Datadog Cloud Security

Create detection rule

Create a detection rule.

Inputs

Each field is listed as name (type); [required] marks mandatory fields, and nested fields are indented under their parent object.

ruleName [required] (string)
    Name of the new detection rule.

queries [required] ([object])
    Queries for selecting the logs that are part of the rule.
    query [required] (string)
        Query to run on logs.

message [required] (string)
    Message to be included in the Security Signal.

cases [required] ([object])
    Conditions for when to generate security signals.
    status [required] (enum)
        Severity of the Security Signal. Allowed enum values: info, low, medium, high, critical
    condition (string)
        A rule case contains logical operations (>, >=, &&, ||) that determine whether a signal should be generated, based on the event counts of the previously defined queries.
    name (string)
        Name of the case.

maxSignalDuration (enum)
    A signal will "close" regardless of the query being matched once the time exceeds the maximum duration. This time is calculated from the first-seen timestamp. Allowed enum values: 0, 60, 300, 600, 900, 1800, 3600, 7200, 10800, 21600, 43200, 86400

evaluationWindow (enum)
    A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. Allowed enum values: 0, 60, 300, 600, 900, 1800, 3600, 7200

keepAlive (enum)
    Once a signal is generated, the signal will remain "open" if a case is matched at least once within this keep-alive window. Allowed enum values: 0, 60, 300, 600, 900, 1800, 3600, 7200, 10800, 21600

tags ([string])
    Tags for generated signals.
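The following is an added example, not code from Datadog or from this action's own implementation. It assembles the action's input object from the fields above and rejects values outside the enum lists the reference gives, so a malformed rule fails locally before it is submitted. The sample rule (repeated authentication failures) is constructed for illustration: the log attribute names, the message text and the condition's reference to the first query as "a" are assumptions, and the duration values are taken here as seconds.

```python
import json

# Allowed enum values, copied from the action's input reference above.
SEVERITIES = ("info", "low", "medium", "high", "critical")
MAX_SIGNAL_DURATIONS = (0, 60, 300, 600, 900, 1800, 3600, 7200, 10800, 21600, 43200, 86400)
EVALUATION_WINDOWS = (0, 60, 300, 600, 900, 1800, 3600, 7200)
KEEP_ALIVES = (0, 60, 300, 600, 900, 1800, 3600, 7200, 10800, 21600)


def _check_enum(field, value, allowed):
    """Reject a value the reference does not list for this field."""
    if value not in allowed:
        raise ValueError(f"{field}={value!r} is not one of {allowed}")


def build_detection_rule(rule_name, queries, message, cases,
                         max_signal_duration=None, evaluation_window=None,
                         keep_alive=None, tags=None):
    """Assemble the action's input object and validate it against the reference.

    `queries` is a list of log query strings; `cases` is a list of dicts with a
    required 'status' and optional 'condition' and 'name'.
    """
    if not rule_name or not queries or not message or not cases:
        raise ValueError("ruleName, queries, message and cases are all required")

    payload = {
        "ruleName": rule_name,
        "queries": [{"query": q} for q in queries],
        "message": message,
        "cases": [],
    }
    for case in cases:
        if "status" not in case:
            raise ValueError("each case needs a status")
        _check_enum("status", case["status"], SEVERITIES)
        entry = {"status": case["status"]}
        for optional_key in ("condition", "name"):
            if optional_key in case:
                entry[optional_key] = case[optional_key]
        payload["cases"].append(entry)

    # The three timing fields are optional enums; only emit the ones supplied.
    for field, value, allowed in (
        ("maxSignalDuration", max_signal_duration, MAX_SIGNAL_DURATIONS),
        ("evaluationWindow", evaluation_window, EVALUATION_WINDOWS),
        ("keepAlive", keep_alive, KEEP_ALIVES),
    ):
        if value is not None:
            _check_enum(field, value, allowed)
            payload[field] = value

    if tags:
        payload["tags"] = list(tags)
    return payload


def is_valid_rule(**kwargs):
    """True when build_detection_rule accepts the arguments, False otherwise."""
    try:
        build_detection_rule(**kwargs)
    except ValueError:
        return False
    return True


# Constructed example: many failed logins in a five-minute sliding window.
# The attribute names in the query and the "a" in the conditions (assumed to
# refer to the first query) are illustrative assumptions, not from the reference.
FAILED_LOGIN_RULE = build_detection_rule(
    rule_name="Repeated authentication failures",
    queries=["source:auth @evt.outcome:failure"],
    message="More than ten failed logins for a single user within five minutes.",
    cases=[
        {"name": "high volume", "status": "high", "condition": "a > 10"},
        {"name": "moderate volume", "status": "medium", "condition": "a > 3"},
    ],
    max_signal_duration=86400,  # close the signal after one day at most
    evaluation_window=300,      # sliding five-minute window
    keep_alive=3600,            # stay open while a case matches within an hour
    tags=["attack:credential-access", "team:detection"],
)

if __name__ == "__main__":
    print(json.dumps(FAILED_LOGIN_RULE, indent=2))
```

Running the module prints the JSON object to pass as the action's input; `is_valid_rule` is the same check packaged as a boolean, which is convenient when validating many rule definitions in a pipeline.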

Outputs

Each field is listed as name (type); [required] marks fields that are always present, and nested fields are indented under their parent object.

url [required] (string)
    URL for the detection rule.

cases (object)
    Cases for generating signals.
    status (enum)
        Severity of the Security Signal. Allowed enum values: info, low, medium, high, critical
    condition (string)
        A rule case contains logical operations (>, >=, &&, ||) that determine whether a signal should be generated, based on the event counts of the previously defined queries.
    name (string)
        Name of the case.
    notifications [required] ([string])
        Notification targets for each rule case.

complianceSignalOptions (object)
    How to generate compliance signals. Useful for cloud_configuration rules only.

createdAt (number)
    When the rule was created, as a timestamp in milliseconds.

creationAuthorId (number)
    User ID of the user who created the rule.

deprecationDate (number)
    When the rule will be deprecated, as a timestamp in milliseconds.

filters ([object])
    Additional queries to filter matched events before they are processed.

hasExtendedTitle (boolean)
    Whether the notifications include the triggering group-by values in their title.

id (string)
    The ID of the rule.

isDefault (boolean)
    Whether the rule is included by default.

isDeleted (boolean)
    Whether the rule has been deleted.

isEnabled (boolean)
    Whether the rule is enabled.

message (string)
    Message for generated signals.

name (string)
    The name of the rule.

options (object)
    Options on rules.

queries ([object])
    Queries for selecting the logs that are part of the rule.

tags ([string])
    Tags for generated signals.

type (enum)
    The rule type. Allowed enum values: log_detection, infrastructure_configuration, workload_security, cloud_configuration, application_security

updateAuthorId (number)
    User ID of the user who last updated the rule.

version (number)
    The version of the rule.