRequest()
            .data(
                new SecurityMonitoringSignalStateUpdateData()
                    .attributes(
                        new SecurityMonitoringSignalStateUpdateAttributes()
                            .archiveReason(SecurityMonitoringSignalArchiveReason.NONE)
                            .state(SecurityMonitoringSignalState.OPEN)));

    try {
      SecurityMonitoringSignalTriageUpdateResponse result =
          apiInstance.editSecurityMonitoringSignalState(
              "AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE", body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#editSecurityMonitoringSignalState");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" java "Example.java"
"""
Change the triage state of a security signal returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_signal_archive_reason import SecurityMonitoringSignalArchiveReason
from datadog_api_client.v2.model.security_monitoring_signal_state import SecurityMonitoringSignalState
from datadog_api_client.v2.model.security_monitoring_signal_state_update_attributes import (
    SecurityMonitoringSignalStateUpdateAttributes,
)
from datadog_api_client.v2.model.security_monitoring_signal_state_update_data import (
    SecurityMonitoringSignalStateUpdateData,
)
from datadog_api_client.v2.model.security_monitoring_signal_state_update_request import (
    SecurityMonitoringSignalStateUpdateRequest,
)

body = SecurityMonitoringSignalStateUpdateRequest(
    data=SecurityMonitoringSignalStateUpdateData(
        attributes=SecurityMonitoringSignalStateUpdateAttributes(
            archive_reason=SecurityMonitoringSignalArchiveReason.NONE,
            state=SecurityMonitoringSignalState.OPEN,
        ),
    ),
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.edit_security_monitoring_signal_state(
        signal_id="AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE", body=body
    )

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" python3 "example.py"
# Change the triage state of a security signal returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::SecurityMonitoringSignalStateUpdateRequest.new({
  data: DatadogAPIClient::V2::SecurityMonitoringSignalStateUpdateData.new({
    attributes: DatadogAPIClient::V2::SecurityMonitoringSignalStateUpdateAttributes.new({
      archive_reason: DatadogAPIClient::V2::SecurityMonitoringSignalArchiveReason::NONE,
      state: DatadogAPIClient::V2::SecurityMonitoringSignalState::OPEN,
    }),
  }),
})
p api_instance.edit_security_monitoring_signal_state("AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE", body)

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" rb "example.rb"
/**
 * Change the triage state of a security signal returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiEditSecurityMonitoringSignalStateRequest =
  {
    body: {
      data: {
        attributes: {
          archiveReason: "none",
          state: "open",
        },
      },
    },
    signalId: "AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE",
  };

apiInstance
  .editSecurityMonitoringSignalState(params)
  .then((data: v2.SecurityMonitoringSignalTriageUpdateResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" tsc "example.ts"

POST https://api.datadoghq.eu/api/v2/security_monitoring/ruleshttps://api.ddog-gov.com/api/v2/security_monitoring/ruleshttps://api.datadoghq.com/api/v2/security_monitoring/ruleshttps://api.us3.datadoghq.com/api/v2/security_monitoring/ruleshttps://api.us5.datadoghq.com/api/v2/security_monitoring/rules

概要

Create a detection rule. This endpoint requires the security_monitoring_rules_write authorization scope.

リクエスト

Body Data (required)

Expand All

フィールド

種類

説明

Option 1

object

Create a new rule.

cases [required]

[object]

Cases for generating signals.

condition

string

A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated based on the event counts in the previously defined queries.

name

string

Name of the case.

notifications

[string]

Notification targets for each rule case.

status [required]

enum

Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

filters

[object]

Additional queries to filter matched events before they are processed.

action

enum

The type of filtering action. Allowed enum values: require,suppress

query

string

Query for selecting logs to apply the filtering action.

hasExtendedTitle

boolean

Whether the notifications include the triggering group-by values in their title.

isEnabled [required]

boolean

Whether the rule is enabled.

message [required]

string

Message for generated signals.

name [required]

string

The name of the rule.

options [required]

object

Options on rules.

decreaseCriticalityBasedOnEnv

boolean

If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise. The severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO. The decrement is applied when the environment tag of the signal starts with staging, test or dev.

detectionMethod

enum

The detection method. Allowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded

evaluationWindow

enum

A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. Allowed enum values: 0,60,300,600,900,1800,3600,7200

hardcodedEvaluatorType

enum

Hardcoded evaluator type. Allowed enum values: log4shell

impossibleTravelOptions

object

Options on impossible travel rules.

baselineUserLocations

boolean

If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.

keepAlive

enum

Once a signal is generated, the signal will remain “open” if a case is matched at least once within this keep alive window. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600

maxSignalDuration

enum

A signal will “close” regardless of the query being matched once the time exceeds the maximum duration. This time is calculated from the first seen timestamp. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

newValueOptions

object

Options on new value rules.

forgetAfter

enum

The duration in days after which a learned value is forgotten. Allowed enum values: 1,2,7,14,21,28

learningDuration

enum

The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. Allowed enum values: 0,1,7

learningMethod

enum

The learning method used to determine when signals should be generated for values that weren't learned. Allowed enum values: duration,threshold

learningThreshold

enum

A number of occurrences after which signals will be generated for values that weren't learned. Allowed enum values: 0,1

queries [required]

[object]

Queries for selecting logs which are part of the rule.

aggregation

enum

The aggregation type. Allowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count

distinctFields

[string]

Field for which the cardinality is measured. Sent as an array.

groupByFields

[string]

Fields to group by.

metric

string

DEPRECATED: (Deprecated) The target field to aggregate over when using the sum or max aggregations. metrics field should be used instead.

metrics

[string]

Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.

name

string

Name of the query.

query [required]

string

Query to run on logs.

tags

[string]

Tags for generated signals.

type

enum

The rule type. Allowed enum values: log_detection,workload_security

Option 2

object

Create a new signal correlation rule.

cases [required]

[object]

Cases for generating signals.

condition

string

A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated based on the event counts in the previously defined queries.

name

string

Name of the case.

notifications

[string]

Notification targets for each rule case.

status [required]

enum

Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

filters

[object]

Additional queries to filter matched events before they are processed.

action

enum

The type of filtering action. Allowed enum values: require,suppress

query

string

Query for selecting logs to apply the filtering action.

hasExtendedTitle

boolean

Whether the notifications include the triggering group-by values in their title.

isEnabled [required]

boolean

Whether the rule is enabled.

message [required]

string

Message for generated signals.

name [required]

string

The name of the rule.

options [required]

object

Options on rules.

decreaseCriticalityBasedOnEnv

boolean

If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise. The severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO. The decrement is applied when the environment tag of the signal starts with staging, test or dev.

detectionMethod

enum

The detection method. Allowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded

evaluationWindow

enum

A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. Allowed enum values: 0,60,300,600,900,1800,3600,7200

hardcodedEvaluatorType

enum

Hardcoded evaluator type. Allowed enum values: log4shell

impossibleTravelOptions

object

Options on impossible travel rules.

baselineUserLocations

boolean

If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.

keepAlive

enum

Once a signal is generated, the signal will remain “open” if a case is matched at least once within this keep alive window. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600

maxSignalDuration

enum

A signal will “close” regardless of the query being matched once the time exceeds the maximum duration. This time is calculated from the first seen timestamp. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

newValueOptions

object

Options on new value rules.

forgetAfter

enum

The duration in days after which a learned value is forgotten. Allowed enum values: 1,2,7,14,21,28

learningDuration

enum

The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. Allowed enum values: 0,1,7

learningMethod

enum

The learning method used to determine when signals should be generated for values that weren't learned. Allowed enum values: duration,threshold

learningThreshold

enum

A number of occurrences after which signals will be generated for values that weren't learned. Allowed enum values: 0,1

queries [required]

[object]

Queries for selecting signals which are part of the rule.

aggregation

enum

The aggregation type. Allowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count

correlatedByFields

[string]

Fields to group by.

correlatedQueryIndex

int32

Index of the rule query used to retrieve the correlated field.

metrics

[string]

Group of target fields to aggregate over.

name

string

Name of the query.

ruleId [required]

string

Rule ID to match on signals.

tags

[string]

Tags for generated signals.

type

enum

The rule type. Allowed enum values: signal_correlation

{
  "name": "Example-Create_a_detection_rule_returns_OK_response",
  "queries": [
    {
      "query": "@test:true",
      "aggregation": "count",
      "groupByFields": [],
      "distinctFields": [],
      "metric": ""
    }
  ],
  "filters": [],
  "cases": [
    {
      "name": "",
      "status": "info",
      "condition": "a > 0",
      "notifications": []
    }
  ],
  "options": {
    "evaluationWindow": 900,
    "keepAlive": 3600,
    "maxSignalDuration": 86400
  },
  "message": "Test rule",
  "tags": [],
  "isEnabled": true,
  "type": "log_detection"
}
{
  "queries": [
    {
      "aggregation": "geo_data",
      "groupByFields": [
        "@usr.id"
      ],
      "distinctFields": [],
      "metric": "@network.client.geoip",
      "query": "*"
    }
  ],
  "cases": [
    {
      "name": "",
      "status": "info",
      "notifications": []
    }
  ],
  "hasExtendedTitle": true,
  "message": "test",
  "isEnabled": true,
  "options": {
    "maxSignalDuration": 86400,
    "evaluationWindow": 900,
    "keepAlive": 3600,
    "detectionMethod": "impossible_travel",
    "impossibleTravelOptions": {
      "baselineUserLocations": false
    }
  },
  "name": "Example-Create_a_detection_rule_with_type_impossible_travel_returns_OK_response",
  "type": "log_detection",
  "tags": [],
  "filters": []
}
{
  "name": "Example-Create_a_detection_rule_with_type_signal_correlation_returns_OK_response_signal_rule",
  "queries": [
    {
      "ruleId": "string",
      "aggregation": "event_count",
      "correlatedByFields": [
        "host"
      ],
      "correlatedQueryIndex": 1
    },
    {
      "ruleId": "c5e332c9-eba2-4874-75f2-46be1b96d0e8",
      "aggregation": "event_count",
      "correlatedByFields": [
        "host"
      ]
    }
  ],
  "filters": [],
  "cases": [
    {
      "name": "",
      "status": "info",
      "condition": "a > 0 && b > 0",
      "notifications": []
    }
  ],
  "options": {
    "evaluationWindow": 900,
    "keepAlive": 3600,
    "maxSignalDuration": 86400
  },
  "message": "Test signal correlation rule",
  "tags": [],
  "isEnabled": true,
  "type": "signal_correlation"
}

応答

OK

Create a new rule.

Expand All

フィールド

種類

説明

Option 1

Rule.

cases

[object]

Cases for generating signals.

condition

string

A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated based on the event counts in the previously defined queries.

name

string

Name of the case.

notifications

[string]

Notification targets for each rule case.

status

enum

Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

createdAt

int64

When the rule was created, timestamp in milliseconds.

creationAuthorId

int64

User ID of the user who created the rule.

filters

[object]

Additional queries to filter matched events before they are processed.

action

enum

The type of filtering action. Allowed enum values: require,suppress

query

string

Query for selecting logs to apply the filtering action.

hasExtendedTitle

boolean

Whether the notifications include the triggering group-by values in their title.

id

string

The ID of the rule.

isDefault

boolean

Whether the rule is included by default.

isDeleted

boolean

Whether the rule has been deleted.

isEnabled

boolean

Whether the rule is enabled.

message

string

Message for generated signals.

name

string

The name of the rule.

options

object

Options on rules.

decreaseCriticalityBasedOnEnv

boolean

If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise. The severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO. The decrement is applied when the environment tag of the signal starts with staging, test or dev.

detectionMethod

enum

The detection method. Allowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded

evaluationWindow

enum

A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. Allowed enum values: 0,60,300,600,900,1800,3600,7200

hardcodedEvaluatorType

enum

Hardcoded evaluator type. Allowed enum values: log4shell

impossibleTravelOptions

object

Options on impossible travel rules.

baselineUserLocations

boolean

If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.

keepAlive

enum

Once a signal is generated, the signal will remain “open” if a case is matched at least once within this keep alive window. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600

maxSignalDuration

enum

A signal will “close” regardless of the query being matched once the time exceeds the maximum duration. This time is calculated from the first seen timestamp. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

newValueOptions

object

Options on new value rules.

forgetAfter

enum

The duration in days after which a learned value is forgotten. Allowed enum values: 1,2,7,14,21,28

learningDuration

enum

The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. Allowed enum values: 0,1,7

learningMethod

enum

The learning method used to determine when signals should be generated for values that weren't learned. Allowed enum values: duration,threshold

learningThreshold

enum

A number of occurrences after which signals will be generated for values that weren't learned. Allowed enum values: 0,1

queries

[object]

Queries for selecting logs which are part of the rule.

aggregation

enum

The aggregation type. Allowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count

distinctFields

[string]

Field for which the cardinality is measured. Sent as an array.

groupByFields

[string]

Fields to group by.

metric

string

DEPRECATED: (Deprecated) The target field to aggregate over when using the sum or max aggregations. metrics field should be used instead.

metrics

[string]

Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.

name

string

Name of the query.

query [required]

string

Query to run on logs.

tags

[string]

Tags for generated signals.

type

enum

The rule type. Allowed enum values: log_detection,infrastructure_configuration,workload_security,cloud_configuration

updateAuthorId

int64

User ID of the user who updated the rule.

version

int64

The version of the rule.

Option 2

Rule.

cases

[object]

Cases for generating signals.

condition

string

A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated based on the event counts in the previously defined queries.

name

string

Name of the case.

notifications

[string]

Notification targets for each rule case.

status

enum

Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

createdAt

int64

When the rule was created, timestamp in milliseconds.

creationAuthorId

int64

User ID of the user who created the rule.

filters

[object]

Additional queries to filter matched events before they are processed.

action

enum

The type of filtering action. Allowed enum values: require,suppress

query

string

Query for selecting logs to apply the filtering action.

hasExtendedTitle

boolean

Whether the notifications include the triggering group-by values in their title.

id

string

The ID of the rule.

isDefault

boolean

Whether the rule is included by default.

isDeleted

boolean

Whether the rule has been deleted.

isEnabled

boolean

Whether the rule is enabled.

message

string

Message for generated signals.

name

string

The name of the rule.

options

object

Options on rules.

decreaseCriticalityBasedOnEnv

boolean

If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise. The severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO. The decrement is applied when the environment tag of the signal starts with staging, test or dev.

detectionMethod

enum

The detection method. Allowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded

evaluationWindow

enum

A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. Allowed enum values: 0,60,300,600,900,1800,3600,7200

hardcodedEvaluatorType

enum

Hardcoded evaluator type. Allowed enum values: log4shell

impossibleTravelOptions

object

Options on impossible travel rules.

baselineUserLocations

boolean

If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.

keepAlive

enum

Once a signal is generated, the signal will remain “open” if a case is matched at least once within this keep alive window. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600

maxSignalDuration

enum

A signal will “close” regardless of the query being matched once the time exceeds the maximum duration. This time is calculated from the first seen timestamp. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

newValueOptions

object

Options on new value rules.

forgetAfter

enum

The duration in days after which a learned value is forgotten. Allowed enum values: 1,2,7,14,21,28

learningDuration

enum

The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. Allowed enum values: 0,1,7

learningMethod

enum

The learning method used to determine when signals should be generated for values that weren't learned. Allowed enum values: duration,threshold

learningThreshold

enum

A number of occurrences after which signals will be generated for values that weren't learned. Allowed enum values: 0,1

queries

[object]

Queries for selecting logs which are part of the rule.

aggregation

enum

The aggregation type. Allowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count

correlatedByFields

[string]

Fields to group by.

correlatedQueryIndex

int32

Index of the rule query used to retrieve the correlated field.

defaultRuleId

string

Default Rule ID to match on signals.

metrics

[string]

Group of target fields to aggregate over.

name

string

Name of the query.

ruleId

string

Rule ID to match on signals.

tags

[string]

Tags for generated signals.

type

enum

The rule type. Allowed enum values: signal_correlation

updateAuthorId

int64

User ID of the user who updated the rule.

version

int64

The version of the rule.

{
  "cases": [
    {
      "condition": "string",
      "name": "string",
      "notifications": [],
      "status": "critical"
    }
  ],
  "createdAt": "integer",
  "creationAuthorId": "integer",
  "filters": [
    {
      "action": "string",
      "query": "string"
    }
  ],
  "hasExtendedTitle": false,
  "id": "string",
  "isDefault": false,
  "isDeleted": false,
  "isEnabled": false,
  "message": "string",
  "name": "string",
  "options": {
    "decreaseCriticalityBasedOnEnv": false,
    "detectionMethod": "string",
    "evaluationWindow": "integer",
    "hardcodedEvaluatorType": "string",
    "impossibleTravelOptions": {
      "baselineUserLocations": true
    },
    "keepAlive": "integer",
    "maxSignalDuration": "integer",
    "newValueOptions": {
      "forgetAfter": "integer",
      "learningDuration": "integer",
      "learningMethod": "string",
      "learningThreshold": "integer"
    }
  },
  "queries": [
    {
      "aggregation": "string",
      "distinctFields": [],
      "groupByFields": [],
      "metric": "string",
      "metrics": [],
      "name": "string",
      "query": "a > 3"
    }
  ],
  "tags": [],
  "type": "string",
  "updateAuthorId": "integer",
  "version": "integer"
}

Bad Request

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Authorized

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

コード例

  
  # Curl command
curl -X POST "https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/rules" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "name": "Example-Create_a_detection_rule_returns_OK_response",
  "queries": [
    {
      "query": "@test:true",
      "aggregation": "count",
      "groupByFields": [],
      "distinctFields": [],
      "metric": ""
    }
  ],
  "filters": [],
  "cases": [
    {
      "name": "",
      "status": "info",
      "condition": "a > 0",
      "notifications": []
    }
  ],
  "options": {
    "evaluationWindow": 900,
    "keepAlive": 3600,
    "maxSignalDuration": 86400
  },
  "message": "Test rule",
  "tags": [],
  "isEnabled": true,
  "type": "log_detection"
}
EOF
  
  # Curl command
curl -X POST "https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/rules" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "queries": [
    {
      "aggregation": "geo_data",
      "groupByFields": [
        "@usr.id"
      ],
      "distinctFields": [],
      "metric": "@network.client.geoip",
      "query": "*"
    }
  ],
  "cases": [
    {
      "name": "",
      "status": "info",
      "notifications": []
    }
  ],
  "hasExtendedTitle": true,
  "message": "test",
  "isEnabled": true,
  "options": {
    "maxSignalDuration": 86400,
    "evaluationWindow": 900,
    "keepAlive": 3600,
    "detectionMethod": "impossible_travel",
    "impossibleTravelOptions": {
      "baselineUserLocations": false
    }
  },
  "name": "Example-Create_a_detection_rule_with_type_impossible_travel_returns_OK_response",
  "type": "log_detection",
  "tags": [],
  "filters": []
}
EOF
  
  # Curl command
curl -X POST "https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/rules" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "name": "Example-Create_a_detection_rule_with_type_signal_correlation_returns_OK_response_signal_rule",
  "queries": [
    {
      "ruleId": "string",
      "aggregation": "event_count",
      "correlatedByFields": [
        "host"
      ],
      "correlatedQueryIndex": 1
    },
    {
      "ruleId": "c5e332c9-eba2-4874-75f2-46be1b96d0e8",
      "aggregation": "event_count",
      "correlatedByFields": [
        "host"
      ]
    }
  ],
  "filters": [],
  "cases": [
    {
      "name": "",
      "status": "info",
      "condition": "a > 0 && b > 0",
      "notifications": []
    }
  ],
  "options": {
    "evaluationWindow": 900,
    "keepAlive": 3600,
    "maxSignalDuration": 86400
  },
  "message": "Test signal correlation rule",
  "tags": [],
  "isEnabled": true,
  "type": "signal_correlation"
}
EOF
// Create a detection rule returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.SecurityMonitoringRuleCreatePayload{
		SecurityMonitoringStandardRuleCreatePayload: &datadogV2.SecurityMonitoringStandardRuleCreatePayload{
			Name: "Example-Create_a_detection_rule_returns_OK_response",
			Queries: []datadogV2.SecurityMonitoringStandardRuleQuery{
				{
					Query:          "@test:true",
					Aggregation:    datadogV2.SECURITYMONITORINGRULEQUERYAGGREGATION_COUNT.Ptr(),
					GroupByFields:  []string{},
					DistinctFields: []string{},
					Metric:         datadog.PtrString(""),
				},
			},
			Filters: []datadogV2.SecurityMonitoringFilter{},
			Cases: []datadogV2.SecurityMonitoringRuleCaseCreate{
				{
					Name:          datadog.PtrString(""),
					Status:        datadogV2.SECURITYMONITORINGRULESEVERITY_INFO,
					Condition:     datadog.PtrString("a > 0"),
					Notifications: []string{},
				},
			},
			Options: datadogV2.SecurityMonitoringRuleOptions{
				EvaluationWindow:  datadogV2.SECURITYMONITORINGRULEEVALUATIONWINDOW_FIFTEEN_MINUTES.Ptr(),
				KeepAlive:         datadogV2.SECURITYMONITORINGRULEKEEPALIVE_ONE_HOUR.Ptr(),
				MaxSignalDuration: datadogV2.SECURITYMONITORINGRULEMAXSIGNALDURATION_ONE_DAY.Ptr(),
			},
			Message:   "Test rule",
			Tags:      []string{},
			IsEnabled: true,
			Type:      datadogV2.SECURITYMONITORINGRULETYPECREATE_LOG_DETECTION.Ptr(),
		}}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.CreateSecurityMonitoringRule(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.CreateSecurityMonitoringRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.CreateSecurityMonitoringRule`:\n%s\n", responseContent)
}
// Create a detection rule with type 'impossible_travel' returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.SecurityMonitoringRuleCreatePayload{
		SecurityMonitoringStandardRuleCreatePayload: &datadogV2.SecurityMonitoringStandardRuleCreatePayload{
			Queries: []datadogV2.SecurityMonitoringStandardRuleQuery{
				{
					Aggregation: datadogV2.SECURITYMONITORINGRULEQUERYAGGREGATION_GEO_DATA.Ptr(),
					GroupByFields: []string{
						"@usr.id",
					},
					DistinctFields: []string{},
					Metric:         datadog.PtrString("@network.client.geoip"),
					Query:          "*",
				},
			},
			Cases: []datadogV2.SecurityMonitoringRuleCaseCreate{
				{
					Name:          datadog.PtrString(""),
					Status:        datadogV2.SECURITYMONITORINGRULESEVERITY_INFO,
					Notifications: []string{},
				},
			},
			HasExtendedTitle: datadog.PtrBool(true),
			Message:          "test",
			IsEnabled:        true,
			Options: datadogV2.SecurityMonitoringRuleOptions{
				MaxSignalDuration: datadogV2.SECURITYMONITORINGRULEMAXSIGNALDURATION_ONE_DAY.Ptr(),
				EvaluationWindow:  datadogV2.SECURITYMONITORINGRULEEVALUATIONWINDOW_FIFTEEN_MINUTES.Ptr(),
				KeepAlive:         datadogV2.SECURITYMONITORINGRULEKEEPALIVE_ONE_HOUR.Ptr(),
				DetectionMethod:   datadogV2.SECURITYMONITORINGRULEDETECTIONMETHOD_IMPOSSIBLE_TRAVEL.Ptr(),
				ImpossibleTravelOptions: &datadogV2.SecurityMonitoringRuleImpossibleTravelOptions{
					BaselineUserLocations: datadog.PtrBool(false),
				},
			},
			Name:    "Example-Create_a_detection_rule_with_type_impossible_travel_returns_OK_response",
			Type:    datadogV2.SECURITYMONITORINGRULETYPECREATE_LOG_DETECTION.Ptr(),
			Tags:    []string{},
			Filters: []datadogV2.SecurityMonitoringFilter{},
		}}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.CreateSecurityMonitoringRule(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.CreateSecurityMonitoringRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.CreateSecurityMonitoringRule`:\n%s\n", responseContent)
}
// Create a detection rule with type 'signal_correlation' returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	// there is a valid "security_rule" in the system
	SecurityRuleID := os.Getenv("SECURITY_RULE_ID")

	// there is a valid "security_rule_bis" in the system
	SecurityRuleBisID := os.Getenv("SECURITY_RULE_BIS_ID")

	body := datadogV2.SecurityMonitoringRuleCreatePayload{
		SecurityMonitoringSignalRuleCreatePayload: &datadogV2.SecurityMonitoringSignalRuleCreatePayload{
			Name: "Example-Create_a_detection_rule_with_type_signal_correlation_returns_OK_response_signal_rule",
			Queries: []datadogV2.SecurityMonitoringSignalRuleQuery{
				{
					RuleId:      SecurityRuleID,
					Aggregation: datadogV2.SECURITYMONITORINGRULEQUERYAGGREGATION_EVENT_COUNT.Ptr(),
					CorrelatedByFields: []string{
						"host",
					},
					CorrelatedQueryIndex: datadog.PtrInt32(1),
				},
				{
					RuleId:      SecurityRuleBisID,
					Aggregation: datadogV2.SECURITYMONITORINGRULEQUERYAGGREGATION_EVENT_COUNT.Ptr(),
					CorrelatedByFields: []string{
						"host",
					},
				},
			},
			Filters: []datadogV2.SecurityMonitoringFilter{},
			Cases: []datadogV2.SecurityMonitoringRuleCaseCreate{
				{
					Name:          datadog.PtrString(""),
					Status:        datadogV2.SECURITYMONITORINGRULESEVERITY_INFO,
					Condition:     datadog.PtrString("a > 0 && b > 0"),
					Notifications: []string{},
				},
			},
			Options: datadogV2.SecurityMonitoringRuleOptions{
				EvaluationWindow:  datadogV2.SECURITYMONITORINGRULEEVALUATIONWINDOW_FIFTEEN_MINUTES.Ptr(),
				KeepAlive:         datadogV2.SECURITYMONITORINGRULEKEEPALIVE_ONE_HOUR.Ptr(),
				MaxSignalDuration: datadogV2.SECURITYMONITORINGRULEMAXSIGNALDURATION_ONE_DAY.Ptr(),
			},
			Message:   "Test signal correlation rule",
			Tags:      []string{},
			IsEnabled: true,
			Type:      datadogV2.SECURITYMONITORINGSIGNALRULETYPE_SIGNAL_CORRELATION.Ptr(),
		}}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.CreateSecurityMonitoringRule(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.CreateSecurityMonitoringRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.CreateSecurityMonitoringRule`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
// Create a detection rule returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCaseCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCreatePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleEvaluationWindow;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleKeepAlive;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleMaxSignalDuration;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleOptions;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleQueryAggregation;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleResponse;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSeverity;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleTypeCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRuleCreatePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRuleQuery;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SecurityMonitoringRuleCreatePayload body =
        new SecurityMonitoringRuleCreatePayload(
            new SecurityMonitoringStandardRuleCreatePayload()
                .name("Example-Create_a_detection_rule_returns_OK_response")
                .queries(
                    Collections.singletonList(
                        new SecurityMonitoringStandardRuleQuery()
                            .query("@test:true")
                            .aggregation(SecurityMonitoringRuleQueryAggregation.COUNT)
                            .metric("")))
                .cases(
                    Collections.singletonList(
                        new SecurityMonitoringRuleCaseCreate()
                            .name("")
                            .status(SecurityMonitoringRuleSeverity.INFO)
                            .condition("a > 0")))
                .options(
                    new SecurityMonitoringRuleOptions()
                        .evaluationWindow(SecurityMonitoringRuleEvaluationWindow.FIFTEEN_MINUTES)
                        .keepAlive(SecurityMonitoringRuleKeepAlive.ONE_HOUR)
                        .maxSignalDuration(SecurityMonitoringRuleMaxSignalDuration.ONE_DAY))
                .message("Test rule")
                .isEnabled(true)
                .type(SecurityMonitoringRuleTypeCreate.LOG_DETECTION));

    try {
      SecurityMonitoringRuleResponse result = apiInstance.createSecurityMonitoringRule(body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#createSecurityMonitoringRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
// Create a detection rule with type 'impossible_travel' returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCaseCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCreatePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleDetectionMethod;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleEvaluationWindow;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleImpossibleTravelOptions;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleKeepAlive;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleMaxSignalDuration;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleOptions;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleQueryAggregation;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleResponse;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSeverity;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleTypeCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRuleCreatePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRuleQuery;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SecurityMonitoringRuleCreatePayload body =
        new SecurityMonitoringRuleCreatePayload(
            new SecurityMonitoringStandardRuleCreatePayload()
                .queries(
                    Collections.singletonList(
                        new SecurityMonitoringStandardRuleQuery()
                            .aggregation(SecurityMonitoringRuleQueryAggregation.GEO_DATA)
                            .groupByFields(Collections.singletonList("@usr.id"))
                            .metric("@network.client.geoip")
                            .query("*")))
                .cases(
                    Collections.singletonList(
                        new SecurityMonitoringRuleCaseCreate()
                            .name("")
                            .status(SecurityMonitoringRuleSeverity.INFO)))
                .hasExtendedTitle(true)
                .message("test")
                .isEnabled(true)
                .options(
                    new SecurityMonitoringRuleOptions()
                        .maxSignalDuration(SecurityMonitoringRuleMaxSignalDuration.ONE_DAY)
                        .evaluationWindow(SecurityMonitoringRuleEvaluationWindow.FIFTEEN_MINUTES)
                        .keepAlive(SecurityMonitoringRuleKeepAlive.ONE_HOUR)
                        .detectionMethod(SecurityMonitoringRuleDetectionMethod.IMPOSSIBLE_TRAVEL)
                        .impossibleTravelOptions(
                            new SecurityMonitoringRuleImpossibleTravelOptions()
                                .baselineUserLocations(false)))
                .name(
                    "Example-Create_a_detection_rule_with_type_impossible_travel_returns_OK_response")
                .type(SecurityMonitoringRuleTypeCreate.LOG_DETECTION));

    try {
      SecurityMonitoringRuleResponse result = apiInstance.createSecurityMonitoringRule(body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#createSecurityMonitoringRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}
// Create a detection rule with type 'signal_correlation' returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCaseCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCreatePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleEvaluationWindow;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleKeepAlive;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleMaxSignalDuration;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleOptions;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleQueryAggregation;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleResponse;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSeverity;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalRuleCreatePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalRuleQuery;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalRuleType;
import java.util.Arrays;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    // there is a valid "security_rule" in the system
    String SECURITY_RULE_ID = System.getenv("SECURITY_RULE_ID");

    // there is a valid "security_rule_bis" in the system
    String SECURITY_RULE_BIS_ID = System.getenv("SECURITY_RULE_BIS_ID");

    SecurityMonitoringRuleCreatePayload body =
        new SecurityMonitoringRuleCreatePayload(
            new SecurityMonitoringSignalRuleCreatePayload()
                .name(
                    "Example-Create_a_detection_rule_with_type_signal_correlation_returns_OK_response_signal_rule")
                .queries(
                    Arrays.asList(
                        new SecurityMonitoringSignalRuleQuery()
                            .ruleId(SECURITY_RULE_ID)
                            .aggregation(SecurityMonitoringRuleQueryAggregation.EVENT_COUNT)
                            .correlatedByFields(Collections.singletonList("host"))
                            .correlatedQueryIndex(1),
                        new SecurityMonitoringSignalRuleQuery()
                            .ruleId(SECURITY_RULE_BIS_ID)
                            .aggregation(SecurityMonitoringRuleQueryAggregation.EVENT_COUNT)
                            .correlatedByFields(Collections.singletonList("host"))))
                .cases(
                    Collections.singletonList(
                        new SecurityMonitoringRuleCaseCreate()
                            .name("")
                            .status(SecurityMonitoringRuleSeverity.INFO)
                            .condition("a > 0 && b > 0")))
                .options(
                    new SecurityMonitoringRuleOptions()
                        .evaluationWindow(SecurityMonitoringRuleEvaluationWindow.FIFTEEN_MINUTES)
                        .keepAlive(SecurityMonitoringRuleKeepAlive.ONE_HOUR)
                        .maxSignalDuration(SecurityMonitoringRuleMaxSignalDuration.ONE_DAY))
                .message("Test signal correlation rule")
                .isEnabled(true)
                .type(SecurityMonitoringSignalRuleType.SIGNAL_CORRELATION));

    try {
      SecurityMonitoringRuleResponse result = apiInstance.createSecurityMonitoringRule(body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#createSecurityMonitoringRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
"""
Create a detection rule returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_rule_case_create import SecurityMonitoringRuleCaseCreate
from datadog_api_client.v2.model.security_monitoring_rule_evaluation_window import (
    SecurityMonitoringRuleEvaluationWindow,
)
from datadog_api_client.v2.model.security_monitoring_rule_keep_alive import SecurityMonitoringRuleKeepAlive
from datadog_api_client.v2.model.security_monitoring_rule_max_signal_duration import (
    SecurityMonitoringRuleMaxSignalDuration,
)
from datadog_api_client.v2.model.security_monitoring_rule_options import SecurityMonitoringRuleOptions
from datadog_api_client.v2.model.security_monitoring_rule_query_aggregation import (
    SecurityMonitoringRuleQueryAggregation,
)
from datadog_api_client.v2.model.security_monitoring_rule_severity import SecurityMonitoringRuleSeverity
from datadog_api_client.v2.model.security_monitoring_rule_type_create import SecurityMonitoringRuleTypeCreate
from datadog_api_client.v2.model.security_monitoring_standard_rule_create_payload import (
    SecurityMonitoringStandardRuleCreatePayload,
)
from datadog_api_client.v2.model.security_monitoring_standard_rule_query import SecurityMonitoringStandardRuleQuery

body = SecurityMonitoringStandardRuleCreatePayload(
    name="Example-Create_a_detection_rule_returns_OK_response",
    queries=[
        SecurityMonitoringStandardRuleQuery(
            query="@test:true",
            aggregation=SecurityMonitoringRuleQueryAggregation.COUNT,
            group_by_fields=[],
            distinct_fields=[],
            metric="",
        ),
    ],
    filters=[],
    cases=[
        SecurityMonitoringRuleCaseCreate(
            name="",
            status=SecurityMonitoringRuleSeverity.INFO,
            condition="a > 0",
            notifications=[],
        ),
    ],
    options=SecurityMonitoringRuleOptions(
        evaluation_window=SecurityMonitoringRuleEvaluationWindow.FIFTEEN_MINUTES,
        keep_alive=SecurityMonitoringRuleKeepAlive.ONE_HOUR,
        max_signal_duration=SecurityMonitoringRuleMaxSignalDuration.ONE_DAY,
    ),
    message="Test rule",
    tags=[],
    is_enabled=True,
    type=SecurityMonitoringRuleTypeCreate.LOG_DETECTION,
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.create_security_monitoring_rule(body=body)

    print(response)
"""
Create a detection rule with type 'impossible_travel' returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_rule_case_create import SecurityMonitoringRuleCaseCreate
from datadog_api_client.v2.model.security_monitoring_rule_detection_method import SecurityMonitoringRuleDetectionMethod
from datadog_api_client.v2.model.security_monitoring_rule_evaluation_window import (
    SecurityMonitoringRuleEvaluationWindow,
)
from datadog_api_client.v2.model.security_monitoring_rule_impossible_travel_options import (
    SecurityMonitoringRuleImpossibleTravelOptions,
)
from datadog_api_client.v2.model.security_monitoring_rule_keep_alive import SecurityMonitoringRuleKeepAlive
from datadog_api_client.v2.model.security_monitoring_rule_max_signal_duration import (
    SecurityMonitoringRuleMaxSignalDuration,
)
from datadog_api_client.v2.model.security_monitoring_rule_options import SecurityMonitoringRuleOptions
from datadog_api_client.v2.model.security_monitoring_rule_query_aggregation import (
    SecurityMonitoringRuleQueryAggregation,
)
from datadog_api_client.v2.model.security_monitoring_rule_severity import SecurityMonitoringRuleSeverity
from datadog_api_client.v2.model.security_monitoring_rule_type_create import SecurityMonitoringRuleTypeCreate
from datadog_api_client.v2.model.security_monitoring_standard_rule_create_payload import (
    SecurityMonitoringStandardRuleCreatePayload,
)
from datadog_api_client.v2.model.security_monitoring_standard_rule_query import SecurityMonitoringStandardRuleQuery

body = SecurityMonitoringStandardRuleCreatePayload(
    queries=[
        SecurityMonitoringStandardRuleQuery(
            aggregation=SecurityMonitoringRuleQueryAggregation.GEO_DATA,
            group_by_fields=[
                "@usr.id",
            ],
            distinct_fields=[],
            metric="@network.client.geoip",
            query="*",
        ),
    ],
    cases=[
        SecurityMonitoringRuleCaseCreate(
            name="",
            status=SecurityMonitoringRuleSeverity.INFO,
            notifications=[],
        ),
    ],
    has_extended_title=True,
    message="test",
    is_enabled=True,
    options=SecurityMonitoringRuleOptions(
        max_signal_duration=SecurityMonitoringRuleMaxSignalDuration.ONE_DAY,
        evaluation_window=SecurityMonitoringRuleEvaluationWindow.FIFTEEN_MINUTES,
        keep_alive=SecurityMonitoringRuleKeepAlive.ONE_HOUR,
        detection_method=SecurityMonitoringRuleDetectionMethod.IMPOSSIBLE_TRAVEL,
        impossible_travel_options=SecurityMonitoringRuleImpossibleTravelOptions(
            baseline_user_locations=False,
        ),
    ),
    name="Example-Create_a_detection_rule_with_type_impossible_travel_returns_OK_response",
    type=SecurityMonitoringRuleTypeCreate.LOG_DETECTION,
    tags=[],
    filters=[],
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.create_security_monitoring_rule(body=body)

    print(response)
"""
Create a detection rule with type 'signal_correlation' returns "OK" response
"""

from os import environ
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_rule_case_create import SecurityMonitoringRuleCaseCreate
from datadog_api_client.v2.model.security_monitoring_rule_evaluation_window import (
    SecurityMonitoringRuleEvaluationWindow,
)
from datadog_api_client.v2.model.security_monitoring_rule_keep_alive import SecurityMonitoringRuleKeepAlive
from datadog_api_client.v2.model.security_monitoring_rule_max_signal_duration import (
    SecurityMonitoringRuleMaxSignalDuration,
)
from datadog_api_client.v2.model.security_monitoring_rule_options import SecurityMonitoringRuleOptions
from datadog_api_client.v2.model.security_monitoring_rule_query_aggregation import (
    SecurityMonitoringRuleQueryAggregation,
)
from datadog_api_client.v2.model.security_monitoring_rule_severity import SecurityMonitoringRuleSeverity
from datadog_api_client.v2.model.security_monitoring_signal_rule_create_payload import (
    SecurityMonitoringSignalRuleCreatePayload,
)
from datadog_api_client.v2.model.security_monitoring_signal_rule_query import SecurityMonitoringSignalRuleQuery
from datadog_api_client.v2.model.security_monitoring_signal_rule_type import SecurityMonitoringSignalRuleType

# there is a valid "security_rule" in the system
SECURITY_RULE_ID = environ["SECURITY_RULE_ID"]

# there is a valid "security_rule_bis" in the system
SECURITY_RULE_BIS_ID = environ["SECURITY_RULE_BIS_ID"]

body = SecurityMonitoringSignalRuleCreatePayload(
    name="Example-Create_a_detection_rule_with_type_signal_correlation_returns_OK_response_signal_rule",
    queries=[
        SecurityMonitoringSignalRuleQuery(
            rule_id=SECURITY_RULE_ID,
            aggregation=SecurityMonitoringRuleQueryAggregation.EVENT_COUNT,
            correlated_by_fields=[
                "host",
            ],
            correlated_query_index=1,
        ),
        SecurityMonitoringSignalRuleQuery(
            rule_id=SECURITY_RULE_BIS_ID,
            aggregation=SecurityMonitoringRuleQueryAggregation.EVENT_COUNT,
            correlated_by_fields=[
                "host",
            ],
        ),
    ],
    filters=[],
    cases=[
        SecurityMonitoringRuleCaseCreate(
            name="",
            status=SecurityMonitoringRuleSeverity.INFO,
            condition="a > 0 && b > 0",
            notifications=[],
        ),
    ],
    options=SecurityMonitoringRuleOptions(
        evaluation_window=SecurityMonitoringRuleEvaluationWindow.FIFTEEN_MINUTES,
        keep_alive=SecurityMonitoringRuleKeepAlive.ONE_HOUR,
        max_signal_duration=SecurityMonitoringRuleMaxSignalDuration.ONE_DAY,
    ),
    message="Test signal correlation rule",
    tags=[],
    is_enabled=True,
    type=SecurityMonitoringSignalRuleType.SIGNAL_CORRELATION,
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.create_security_monitoring_rule(body=body)

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
# Create a detection rule returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::SecurityMonitoringStandardRuleCreatePayload.new({
  name: "Example-Create_a_detection_rule_returns_OK_response",
  queries: [
    DatadogAPIClient::V2::SecurityMonitoringStandardRuleQuery.new({
      query: "@test:true",
      aggregation: DatadogAPIClient::V2::SecurityMonitoringRuleQueryAggregation::COUNT,
      group_by_fields: [],
      distinct_fields: [],
      metric: "",
    }),
  ],
  filters: [],
  cases: [
    DatadogAPIClient::V2::SecurityMonitoringRuleCaseCreate.new({
      name: "",
      status: DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::INFO,
      condition: "a > 0",
      notifications: [],
    }),
  ],
  options: DatadogAPIClient::V2::SecurityMonitoringRuleOptions.new({
    evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::FIFTEEN_MINUTES,
    keep_alive: DatadogAPIClient::V2::SecurityMonitoringRuleKeepAlive::ONE_HOUR,
    max_signal_duration: DatadogAPIClient::V2::SecurityMonitoringRuleMaxSignalDuration::ONE_DAY,
  }),
  message: "Test rule",
  tags: [],
  is_enabled: true,
  type: DatadogAPIClient::V2::SecurityMonitoringRuleTypeCreate::LOG_DETECTION,
})
p api_instance.create_security_monitoring_rule(body)
# Create a detection rule with type 'impossible_travel' returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::SecurityMonitoringStandardRuleCreatePayload.new({
  queries: [
    DatadogAPIClient::V2::SecurityMonitoringStandardRuleQuery.new({
      aggregation: DatadogAPIClient::V2::SecurityMonitoringRuleQueryAggregation::GEO_DATA,
      group_by_fields: [
        "@usr.id",
      ],
      distinct_fields: [],
      metric: "@network.client.geoip",
      query: "*",
    }),
  ],
  cases: [
    DatadogAPIClient::V2::SecurityMonitoringRuleCaseCreate.new({
      name: "",
      status: DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::INFO,
      notifications: [],
    }),
  ],
  has_extended_title: true,
  message: "test",
  is_enabled: true,
  options: DatadogAPIClient::V2::SecurityMonitoringRuleOptions.new({
    max_signal_duration: DatadogAPIClient::V2::SecurityMonitoringRuleMaxSignalDuration::ONE_DAY,
    evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::FIFTEEN_MINUTES,
    keep_alive: DatadogAPIClient::V2::SecurityMonitoringRuleKeepAlive::ONE_HOUR,
    detection_method: DatadogAPIClient::V2::SecurityMonitoringRuleDetectionMethod::IMPOSSIBLE_TRAVEL,
    impossible_travel_options: DatadogAPIClient::V2::SecurityMonitoringRuleImpossibleTravelOptions.new({
      baseline_user_locations: false,
    }),
  }),
  name: "Example-Create_a_detection_rule_with_type_impossible_travel_returns_OK_response",
  type: DatadogAPIClient::V2::SecurityMonitoringRuleTypeCreate::LOG_DETECTION,
  tags: [],
  filters: [],
})
p api_instance.create_security_monitoring_rule(body)
# Create a detection rule with type 'signal_correlation' returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

# there is a valid "security_rule" in the system
SECURITY_RULE_ID = ENV["SECURITY_RULE_ID"]

# there is a valid "security_rule_bis" in the system
SECURITY_RULE_BIS_ID = ENV["SECURITY_RULE_BIS_ID"]

body = DatadogAPIClient::V2::SecurityMonitoringSignalRuleCreatePayload.new({
  name: "Example-Create_a_detection_rule_with_type_signal_correlation_returns_OK_response_signal_rule",
  queries: [
    DatadogAPIClient::V2::SecurityMonitoringSignalRuleQuery.new({
      rule_id: SECURITY_RULE_ID,
      aggregation: DatadogAPIClient::V2::SecurityMonitoringRuleQueryAggregation::EVENT_COUNT,
      correlated_by_fields: [
        "host",
      ],
      correlated_query_index: 1,
    }),
    DatadogAPIClient::V2::SecurityMonitoringSignalRuleQuery.new({
      rule_id: SECURITY_RULE_BIS_ID,
      aggregation: DatadogAPIClient::V2::SecurityMonitoringRuleQueryAggregation::EVENT_COUNT,
      correlated_by_fields: [
        "host",
      ],
    }),
  ],
  filters: [],
  cases: [
    DatadogAPIClient::V2::SecurityMonitoringRuleCaseCreate.new({
      name: "",
      status: DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::INFO,
      condition: "a > 0 && b > 0",
      notifications: [],
    }),
  ],
  options: DatadogAPIClient::V2::SecurityMonitoringRuleOptions.new({
    evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::FIFTEEN_MINUTES,
    keep_alive: DatadogAPIClient::V2::SecurityMonitoringRuleKeepAlive::ONE_HOUR,
    max_signal_duration: DatadogAPIClient::V2::SecurityMonitoringRuleMaxSignalDuration::ONE_DAY,
  }),
  message: "Test signal correlation rule",
  tags: [],
  is_enabled: true,
  type: DatadogAPIClient::V2::SecurityMonitoringSignalRuleType::SIGNAL_CORRELATION,
})
p api_instance.create_security_monitoring_rule(body)

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
/**
 * Create a detection rule returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiCreateSecurityMonitoringRuleRequest = {
  body: {
    name: "Example-Create_a_detection_rule_returns_OK_response",
    queries: [
      {
        query: "@test:true",
        aggregation: "count",
        groupByFields: [],
        distinctFields: [],
        metric: "",
      },
    ],
    filters: [],
    cases: [
      {
        name: "",
        status: "info",
        condition: "a > 0",
        notifications: [],
      },
    ],
    options: {
      evaluationWindow: 900,
      keepAlive: 3600,
      maxSignalDuration: 86400,
    },
    message: "Test rule",
    tags: [],
    isEnabled: true,
    type: "log_detection",
  },
};

apiInstance
  .createSecurityMonitoringRule(params)
  .then((data: v2.SecurityMonitoringRuleResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
/**
 * Create a detection rule with type 'impossible_travel' returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiCreateSecurityMonitoringRuleRequest = {
  body: {
    queries: [
      {
        aggregation: "geo_data",
        groupByFields: ["@usr.id"],
        distinctFields: [],
        metric: "@network.client.geoip",
        query: "*",
      },
    ],
    cases: [
      {
        name: "",
        status: "info",
        notifications: [],
      },
    ],
    hasExtendedTitle: true,
    message: "test",
    isEnabled: true,
    options: {
      maxSignalDuration: 86400,
      evaluationWindow: 900,
      keepAlive: 3600,
      detectionMethod: "impossible_travel",
      impossibleTravelOptions: {
        baselineUserLocations: false,
      },
    },
    name: "Example-Create_a_detection_rule_with_type_impossible_travel_returns_OK_response",
    type: "log_detection",
    tags: [],
    filters: [],
  },
};

apiInstance
  .createSecurityMonitoringRule(params)
  .then((data: v2.SecurityMonitoringRuleResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));
/**
 * Create a detection rule with type 'signal_correlation' returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

// there is a valid "security_rule" in the system
const SECURITY_RULE_ID = process.env.SECURITY_RULE_ID as string;

// there is a valid "security_rule_bis" in the system
const SECURITY_RULE_BIS_ID = process.env.SECURITY_RULE_BIS_ID as string;

const params: v2.SecurityMonitoringApiCreateSecurityMonitoringRuleRequest = {
  body: {
    name: "Example-Create_a_detection_rule_with_type_signal_correlation_returns_OK_response_signal_rule",
    queries: [
      {
        ruleId: SECURITY_RULE_ID,
        aggregation: "event_count",
        correlatedByFields: ["host"],
        correlatedQueryIndex: 1,
      },
      {
        ruleId: SECURITY_RULE_BIS_ID,
        aggregation: "event_count",
        correlatedByFields: ["host"],
      },
    ],
    filters: [],
    cases: [
      {
        name: "",
        status: "info",
        condition: "a > 0 && b > 0",
        notifications: [],
      },
    ],
    options: {
      evaluationWindow: 900,
      keepAlive: 3600,
      maxSignalDuration: 86400,
    },
    message: "Test signal correlation rule",
    tags: [],
    isEnabled: true,
    type: "signal_correlation",
  },
};

apiInstance
  .createSecurityMonitoringRule(params)
  .then((data: v2.SecurityMonitoringRuleResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

GET https://api.datadoghq.eu/api/v2/security_monitoring/rules/{rule_id}https://api.ddog-gov.com/api/v2/security_monitoring/rules/{rule_id}https://api.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}https://api.us3.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}https://api.us5.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}

概要

Get a rule’s details. This endpoint requires the security_monitoring_rules_read authorization scope.

引数

パスパラメーター

名前

種類

説明

rule_id [required]

string

The ID of the rule.

応答

OK

Create a new rule.

Expand All

フィールド

種類

説明

Option 1

Rule.

cases

[object]

Cases for generating signals.

condition

string

A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated based on the event counts in the previously defined queries.

name

string

Name of the case.

notifications

[string]

Notification targets for each rule case.

status

enum

Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

createdAt

int64

When the rule was created, timestamp in milliseconds.

creationAuthorId

int64

User ID of the user who created the rule.

filters

[object]

Additional queries to filter matched events before they are processed.

action

enum

The type of filtering action. Allowed enum values: require,suppress

query

string

Query for selecting logs to apply the filtering action.

hasExtendedTitle

boolean

Whether the notifications include the triggering group-by values in their title.

id

string

The ID of the rule.

isDefault

boolean

Whether the rule is included by default.

isDeleted

boolean

Whether the rule has been deleted.

isEnabled

boolean

Whether the rule is enabled.

message

string

Message for generated signals.

name

string

The name of the rule.

options

object

Options on rules.

decreaseCriticalityBasedOnEnv

boolean

If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise. The severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO. The decrement is applied when the environment tag of the signal starts with staging, test or dev.

detectionMethod

enum

The detection method. Allowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded

evaluationWindow

enum

A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. Allowed enum values: 0,60,300,600,900,1800,3600,7200

hardcodedEvaluatorType

enum

Hardcoded evaluator type. Allowed enum values: log4shell

impossibleTravelOptions

object

Options on impossible travel rules.

baselineUserLocations

boolean

If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.

keepAlive

enum

Once a signal is generated, the signal will remain “open” if a case is matched at least once within this keep alive window. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600

maxSignalDuration

enum

A signal will “close” regardless of the query being matched once the time exceeds the maximum duration. This time is calculated from the first seen timestamp. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

newValueOptions

object

Options on new value rules.

forgetAfter

enum

The duration in days after which a learned value is forgotten. Allowed enum values: 1,2,7,14,21,28

learningDuration

enum

The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. Allowed enum values: 0,1,7

learningMethod

enum

The learning method used to determine when signals should be generated for values that weren't learned. Allowed enum values: duration,threshold

learningThreshold

enum

A number of occurrences after which signals will be generated for values that weren't learned. Allowed enum values: 0,1

queries

[object]

Queries for selecting logs which are part of the rule.

aggregation

enum

The aggregation type. Allowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count

distinctFields

[string]

Field for which the cardinality is measured. Sent as an array.

groupByFields

[string]

Fields to group by.

metric

string

DEPRECATED: (Deprecated) The target field to aggregate over when using the sum or max aggregations. metrics field should be used instead.

metrics

[string]

Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.

name

string

Name of the query.

query [required]

string

Query to run on logs.

tags

[string]

Tags for generated signals.

type

enum

The rule type. Allowed enum values: log_detection,infrastructure_configuration,workload_security,cloud_configuration

updateAuthorId

int64

User ID of the user who updated the rule.

version

int64

The version of the rule.

Option 2

Rule.

cases

[object]

Cases for generating signals.

condition

string

A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated based on the event counts in the previously defined queries.

name

string

Name of the case.

notifications

[string]

Notification targets for each rule case.

status

enum

Severity of the Security Signal. Allowed enum values: info,low,medium,high,critical

createdAt

int64

When the rule was created, timestamp in milliseconds.

creationAuthorId

int64

User ID of the user who created the rule.

filters

[object]

Additional queries to filter matched events before they are processed.

action

enum

The type of filtering action. Allowed enum values: require,suppress

query

string

Query for selecting logs to apply the filtering action.

hasExtendedTitle

boolean

Whether the notifications include the triggering group-by values in their title.

id

string

The ID of the rule.

isDefault

boolean

Whether the rule is included by default.

isDeleted

boolean

Whether the rule has been deleted.

isEnabled

boolean

Whether the rule is enabled.

message

string

Message for generated signals.

name

string

The name of the rule.

options

object

Options on rules.

decreaseCriticalityBasedOnEnv

boolean

If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise. The severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO. The decrement is applied when the environment tag of the signal starts with staging, test or dev.

detectionMethod

enum

The detection method. Allowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded

evaluationWindow

enum

A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. Allowed enum values: 0,60,300,600,900,1800,3600,7200

hardcodedEvaluatorType

enum

Hardcoded evaluator type. Allowed enum values: log4shell

impossibleTravelOptions

object

Options on impossible travel rules.

baselineUserLocations

boolean

If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.

keepAlive

enum

Once a signal is generated, the signal will remain “open” if a case is matched at least once within this keep alive window. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600

maxSignalDuration

enum

A signal will “close” regardless of the query being matched once the time exceeds the maximum duration. This time is calculated from the first seen timestamp. Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400

newValueOptions

object

Options on new value rules.

forgetAfter

enum

The duration in days after which a learned value is forgotten. Allowed enum values: 1,2,7,14,21,28

learningDuration

enum

The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. Allowed enum values: 0,1,7

learningMethod

enum

The learning method used to determine when signals should be generated for values that weren't learned. Allowed enum values: duration,threshold

learningThreshold

enum

A number of occurrences after which signals will be generated for values that weren't learned. Allowed enum values: 0,1

queries

[object]

Queries for selecting logs which are part of the rule.

aggregation

enum

The aggregation type. Allowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count

correlatedByFields

[string]

Fields to group by.

correlatedQueryIndex

int32

Index of the rule query used to retrieve the correlated field.

defaultRuleId

string

Default Rule ID to match on signals.

metrics

[string]

Group of target fields to aggregate over.

name

string

Name of the query.

ruleId

string

Rule ID to match on signals.

tags

[string]

Tags for generated signals.

type

enum

The rule type. Allowed enum values: signal_correlation

updateAuthorId

int64

User ID of the user who updated the rule.

version

int64

The version of the rule.

{
  "cases": [
    {
      "condition": "string",
      "name": "string",
      "notifications": [],
      "status": "critical"
    }
  ],
  "createdAt": "integer",
  "creationAuthorId": "integer",
  "filters": [
    {
      "action": "string",
      "query": "string"
    }
  ],
  "hasExtendedTitle": false,
  "id": "string",
  "isDefault": false,
  "isDeleted": false,
  "isEnabled": false,
  "message": "string",
  "name": "string",
  "options": {
    "decreaseCriticalityBasedOnEnv": false,
    "detectionMethod": "string",
    "evaluationWindow": "integer",
    "hardcodedEvaluatorType": "string",
    "impossibleTravelOptions": {
      "baselineUserLocations": true
    },
    "keepAlive": "integer",
    "maxSignalDuration": "integer",
    "newValueOptions": {
      "forgetAfter": "integer",
      "learningDuration": "integer",
      "learningMethod": "string",
      "learningThreshold": "integer"
    }
  },
  "queries": [
    {
      "aggregation": "string",
      "distinctFields": [],
      "groupByFields": [],
      "metric": "string",
      "metrics": [],
      "name": "string",
      "query": "a > 3"
    }
  ],
  "tags": [],
  "type": "string",
  "updateAuthorId": "integer",
  "version": "integer"
}

Not Found

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

フィールド

種類

説明

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

コード例


# Path parameters
export rule_id="CHANGE_ME"
# Curl command curl -X GET "https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/rules/${rule_id}" \ -H "Accept: application/json" \ -H "DD-API-KEY: ${DD_API_KEY}" \ -H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
// Get a rule's details returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	// there is a valid "security_rule" in the system
	SecurityRuleID := os.Getenv("SECURITY_RULE_ID")

	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.GetSecurityMonitoringRule(ctx, SecurityRuleID)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.GetSecurityMonitoringRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.GetSecurityMonitoringRule`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
// Get a rule's details returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    // there is a valid "security_rule" in the system
    String SECURITY_RULE_ID = System.getenv("SECURITY_RULE_ID");

    try {
      SecurityMonitoringRuleResponse result =
          apiInstance.getSecurityMonitoringRule(SECURITY_RULE_ID);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#getSecurityMonitoringRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
"""
Get a rule's details returns "OK" response
"""

from os import environ
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

# there is a valid "security_rule" in the system
SECURITY_RULE_ID = environ["SECURITY_RULE_ID"]

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.get_security_monitoring_rule(
        rule_id=SECURITY_RULE_ID,
    )

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
# Get a rule's details returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

# there is a valid "security_rule" in the system
SECURITY_RULE_ID = ENV["SECURITY_RULE_ID"]
p api_instance.get_security_monitoring_rule(SECURITY_RULE_ID)

Instructions

First install the library and its dependencies and then save the example to example.rb