Security Monitoring

Detection rules for generating signals and listing of generated signals.

List findings

v2 (latest)

Note: This endpoint is in public beta. If you have any feedback, contact Datadog support.

GET https://api.ap1.datadoghq.com/api/v2/posture_management/findingshttps://api.datadoghq.eu/api/v2/posture_management/findingshttps://api.ddog-gov.com/api/v2/posture_management/findingshttps://api.datadoghq.com/api/v2/posture_management/findingshttps://api.us3.datadoghq.com/api/v2/posture_management/findingshttps://api.us5.datadoghq.com/api/v2/posture_management/findings

개요

Get a list of CSPM findings.

Filtering

Filters can be applied by appending query parameters to the URL.

Using a single filter: ?filter[attribute_key]=attribute_value
Chaining filters: ?filter[attribute_key]=attribute_value&filter[attribute_key]=attribute_value...
Filtering on tags: ?filter[tags]=tag_key:tag_value&filter[tags]=tag_key_2:tag_value_2

Here, attribute_key can be any of the filter keys described further below.

Query parameters of type integer support comparison operators (>, >=, <, <=). This is particularly useful when filtering by evaluation_changed_at or resource_discovery_timestamp. For example: ?filter[evaluation_changed_at]=>20123123121.

You can also use the negation operator on strings. For example, use filter[resource_type]=-aws* to filter for any non-AWS resources.

The operator must come after the equal sign. For example, to filter with the >= operator, add the operator after the equal sign: filter[evaluation_changed_at]=>=1678809373257.

Query parameters must be only among the documented ones and with values of correct types. Duplicated query parameters (e.g. filter[status]=low&filter[status]=info) are not allowed.

Response

The response includes an array of finding objects, pagination metadata, and a count of items that match the query.

Each finding object contains the following:

The finding ID that can be used in a GetFinding request to retrieve the full finding details.
Core attributes, including status, evaluation, high-level resource details, muted state, and rule details.
evaluation_changed_at and resource_discovery_date time stamps.
An array of associated tags.

This endpoint requires the security_monitoring_findings_read authorization scope.

인수

Query Strings

이름

유형

설명

page[limit]

integer

Limit the number of findings returned. Must be <= 1000.

snapshot_timestamp

integer

Return findings for a given snapshot of time (Unix ms).

page[cursor]

string

Return the next page of findings pointed to by the cursor.

filter[tags]

string

Return findings that have these associated tags (repeatable).

filter[evaluation_changed_at]

string

Return findings that have changed from pass to fail or vice versa on a specified date (Unix ms) or date range (using comparison operators).

filter[muted]

boolean

Set to true to return findings that are muted. Set to false to return unmuted findings.

filter[rule_id]

string

Return findings for the specified rule ID.

filter[rule_name]

string

Return findings for the specified rule.

filter[resource_type]

string

Return only findings for the specified resource type.

filter[discovery_timestamp]

string

Return findings that were found on a specified date (Unix ms) or date range (using comparison operators).

filter[evaluation]

enum

Return only pass or fail findings.
Allowed enum values: pass, fail

filter[status]

enum

Return only findings with the specified status.
Allowed enum values: critical, high, medium, low, info

응답

The expected response schema when listing findings.

Expand All

항목

유형

설명

data [required]

[object]

Array of findings.

meta [required]

object

Metadata for pagination.

{
  "data": [
    {
      "attributes": {
        "evaluation": "pass",
        "evaluation_changed_at": 1678721573794,
        "mute": {
          "description": "To be resolved later",
          "expiration_date": 1778721573794,
          "muted": true,
          "reason": "ACCEPTED_RISK",
          "start_date": 1678721573794,
          "uuid": "e51c9744-d158-11ec-ad23-da7ad0900002"
        },
        "resource": "my_resource_name",
        "resource_discovery_date": 1678721573794,
        "resource_type": "azure_storage_account",
        "rule": {
          "id": "dv2-jzf-41i",
          "name": "Soft delete is enabled for Azure Storage"
        },
        "status": "critical",
        "tags": [
          "cloud_provider:aws",
          "myTag:myValue"
        ]
      },
      "id": "ZGVmLTAwcC1pZXJ-aS0wZjhjNjMyZDNmMzRlZTgzNw==",
      "type": "finding"
    }
  ],
  "meta": {
    "page": {
      "cursor": "eyJhZnRlciI6IkFRQUFBWWJiaEJXQS1OY1dqUUFBQUFCQldXSmlhRUpYUVVGQlJFSktkbTlDTUdaWFRVbDNRVUUiLCJ2YWx1ZXMiOlsiY3JpdGljYWwiXX0=",
      "total_filtered_count": 213
    },
    "snapshot_timestamp": 1678721573794
  }
}

Bad Request: The server cannot process the request due to invalid syntax in the request.

API error response.

Expand All

항목

유형

설명

errors [required]

[object]

A list of errors.

{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "status": "400",
      "title": "Bad Request"
    }
  ]
}

Forbidden: Access denied

API error response.

Expand All

항목

유형

설명

errors [required]

[object]

A list of errors.

{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "status": "400",
      "title": "Bad Request"
    }
  ]
}

Not Found: The requested finding cannot be found.

API error response.

Expand All

항목

유형

설명

errors [required]

[object]

A list of errors.

{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "status": "400",
      "title": "Bad Request"
    }
  ]
}

Too many requests: The rate limit set by the API has been exceeded.

API error response.

Expand All

항목

유형

설명

errors [required]

[object]

A list of errors.

{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "status": "400",
      "title": "Bad Request"
    }
  ]
}

Code Example

                  # Curl command
curl -X GET "https://api.ap1.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/posture_management/findings" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"

                

"""
List findings returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

configuration = Configuration()
configuration.unstable_operations["list_findings"] = True
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.list_findings()

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"

# List findings returns "OK" response

require "datadog_api_client"
DatadogAPIClient.configure do |config|
  config.unstable_operations["v2.list_findings".to_sym] = true
end
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
p api_instance.list_findings()

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"

// List findings returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	configuration.SetUnstableOperationEnabled("v2.ListFindings", true)
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.ListFindings(ctx, *datadogV2.NewListFindingsOptionalParameters())

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.ListFindings`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.ListFindings`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"

// List findings returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.ListFindingsResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    defaultClient.setUnstableOperationEnabled("v2.listFindings", true);
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    try {
      ListFindingsResponse result = apiInstance.listFindings();
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#listFindings");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

/**
 * List findings returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
configuration.unstableOperations["v2.listFindings"] = true;
const apiInstance = new v2.SecurityMonitoringApi(configuration);

apiInstance
  .listFindings()
  .then((data: v2.ListFindingsResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

Get a finding

v2 (latest)

Note: This endpoint is in public beta. If you have any feedback, contact Datadog support.

GET https://api.ap1.datadoghq.com/api/v2/posture_management/findings/{finding_id}https://api.datadoghq.eu/api/v2/posture_management/findings/{finding_id}https://api.ddog-gov.com/api/v2/posture_management/findings/{finding_id}https://api.datadoghq.com/api/v2/posture_management/findings/{finding_id}https://api.us3.datadoghq.com/api/v2/posture_management/findings/{finding_id}https://api.us5.datadoghq.com/api/v2/posture_management/findings/{finding_id}

개요

Returns a single finding with message and resource configuration. This endpoint requires the security_monitoring_findings_read authorization scope.

인수

Path Parameters

이름

유형

설명

finding_id [required]

string

The ID of the finding.

Query Strings

이름

유형

설명

snapshot_timestamp

integer

Return the finding for a given snapshot of time (Unix ms).

응답

The expected response schema when getting a finding.

Expand All

항목

유형

설명

data [required]

object

A single finding with with message and resource configuration.

{
  "data": {
    "attributes": {
      "evaluation": "pass",
      "evaluation_changed_at": 1678721573794,
      "message": "## Remediation\n\n### From the console\n\n1. Go to Storage Account\n2. For each Storage Account, navigate to Data Protection\n3. Select Set soft delete enabled and enter the number of days to retain soft deleted data.",
      "mute": {
        "description": "To be resolved later",
        "expiration_date": 1778721573794,
        "muted": true,
        "reason": "ACCEPTED_RISK",
        "start_date": 1678721573794,
        "uuid": "e51c9744-d158-11ec-ad23-da7ad0900002"
      },
      "resource": "my_resource_name",
      "resource_configuration": {},
      "resource_discovery_date": 1678721573794,
      "resource_type": "azure_storage_account",
      "rule": {
        "id": "dv2-jzf-41i",
        "name": "Soft delete is enabled for Azure Storage"
      },
      "status": "critical",
      "tags": [
        "cloud_provider:aws",
        "myTag:myValue"
      ]
    },
    "id": "ZGVmLTAwcC1pZXJ-aS0wZjhjNjMyZDNmMzRlZTgzNw==",
    "type": "detailed_finding"
  }
}

Bad Request: The server cannot process the request due to invalid syntax in the request.

API error response.

Expand All

항목

유형

설명

errors [required]

[object]

A list of errors.

{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "status": "400",
      "title": "Bad Request"
    }
  ]
}

Forbidden: Access denied

API error response.

Expand All

항목

유형

설명

errors [required]

[object]

A list of errors.

{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "status": "400",
      "title": "Bad Request"
    }
  ]
}

Not Found: The requested finding cannot be found.

API error response.

Expand All

항목

유형

설명

errors [required]

[object]

A list of errors.

{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "status": "400",
      "title": "Bad Request"
    }
  ]
}

Too many requests: The rate limit set by the API has been exceeded.

API error response.

Expand All

항목

유형

설명

errors [required]

[object]

A list of errors.

{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "status": "400",
      "title": "Bad Request"
    }
  ]
}

Code Example

                  # Path parameters
export finding_id="CHANGE_ME"
# Curl command
curl -X GET "https://api.ap1.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/posture_management/findings/${finding_id}" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"

                

"""
Get a finding returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

configuration = Configuration()
configuration.unstable_operations["get_finding"] = True
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.get_finding(
        finding_id="AgAAAYd59gjghzF52gAAAAAAAAAYAAAAAEFZZDU5Z2pnQUFCRTRvV1lFeEo4SlFBQQAAACQAAAAAMDE4NzdhMDEtMDRiYS00NTZlLWFmMzMtNTIxNmNkNjVlNDMz",
    )

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"

# Get a finding returns "OK" response

require "datadog_api_client"
DatadogAPIClient.configure do |config|
  config.unstable_operations["v2.get_finding".to_sym] = true
end
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
p api_instance.get_finding("AgAAAYd59gjghzF52gAAAAAAAAAYAAAAAEFZZDU5Z2pnQUFCRTRvV1lFeEo4SlFBQQAAACQAAAAAMDE4NzdhMDEtMDRiYS00NTZlLWFmMzMtNTIxNmNkNjVlNDMz")

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"

// Get a finding returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	configuration.SetUnstableOperationEnabled("v2.GetFinding", true)
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.GetFinding(ctx, "AgAAAYd59gjghzF52gAAAAAAAAAYAAAAAEFZZDU5Z2pnQUFCRTRvV1lFeEo4SlFBQQAAACQAAAAAMDE4NzdhMDEtMDRiYS00NTZlLWFmMzMtNTIxNmNkNjVlNDMz", *datadogV2.NewGetFindingOptionalParameters())

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.GetFinding`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.GetFinding`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"

// Get a finding returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.GetFindingResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    defaultClient.setUnstableOperationEnabled("v2.getFinding", true);
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    try {
      GetFindingResponse result =
          apiInstance.getFinding(
              "AgAAAYd59gjghzF52gAAAAAAAAAYAAAAAEFZZDU5Z2pnQUFCRTRvV1lFeEo4SlFBQQAAACQAAAAAMDE4NzdhMDEtMDRiYS00NTZlLWFmMzMtNTIxNmNkNjVlNDMz");
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#getFinding");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

/**
 * Get a finding returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
configuration.unstableOperations["v2.getFinding"] = true;
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiGetFindingRequest = {
  findingId:
    "AgAAAYd59gjghzF52gAAAAAAAAAYAAAAAEFZZDU5Z2pnQUFCRTRvV1lFeEo4SlFBQQAAACQAAAAAMDE4NzdhMDEtMDRiYS00NTZlLWFmMzMtNTIxNmNkNjVlNDMz",
};

apiInstance
  .getFinding(params)
  .then((data: v2.GetFindingResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

Mute or unmute a batch of findings

v2 (latest)

Note: This endpoint is in public beta. If you have any feedback, contact Datadog support.

PATCH https://api.ap1.datadoghq.com/api/v2/posture_management/findingshttps://api.datadoghq.eu/api/v2/posture_management/findingshttps://api.ddog-gov.com/api/v2/posture_management/findingshttps://api.datadoghq.com/api/v2/posture_management/findingshttps://api.us3.datadoghq.com/api/v2/posture_management/findingshttps://api.us5.datadoghq.com/api/v2/posture_management/findings

개요

Mute or unmute findings.

요청

Body Data (required)

Attributes

All findings are updated with the same attributes. The request body must include at least two attributes: muted and reason. The allowed reasons depend on whether the finding is being muted or unmuted:

To mute a finding: PENDING_FIX, FALSE_POSITIVE, ACCEPTED_RISK, OTHER.
To unmute a finding : NO_PENDING_FIX, HUMAN_ERROR, NO_LONGER_ACCEPTED_RISK, OTHER.

응답

The expected response schema.

Expand All

항목

유형

설명

data [required]

object

Data object containing the ID of the request that was updated.

{
  "data": {
    "id": "93bfeb70-af47-424d-908a-948d3f08e37f",
    "type": "finding"
  }
}

Bad Request: The server cannot process the request due to invalid syntax in the request.

API error response.

Expand All

항목

유형

설명

errors [required]

[object]

A list of errors.

{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "status": "400",
      "title": "Bad Request"
    }
  ]
}

Forbidden: Access denied

API error response.

Expand All

항목

유형

설명

errors [required]

[object]

A list of errors.

{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "status": "400",
      "title": "Bad Request"
    }
  ]
}

Not Found: The requested finding cannot be found.

API error response.

Expand All

항목

유형

설명

errors [required]

[object]

A list of errors.

{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "status": "400",
      "title": "Bad Request"
    }
  ]
}

Invalid Request: The server understands the request syntax but cannot process it due to invalid data.

API error response.

Expand All

항목

유형

설명

errors [required]

[object]

A list of errors.

{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "status": "400",
      "title": "Bad Request"
    }
  ]
}

Too many requests: The rate limit set by the API has been exceeded.

API error response.

Expand All

항목

유형

설명

errors [required]

[object]

A list of errors.

{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "status": "400",
      "title": "Bad Request"
    }
  ]
}

Code Example

                          # Curl command
curl -X PATCH "https://api.ap1.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/posture_management/findings" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": {
    "attributes": {
      "mute": {
        "expiration_date": 1778721573794,
        "muted": true,
        "reason": "ACCEPTED_RISK"
      }
    },
    "id": "dbe5f567-192b-4404-b908-29b70e1c9f76",
    "meta": {
      "findings": [
        {
          "finding_id": "ZGVmLTAwcC1pZXJ-aS0wZjhjNjMyZDNmMzRlZTgzNw=="
        }
      ]
    },
    "type": "finding"
  }
}
EOF

                        

// Mute or unmute a batch of findings returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.BulkMuteFindingsRequest{
		Data: datadogV2.BulkMuteFindingsRequestData{
			Attributes: datadogV2.BulkMuteFindingsRequestAttributes{
				Mute: datadogV2.BulkMuteFindingsRequestProperties{
					ExpirationDate: datadog.PtrInt64(1778721573794),
					Muted:          true,
					Reason:         datadogV2.FINDINGMUTEREASON_ACCEPTED_RISK,
				},
			},
			Id: "dbe5f567-192b-4404-b908-29b70e1c9f76",
			Meta: datadogV2.BulkMuteFindingsRequestMeta{
				Findings: []datadogV2.BulkMuteFindingsRequestMetaFindings{
					{
						FindingId: datadog.PtrString("ZGVmLTAwcC1pZXJ-aS0wZjhjNjMyZDNmMzRlZTgzNw=="),
					},
				},
			},
			Type: datadogV2.FINDINGTYPE_FINDING,
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	configuration.SetUnstableOperationEnabled("v2.MuteFindings", true)
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.MuteFindings(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.MuteFindings`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.MuteFindings`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"

// Mute or unmute a batch of findings returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.BulkMuteFindingsRequest;
import com.datadog.api.client.v2.model.BulkMuteFindingsRequestAttributes;
import com.datadog.api.client.v2.model.BulkMuteFindingsRequestData;
import com.datadog.api.client.v2.model.BulkMuteFindingsRequestMeta;
import com.datadog.api.client.v2.model.BulkMuteFindingsRequestMetaFindings;
import com.datadog.api.client.v2.model.BulkMuteFindingsRequestProperties;
import com.datadog.api.client.v2.model.BulkMuteFindingsResponse;
import com.datadog.api.client.v2.model.FindingMuteReason;
import com.datadog.api.client.v2.model.FindingType;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    defaultClient.setUnstableOperationEnabled("v2.muteFindings", true);
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    BulkMuteFindingsRequest body =
        new BulkMuteFindingsRequest()
            .data(
                new BulkMuteFindingsRequestData()
                    .attributes(
                        new BulkMuteFindingsRequestAttributes()
                            .mute(
                                new BulkMuteFindingsRequestProperties()
                                    .expirationDate(1778721573794L)
                                    .muted(true)
                                    .reason(FindingMuteReason.ACCEPTED_RISK)))
                    .id("dbe5f567-192b-4404-b908-29b70e1c9f76")
                    .meta(
                        new BulkMuteFindingsRequestMeta()
                            .findings(
                                Collections.singletonList(
                                    new BulkMuteFindingsRequestMetaFindings()
                                        .findingId(
                                            "ZGVmLTAwcC1pZXJ-aS0wZjhjNjMyZDNmMzRlZTgzNw=="))))
                    .type(FindingType.FINDING));

    try {
      BulkMuteFindingsResponse result = apiInstance.muteFindings(body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling SecurityMonitoringApi#muteFindings");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

"""
Mute or unmute a batch of findings returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.bulk_mute_findings_request import BulkMuteFindingsRequest
from datadog_api_client.v2.model.bulk_mute_findings_request_attributes import BulkMuteFindingsRequestAttributes
from datadog_api_client.v2.model.bulk_mute_findings_request_data import BulkMuteFindingsRequestData
from datadog_api_client.v2.model.bulk_mute_findings_request_meta import BulkMuteFindingsRequestMeta
from datadog_api_client.v2.model.bulk_mute_findings_request_meta_findings import BulkMuteFindingsRequestMetaFindings
from datadog_api_client.v2.model.bulk_mute_findings_request_properties import BulkMuteFindingsRequestProperties
from datadog_api_client.v2.model.finding_mute_reason import FindingMuteReason
from datadog_api_client.v2.model.finding_type import FindingType

body = BulkMuteFindingsRequest(
    data=BulkMuteFindingsRequestData(
        attributes=BulkMuteFindingsRequestAttributes(
            mute=BulkMuteFindingsRequestProperties(
                expiration_date=1778721573794,
                muted=True,
                reason=FindingMuteReason.ACCEPTED_RISK,
            ),
        ),
        id="dbe5f567-192b-4404-b908-29b70e1c9f76",
        meta=BulkMuteFindingsRequestMeta(
            findings=[
                BulkMuteFindingsRequestMetaFindings(
                    finding_id="ZGVmLTAwcC1pZXJ-aS0wZjhjNjMyZDNmMzRlZTgzNw==",
                ),
            ],
        ),
        type=FindingType.FINDING,
    ),
)

configuration = Configuration()
configuration.unstable_operations["mute_findings"] = True
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.mute_findings(body=body)

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"

# Mute or unmute a batch of findings returns "OK" response

require "datadog_api_client"
DatadogAPIClient.configure do |config|
  config.unstable_operations["v2.mute_findings".to_sym] = true
end
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::BulkMuteFindingsRequest.new({
  data: DatadogAPIClient::V2::BulkMuteFindingsRequestData.new({
    attributes: DatadogAPIClient::V2::BulkMuteFindingsRequestAttributes.new({
      mute: DatadogAPIClient::V2::BulkMuteFindingsRequestProperties.new({
        expiration_date: 1778721573794,
        muted: true,
        reason: DatadogAPIClient::V2::FindingMuteReason::ACCEPTED_RISK,
      }),
    }),
    id: "dbe5f567-192b-4404-b908-29b70e1c9f76",
    meta: DatadogAPIClient::V2::BulkMuteFindingsRequestMeta.new({
      findings: [
        DatadogAPIClient::V2::BulkMuteFindingsRequestMetaFindings.new({
          finding_id: "ZGVmLTAwcC1pZXJ-aS0wZjhjNjMyZDNmMzRlZTgzNw==",
        }),
      ],
    }),
    type: DatadogAPIClient::V2::FindingType::FINDING,
  }),
})
p api_instance.mute_findings(body)

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"

/**
 * Mute or unmute a batch of findings returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
configuration.unstableOperations["v2.muteFindings"] = true;
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiMuteFindingsRequest = {
  body: {
    data: {
      attributes: {
        mute: {
          expirationDate: 1778721573794,
          muted: true,
          reason: "ACCEPTED_RISK",
        },
      },
      id: "dbe5f567-192b-4404-b908-29b70e1c9f76",
      meta: {
        findings: [
          {
            findingId: "ZGVmLTAwcC1pZXJ-aS0wZjhjNjMyZDNmMzRlZTgzNw==",
          },
        ],
      },
      type: "finding",
    },
  },
};

apiInstance
  .muteFindings(params)
  .then((data: v2.BulkMuteFindingsResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

Add a security signal to an incident

v1 (latest)

PATCH https://api.ap1.datadoghq.com/api/v1/security_analytics/signals/{signal_id}/add_to_incidenthttps://api.datadoghq.eu/api/v1/security_analytics/signals/{signal_id}/add_to_incidenthttps://api.ddog-gov.com/api/v1/security_analytics/signals/{signal_id}/add_to_incidenthttps://api.datadoghq.com/api/v1/security_analytics/signals/{signal_id}/add_to_incidenthttps://api.us3.datadoghq.com/api/v1/security_analytics/signals/{signal_id}/add_to_incidenthttps://api.us5.datadoghq.com/api/v1/security_analytics/signals/{signal_id}/add_to_incident

개요

Add a security signal to an incident. This makes it possible to search for signals by incident within the signal explorer and to view the signals on the incident timeline.

인수

Path Parameters

이름

유형

설명

signal_id [required]

string

The ID of the signal.

요청

Body Data (required)

Attributes describing the signal update.

Expand All

항목

유형

설명

add_to_signal_timeline

boolean

Whether to post the signal on the incident timeline.

incident_id [required]

int64

Public ID attribute of the incident to which the signal will be added.

version

int64

Version of the updated signal. If server side version is higher, update will be rejected.

{
  "incident_id": 2609
}

응답

Updated signal data following a successfully performed update.

Expand All

항목

유형

설명

status

string

Status of the response.

{
  "status": "string"
}

Bad Request

Error response object.

Expand All

항목

유형

설명

errors [required]

[string]

Array of errors returned by the API.

{
  "errors": [
    "Bad Request"
  ]
}

Forbidden

Error response object.

Expand All

항목

유형

설명

errors [required]

[string]

Array of errors returned by the API.

{
  "errors": [
    "Bad Request"
  ]
}

Not Found

Error response object.

Expand All

항목

유형

설명

errors [required]

[string]

Array of errors returned by the API.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

Error response object.

Expand All

항목

유형

설명

errors [required]

[string]

Array of errors returned by the API.

{
  "errors": [
    "Bad Request"
  ]
}

Code Example

                          # Path parameters
export signal_id="CHANGE_ME"
# Curl command
curl -X PATCH "https://api.ap1.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v1/security_analytics/signals/${signal_id}/add_to_incident" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "incident_id": 2609
}
EOF

                        

// Add a security signal to an incident returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV1"
)

func main() {
	body := datadogV1.AddSignalToIncidentRequest{
		IncidentId: 2609,
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV1.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.AddSecurityMonitoringSignalToIncident(ctx, "AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE", body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.AddSecurityMonitoringSignalToIncident`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.AddSecurityMonitoringSignalToIncident`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" go run "main.go"

// Add a security signal to an incident returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v1.api.SecurityMonitoringApi;
import com.datadog.api.client.v1.model.AddSignalToIncidentRequest;
import com.datadog.api.client.v1.model.SuccessfulSignalUpdateResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    AddSignalToIncidentRequest body = new AddSignalToIncidentRequest().incidentId(2609L);

    try {
      SuccessfulSignalUpdateResponse result =
          apiInstance.addSecurityMonitoringSignalToIncident(
              "AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE", body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#addSecurityMonitoringSignalToIncident");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" java "Example.java"

"""
Add a security signal to an incident returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v1.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v1.model.add_signal_to_incident_request import AddSignalToIncidentRequest

body = AddSignalToIncidentRequest(
    incident_id=2609,
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.add_security_monitoring_signal_to_incident(
        signal_id="AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE", body=body
    )

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" python3 "example.py"

# Add a security signal to an incident returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V1::SecurityMonitoringAPI.new

body = DatadogAPIClient::V1::AddSignalToIncidentRequest.new({
  incident_id: 2609,
})
p api_instance.add_security_monitoring_signal_to_incident("AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE", body)

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" rb "example.rb"

/**
 * Add a security signal to an incident returns "OK" response
 */

import { client, v1 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v1.SecurityMonitoringApi(configuration);

const params: v1.SecurityMonitoringApiAddSecurityMonitoringSignalToIncidentRequest =
  {
    body: {
      incidentId: 2609,
    },
    signalId: "AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE",
  };

apiInstance
  .addSecurityMonitoringSignalToIncident(params)
  .then((data: v1.SuccessfulSignalUpdateResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" tsc "example.ts"

Change the triage state of a security signal

v1
v2 (latest)

PATCH https://api.ap1.datadoghq.com/api/v1/security_analytics/signals/{signal_id}/statehttps://api.datadoghq.eu/api/v1/security_analytics/signals/{signal_id}/statehttps://api.ddog-gov.com/api/v1/security_analytics/signals/{signal_id}/statehttps://api.datadoghq.com/api/v1/security_analytics/signals/{signal_id}/statehttps://api.us3.datadoghq.com/api/v1/security_analytics/signals/{signal_id}/statehttps://api.us5.datadoghq.com/api/v1/security_analytics/signals/{signal_id}/state

개요

Change the triage state of a security signal.

인수

Path Parameters

이름

유형

설명

signal_id [required]

string

The ID of the signal.

요청

Body Data (required)

Attributes describing the signal update.

Expand All

항목

유형

설명

archiveComment

string

Optional comment to explain why a signal is being archived.

archiveReason

enum

Reason why a signal has been archived. Allowed enum values: none,false_positive,testing_or_maintenance,investigated_case_opened,other

state [required]

enum

The new triage state of the signal. Allowed enum values: open,archived,under_review

version

int64

Version of the updated signal. If server side version is higher, update will be rejected.

{
  "archiveReason": "none",
  "state": "open"
}

응답

Updated signal data following a successfully performed update.

Expand All

항목

유형

설명

status

string

Status of the response.

{
  "status": "string"
}

Bad Request

Error response object.

Expand All

항목

유형

설명

errors [required]

[string]

Array of errors returned by the API.

{
  "errors": [
    "Bad Request"
  ]
}

Forbidden

Error response object.

Expand All

항목

유형

설명

errors [required]

[string]

Array of errors returned by the API.

{
  "errors": [
    "Bad Request"
  ]
}

Not Found

Error response object.

Expand All

항목

유형

설명

errors [required]

[string]

Array of errors returned by the API.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

Error response object.

Expand All

항목

유형

설명

errors [required]

[string]

Array of errors returned by the API.

{
  "errors": [
    "Bad Request"
  ]
}

Code Example

                          # Path parameters
export signal_id="CHANGE_ME"
# Curl command
curl -X PATCH "https://api.ap1.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v1/security_analytics/signals/${signal_id}/state" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "archiveReason": "none",
  "state": "open"
}
EOF

                        

// Change the triage state of a security signal returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV1"
)

func main() {
	body := datadogV1.SignalStateUpdateRequest{
		ArchiveReason: datadogV1.SIGNALARCHIVEREASON_NONE.Ptr(),
		State:         datadogV1.SIGNALTRIAGESTATE_OPEN,
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV1.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.EditSecurityMonitoringSignalState(ctx, "AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE", body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.EditSecurityMonitoringSignalState`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.EditSecurityMonitoringSignalState`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" go run "main.go"

// Change the triage state of a security signal returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v1.api.SecurityMonitoringApi;
import com.datadog.api.client.v1.model.SignalArchiveReason;
import com.datadog.api.client.v1.model.SignalStateUpdateRequest;
import com.datadog.api.client.v1.model.SignalTriageState;
import com.datadog.api.client.v1.model.SuccessfulSignalUpdateResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SignalStateUpdateRequest body =
        new SignalStateUpdateRequest()
            .archiveReason(SignalArchiveReason.NONE)
            .state(SignalTriageState.OPEN);

    try {
      SuccessfulSignalUpdateResponse result =
          apiInstance.editSecurityMonitoringSignalState(
              "AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE", body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#editSecurityMonitoringSignalState");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" java "Example.java"

"""
Change the triage state of a security signal returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v1.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v1.model.signal_archive_reason import SignalArchiveReason
from datadog_api_client.v1.model.signal_state_update_request import SignalStateUpdateRequest
from datadog_api_client.v1.model.signal_triage_state import SignalTriageState

body = SignalStateUpdateRequest(
    archive_reason=SignalArchiveReason.NONE,
    state=SignalTriageState.OPEN,
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.edit_security_monitoring_signal_state(
        signal_id="AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE", body=body
    )

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" python3 "example.py"

# Change the triage state of a security signal returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V1::SecurityMonitoringAPI.new

body = DatadogAPIClient::V1::SignalStateUpdateRequest.new({
  archive_reason: DatadogAPIClient::V1::SignalArchiveReason::NONE,
  state: DatadogAPIClient::V1::SignalTriageState::OPEN,
})
p api_instance.edit_security_monitoring_signal_state("AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE", body)

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" rb "example.rb"

/**
 * Change the triage state of a security signal returns "OK" response
 */

import { client, v1 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v1.SecurityMonitoringApi(configuration);

const params: v1.SecurityMonitoringApiEditSecurityMonitoringSignalStateRequest =
  {
    body: {
      archiveReason: "none",
      state: "open",
    },
    signalId: "AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE",
  };

apiInstance
  .editSecurityMonitoringSignalState(params)
  .then((data: v1.SuccessfulSignalUpdateResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" tsc "example.ts"

PATCH https://api.ap1.datadoghq.com/api/v2/security_monitoring/signals/{signal_id}/statehttps://api.datadoghq.eu/api/v2/security_monitoring/signals/{signal_id}/statehttps://api.ddog-gov.com/api/v2/security_monitoring/signals/{signal_id}/statehttps://api.datadoghq.com/api/v2/security_monitoring/signals/{signal_id}/statehttps://api.us3.datadoghq.com/api/v2/security_monitoring/signals/{signal_id}/statehttps://api.us5.datadoghq.com/api/v2/security_monitoring/signals/{signal_id}/state

개요

Change the triage state of a security signal.

인수

Path Parameters

이름

유형

설명

signal_id [required]

string

The ID of the signal.

요청

Body Data (required)

Attributes describing the signal update.

Expand All

항목

유형

설명

data [required]

object

Data containing the patch for changing the state of a signal.

{
  "data": {
    "attributes": {
      "archive_reason": "none",
      "state": "open"
    }
  }
}

응답

The response returned after all triage operations, containing the updated signal triage data.

Expand All

항목

유형

설명

data [required]

object

Data containing the updated triage attributes of the signal.

{
  "data": {
    "attributes": {
      "archive_comment": "string",
      "archive_comment_timestamp": "integer",
      "archive_comment_user": {
        "handle": "string",
        "icon": "/path/to/matching/gravatar/icon",
        "id": "integer",
        "name": "string",
        "uuid": "773b045d-ccf8-4808-bd3b-955ef6a8c940"
      },
      "archive_reason": "string",
      "assignee": {
        "handle": "string",
        "icon": "/path/to/matching/gravatar/icon",
        "id": "integer",
        "name": "string",
        "uuid": "773b045d-ccf8-4808-bd3b-955ef6a8c940"
      },
      "incident_ids": [],
      "state": "open",
      "state_update_timestamp": "integer",
      "state_update_user": {
        "handle": "string",
        "icon": "/path/to/matching/gravatar/icon",
        "id": "integer",
        "name": "string",
        "uuid": "773b045d-ccf8-4808-bd3b-955ef6a8c940"
      }
    },
    "id": "string",
    "type": "signal_metadata"
  }
}

Bad Request

API error response.

Expand All

항목

유형

설명

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Forbidden

API error response.

Expand All

항목

유형

설명

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Found

API error response.

Expand All

항목

유형

설명

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

항목

유형

설명

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Code Example

                          # Path parameters
export signal_id="CHANGE_ME"
# Curl command
curl -X PATCH "https://api.ap1.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/signals/${signal_id}/state" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "data": {
    "attributes": {
      "archive_reason": "none",
      "state": "open"
    }
  }
}
EOF

                        

// Change the triage state of a security signal returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.SecurityMonitoringSignalStateUpdateRequest{
		Data: datadogV2.SecurityMonitoringSignalStateUpdateData{
			Attributes: datadogV2.SecurityMonitoringSignalStateUpdateAttributes{
				ArchiveReason: datadogV2.SECURITYMONITORINGSIGNALARCHIVEREASON_NONE.Ptr(),
				State:         datadogV2.SECURITYMONITORINGSIGNALSTATE_OPEN,
			},
		},
	}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.EditSecurityMonitoringSignalState(ctx, "AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE", body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.EditSecurityMonitoringSignalState`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.EditSecurityMonitoringSignalState`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" go run "main.go"

// Change the triage state of a security signal returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalArchiveReason;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalState;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalStateUpdateAttributes;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalStateUpdateData;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalStateUpdateRequest;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalTriageUpdateResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SecurityMonitoringSignalStateUpdateRequest body =
        new SecurityMonitoringSignalStateUpdateRequest()
            .data(
                new SecurityMonitoringSignalStateUpdateData()
                    .attributes(
                        new SecurityMonitoringSignalStateUpdateAttributes()
                            .archiveReason(SecurityMonitoringSignalArchiveReason.NONE)
                            .state(SecurityMonitoringSignalState.OPEN)));

    try {
      SecurityMonitoringSignalTriageUpdateResponse result =
          apiInstance.editSecurityMonitoringSignalState(
              "AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE", body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#editSecurityMonitoringSignalState");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" java "Example.java"

"""
Change the triage state of a security signal returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_signal_archive_reason import SecurityMonitoringSignalArchiveReason
from datadog_api_client.v2.model.security_monitoring_signal_state import SecurityMonitoringSignalState
from datadog_api_client.v2.model.security_monitoring_signal_state_update_attributes import (
    SecurityMonitoringSignalStateUpdateAttributes,
)
from datadog_api_client.v2.model.security_monitoring_signal_state_update_data import (
    SecurityMonitoringSignalStateUpdateData,
)
from datadog_api_client.v2.model.security_monitoring_signal_state_update_request import (
    SecurityMonitoringSignalStateUpdateRequest,
)

body = SecurityMonitoringSignalStateUpdateRequest(
    data=SecurityMonitoringSignalStateUpdateData(
        attributes=SecurityMonitoringSignalStateUpdateAttributes(
            archive_reason=SecurityMonitoringSignalArchiveReason.NONE,
            state=SecurityMonitoringSignalState.OPEN,
        ),
    ),
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.edit_security_monitoring_signal_state(
        signal_id="AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE", body=body
    )

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" python3 "example.py"

# Change the triage state of a security signal returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::SecurityMonitoringSignalStateUpdateRequest.new({
  data: DatadogAPIClient::V2::SecurityMonitoringSignalStateUpdateData.new({
    attributes: DatadogAPIClient::V2::SecurityMonitoringSignalStateUpdateAttributes.new({
      archive_reason: DatadogAPIClient::V2::SecurityMonitoringSignalArchiveReason::NONE,
      state: DatadogAPIClient::V2::SecurityMonitoringSignalState::OPEN,
    }),
  }),
})
p api_instance.edit_security_monitoring_signal_state("AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE", body)

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" rb "example.rb"

/**
 * Change the triage state of a security signal returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiEditSecurityMonitoringSignalStateRequest =
  {
    body: {
      data: {
        attributes: {
          archiveReason: "none",
          state: "open",
        },
      },
    },
    signalId: "AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE",
  };

apiInstance
  .editSecurityMonitoringSignalState(params)
  .then((data: v2.SecurityMonitoringSignalTriageUpdateResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" tsc "example.ts"

Create a detection rule

v2 (latest)

POST https://api.ap1.datadoghq.com/api/v2/security_monitoring/ruleshttps://api.datadoghq.eu/api/v2/security_monitoring/ruleshttps://api.ddog-gov.com/api/v2/security_monitoring/ruleshttps://api.datadoghq.com/api/v2/security_monitoring/ruleshttps://api.us3.datadoghq.com/api/v2/security_monitoring/ruleshttps://api.us5.datadoghq.com/api/v2/security_monitoring/rules

개요

Create a detection rule. This endpoint requires the security_monitoring_rules_write authorization scope.

요청

Body Data (required)

Expand All

항목

유형

설명

Option 1

object

Create a new rule.

options [required]

object

Options on rules.

Option 2

object

Create a new signal correlation rule.

options [required]

object

Options on rules.

Option 3

object

Create a new cloud configuration rule.

{
  "type": "cloud_configuration",
  "name": "Example-Security-Monitoring_cloud",
  "isEnabled": false,
  "cases": [
    {
      "status": "info",
      "notifications": [
        "channel"
      ]
    }
  ],
  "options": {
    "complianceRuleOptions": {
      "resourceType": "gcp_compute_disk",
      "complexRule": false,
      "regoRule": {
        "policy": "package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nmilliseconds_in_a_day := ((1000 * 60) * 60) * 24\n\neval(iam_service_account_key) = \"skip\" if {\n\tiam_service_account_key.disabled\n} else = \"pass\" if {\n\t(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n",
        "resourceTypes": [
          "gcp_compute_disk"
        ]
      }
    }
  },
  "message": "ddd",
  "tags": [
    "my:tag"
  ],
  "complianceSignalOptions": {
    "userActivationStatus": true,
    "userGroupByFields": [
      "@account_id"
    ]
  },
  "filters": [
    {
      "action": "require",
      "query": "resource_id:helo*"
    },
    {
      "action": "suppress",
      "query": "control:helo*"
    }
  ]
}
{
  "name": "Example-Security-Monitoring",
  "queries": [
    {
      "query": "@test:true",
      "aggregation": "count",
      "groupByFields": [],
      "distinctFields": [],
      "metric": ""
    }
  ],
  "filters": [],
  "cases": [
    {
      "name": "",
      "status": "info",
      "condition": "a > 0",
      "notifications": []
    }
  ],
  "options": {
    "evaluationWindow": 900,
    "keepAlive": 3600,
    "maxSignalDuration": 86400
  },
  "message": "Test rule",
  "tags": [],
  "isEnabled": true,
  "type": "log_detection"
}
{
  "queries": [
    {
      "aggregation": "geo_data",
      "groupByFields": [
        "@usr.id"
      ],
      "distinctFields": [],
      "metric": "@network.client.geoip",
      "query": "*"
    }
  ],
  "cases": [
    {
      "name": "",
      "status": "info",
      "notifications": []
    }
  ],
  "hasExtendedTitle": true,
  "message": "test",
  "isEnabled": true,
  "options": {
    "maxSignalDuration": 86400,
    "evaluationWindow": 900,
    "keepAlive": 3600,
    "detectionMethod": "impossible_travel",
    "impossibleTravelOptions": {
      "baselineUserLocations": false
    }
  },
  "name": "Example-Security-Monitoring",
  "type": "log_detection",
  "tags": [],
  "filters": []
}

응답

Create a new rule.

Expand All

항목

유형

설명

Option 1

Rule.

options

object

Options on rules.

Option 2

Rule.

options

object

Options on rules.

{
  "cases": [
    {
      "condition": "string",
      "name": "string",
      "notifications": [],
      "status": "critical"
    }
  ],
  "complianceSignalOptions": {
    "defaultActivationStatus": false,
    "defaultGroupByFields": [],
    "userActivationStatus": false,
    "userGroupByFields": []
  },
  "createdAt": "integer",
  "creationAuthorId": "integer",
  "deprecationDate": "integer",
  "filters": [
    {
      "action": "string",
      "query": "string"
    }
  ],
  "hasExtendedTitle": false,
  "id": "string",
  "isDefault": false,
  "isDeleted": false,
  "isEnabled": false,
  "message": "string",
  "name": "string",
  "options": {
    "complianceRuleOptions": {
      "complexRule": false,
      "regoRule": {
        "policy": "package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(resource) = \"skip\" if {\n  # Logic that evaluates to true if the resource should be skipped\n  true\n} else = \"pass\" {\n  # Logic that evaluates to true if the resource is compliant\n  true\n} else = \"fail\" {\n  # Logic that evaluates to true if the resource is not compliant\n  true\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n  some resource in input.resources[input.main_resource_type]\n  result := dd_output.format(resource, eval(resource))\n}\n",
        "resourceTypes": [
          "gcp_iam_service_account",
          "gcp_iam_policy"
        ]
      },
      "resourceType": "aws_acm"
    },
    "decreaseCriticalityBasedOnEnv": false,
    "detectionMethod": "string",
    "evaluationWindow": "integer",
    "hardcodedEvaluatorType": "string",
    "impossibleTravelOptions": {
      "baselineUserLocations": true
    },
    "keepAlive": "integer",
    "maxSignalDuration": "integer",
    "newValueOptions": {
      "forgetAfter": "integer",
      "learningDuration": "integer",
      "learningMethod": "string",
      "learningThreshold": "integer"
    }
  },
  "queries": [
    {
      "aggregation": "string",
      "distinctFields": [],
      "groupByFields": [],
      "hasOptionalGroupByFields": false,
      "metric": "string",
      "metrics": [],
      "name": "string",
      "query": "a > 3"
    }
  ],
  "tags": [],
  "type": "string",
  "updateAuthorId": "integer",
  "version": "integer"
}

Bad Request

API error response.

Expand All

항목

유형

설명

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Not Authorized

API error response.

Expand All

항목

유형

설명

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Too many requests

API error response.

Expand All

항목

유형

설명

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Code Example

                          # Curl command
curl -X POST "https://api.ap1.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/rules" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "type": "cloud_configuration",
  "name": "Example-Security-Monitoring_cloud",
  "isEnabled": false,
  "cases": [
    {
      "status": "info",
      "notifications": [
        "channel"
      ]
    }
  ],
  "options": {
    "complianceRuleOptions": {
      "resourceType": "gcp_compute_disk",
      "complexRule": false,
      "regoRule": {
        "policy": "package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nmilliseconds_in_a_day := ((1000 * 60) * 60) * 24\n\neval(iam_service_account_key) = \"skip\" if {\n\tiam_service_account_key.disabled\n} else = \"pass\" if {\n\t(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n",
        "resourceTypes": [
          "gcp_compute_disk"
        ]
      }
    }
  },
  "message": "ddd",
  "tags": [
    "my:tag"
  ],
  "complianceSignalOptions": {
    "userActivationStatus": true,
    "userGroupByFields": [
      "@account_id"
    ]
  },
  "filters": [
    {
      "action": "require",
      "query": "resource_id:helo*"
    },
    {
      "action": "suppress",
      "query": "control:helo*"
    }
  ]
}
EOF

                        
                          # Curl command
curl -X POST "https://api.ap1.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/rules" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "name": "Example-Security-Monitoring",
  "queries": [
    {
      "query": "@test:true",
      "aggregation": "count",
      "groupByFields": [],
      "distinctFields": [],
      "metric": ""
    }
  ],
  "filters": [],
  "cases": [
    {
      "name": "",
      "status": "info",
      "condition": "a > 0",
      "notifications": []
    }
  ],
  "options": {
    "evaluationWindow": 900,
    "keepAlive": 3600,
    "maxSignalDuration": 86400
  },
  "message": "Test rule",
  "tags": [],
  "isEnabled": true,
  "type": "log_detection"
}
EOF

                        
                          # Curl command
curl -X POST "https://api.ap1.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/rules" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
  "queries": [
    {
      "aggregation": "geo_data",
      "groupByFields": [
        "@usr.id"
      ],
      "distinctFields": [],
      "metric": "@network.client.geoip",
      "query": "*"
    }
  ],
  "cases": [
    {
      "name": "",
      "status": "info",
      "notifications": []
    }
  ],
  "hasExtendedTitle": true,
  "message": "test",
  "isEnabled": true,
  "options": {
    "maxSignalDuration": 86400,
    "evaluationWindow": 900,
    "keepAlive": 3600,
    "detectionMethod": "impossible_travel",
    "impossibleTravelOptions": {
      "baselineUserLocations": false
    }
  },
  "name": "Example-Security-Monitoring",
  "type": "log_detection",
  "tags": [],
  "filters": []
}
EOF

                        

// Create a cloud_configuration rule returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.SecurityMonitoringRuleCreatePayload{
		CloudConfigurationRuleCreatePayload: &datadogV2.CloudConfigurationRuleCreatePayload{
			Type:      datadogV2.CLOUDCONFIGURATIONRULETYPE_CLOUD_CONFIGURATION.Ptr(),
			Name:      "Example-Security-Monitoring_cloud",
			IsEnabled: false,
			Cases: []datadogV2.CloudConfigurationRuleCaseCreate{
				{
					Status: datadogV2.SECURITYMONITORINGRULESEVERITY_INFO,
					Notifications: []string{
						"channel",
					},
				},
			},
			Options: datadogV2.CloudConfigurationRuleOptions{
				ComplianceRuleOptions: datadogV2.CloudConfigurationComplianceRuleOptions{
					ResourceType: datadog.PtrString("gcp_compute_disk"),
					ComplexRule:  datadog.PtrBool(false),
					RegoRule: &datadogV2.CloudConfigurationRegoRule{
						Policy: `package datadog

import data.datadog.output as dd_output

import future.keywords.contains
import future.keywords.if
import future.keywords.in

milliseconds_in_a_day := ((1000 * 60) * 60) * 24

eval(iam_service_account_key) = "skip" if {
	iam_service_account_key.disabled
} else = "pass" if {
	(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90
} else = "fail"

# This part remains unchanged for all rules
results contains result if {
	some resource in input.resources[input.main_resource_type]
	result := dd_output.format(resource, eval(resource))
}
`,
						ResourceTypes: []string{
							"gcp_compute_disk",
						},
					},
				},
			},
			Message: "ddd",
			Tags: []string{
				"my:tag",
			},
			ComplianceSignalOptions: datadogV2.CloudConfigurationRuleComplianceSignalOptions{
				UserActivationStatus: *datadog.NewNullableBool(datadog.PtrBool(true)),
				UserGroupByFields: *datadog.NewNullableList(&[]string{
					"@account_id",
				}),
			},
			Filters: []datadogV2.SecurityMonitoringFilter{
				{
					Action: datadogV2.SECURITYMONITORINGFILTERACTION_REQUIRE.Ptr(),
					Query:  datadog.PtrString("resource_id:helo*"),
				},
				{
					Action: datadogV2.SECURITYMONITORINGFILTERACTION_SUPPRESS.Ptr(),
					Query:  datadog.PtrString("control:helo*"),
				},
			},
		}}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.CreateSecurityMonitoringRule(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.CreateSecurityMonitoringRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.CreateSecurityMonitoringRule`:\n%s\n", responseContent)
}

// Create a detection rule returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.SecurityMonitoringRuleCreatePayload{
		SecurityMonitoringStandardRuleCreatePayload: &datadogV2.SecurityMonitoringStandardRuleCreatePayload{
			Name: "Example-Security-Monitoring",
			Queries: []datadogV2.SecurityMonitoringStandardRuleQuery{
				{
					Query:          datadog.PtrString("@test:true"),
					Aggregation:    datadogV2.SECURITYMONITORINGRULEQUERYAGGREGATION_COUNT.Ptr(),
					GroupByFields:  []string{},
					DistinctFields: []string{},
					Metric:         datadog.PtrString(""),
				},
			},
			Filters: []datadogV2.SecurityMonitoringFilter{},
			Cases: []datadogV2.SecurityMonitoringRuleCaseCreate{
				{
					Name:          datadog.PtrString(""),
					Status:        datadogV2.SECURITYMONITORINGRULESEVERITY_INFO,
					Condition:     datadog.PtrString("a > 0"),
					Notifications: []string{},
				},
			},
			Options: datadogV2.SecurityMonitoringRuleOptions{
				EvaluationWindow:  datadogV2.SECURITYMONITORINGRULEEVALUATIONWINDOW_FIFTEEN_MINUTES.Ptr(),
				KeepAlive:         datadogV2.SECURITYMONITORINGRULEKEEPALIVE_ONE_HOUR.Ptr(),
				MaxSignalDuration: datadogV2.SECURITYMONITORINGRULEMAXSIGNALDURATION_ONE_DAY.Ptr(),
			},
			Message:   "Test rule",
			Tags:      []string{},
			IsEnabled: true,
			Type:      datadogV2.SECURITYMONITORINGRULETYPECREATE_LOG_DETECTION.Ptr(),
		}}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.CreateSecurityMonitoringRule(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.CreateSecurityMonitoringRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.CreateSecurityMonitoringRule`:\n%s\n", responseContent)
}

// Create a detection rule with type 'impossible_travel' returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	body := datadogV2.SecurityMonitoringRuleCreatePayload{
		SecurityMonitoringStandardRuleCreatePayload: &datadogV2.SecurityMonitoringStandardRuleCreatePayload{
			Queries: []datadogV2.SecurityMonitoringStandardRuleQuery{
				{
					Aggregation: datadogV2.SECURITYMONITORINGRULEQUERYAGGREGATION_GEO_DATA.Ptr(),
					GroupByFields: []string{
						"@usr.id",
					},
					DistinctFields: []string{},
					Metric:         datadog.PtrString("@network.client.geoip"),
					Query:          datadog.PtrString("*"),
				},
			},
			Cases: []datadogV2.SecurityMonitoringRuleCaseCreate{
				{
					Name:          datadog.PtrString(""),
					Status:        datadogV2.SECURITYMONITORINGRULESEVERITY_INFO,
					Notifications: []string{},
				},
			},
			HasExtendedTitle: datadog.PtrBool(true),
			Message:          "test",
			IsEnabled:        true,
			Options: datadogV2.SecurityMonitoringRuleOptions{
				MaxSignalDuration: datadogV2.SECURITYMONITORINGRULEMAXSIGNALDURATION_ONE_DAY.Ptr(),
				EvaluationWindow:  datadogV2.SECURITYMONITORINGRULEEVALUATIONWINDOW_FIFTEEN_MINUTES.Ptr(),
				KeepAlive:         datadogV2.SECURITYMONITORINGRULEKEEPALIVE_ONE_HOUR.Ptr(),
				DetectionMethod:   datadogV2.SECURITYMONITORINGRULEDETECTIONMETHOD_IMPOSSIBLE_TRAVEL.Ptr(),
				ImpossibleTravelOptions: &datadogV2.SecurityMonitoringRuleImpossibleTravelOptions{
					BaselineUserLocations: datadog.PtrBool(false),
				},
			},
			Name:    "Example-Security-Monitoring",
			Type:    datadogV2.SECURITYMONITORINGRULETYPECREATE_LOG_DETECTION.Ptr(),
			Tags:    []string{},
			Filters: []datadogV2.SecurityMonitoringFilter{},
		}}
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewSecurityMonitoringApi(apiClient)
	resp, r, err := api.CreateSecurityMonitoringRule(ctx, body)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.CreateSecurityMonitoringRule`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.CreateSecurityMonitoringRule`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"

// Create a cloud_configuration rule returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.CloudConfigurationComplianceRuleOptions;
import com.datadog.api.client.v2.model.CloudConfigurationRegoRule;
import com.datadog.api.client.v2.model.CloudConfigurationRuleCaseCreate;
import com.datadog.api.client.v2.model.CloudConfigurationRuleComplianceSignalOptions;
import com.datadog.api.client.v2.model.CloudConfigurationRuleCreatePayload;
import com.datadog.api.client.v2.model.CloudConfigurationRuleOptions;
import com.datadog.api.client.v2.model.CloudConfigurationRuleType;
import com.datadog.api.client.v2.model.SecurityMonitoringFilter;
import com.datadog.api.client.v2.model.SecurityMonitoringFilterAction;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCreatePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleResponse;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSeverity;
import java.util.Arrays;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SecurityMonitoringRuleCreatePayload body =
        new SecurityMonitoringRuleCreatePayload(
            new CloudConfigurationRuleCreatePayload()
                .type(CloudConfigurationRuleType.CLOUD_CONFIGURATION)
                .name("Example-Security-Monitoring_cloud")
                .isEnabled(false)
                .cases(
                    Collections.singletonList(
                        new CloudConfigurationRuleCaseCreate()
                            .status(SecurityMonitoringRuleSeverity.INFO)
                            .notifications(Collections.singletonList("channel"))))
                .options(
                    new CloudConfigurationRuleOptions()
                        .complianceRuleOptions(
                            new CloudConfigurationComplianceRuleOptions()
                                .resourceType("gcp_compute_disk")
                                .complexRule(false)
                                .regoRule(
                                    new CloudConfigurationRegoRule()
                                        .policy(
                                            """
package datadog

import data.datadog.output as dd_output

import future.keywords.contains
import future.keywords.if
import future.keywords.in

milliseconds_in_a_day := ((1000 * 60) * 60) * 24

eval(iam_service_account_key) = "skip" if {
	iam_service_account_key.disabled
} else = "pass" if {
	(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90
} else = "fail"

# This part remains unchanged for all rules
results contains result if {
	some resource in input.resources[input.main_resource_type]
	result := dd_output.format(resource, eval(resource))
}

""")
                                        .resourceTypes(
                                            Collections.singletonList("gcp_compute_disk")))))
                .message("ddd")
                .tags(Collections.singletonList("my:tag"))
                .complianceSignalOptions(
                    new CloudConfigurationRuleComplianceSignalOptions()
                        .userActivationStatus(true)
                        .userGroupByFields(Collections.singletonList("@account_id")))
                .filters(
                    Arrays.asList(
                        new SecurityMonitoringFilter()
                            .action(SecurityMonitoringFilterAction.REQUIRE)
                            .query("resource_id:helo*"),
                        new SecurityMonitoringFilter()
                            .action(SecurityMonitoringFilterAction.SUPPRESS)
                            .query("control:helo*"))));

    try {
      SecurityMonitoringRuleResponse result = apiInstance.createSecurityMonitoringRule(body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#createSecurityMonitoringRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

// Create a detection rule returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCaseCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCreatePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleEvaluationWindow;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleKeepAlive;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleMaxSignalDuration;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleOptions;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleQueryAggregation;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleResponse;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSeverity;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleTypeCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRuleCreatePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRuleQuery;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SecurityMonitoringRuleCreatePayload body =
        new SecurityMonitoringRuleCreatePayload(
            new SecurityMonitoringStandardRuleCreatePayload()
                .name("Example-Security-Monitoring")
                .queries(
                    Collections.singletonList(
                        new SecurityMonitoringStandardRuleQuery()
                            .query("@test:true")
                            .aggregation(SecurityMonitoringRuleQueryAggregation.COUNT)
                            .metric("")))
                .cases(
                    Collections.singletonList(
                        new SecurityMonitoringRuleCaseCreate()
                            .name("")
                            .status(SecurityMonitoringRuleSeverity.INFO)
                            .condition("a > 0")))
                .options(
                    new SecurityMonitoringRuleOptions()
                        .evaluationWindow(SecurityMonitoringRuleEvaluationWindow.FIFTEEN_MINUTES)
                        .keepAlive(SecurityMonitoringRuleKeepAlive.ONE_HOUR)
                        .maxSignalDuration(SecurityMonitoringRuleMaxSignalDuration.ONE_DAY))
                .message("Test rule")
                .isEnabled(true)
                .type(SecurityMonitoringRuleTypeCreate.LOG_DETECTION));

    try {
      SecurityMonitoringRuleResponse result = apiInstance.createSecurityMonitoringRule(body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#createSecurityMonitoringRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

// Create a detection rule with type 'impossible_travel' returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCaseCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCreatePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleDetectionMethod;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleEvaluationWindow;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleImpossibleTravelOptions;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleKeepAlive;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleMaxSignalDuration;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleOptions;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleQueryAggregation;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleResponse;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSeverity;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleTypeCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRuleCreatePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRuleQuery;
import java.util.Collections;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    SecurityMonitoringRuleCreatePayload body =
        new SecurityMonitoringRuleCreatePayload(
            new SecurityMonitoringStandardRuleCreatePayload()
                .queries(
                    Collections.singletonList(
                        new SecurityMonitoringStandardRuleQuery()
                            .aggregation(SecurityMonitoringRuleQueryAggregation.GEO_DATA)
                            .groupByFields(Collections.singletonList("@usr.id"))
                            .metric("@network.client.geoip")
                            .query("*")))
                .cases(
                    Collections.singletonList(
                        new SecurityMonitoringRuleCaseCreate()
                            .name("")
                            .status(SecurityMonitoringRuleSeverity.INFO)))
                .hasExtendedTitle(true)
                .message("test")
                .isEnabled(true)
                .options(
                    new SecurityMonitoringRuleOptions()
                        .maxSignalDuration(SecurityMonitoringRuleMaxSignalDuration.ONE_DAY)
                        .evaluationWindow(SecurityMonitoringRuleEvaluationWindow.FIFTEEN_MINUTES)
                        .keepAlive(SecurityMonitoringRuleKeepAlive.ONE_HOUR)
                        .detectionMethod(SecurityMonitoringRuleDetectionMethod.IMPOSSIBLE_TRAVEL)
                        .impossibleTravelOptions(
                            new SecurityMonitoringRuleImpossibleTravelOptions()
                                .baselineUserLocations(false)))
                .name("Example-Security-Monitoring")
                .type(SecurityMonitoringRuleTypeCreate.LOG_DETECTION));

    try {
      SecurityMonitoringRuleResponse result = apiInstance.createSecurityMonitoringRule(body);
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println(
          "Exception when calling SecurityMonitoringApi#createSecurityMonitoringRule");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"

"""
Create a cloud_configuration rule returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.cloud_configuration_compliance_rule_options import (
    CloudConfigurationComplianceRuleOptions,
)
from datadog_api_client.v2.model.cloud_configuration_rego_rule import CloudConfigurationRegoRule
from datadog_api_client.v2.model.cloud_configuration_rule_case_create import CloudConfigurationRuleCaseCreate
from datadog_api_client.v2.model.cloud_configuration_rule_compliance_signal_options import (
    CloudConfigurationRuleComplianceSignalOptions,
)
from datadog_api_client.v2.model.cloud_configuration_rule_create_payload import CloudConfigurationRuleCreatePayload
from datadog_api_client.v2.model.cloud_configuration_rule_options import CloudConfigurationRuleOptions
from datadog_api_client.v2.model.cloud_configuration_rule_type import CloudConfigurationRuleType
from datadog_api_client.v2.model.security_monitoring_filter import SecurityMonitoringFilter
from datadog_api_client.v2.model.security_monitoring_filter_action import SecurityMonitoringFilterAction
from datadog_api_client.v2.model.security_monitoring_rule_severity import SecurityMonitoringRuleSeverity

body = CloudConfigurationRuleCreatePayload(
    type=CloudConfigurationRuleType.CLOUD_CONFIGURATION,
    name="Example-Security-Monitoring_cloud",
    is_enabled=False,
    cases=[
        CloudConfigurationRuleCaseCreate(
            status=SecurityMonitoringRuleSeverity.INFO,
            notifications=[
                "channel",
            ],
        ),
    ],
    options=CloudConfigurationRuleOptions(
        compliance_rule_options=CloudConfigurationComplianceRuleOptions(
            resource_type="gcp_compute_disk",
            complex_rule=False,
            rego_rule=CloudConfigurationRegoRule(
                policy='package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nmilliseconds_in_a_day := ((1000 * 60) * 60) * 24\n\neval(iam_service_account_key) = "skip" if {\n\tiam_service_account_key.disabled\n} else = "pass" if {\n\t(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90\n} else = "fail"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n',
                resource_types=[
                    "gcp_compute_disk",
                ],
            ),
        ),
    ),
    message="ddd",
    tags=[
        "my:tag",
    ],
    compliance_signal_options=CloudConfigurationRuleComplianceSignalOptions(
        user_activation_status=True,
        user_group_by_fields=[
            "@account_id",
        ],
    ),
    filters=[
        SecurityMonitoringFilter(
            action=SecurityMonitoringFilterAction.REQUIRE,
            query="resource_id:helo*",
        ),
        SecurityMonitoringFilter(
            action=SecurityMonitoringFilterAction.SUPPRESS,
            query="control:helo*",
        ),
    ],
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.create_security_monitoring_rule(body=body)

    print(response)

"""
Create a detection rule returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_rule_case_create import SecurityMonitoringRuleCaseCreate
from datadog_api_client.v2.model.security_monitoring_rule_evaluation_window import (
    SecurityMonitoringRuleEvaluationWindow,
)
from datadog_api_client.v2.model.security_monitoring_rule_keep_alive import SecurityMonitoringRuleKeepAlive
from datadog_api_client.v2.model.security_monitoring_rule_max_signal_duration import (
    SecurityMonitoringRuleMaxSignalDuration,
)
from datadog_api_client.v2.model.security_monitoring_rule_options import SecurityMonitoringRuleOptions
from datadog_api_client.v2.model.security_monitoring_rule_query_aggregation import (
    SecurityMonitoringRuleQueryAggregation,
)
from datadog_api_client.v2.model.security_monitoring_rule_severity import SecurityMonitoringRuleSeverity
from datadog_api_client.v2.model.security_monitoring_rule_type_create import SecurityMonitoringRuleTypeCreate
from datadog_api_client.v2.model.security_monitoring_standard_rule_create_payload import (
    SecurityMonitoringStandardRuleCreatePayload,
)
from datadog_api_client.v2.model.security_monitoring_standard_rule_query import SecurityMonitoringStandardRuleQuery

body = SecurityMonitoringStandardRuleCreatePayload(
    name="Example-Security-Monitoring",
    queries=[
        SecurityMonitoringStandardRuleQuery(
            query="@test:true",
            aggregation=SecurityMonitoringRuleQueryAggregation.COUNT,
            group_by_fields=[],
            distinct_fields=[],
            metric="",
        ),
    ],
    filters=[],
    cases=[
        SecurityMonitoringRuleCaseCreate(
            name="",
            status=SecurityMonitoringRuleSeverity.INFO,
            condition="a > 0",
            notifications=[],
        ),
    ],
    options=SecurityMonitoringRuleOptions(
        evaluation_window=SecurityMonitoringRuleEvaluationWindow.FIFTEEN_MINUTES,
        keep_alive=SecurityMonitoringRuleKeepAlive.ONE_HOUR,
        max_signal_duration=SecurityMonitoringRuleMaxSignalDuration.ONE_DAY,
    ),
    message="Test rule",
    tags=[],
    is_enabled=True,
    type=SecurityMonitoringRuleTypeCreate.LOG_DETECTION,
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.create_security_monitoring_rule(body=body)

    print(response)

"""
Create a detection rule with type 'impossible_travel' returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_rule_case_create import SecurityMonitoringRuleCaseCreate
from datadog_api_client.v2.model.security_monitoring_rule_detection_method import SecurityMonitoringRuleDetectionMethod
from datadog_api_client.v2.model.security_monitoring_rule_evaluation_window import (
    SecurityMonitoringRuleEvaluationWindow,
)
from datadog_api_client.v2.model.security_monitoring_rule_impossible_travel_options import (
    SecurityMonitoringRuleImpossibleTravelOptions,
)
from datadog_api_client.v2.model.security_monitoring_rule_keep_alive import SecurityMonitoringRuleKeepAlive
from datadog_api_client.v2.model.security_monitoring_rule_max_signal_duration import (
    SecurityMonitoringRuleMaxSignalDuration,
)
from datadog_api_client.v2.model.security_monitoring_rule_options import SecurityMonitoringRuleOptions
from datadog_api_client.v2.model.security_monitoring_rule_query_aggregation import (
    SecurityMonitoringRuleQueryAggregation,
)
from datadog_api_client.v2.model.security_monitoring_rule_severity import SecurityMonitoringRuleSeverity
from datadog_api_client.v2.model.security_monitoring_rule_type_create import SecurityMonitoringRuleTypeCreate
from datadog_api_client.v2.model.security_monitoring_standard_rule_create_payload import (
    SecurityMonitoringStandardRuleCreatePayload,
)
from datadog_api_client.v2.model.security_monitoring_standard_rule_query import SecurityMonitoringStandardRuleQuery

body = SecurityMonitoringStandardRuleCreatePayload(
    queries=[
        SecurityMonitoringStandardRuleQuery(
            aggregation=SecurityMonitoringRuleQueryAggregation.GEO_DATA,
            group_by_fields=[
                "@usr.id",
            ],
            distinct_fields=[],
            metric="@network.client.geoip",
            query="*",
        ),
    ],
    cases=[
        SecurityMonitoringRuleCaseCreate(
            name="",
            status=SecurityMonitoringRuleSeverity.INFO,
            notifications=[],
        ),
    ],
    has_extended_title=True,
    message="test",
    is_enabled=True,
    options=SecurityMonitoringRuleOptions(
        max_signal_duration=SecurityMonitoringRuleMaxSignalDuration.ONE_DAY,
        evaluation_window=SecurityMonitoringRuleEvaluationWindow.FIFTEEN_MINUTES,
        keep_alive=SecurityMonitoringRuleKeepAlive.ONE_HOUR,
        detection_method=SecurityMonitoringRuleDetectionMethod.IMPOSSIBLE_TRAVEL,
        impossible_travel_options=SecurityMonitoringRuleImpossibleTravelOptions(
            baseline_user_locations=False,
        ),
    ),
    name="Example-Security-Monitoring",
    type=SecurityMonitoringRuleTypeCreate.LOG_DETECTION,
    tags=[],
    filters=[],
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.create_security_monitoring_rule(body=body)

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"

# Create a cloud_configuration rule returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::CloudConfigurationRuleCreatePayload.new({
  type: DatadogAPIClient::V2::CloudConfigurationRuleType::CLOUD_CONFIGURATION,
  name: "Example-Security-Monitoring_cloud",
  is_enabled: false,
  cases: [
    DatadogAPIClient::V2::CloudConfigurationRuleCaseCreate.new({
      status: DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::INFO,
      notifications: [
        "channel",
      ],
    }),
  ],
  options: DatadogAPIClient::V2::CloudConfigurationRuleOptions.new({
    compliance_rule_options: DatadogAPIClient::V2::CloudConfigurationComplianceRuleOptions.new({
      resource_type: "gcp_compute_disk",
      complex_rule: false,
      rego_rule: DatadogAPIClient::V2::CloudConfigurationRegoRule.new({
        policy: 'package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nmilliseconds_in_a_day := ((1000 * 60) * 60) * 24\n\neval(iam_service_account_key) = "skip" if {\n\tiam_service_account_key.disabled\n} else = "pass" if {\n\t(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90\n} else = "fail"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n',
        resource_types: [
          "gcp_compute_disk",
        ],
      }),
    }),
  }),
  message: "ddd",
  tags: [
    "my:tag",
  ],
  compliance_signal_options: DatadogAPIClient::V2::CloudConfigurationRuleComplianceSignalOptions.new({
    user_activation_status: true,
    user_group_by_fields: [
      "@account_id",
    ],
  }),
  filters: [
    DatadogAPIClient::V2::SecurityMonitoringFilter.new({
      action: DatadogAPIClient::V2::SecurityMonitoringFilterAction::REQUIRE,
      query: "resource_id:helo*",
    }),
    DatadogAPIClient::V2::SecurityMonitoringFilter.new({
      action: DatadogAPIClient::V2::SecurityMonitoringFilterAction::SUPPRESS,
      query: "control:helo*",
    }),
  ],
})
p api_instance.create_security_monitoring_rule(body)

# Create a detection rule returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::SecurityMonitoringStandardRuleCreatePayload.new({
  name: "Example-Security-Monitoring",
  queries: [
    DatadogAPIClient::V2::SecurityMonitoringStandardRuleQuery.new({
      query: "@test:true",
      aggregation: DatadogAPIClient::V2::SecurityMonitoringRuleQueryAggregation::COUNT,
      group_by_fields: [],
      distinct_fields: [],
      metric: "",
    }),
  ],
  filters: [],
  cases: [
    DatadogAPIClient::V2::SecurityMonitoringRuleCaseCreate.new({
      name: "",
      status: DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::INFO,
      condition: "a > 0",
      notifications: [],
    }),
  ],
  options: DatadogAPIClient::V2::SecurityMonitoringRuleOptions.new({
    evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::FIFTEEN_MINUTES,
    keep_alive: DatadogAPIClient::V2::SecurityMonitoringRuleKeepAlive::ONE_HOUR,
    max_signal_duration: DatadogAPIClient::V2::SecurityMonitoringRuleMaxSignalDuration::ONE_DAY,
  }),
  message: "Test rule",
  tags: [],
  is_enabled: true,
  type: DatadogAPIClient::V2::SecurityMonitoringRuleTypeCreate::LOG_DETECTION,
})
p api_instance.create_security_monitoring_rule(body)

# Create a detection rule with type 'impossible_travel' returns "OK" response

require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new

body = DatadogAPIClient::V2::SecurityMonitoringStandardRuleCreatePayload.new({
  queries: [
    DatadogAPIClient::V2::SecurityMonitoringStandardRuleQuery.new({
      aggregation: DatadogAPIClient::V2::SecurityMonitoringRuleQueryAggregation::GEO_DATA,
      group_by_fields: [
        "@usr.id",
      ],
      distinct_fields: [],
      metric: "@network.client.geoip",
      query: "*",
    }),
  ],
  cases: [
    DatadogAPIClient::V2::SecurityMonitoringRuleCaseCreate.new({
      name: "",
      status: DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::INFO,
      notifications: [],
    }),
  ],
  has_extended_title: true,
  message: "test",
  is_enabled: true,
  options: DatadogAPIClient::V2::SecurityMonitoringRuleOptions.new({
    max_signal_duration: DatadogAPIClient::V2::SecurityMonitoringRuleMaxSignalDuration::ONE_DAY,
    evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::FIFTEEN_MINUTES,
    keep_alive: DatadogAPIClient::V2::SecurityMonitoringRuleKeepAlive::ONE_HOUR,
    detection_method: DatadogAPIClient::V2::SecurityMonitoringRuleDetectionMethod::IMPOSSIBLE_TRAVEL,
    impossible_travel_options: DatadogAPIClient::V2::SecurityMonitoringRuleImpossibleTravelOptions.new({
      baseline_user_locations: false,
    }),
  }),
  name: "Example-Security-Monitoring",
  type: DatadogAPIClient::V2::SecurityMonitoringRuleTypeCreate::LOG_DETECTION,
  tags: [],
  filters: [],
})
p api_instance.create_security_monitoring_rule(body)

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"

/**
 * Create a cloud_configuration rule returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiCreateSecurityMonitoringRuleRequest = {
  body: {
    type: "cloud_configuration",
    name: "Example-Security-Monitoring_cloud",
    isEnabled: false,
    cases: [
      {
        status: "info",
        notifications: ["channel"],
      },
    ],
    options: {
      complianceRuleOptions: {
        resourceType: "gcp_compute_disk",
        complexRule: false,
        regoRule: {
          policy: `package datadog

import data.datadog.output as dd_output

import future.keywords.contains
import future.keywords.if
import future.keywords.in

milliseconds_in_a_day := ((1000 * 60) * 60) * 24

eval(iam_service_account_key) = "skip" if {
	iam_service_account_key.disabled
} else = "pass" if {
	(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90
} else = "fail"

# This part remains unchanged for all rules
results contains result if {
	some resource in input.resources[input.main_resource_type]
	result := dd_output.format(resource, eval(resource))
}
`,
          resourceTypes: ["gcp_compute_disk"],
        },
      },
    },
    message: "ddd",
    tags: ["my:tag"],
    complianceSignalOptions: {
      userActivationStatus: true,
      userGroupByFields: ["@account_id"],
    },
    filters: [
      {
        action: "require",
        query: "resource_id:helo*",
      },
      {
        action: "suppress",
        query: "control:helo*",
      },
    ],
  },
};

apiInstance
  .createSecurityMonitoringRule(params)
  .then((data: v2.SecurityMonitoringRuleResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

/**
 * Create a detection rule returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiCreateSecurityMonitoringRuleRequest = {
  body: {
    name: "Example-Security-Monitoring",
    queries: [
      {
        query: "@test:true",
        aggregation: "count",
        groupByFields: [],
        distinctFields: [],
        metric: "",
      },
    ],
    filters: [],
    cases: [
      {
        name: "",
        status: "info",
        condition: "a > 0",
        notifications: [],
      },
    ],
    options: {
      evaluationWindow: 900,
      keepAlive: 3600,
      maxSignalDuration: 86400,
    },
    message: "Test rule",
    tags: [],
    isEnabled: true,
    type: "log_detection",
  },
};

apiInstance
  .createSecurityMonitoringRule(params)
  .then((data: v2.SecurityMonitoringRuleResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

/**
 * Create a detection rule with type 'impossible_travel' returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);

const params: v2.SecurityMonitoringApiCreateSecurityMonitoringRuleRequest = {
  body: {
    queries: [
      {
        aggregation: "geo_data",
        groupByFields: ["@usr.id"],
        distinctFields: [],
        metric: "@network.client.geoip",
        query: "*",
      },
    ],
    cases: [
      {
        name: "",
        status: "info",
        notifications: [],
      },
    ],
    hasExtendedTitle: true,
    message: "test",
    isEnabled: true,
    options: {
      maxSignalDuration: 86400,
      evaluationWindow: 900,
      keepAlive: 3600,
      detectionMethod: "impossible_travel",
      impossibleTravelOptions: {
        baselineUserLocations: false,
      },
    },
    name: "Example-Security-Monitoring",
    type: "log_detection",
    tags: [],
    filters: [],
  },
};

apiInstance
  .createSecurityMonitoringRule(params)
  .then((data: v2.SecurityMonitoringRuleResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"

List rules

v2 (latest)

GET https://api.ap1.datadoghq.com/api/v2/security_monitoring/ruleshttps://api.datadoghq.eu/api/v2/security_monitoring/ruleshttps://api.ddog-gov.com/api/v2/security_monitoring/ruleshttps://api.datadoghq.com/api/v2/security_monitoring/ruleshttps://api.us3.datadoghq.com/api/v2/security_monitoring/ruleshttps://api.us5.datadoghq.com/api/v2/security_monitoring/rules

개요

List rules. This endpoint requires the security_monitoring_rules_read authorization scope.

인수

Query Strings

이름

유형

설명

page[size]

integer

Size for a given page. The maximum allowed value is 100.

page[number]

integer

Specific page number to return.

응답

List of rules.

Expand All

항목

유형

설명

data

[ <oneOf>]

Array containing the list of rules.

Option 1

Rule.

options

object

Options on rules.

Option 2

Rule.

options

object

Options on rules.

Code Example

                  # Curl command
curl -X GET "https://api.ap1.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/rules" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"

                

"""
List rules returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi

configuration = Configuration()
with ApiClient(configuration) as api_client:
    api_instance = SecurityMonitoringApi(api_client)
    response = api_instance.list_security_monitoring_rules()

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    DD_SITE="datadoghq.comus3.datad