Object containing the attributes of the suppression rule to be created.
data_exclusion_query
string
An exclusion query on the input data of the security rules, which could be logs, Agent events, or other types of data based on the security rule. Events matching this query are ignored by any detection rules referenced in the suppression rule.
description
string
A description for the suppression rule.
enabled [required]
boolean
Whether the suppression rule is enabled.
expiration_date
int64
A Unix millisecond timestamp giving an expiration date for the suppression rule. After this date, it won't suppress signals anymore.
name [required]
string
The name of the suppression rule.
rule_query [required]
string
The rule query of the suppression rule, with the same syntax as the search bar for detection rules.
suppression_query
string
The suppression query of the suppression rule. If a signal matches this query, it is suppressed and is not triggered. It uses the same syntax as the queries to search signals in the Signals Explorer.
type [required]
enum
The type of the resource. The value should always be suppressions.
Allowed enum values: suppressions
default: suppressions
{"data":{"attributes":{"description":"This rule suppresses low-severity signals in staging environments.","enabled":true,"expiration_date":1638443471000,"name":"Example-Security-Monitoring","rule_query":"type:log_detection source:cloudtrail","suppression_query":"env:staging status:low"},"type":"suppressions"}}
{"data":{"attributes":{"description":"This rule suppresses low-severity signals in staging environments.","enabled":true,"expiration_date":1638443471000,"name":"Example-Security-Monitoring","rule_query":"type:log_detection source:cloudtrail","data_exclusion_query":"account_id:12345"},"type":"suppressions"}}
Response object containing a single suppression rule.
Expand All
Champ
Type
Description
data
object
The suppression rule's properties.
attributes
object
The attributes of the suppression rule.
creation_date
int64
A Unix millisecond timestamp given the creation date of the suppression rule.
creator
object
A user.
handle
string
The handle of the user.
name
string
The name of the user.
data_exclusion_query
string
An exclusion query on the input data of the security rules, which could be logs, Agent events, or other types of data based on the security rule. Events matching this query are ignored by any detection rules referenced in the suppression rule.
description
string
A description for the suppression rule.
editable
boolean
Whether the suppression rule is editable.
enabled
boolean
Whether the suppression rule is enabled.
expiration_date
int64
A Unix millisecond timestamp giving an expiration date for the suppression rule. After this date, it won't suppress signals anymore.
name
string
The name of the suppression rule.
rule_query
string
The rule query of the suppression rule, with the same syntax as the search bar for detection rules.
suppression_query
string
The suppression query of the suppression rule. If a signal matches this query, it is suppressed and not triggered. Same syntax as the queries to search signals in the signal explorer.
update_date
int64
A Unix millisecond timestamp given the update date of the suppression rule.
updater
object
A user.
handle
string
The handle of the user.
name
string
The name of the user.
version
int32
The version of the suppression rule; it starts at 1, and is incremented at each update.
id
string
The ID of the suppression rule.
type
enum
The type of the resource. The value should always be suppressions.
Allowed enum values: suppressions
# Create a suppression rule returns "OK" responserequire"datadog_api_client"api_instance=DatadogAPIClient::V2::SecurityMonitoringAPI.newbody=DatadogAPIClient::V2::SecurityMonitoringSuppressionCreateRequest.new({data:DatadogAPIClient::V2::SecurityMonitoringSuppressionCreateData.new({attributes:DatadogAPIClient::V2::SecurityMonitoringSuppressionCreateAttributes.new({description:"This rule suppresses low-severity signals in staging environments.",enabled:true,expiration_date:1638443471000,name:"Example-Security-Monitoring",rule_query:"type:log_detection source:cloudtrail",suppression_query:"env:staging status:low",}),type:DatadogAPIClient::V2::SecurityMonitoringSuppressionType::SUPPRESSIONS,}),})papi_instance.create_security_monitoring_suppression(body)
# Create a suppression rule with an exclusion query returns "OK" responserequire"datadog_api_client"api_instance=DatadogAPIClient::V2::SecurityMonitoringAPI.newbody=DatadogAPIClient::V2::SecurityMonitoringSuppressionCreateRequest.new({data:DatadogAPIClient::V2::SecurityMonitoringSuppressionCreateData.new({attributes:DatadogAPIClient::V2::SecurityMonitoringSuppressionCreateAttributes.new({description:"This rule suppresses low-severity signals in staging environments.",enabled:true,expiration_date:1638443471000,name:"Example-Security-Monitoring",rule_query:"type:log_detection source:cloudtrail",data_exclusion_query:"account_id:12345",}),type:DatadogAPIClient::V2::SecurityMonitoringSuppressionType::SUPPRESSIONS,}),})papi_instance.create_security_monitoring_suppression(body)
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com"DD_API_KEY="<DD_API_KEY>"DD_APP_KEY="<DD_APP_KEY>"cargo run
/**
* Create a suppression rule returns "OK" response
*/import{client,v2}from"@datadog/datadog-api-client";constconfiguration=client.createConfiguration();constapiInstance=newv2.SecurityMonitoringApi(configuration);constparams: v2.SecurityMonitoringApiCreateSecurityMonitoringSuppressionRequest={body:{data:{attributes:{description:"This rule suppresses low-severity signals in staging environments.",enabled: true,expirationDate: 1638443471000,name:"Example-Security-Monitoring",ruleQuery:"type:log_detection source:cloudtrail",suppressionQuery:"env:staging status:low",},type:"suppressions",},},};apiInstance.createSecurityMonitoringSuppression(params).then((data: v2.SecurityMonitoringSuppressionResponse)=>{console.log("API called successfully. Returned data: "+JSON.stringify(data));}).catch((error: any)=>console.error(error));
/**
* Create a suppression rule with an exclusion query returns "OK" response
*/import{client,v2}from"@datadog/datadog-api-client";constconfiguration=client.createConfiguration();constapiInstance=newv2.SecurityMonitoringApi(configuration);constparams: v2.SecurityMonitoringApiCreateSecurityMonitoringSuppressionRequest={body:{data:{attributes:{description:"This rule suppresses low-severity signals in staging environments.",enabled: true,expirationDate: 1638443471000,name:"Example-Security-Monitoring",ruleQuery:"type:log_detection source:cloudtrail",dataExclusionQuery:"account_id:12345",},type:"suppressions",},},};apiInstance.createSecurityMonitoringSuppression(params).then((data: v2.SecurityMonitoringSuppressionResponse)=>{console.log("API called successfully. Returned data: "+JSON.stringify(data));}).catch((error: any)=>console.error(error));
"""
Delete a suppression rule returns "OK" response
"""fromosimportenvironfromdatadog_api_clientimportApiClient,Configurationfromdatadog_api_client.v2.api.security_monitoring_apiimportSecurityMonitoringApi# there is a valid "suppression" in the systemSUPPRESSION_DATA_ID=environ["SUPPRESSION_DATA_ID"]configuration=Configuration()withApiClient(configuration)asapi_client:api_instance=SecurityMonitoringApi(api_client)api_instance.delete_security_monitoring_suppression(suppression_id=SUPPRESSION_DATA_ID,)
# Delete a suppression rule returns "OK" responserequire"datadog_api_client"api_instance=DatadogAPIClient::V2::SecurityMonitoringAPI.new# there is a valid "suppression" in the systemSUPPRESSION_DATA_ID=ENV["SUPPRESSION_DATA_ID"]api_instance.delete_security_monitoring_suppression(SUPPRESSION_DATA_ID)
// Delete a suppression rule returns "OK" response
packagemainimport("context""fmt""os""github.com/DataDog/datadog-api-client-go/v2/api/datadog""github.com/DataDog/datadog-api-client-go/v2/api/datadogV2")funcmain(){// there is a valid "suppression" in the system
SuppressionDataID:=os.Getenv("SUPPRESSION_DATA_ID")ctx:=datadog.NewDefaultContext(context.Background())configuration:=datadog.NewConfiguration()apiClient:=datadog.NewAPIClient(configuration)api:=datadogV2.NewSecurityMonitoringApi(apiClient)r,err:=api.DeleteSecurityMonitoringSuppression(ctx,SuppressionDataID)iferr!=nil{fmt.Fprintf(os.Stderr,"Error when calling `SecurityMonitoringApi.DeleteSecurityMonitoringSuppression`: %v\n",err)fmt.Fprintf(os.Stderr,"Full HTTP response: %v\n",r)}}
// Delete a suppression rule returns "OK" responseimportcom.datadog.api.client.ApiClient;importcom.datadog.api.client.ApiException;importcom.datadog.api.client.v2.api.SecurityMonitoringApi;publicclassExample{publicstaticvoidmain(String[]args){ApiClientdefaultClient=ApiClient.getDefaultApiClient();SecurityMonitoringApiapiInstance=newSecurityMonitoringApi(defaultClient);// there is a valid "suppression" in the systemStringSUPPRESSION_DATA_ID=System.getenv("SUPPRESSION_DATA_ID");try{apiInstance.deleteSecurityMonitoringSuppression(SUPPRESSION_DATA_ID);}catch(ApiExceptione){System.err.println("Exception when calling SecurityMonitoringApi#deleteSecurityMonitoringSuppression");System.err.println("Status code: "+e.getCode());System.err.println("Reason: "+e.getResponseBody());System.err.println("Response headers: "+e.getResponseHeaders());e.printStackTrace();}}}
// Delete a suppression rule returns "OK" response
usedatadog_api_client::datadog;usedatadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;#[tokio::main]asyncfnmain(){// there is a valid "suppression" in the system
letsuppression_data_id=std::env::var("SUPPRESSION_DATA_ID").unwrap();letconfiguration=datadog::Configuration::new();letapi=SecurityMonitoringAPI::with_config(configuration);letresp=api.delete_security_monitoring_suppression(suppression_data_id.clone()).await;ifletOk(value)=resp{println!("{:#?}",value);}else{println!("{:#?}",resp.unwrap_err());}}
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com"DD_API_KEY="<DD_API_KEY>"DD_APP_KEY="<DD_APP_KEY>"cargo run
/**
* Delete a suppression rule returns "OK" response
*/import{client,v2}from"@datadog/datadog-api-client";constconfiguration=client.createConfiguration();constapiInstance=newv2.SecurityMonitoringApi(configuration);// there is a valid "suppression" in the system
constSUPPRESSION_DATA_ID=process.env.SUPPRESSION_DATA_IDasstring;constparams: v2.SecurityMonitoringApiDeleteSecurityMonitoringSuppressionRequest={suppressionId: SUPPRESSION_DATA_ID,};apiInstance.deleteSecurityMonitoringSuppression(params).then((data: any)=>{console.log("API called successfully. Returned data: "+JSON.stringify(data));}).catch((error: any)=>console.error(error));
Response object containing a single suppression rule.
Expand All
Champ
Type
Description
data
object
The suppression rule's properties.
attributes
object
The attributes of the suppression rule.
creation_date
int64
A Unix millisecond timestamp given the creation date of the suppression rule.
creator
object
A user.
handle
string
The handle of the user.
name
string
The name of the user.
data_exclusion_query
string
An exclusion query on the input data of the security rules, which could be logs, Agent events, or other types of data based on the security rule. Events matching this query are ignored by any detection rules referenced in the suppression rule.
description
string
A description for the suppression rule.
editable
boolean
Whether the suppression rule is editable.
enabled
boolean
Whether the suppression rule is enabled.
expiration_date
int64
A Unix millisecond timestamp giving an expiration date for the suppression rule. After this date, it won't suppress signals anymore.
name
string
The name of the suppression rule.
rule_query
string
The rule query of the suppression rule, with the same syntax as the search bar for detection rules.
suppression_query
string
The suppression query of the suppression rule. If a signal matches this query, it is suppressed and not triggered. Same syntax as the queries to search signals in the signal explorer.
update_date
int64
A Unix millisecond timestamp given the update date of the suppression rule.
updater
object
A user.
handle
string
The handle of the user.
name
string
The name of the user.
version
int32
The version of the suppression rule; it starts at 1, and is incremented at each update.
id
string
The ID of the suppression rule.
type
enum
The type of the resource. The value should always be suppressions.
Allowed enum values: suppressions
"""
Get a suppression rule returns "OK" response
"""fromosimportenvironfromdatadog_api_clientimportApiClient,Configurationfromdatadog_api_client.v2.api.security_monitoring_apiimportSecurityMonitoringApi# there is a valid "suppression" in the systemSUPPRESSION_DATA_ID=environ["SUPPRESSION_DATA_ID"]configuration=Configuration()withApiClient(configuration)asapi_client:api_instance=SecurityMonitoringApi(api_client)response=api_instance.get_security_monitoring_suppression(suppression_id=SUPPRESSION_DATA_ID,)print(response)
# Get a suppression rule returns "OK" responserequire"datadog_api_client"api_instance=DatadogAPIClient::V2::SecurityMonitoringAPI.new# there is a valid "suppression" in the systemSUPPRESSION_DATA_ID=ENV["SUPPRESSION_DATA_ID"]papi_instance.get_security_monitoring_suppression(SUPPRESSION_DATA_ID)
// Get a suppression rule returns "OK" response
packagemainimport("context""encoding/json""fmt""os""github.com/DataDog/datadog-api-client-go/v2/api/datadog""github.com/DataDog/datadog-api-client-go/v2/api/datadogV2")funcmain(){// there is a valid "suppression" in the system
SuppressionDataID:=os.Getenv("SUPPRESSION_DATA_ID")ctx:=datadog.NewDefaultContext(context.Background())configuration:=datadog.NewConfiguration()apiClient:=datadog.NewAPIClient(configuration)api:=datadogV2.NewSecurityMonitoringApi(apiClient)resp,r,err:=api.GetSecurityMonitoringSuppression(ctx,SuppressionDataID)iferr!=nil{fmt.Fprintf(os.Stderr,"Error when calling `SecurityMonitoringApi.GetSecurityMonitoringSuppression`: %v\n",err)fmt.Fprintf(os.Stderr,"Full HTTP response: %v\n",r)}responseContent,_:=json.MarshalIndent(resp,""," ")fmt.Fprintf(os.Stdout,"Response from `SecurityMonitoringApi.GetSecurityMonitoringSuppression`:\n%s\n",responseContent)}
// Get a suppression rule returns "OK" responseimportcom.datadog.api.client.ApiClient;importcom.datadog.api.client.ApiException;importcom.datadog.api.client.v2.api.SecurityMonitoringApi;importcom.datadog.api.client.v2.model.SecurityMonitoringSuppressionResponse;publicclassExample{publicstaticvoidmain(String[]args){ApiClientdefaultClient=ApiClient.getDefaultApiClient();SecurityMonitoringApiapiInstance=newSecurityMonitoringApi(defaultClient);// there is a valid "suppression" in the systemStringSUPPRESSION_DATA_ID=System.getenv("SUPPRESSION_DATA_ID");try{SecurityMonitoringSuppressionResponseresult=apiInstance.getSecurityMonitoringSuppression(SUPPRESSION_DATA_ID);System.out.println(result);}catch(ApiExceptione){System.err.println("Exception when calling SecurityMonitoringApi#getSecurityMonitoringSuppression");System.err.println("Status code: "+e.getCode());System.err.println("Reason: "+e.getResponseBody());System.err.println("Response headers: "+e.getResponseHeaders());e.printStackTrace();}}}
// Get a suppression rule returns "OK" response
usedatadog_api_client::datadog;usedatadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;#[tokio::main]asyncfnmain(){// there is a valid "suppression" in the system
letsuppression_data_id=std::env::var("SUPPRESSION_DATA_ID").unwrap();letconfiguration=datadog::Configuration::new();letapi=SecurityMonitoringAPI::with_config(configuration);letresp=api.get_security_monitoring_suppression(suppression_data_id.clone()).await;ifletOk(value)=resp{println!("{:#?}",value);}else{println!("{:#?}",resp.unwrap_err());}}
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com"DD_API_KEY="<DD_API_KEY>"DD_APP_KEY="<DD_APP_KEY>"cargo run
/**
* Get a suppression rule returns "OK" response
*/import{client,v2}from"@datadog/datadog-api-client";constconfiguration=client.createConfiguration();constapiInstance=newv2.SecurityMonitoringApi(configuration);// there is a valid "suppression" in the system
constSUPPRESSION_DATA_ID=process.env.SUPPRESSION_DATA_IDasstring;constparams: v2.SecurityMonitoringApiGetSecurityMonitoringSuppressionRequest={suppressionId: SUPPRESSION_DATA_ID,};apiInstance.getSecurityMonitoringSuppression(params).then((data: v2.SecurityMonitoringSuppressionResponse)=>{console.log("API called successfully. Returned data: "+JSON.stringify(data));}).catch((error: any)=>console.error(error));
Response object containing the available suppression rules.
Expand All
Champ
Type
Description
data
[object]
A list of suppressions objects.
attributes
object
The attributes of the suppression rule.
creation_date
int64
A Unix millisecond timestamp given the creation date of the suppression rule.
creator
object
A user.
handle
string
The handle of the user.
name
string
The name of the user.
data_exclusion_query
string
An exclusion query on the input data of the security rules, which could be logs, Agent events, or other types of data based on the security rule. Events matching this query are ignored by any detection rules referenced in the suppression rule.
description
string
A description for the suppression rule.
editable
boolean
Whether the suppression rule is editable.
enabled
boolean
Whether the suppression rule is enabled.
expiration_date
int64
A Unix millisecond timestamp giving an expiration date for the suppression rule. After this date, it won't suppress signals anymore.
name
string
The name of the suppression rule.
rule_query
string
The rule query of the suppression rule, with the same syntax as the search bar for detection rules.
suppression_query
string
The suppression query of the suppression rule. If a signal matches this query, it is suppressed and not triggered. Same syntax as the queries to search signals in the signal explorer.
update_date
int64
A Unix millisecond timestamp given the update date of the suppression rule.
updater
object
A user.
handle
string
The handle of the user.
name
string
The name of the user.
version
int32
The version of the suppression rule; it starts at 1, and is incremented at each update.
id
string
The ID of the suppression rule.
type
enum
The type of the resource. The value should always be suppressions.
Allowed enum values: suppressions
"""
Get all suppression rules returns "OK" response
"""fromdatadog_api_clientimportApiClient,Configurationfromdatadog_api_client.v2.api.security_monitoring_apiimportSecurityMonitoringApiconfiguration=Configuration()withApiClient(configuration)asapi_client:api_instance=SecurityMonitoringApi(api_client)response=api_instance.list_security_monitoring_suppressions()print(response)
# Get all suppression rules returns "OK" responserequire"datadog_api_client"api_instance=DatadogAPIClient::V2::SecurityMonitoringAPI.newpapi_instance.list_security_monitoring_suppressions()
// Get all suppression rules returns "OK" response
packagemainimport("context""encoding/json""fmt""os""github.com/DataDog/datadog-api-client-go/v2/api/datadog""github.com/DataDog/datadog-api-client-go/v2/api/datadogV2")funcmain(){ctx:=datadog.NewDefaultContext(context.Background())configuration:=datadog.NewConfiguration()apiClient:=datadog.NewAPIClient(configuration)api:=datadogV2.NewSecurityMonitoringApi(apiClient)resp,r,err:=api.ListSecurityMonitoringSuppressions(ctx)iferr!=nil{fmt.Fprintf(os.Stderr,"Error when calling `SecurityMonitoringApi.ListSecurityMonitoringSuppressions`: %v\n",err)fmt.Fprintf(os.Stderr,"Full HTTP response: %v\n",r)}responseContent,_:=json.MarshalIndent(resp,""," ")fmt.Fprintf(os.Stdout,"Response from `SecurityMonitoringApi.ListSecurityMonitoringSuppressions`:\n%s\n",responseContent)}
// Get all suppression rules returns "OK" response
usedatadog_api_client::datadog;usedatadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;#[tokio::main]asyncfnmain(){letconfiguration=datadog::Configuration::new();letapi=SecurityMonitoringAPI::with_config(configuration);letresp=api.list_security_monitoring_suppressions().await;ifletOk(value)=resp{println!("{:#?}",value);}else{println!("{:#?}",resp.unwrap_err());}}
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com"DD_API_KEY="<DD_API_KEY>"DD_APP_KEY="<DD_APP_KEY>"cargo run
/**
* Get all suppression rules returns "OK" response
*/import{client,v2}from"@datadog/datadog-api-client";constconfiguration=client.createConfiguration();constapiInstance=newv2.SecurityMonitoringApi(configuration);apiInstance.listSecurityMonitoringSuppressions().then((data: v2.SecurityMonitoringSuppressionsResponse)=>{console.log("API called successfully. Returned data: "+JSON.stringify(data));}).catch((error: any)=>console.error(error));
The new suppression properties; partial updates are supported.
attributes [required]
object
The suppression rule properties to be updated.
data_exclusion_query
string
An exclusion query on the input data of the security rules, which could be logs, Agent events, or other types of data based on the security rule. Events matching this query are ignored by any detection rules referenced in the suppression rule.
description
string
A description for the suppression rule.
enabled
boolean
Whether the suppression rule is enabled.
expiration_date
int64
A Unix millisecond timestamp giving an expiration date for the suppression rule. After this date, it won't suppress signals anymore. If unset, the expiration date of the suppression rule is left untouched. If set to null, the expiration date is removed.
name
string
The name of the suppression rule.
rule_query
string
The rule query of the suppression rule, with the same syntax as the search bar for detection rules.
suppression_query
string
The suppression query of the suppression rule. If a signal matches this query, it is suppressed and not triggered. Same syntax as the queries to search signals in the signal explorer.
version
int32
The current version of the suppression. This is optional, but it can help prevent concurrent modifications.
type [required]
enum
The type of the resource. The value should always be suppressions.
Allowed enum values: suppressions
Response object containing a single suppression rule.
Expand All
Champ
Type
Description
data
object
The suppression rule's properties.
attributes
object
The attributes of the suppression rule.
creation_date
int64
A Unix millisecond timestamp given the creation date of the suppression rule.
creator
object
A user.
handle
string
The handle of the user.
name
string
The name of the user.
data_exclusion_query
string
An exclusion query on the input data of the security rules, which could be logs, Agent events, or other types of data based on the security rule. Events matching this query are ignored by any detection rules referenced in the suppression rule.
description
string
A description for the suppression rule.
editable
boolean
Whether the suppression rule is editable.
enabled
boolean
Whether the suppression rule is enabled.
expiration_date
int64
A Unix millisecond timestamp giving an expiration date for the suppression rule. After this date, it won't suppress signals anymore.
name
string
The name of the suppression rule.
rule_query
string
The rule query of the suppression rule, with the same syntax as the search bar for detection rules.
suppression_query
string
The suppression query of the suppression rule. If a signal matches this query, it is suppressed and not triggered. Same syntax as the queries to search signals in the signal explorer.
update_date
int64
A Unix millisecond timestamp given the update date of the suppression rule.
updater
object
A user.
handle
string
The handle of the user.
name
string
The name of the user.
version
int32
The version of the suppression rule; it starts at 1, and is incremented at each update.
id
string
The ID of the suppression rule.
type
enum
The type of the resource. The value should always be suppressions.
Allowed enum values: suppressions
// Update a suppression rule returns "OK" response
packagemainimport("context""encoding/json""fmt""os""github.com/DataDog/datadog-api-client-go/v2/api/datadog""github.com/DataDog/datadog-api-client-go/v2/api/datadogV2")funcmain(){// there is a valid "suppression" in the system
SuppressionDataID:=os.Getenv("SUPPRESSION_DATA_ID")body:=datadogV2.SecurityMonitoringSuppressionUpdateRequest{Data:datadogV2.SecurityMonitoringSuppressionUpdateData{Attributes:datadogV2.SecurityMonitoringSuppressionUpdateAttributes{SuppressionQuery:datadog.PtrString("env:staging status:low"),},Type:datadogV2.SECURITYMONITORINGSUPPRESSIONTYPE_SUPPRESSIONS,},}ctx:=datadog.NewDefaultContext(context.Background())configuration:=datadog.NewConfiguration()apiClient:=datadog.NewAPIClient(configuration)api:=datadogV2.NewSecurityMonitoringApi(apiClient)resp,r,err:=api.UpdateSecurityMonitoringSuppression(ctx,SuppressionDataID,body)iferr!=nil{fmt.Fprintf(os.Stderr,"Error when calling `SecurityMonitoringApi.UpdateSecurityMonitoringSuppression`: %v\n",err)fmt.Fprintf(os.Stderr,"Full HTTP response: %v\n",r)}responseContent,_:=json.MarshalIndent(resp,""," ")fmt.Fprintf(os.Stdout,"Response from `SecurityMonitoringApi.UpdateSecurityMonitoringSuppression`:\n%s\n",responseContent)}
// Update a suppression rule returns "OK" responseimportcom.datadog.api.client.ApiClient;importcom.datadog.api.client.ApiException;importcom.datadog.api.client.v2.api.SecurityMonitoringApi;importcom.datadog.api.client.v2.model.SecurityMonitoringSuppressionResponse;importcom.datadog.api.client.v2.model.SecurityMonitoringSuppressionType;importcom.datadog.api.client.v2.model.SecurityMonitoringSuppressionUpdateAttributes;importcom.datadog.api.client.v2.model.SecurityMonitoringSuppressionUpdateData;importcom.datadog.api.client.v2.model.SecurityMonitoringSuppressionUpdateRequest;publicclassExample{publicstaticvoidmain(String[]args){ApiClientdefaultClient=ApiClient.getDefaultApiClient();SecurityMonitoringApiapiInstance=newSecurityMonitoringApi(defaultClient);// there is a valid "suppression" in the systemStringSUPPRESSION_DATA_ID=System.getenv("SUPPRESSION_DATA_ID");SecurityMonitoringSuppressionUpdateRequestbody=newSecurityMonitoringSuppressionUpdateRequest().data(newSecurityMonitoringSuppressionUpdateData().attributes(newSecurityMonitoringSuppressionUpdateAttributes().suppressionQuery("env:staging status:low")).type(SecurityMonitoringSuppressionType.SUPPRESSIONS));try{SecurityMonitoringSuppressionResponseresult=apiInstance.updateSecurityMonitoringSuppression(SUPPRESSION_DATA_ID,body);System.out.println(result);}catch(ApiExceptione){System.err.println("Exception when calling SecurityMonitoringApi#updateSecurityMonitoringSuppression");System.err.println("Status code: "+e.getCode());System.err.println("Reason: "+e.getResponseBody());System.err.println("Response headers: "+e.getResponseHeaders());e.printStackTrace();}}}
"""
Update a suppression rule returns "OK" response
"""fromosimportenvironfromdatadog_api_clientimportApiClient,Configurationfromdatadog_api_client.v2.api.security_monitoring_apiimportSecurityMonitoringApifromdatadog_api_client.v2.model.security_monitoring_suppression_typeimportSecurityMonitoringSuppressionTypefromdatadog_api_client.v2.model.security_monitoring_suppression_update_attributesimport(SecurityMonitoringSuppressionUpdateAttributes,)fromdatadog_api_client.v2.model.security_monitoring_suppression_update_dataimport(SecurityMonitoringSuppressionUpdateData,)fromdatadog_api_client.v2.model.security_monitoring_suppression_update_requestimport(SecurityMonitoringSuppressionUpdateRequest,)# there is a valid "suppression" in the systemSUPPRESSION_DATA_ID=environ["SUPPRESSION_DATA_ID"]body=SecurityMonitoringSuppressionUpdateRequest(data=SecurityMonitoringSuppressionUpdateData(attributes=SecurityMonitoringSuppressionUpdateAttributes(suppression_query="env:staging status:low",),type=SecurityMonitoringSuppressionType.SUPPRESSIONS,),)configuration=Configuration()withApiClient(configuration)asapi_client:api_instance=SecurityMonitoringApi(api_client)response=api_instance.update_security_monitoring_suppression(suppression_id=SUPPRESSION_DATA_ID,body=body)print(response)
# Update a suppression rule returns "OK" responserequire"datadog_api_client"api_instance=DatadogAPIClient::V2::SecurityMonitoringAPI.new# there is a valid "suppression" in the systemSUPPRESSION_DATA_ID=ENV["SUPPRESSION_DATA_ID"]body=DatadogAPIClient::V2::SecurityMonitoringSuppressionUpdateRequest.new({data:DatadogAPIClient::V2::SecurityMonitoringSuppressionUpdateData.new({attributes:DatadogAPIClient::V2::SecurityMonitoringSuppressionUpdateAttributes.new({suppression_query:"env:staging status:low",}),type:DatadogAPIClient::V2::SecurityMonitoringSuppressionType::SUPPRESSIONS,}),})papi_instance.update_security_monitoring_suppression(SUPPRESSION_DATA_ID,body)
// Update a suppression rule returns "OK" response
usedatadog_api_client::datadog;usedatadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;usedatadog_api_client::datadogV2::model::SecurityMonitoringSuppressionType;usedatadog_api_client::datadogV2::model::SecurityMonitoringSuppressionUpdateAttributes;usedatadog_api_client::datadogV2::model::SecurityMonitoringSuppressionUpdateData;usedatadog_api_client::datadogV2::model::SecurityMonitoringSuppressionUpdateRequest;#[tokio::main]asyncfnmain(){// there is a valid "suppression" in the system
letsuppression_data_id=std::env::var("SUPPRESSION_DATA_ID").unwrap();letbody=SecurityMonitoringSuppressionUpdateRequest::new(SecurityMonitoringSuppressionUpdateData::new(SecurityMonitoringSuppressionUpdateAttributes::new().suppression_query("env:staging status:low".to_string()),SecurityMonitoringSuppressionType::SUPPRESSIONS,),);letconfiguration=datadog::Configuration::new();letapi=SecurityMonitoringAPI::with_config(configuration);letresp=api.update_security_monitoring_suppression(suppression_data_id.clone(),body).await;ifletOk(value)=resp{println!("{:#?}",value);}else{println!("{:#?}",resp.unwrap_err());}}
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com"DD_API_KEY="<DD_API_KEY>"DD_APP_KEY="<DD_APP_KEY>"cargo run
/**
* Update a suppression rule returns "OK" response
*/import{client,v2}from"@datadog/datadog-api-client";constconfiguration=client.createConfiguration();constapiInstance=newv2.SecurityMonitoringApi(configuration);// there is a valid "suppression" in the system
constSUPPRESSION_DATA_ID=process.env.SUPPRESSION_DATA_IDasstring;constparams: v2.SecurityMonitoringApiUpdateSecurityMonitoringSuppressionRequest={body:{data:{attributes:{suppressionQuery:"env:staging status:low",},type:"suppressions",},},suppressionId: SUPPRESSION_DATA_ID,};apiInstance.updateSecurityMonitoringSuppression(params).then((data: v2.SecurityMonitoringSuppressionResponse)=>{console.log("API called successfully. Returned data: "+JSON.stringify(data));}).catch((error: any)=>console.error(error));
Filtering on tags: ?filter[tags]=tag_key:tag_value&filter[tags]=tag_key_2:tag_value_2
Here, attribute_key can be any of the filter keys described further below.
Query parameters of type integer support comparison operators (>, >=, <, <=). This is particularly useful when filtering by evaluation_changed_at or resource_discovery_timestamp. For example: ?filter[evaluation_changed_at]=>20123123121.
You can also use the negation operator on strings. For example, use filter[resource_type]=-aws* to filter for any non-AWS resources.
The operator must come after the equal sign. For example, to filter with the >= operator, add the operator after the equal sign: filter[evaluation_changed_at]=>=1678809373257.
Query parameters must be only among the documented ones and with values of correct types. Duplicated query parameters (e.g. filter[status]=low&filter[status]=info) are not allowed.
The expected response schema when listing findings.
Expand All
Champ
Type
Description
data [required]
[object]
Array of findings.
attributes
object
The JSON:API attributes of the finding.
evaluation
enum
The evaluation of the finding.
Allowed enum values: pass,fail
evaluation_changed_at
int64
The date on which the evaluation for this finding changed (Unix ms).
mute
object
Information about the mute status of this finding.
description
string
Additional information about the reason why this finding is muted or unmuted.
expiration_date
int64
The expiration date of the mute or unmute action (Unix ms).
muted
boolean
Whether this finding is muted or unmuted.
reason
enum
The reason why this finding is muted or unmuted.
Allowed enum values: PENDING_FIX,FALSE_POSITIVE,ACCEPTED_RISK,NO_PENDING_FIX,HUMAN_ERROR,NO_LONGER_ACCEPTED_RISK,OTHER
start_date
int64
The start of the mute period.
uuid
string
The ID of the user who muted or unmuted this finding.
resource
string
The resource name of this finding.
resource_discovery_date
int64
The date on which the resource was discovered (Unix ms).
resource_type
string
The resource type of this finding.
rule
object
The rule that triggered this finding.
id
string
The ID of the rule that triggered this finding.
name
string
The name of the rule that triggered this finding.
status
enum
The status of the finding.
Allowed enum values: critical,high,medium,low,info
tags
[string]
The tags associated with this finding.
vulnerability_type
enum
The vulnerability type of the finding.
Allowed enum values: misconfiguration,attack_path,identity_risk,api_security
id
string
The unique ID for this finding.
type
enum
The JSON:API type for findings.
Allowed enum values: finding
default: finding
meta [required]
object
Metadata for pagination.
page
object
Pagination and findings count information.
cursor
string
The cursor used to paginate requests.
total_filtered_count
int64
The total count of findings after the filter has been applied.
snapshot_timestamp
int64
The point in time corresponding to the listed findings.
{"data":[{"attributes":{"evaluation":"pass","evaluation_changed_at":1678721573794,"mute":{"description":"To be resolved later","expiration_date":1778721573794,"muted":true,"reason":"ACCEPTED_RISK","start_date":1678721573794,"uuid":"e51c9744-d158-11ec-ad23-da7ad0900002"},"resource":"my_resource_name","resource_discovery_date":1678721573794,"resource_type":"azure_storage_account","rule":{"id":"dv2-jzf-41i","name":"Soft delete is enabled for Azure Storage"},"status":"critical","tags":["cloud_provider:aws","myTag:myValue"],"vulnerability_type":"misconfiguration"},"id":"ZGVmLTAwcC1pZXJ-aS0wZjhjNjMyZDNmMzRlZTgzNw==","type":"finding"}],"meta":{"page":{"cursor":"eyJhZnRlciI6IkFRQUFBWWJiaEJXQS1OY1dqUUFBQUFCQldXSmlhRUpYUVVGQlJFSktkbTlDTUdaWFRVbDNRVUUiLCJ2YWx1ZXMiOlsiY3JpdGljYWwiXX0=","total_filtered_count":213},"snapshot_timestamp":1678721573794}}
Bad Request: The server cannot process the request due to invalid syntax in the request.
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com"DD_API_KEY="<DD_API_KEY>"DD_APP_KEY="<DD_APP_KEY>"cargo run
/**
* List findings returns "OK" response
*/import{client,v2}from"@datadog/datadog-api-client";constconfiguration=client.createConfiguration();configuration.unstableOperations["v2.listFindings"]=true;constapiInstance=newv2.SecurityMonitoringApi(configuration);apiInstance.listFindings().then((data: v2.ListFindingsResponse)=>{console.log("API called successfully. Returned data: "+JSON.stringify(data));}).catch((error: any)=>console.error(error));
The expected response schema when getting a finding.
Expand All
Champ
Type
Description
data [required]
object
A single finding with with message and resource configuration.
attributes
object
The JSON:API attributes of the detailed finding.
evaluation
enum
The evaluation of the finding.
Allowed enum values: pass,fail
evaluation_changed_at
int64
The date on which the evaluation for this finding changed (Unix ms).
message
string
The remediation message for this finding.
mute
object
Information about the mute status of this finding.
description
string
Additional information about the reason why this finding is muted or unmuted.
expiration_date
int64
The expiration date of the mute or unmute action (Unix ms).
muted
boolean
Whether this finding is muted or unmuted.
reason
enum
The reason why this finding is muted or unmuted.
Allowed enum values: PENDING_FIX,FALSE_POSITIVE,ACCEPTED_RISK,NO_PENDING_FIX,HUMAN_ERROR,NO_LONGER_ACCEPTED_RISK,OTHER
start_date
int64
The start of the mute period.
uuid
string
The ID of the user who muted or unmuted this finding.
resource
string
The resource name of this finding.
resource_configuration
object
The resource configuration for this finding.
resource_discovery_date
int64
The date on which the resource was discovered (Unix ms).
resource_type
string
The resource type of this finding.
rule
object
The rule that triggered this finding.
id
string
The ID of the rule that triggered this finding.
name
string
The name of the rule that triggered this finding.
status
enum
The status of the finding.
Allowed enum values: critical,high,medium,low,info
tags
[string]
The tags associated with this finding.
id
string
The unique ID for this finding.
type
enum
The JSON:API type for findings that have the message and resource configuration.
Allowed enum values: detailed_finding
default: detailed_finding
{"data":{"attributes":{"evaluation":"pass","evaluation_changed_at":1678721573794,"message":"## Remediation\n\n### From the console\n\n1. Go to Storage Account\n2. For each Storage Account, navigate to Data Protection\n3. Select Set soft delete enabled and enter the number of days to retain soft deleted data.","mute":{"description":"To be resolved later","expiration_date":1778721573794,"muted":true,"reason":"ACCEPTED_RISK","start_date":1678721573794,"uuid":"e51c9744-d158-11ec-ad23-da7ad0900002"},"resource":"my_resource_name","resource_configuration":{},"resource_discovery_date":1678721573794,"resource_type":"azure_storage_account","rule":{"id":"dv2-jzf-41i","name":"Soft delete is enabled for Azure Storage"},"status":"critical","tags":["cloud_provider:aws","myTag:myValue"]},"id":"ZGVmLTAwcC1pZXJ-aS0wZjhjNjMyZDNmMzRlZTgzNw==","type":"detailed_finding"}}
Bad Request: The server cannot process the request due to invalid syntax in the request.
"""
Get a finding returns "OK" response
"""fromdatadog_api_clientimportApiClient,Configurationfromdatadog_api_client.v2.api.security_monitoring_apiimportSecurityMonitoringApiconfiguration=Configuration()configuration.unstable_operations["get_finding"]=TruewithApiClient(configuration)asapi_client:api_instance=SecurityMonitoringApi(api_client)response=api_instance.get_finding(finding_id="AgAAAYd59gjghzF52gAAAAAAAAAYAAAAAEFZZDU5Z2pnQUFCRTRvV1lFeEo4SlFBQQAAACQAAAAAMDE4NzdhMDEtMDRiYS00NTZlLWFmMzMtNTIxNmNkNjVlNDMz",)print(response)
# Get a finding returns "OK" responserequire"datadog_api_client"DatadogAPIClient.configuredo|config|config.unstable_operations["v2.get_finding".to_sym]=trueendapi_instance=DatadogAPIClient::V2::SecurityMonitoringAPI.newpapi_instance.get_finding("AgAAAYd59gjghzF52gAAAAAAAAAYAAAAAEFZZDU5Z2pnQUFCRTRvV1lFeEo4SlFBQQAAACQAAAAAMDE4NzdhMDEtMDRiYS00NTZlLWFmMzMtNTIxNmNkNjVlNDMz")
// Get a finding returns "OK" response
packagemainimport("context""encoding/json""fmt""os""github.com/DataDog/datadog-api-client-go/v2/api/datadog""github.com/DataDog/datadog-api-client-go/v2/api/datadogV2")funcmain(){ctx:=datadog.NewDefaultContext(context.Background())configuration:=datadog.NewConfiguration()configuration.SetUnstableOperationEnabled("v2.GetFinding",true)apiClient:=datadog.NewAPIClient(configuration)api:=datadogV2.NewSecurityMonitoringApi(apiClient)resp,r,err:=api.GetFinding(ctx,"AgAAAYd59gjghzF52gAAAAAAAAAYAAAAAEFZZDU5Z2pnQUFCRTRvV1lFeEo4SlFBQQAAACQAAAAAMDE4NzdhMDEtMDRiYS00NTZlLWFmMzMtNTIxNmNkNjVlNDMz",*datadogV2.NewGetFindingOptionalParameters())iferr!=nil{fmt.Fprintf(os.Stderr,"Error when calling `SecurityMonitoringApi.GetFinding`: %v\n",err)fmt.Fprintf(os.Stderr,"Full HTTP response: %v\n",r)}responseContent,_:=json.MarshalIndent(resp,""," ")fmt.Fprintf(os.Stdout,"Response from `SecurityMonitoringApi.GetFinding`:\n%s\n",responseContent)}
// Get a finding returns "OK" responseimportcom.datadog.api.client.ApiClient;importcom.datadog.api.client.ApiException;importcom.datadog.api.client.v2.api.SecurityMonitoringApi;importcom.datadog.api.client.v2.model.GetFindingResponse;publicclassExample{publicstaticvoidmain(String[]args){ApiClientdefaultClient=ApiClient.getDefaultApiClient();defaultClient.setUnstableOperationEnabled("v2.getFinding",true);SecurityMonitoringApiapiInstance=newSecurityMonitoringApi(defaultClient);try{GetFindingResponseresult=apiInstance.getFinding("AgAAAYd59gjghzF52gAAAAAAAAAYAAAAAEFZZDU5Z2pnQUFCRTRvV1lFeEo4SlFBQQAAACQAAAAAMDE4NzdhMDEtMDRiYS00NTZlLWFmMzMtNTIxNmNkNjVlNDMz");System.out.println(result);}catch(ApiExceptione){System.err.println("Exception when calling SecurityMonitoringApi#getFinding");System.err.println("Status code: "+e.getCode());System.err.println("Reason: "+e.getResponseBody());System.err.println("Response headers: "+e.getResponseHeaders());e.printStackTrace();}}}
// Get a finding returns "OK" response
usedatadog_api_client::datadog;usedatadog_api_client::datadogV2::api_security_monitoring::GetFindingOptionalParams;usedatadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;#[tokio::main]asyncfnmain(){letmutconfiguration=datadog::Configuration::new();configuration.set_unstable_operation_enabled("v2.GetFinding",true);letapi=SecurityMonitoringAPI::with_config(configuration);letresp=api.get_finding("AgAAAYd59gjghzF52gAAAAAAAAAYAAAAAEFZZDU5Z2pnQUFCRTRvV1lFeEo4SlFBQQAAACQAAAAAMDE4NzdhMDEtMDRiYS00NTZlLWFmMzMtNTIxNmNkNjVlNDMz".to_string(),GetFindingOptionalParams::default(),).await;ifletOk(value)=resp{println!("{:#?}",value);}else{println!("{:#?}",resp.unwrap_err());}}
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com"DD_API_KEY="<DD_API_KEY>"DD_APP_KEY="<DD_APP_KEY>"cargo run
/**
* Get a finding returns "OK" response
*/import{client,v2}from"@datadog/datadog-api-client";constconfiguration=client.createConfiguration();configuration.unstableOperations["v2.getFinding"]=true;constapiInstance=newv2.SecurityMonitoringApi(configuration);constparams: v2.SecurityMonitoringApiGetFindingRequest={findingId:"AgAAAYd59gjghzF52gAAAAAAAAAYAAAAAEFZZDU5Z2pnQUFCRTRvV1lFeEo4SlFBQQAAACQAAAAAMDE4NzdhMDEtMDRiYS00NTZlLWFmMzMtNTIxNmNkNjVlNDMz",};apiInstance.getFinding(params).then((data: v2.GetFindingResponse)=>{console.log("API called successfully. Returned data: "+JSON.stringify(data));}).catch((error: any)=>console.error(error));
All findings are updated with the same attributes. The request body must include at least two attributes: muted and reason.
The allowed reasons depend on whether the finding is being muted or unmuted:
To mute a finding: PENDING_FIX, FALSE_POSITIVE, ACCEPTED_RISK, OTHER.
To unmute a finding : NO_PENDING_FIX, HUMAN_ERROR, NO_LONGER_ACCEPTED_RISK, OTHER.
Meta
The request body must include a list of the finding IDs to be updated.
Data object containing the new bulk mute properties of the finding.
attributes [required]
object
The mute properties to be updated.
mute [required]
object
Object containing the new mute properties of the findings.
description
string
Additional information about the reason why those findings are muted or unmuted. This field has a maximum limit of 280 characters.
expiration_date
int64
The expiration date of the mute or unmute action (Unix ms). It must be set to a value greater than the current timestamp.
If this field is not provided, the finding will be muted or unmuted indefinitely, which is equivalent to setting the expiration date to 9999999999999.
muted [required]
boolean
Whether those findings should be muted or unmuted.
reason [required]
enum
The reason why this finding is muted or unmuted.
Allowed enum values: PENDING_FIX,FALSE_POSITIVE,ACCEPTED_RISK,NO_PENDING_FIX,HUMAN_ERROR,NO_LONGER_ACCEPTED_RISK,OTHER
id [required]
string
UUID to identify the request
meta [required]
object
Meta object containing the findings to be updated.
findings
[object]
Array of findings.
finding_id
string
The unique ID for this finding.
type [required]
enum
The JSON:API type for findings.
Allowed enum values: finding
// Mute or unmute a batch of findings returns "OK" response
packagemainimport("context""encoding/json""fmt""os""github.com/DataDog/datadog-api-client-go/v2/api/datadog""github.com/DataDog/datadog-api-client-go/v2/api/datadogV2")funcmain(){body:=datadogV2.BulkMuteFindingsRequest{Data:datadogV2.BulkMuteFindingsRequestData{Attributes:datadogV2.BulkMuteFindingsRequestAttributes{Mute:datadogV2.BulkMuteFindingsRequestProperties{ExpirationDate:datadog.PtrInt64(1778721573794),Muted:true,Reason:datadogV2.FINDINGMUTEREASON_ACCEPTED_RISK,},},Id:"dbe5f567-192b-4404-b908-29b70e1c9f76",Meta:datadogV2.BulkMuteFindingsRequestMeta{Findings:[]datadogV2.BulkMuteFindingsRequestMetaFindings{{FindingId:datadog.PtrString("ZGVmLTAwcC1pZXJ-aS0wZjhjNjMyZDNmMzRlZTgzNw=="),},},},Type:datadogV2.FINDINGTYPE_FINDING,},}ctx:=datadog.NewDefaultContext(context.Background())configuration:=datadog.NewConfiguration()configuration.SetUnstableOperationEnabled("v2.MuteFindings",true)apiClient:=datadog.NewAPIClient(configuration)api:=datadogV2.NewSecurityMonitoringApi(apiClient)resp,r,err:=api.MuteFindings(ctx,body)iferr!=nil{fmt.Fprintf(os.Stderr,"Error when calling `SecurityMonitoringApi.MuteFindings`: %v\n",err)fmt.Fprintf(os.Stderr,"Full HTTP response: %v\n",r)}responseContent,_:=json.MarshalIndent(resp,""," ")fmt.Fprintf(os.Stdout,"Response from `SecurityMonitoringApi.MuteFindings`:\n%s\n",responseContent)}
// Mute or unmute a batch of findings returns "OK" responseimportcom.datadog.api.client.ApiClient;importcom.datadog.api.client.ApiException;importcom.datadog.api.client.v2.api.SecurityMonitoringApi;importcom.datadog.api.client.v2.model.BulkMuteFindingsRequest;importcom.datadog.api.client.v2.model.BulkMuteFindingsRequestAttributes;importcom.datadog.api.client.v2.model.BulkMuteFindingsRequestData;importcom.datadog.api.client.v2.model.BulkMuteFindingsRequestMeta;importcom.datadog.api.client.v2.model.BulkMuteFindingsRequestMetaFindings;importcom.datadog.api.client.v2.model.BulkMuteFindingsRequestProperties;importcom.datadog.api.client.v2.model.BulkMuteFindingsResponse;importcom.datadog.api.client.v2.model.FindingMuteReason;importcom.datadog.api.client.v2.model.FindingType;importjava.util.Collections;publicclassExample{publicstaticvoidmain(String[]args){ApiClientdefaultClient=ApiClient.getDefaultApiClient();defaultClient.setUnstableOperationEnabled("v2.muteFindings",true);SecurityMonitoringApiapiInstance=newSecurityMonitoringApi(defaultClient);BulkMuteFindingsRequestbody=newBulkMuteFindingsRequest().data(newBulkMuteFindingsRequestData().attributes(newBulkMuteFindingsRequestAttributes().mute(newBulkMuteFindingsRequestProperties().expirationDate(1778721573794L).muted(true).reason(FindingMuteReason.ACCEPTED_RISK))).id("dbe5f567-192b-4404-b908-29b70e1c9f76").meta(newBulkMuteFindingsRequestMeta().findings(Collections.singletonList(newBulkMuteFindingsRequestMetaFindings().findingId("ZGVmLTAwcC1pZXJ-aS0wZjhjNjMyZDNmMzRlZTgzNw==")))).type(FindingType.FINDING));try{BulkMuteFindingsResponseresult=apiInstance.muteFindings(body);System.out.println(result);}catch(ApiExceptione){System.err.println("Exception when calling SecurityMonitoringApi#muteFindings");System.err.println("Status code: "+e.getCode());System.err.println("Reason: "+e.getResponseBody());System.err.println("Response headers: "+e.getResponseHeaders());e.printStackTrace();}}}
"""
Mute or unmute a batch of findings returns "OK" response
"""fromdatadog_api_clientimportApiClient,Configurationfromdatadog_api_client.v2.api.security_monitoring_apiimportSecurityMonitoringApifromdatadog_api_client.v2.model.bulk_mute_findings_requestimportBulkMuteFindingsRequestfromdatadog_api_client.v2.model.bulk_mute_findings_request_attributesimportBulkMuteFindingsRequestAttributesfromdatadog_api_client.v2.model.bulk_mute_findings_request_dataimportBulkMuteFindingsRequestDatafromdatadog_api_client.v2.model.bulk_mute_findings_request_metaimportBulkMuteFindingsRequestMetafromdatadog_api_client.v2.model.bulk_mute_findings_request_meta_findingsimportBulkMuteFindingsRequestMetaFindingsfromdatadog_api_client.v2.model.bulk_mute_findings_request_propertiesimportBulkMuteFindingsRequestPropertiesfromdatadog_api_client.v2.model.finding_mute_reasonimportFindingMuteReasonfromdatadog_api_client.v2.model.finding_typeimportFindingTypebody=BulkMuteFindingsRequest(data=BulkMuteFindingsRequestData(attributes=BulkMuteFindingsRequestAttributes(mute=BulkMuteFindingsRequestProperties(expiration_date=1778721573794,muted=True,reason=FindingMuteReason.ACCEPTED_RISK,),),id="dbe5f567-192b-4404-b908-29b70e1c9f76",meta=BulkMuteFindingsRequestMeta(findings=[BulkMuteFindingsRequestMetaFindings(finding_id="ZGVmLTAwcC1pZXJ-aS0wZjhjNjMyZDNmMzRlZTgzNw==",),],),type=FindingType.FINDING,),)configuration=Configuration()configuration.unstable_operations["mute_findings"]=TruewithApiClient(configuration)asapi_client:api_instance=SecurityMonitoringApi(api_client)response=api_instance.mute_findings(body=body)print(response)
# Mute or unmute a batch of findings returns "OK" responserequire"datadog_api_client"DatadogAPIClient.configuredo|config|config.unstable_operations["v2.mute_findings".to_sym]=trueendapi_instance=DatadogAPIClient::V2::SecurityMonitoringAPI.newbody=DatadogAPIClient::V2::BulkMuteFindingsRequest.new({data:DatadogAPIClient::V2::BulkMuteFindingsRequestData.new({attributes:DatadogAPIClient::V2::BulkMuteFindingsRequestAttributes.new({mute:DatadogAPIClient::V2::BulkMuteFindingsRequestProperties.new({expiration_date:1778721573794,muted:true,reason:DatadogAPIClient::V2::FindingMuteReason::ACCEPTED_RISK,}),}),id:"dbe5f567-192b-4404-b908-29b70e1c9f76",meta:DatadogAPIClient::V2::BulkMuteFindingsRequestMeta.new({findings:[DatadogAPIClient::V2::BulkMuteFindingsRequestMetaFindings.new({finding_id:"ZGVmLTAwcC1pZXJ-aS0wZjhjNjMyZDNmMzRlZTgzNw==",}),],}),type:DatadogAPIClient::V2::FindingType::FINDING,}),})papi_instance.mute_findings(body)
// Mute or unmute a batch of findings returns "OK" response
usedatadog_api_client::datadog;usedatadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;usedatadog_api_client::datadogV2::model::BulkMuteFindingsRequest;usedatadog_api_client::datadogV2::model::BulkMuteFindingsRequestAttributes;usedatadog_api_client::datadogV2::model::BulkMuteFindingsRequestData;usedatadog_api_client::datadogV2::model::BulkMuteFindingsRequestMeta;usedatadog_api_client::datadogV2::model::BulkMuteFindingsRequestMetaFindings;usedatadog_api_client::datadogV2::model::BulkMuteFindingsRequestProperties;usedatadog_api_client::datadogV2::model::FindingMuteReason;usedatadog_api_client::datadogV2::model::FindingType;#[tokio::main]asyncfnmain(){letbody=BulkMuteFindingsRequest::new(BulkMuteFindingsRequestData::new(BulkMuteFindingsRequestAttributes::new(BulkMuteFindingsRequestProperties::new(true,FindingMuteReason::ACCEPTED_RISK).expiration_date(1778721573794),),"dbe5f567-192b-4404-b908-29b70e1c9f76".to_string(),BulkMuteFindingsRequestMeta::new().findings(vec![BulkMuteFindingsRequestMetaFindings::new().finding_id("ZGVmLTAwcC1pZXJ-aS0wZjhjNjMyZDNmMzRlZTgzNw==".to_string(),)]),FindingType::FINDING,));letmutconfiguration=datadog::Configuration::new();configuration.set_unstable_operation_enabled("v2.MuteFindings",true);letapi=SecurityMonitoringAPI::with_config(configuration);letresp=api.mute_findings(body).await;ifletOk(value)=resp{println!("{:#?}",value);}else{println!("{:#?}",resp.unwrap_err());}}
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com"DD_API_KEY="<DD_API_KEY>"DD_APP_KEY="<DD_APP_KEY>"cargo run
/**
* Mute or unmute a batch of findings returns "OK" response
*/import{client,v2}from"@datadog/datadog-api-client";constconfiguration=client.createConfiguration();configuration.unstableOperations["v2.muteFindings"]=true;constapiInstance=newv2.SecurityMonitoringApi(configuration);constparams: v2.SecurityMonitoringApiMuteFindingsRequest={body:{data:{attributes:{mute:{expirationDate: 1778721573794,muted: true,reason:"ACCEPTED_RISK",},},id:"dbe5f567-192b-4404-b908-29b70e1c9f76",meta:{findings:[{findingId:"ZGVmLTAwcC1pZXJ-aS0wZjhjNjMyZDNmMzRlZTgzNw==",},],},type:"finding",},},};apiInstance.muteFindings(params).then((data: v2.BulkMuteFindingsResponse)=>{console.log("API called successfully. Returned data: "+JSON.stringify(data));}).catch((error: any)=>console.error(error));
Add a security signal to an incident. This makes it possible to search for signals by incident within the signal explorer and to view the signals on the incident timeline.
This endpoint requires the security_monitoring_signals_write permission.
// Add a security signal to an incident returns "OK" response
packagemainimport("context""encoding/json""fmt""os""github.com/DataDog/datadog-api-client-go/v2/api/datadog""github.com/DataDog/datadog-api-client-go/v2/api/datadogV1")funcmain(){body:=datadogV1.AddSignalToIncidentRequest{IncidentId:2609,}ctx:=datadog.NewDefaultContext(context.Background())configuration:=datadog.NewConfiguration()apiClient:=datadog.NewAPIClient(configuration)api:=datadogV1.NewSecurityMonitoringApi(apiClient)resp,r,err:=api.AddSecurityMonitoringSignalToIncident(ctx,"AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE",body)iferr!=nil{fmt.Fprintf(os.Stderr,"Error when calling `SecurityMonitoringApi.AddSecurityMonitoringSignalToIncident`: %v\n",err)fmt.Fprintf(os.Stderr,"Full HTTP response: %v\n",r)}responseContent,_:=json.MarshalIndent(resp,""," ")fmt.Fprintf(os.Stdout,"Response from `SecurityMonitoringApi.AddSecurityMonitoringSignalToIncident`:\n%s\n",responseContent)}
// Add a security signal to an incident returns "OK" responseimportcom.datadog.api.client.ApiClient;importcom.datadog.api.client.ApiException;importcom.datadog.api.client.v1.api.SecurityMonitoringApi;importcom.datadog.api.client.v1.model.AddSignalToIncidentRequest;importcom.datadog.api.client.v1.model.SuccessfulSignalUpdateResponse;publicclassExample{publicstaticvoidmain(String[]args){ApiClientdefaultClient=ApiClient.getDefaultApiClient();SecurityMonitoringApiapiInstance=newSecurityMonitoringApi(defaultClient);AddSignalToIncidentRequestbody=newAddSignalToIncidentRequest().incidentId(2609L);try{SuccessfulSignalUpdateResponseresult=apiInstance.addSecurityMonitoringSignalToIncident("AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE",body);System.out.println(result);}catch(ApiExceptione){System.err.println("Exception when calling SecurityMonitoringApi#addSecurityMonitoringSignalToIncident");System.err.println("Status code: "+e.getCode());System.err.println("Reason: "+e.getResponseBody());System.err.println("Response headers: "+e.getResponseHeaders());e.printStackTrace();}}}
"""
Add a security signal to an incident returns "OK" response
"""fromdatadog_api_clientimportApiClient,Configurationfromdatadog_api_client.v1.api.security_monitoring_apiimportSecurityMonitoringApifromdatadog_api_client.v1.model.add_signal_to_incident_requestimportAddSignalToIncidentRequestbody=AddSignalToIncidentRequest(incident_id=2609,)configuration=Configuration()withApiClient(configuration)asapi_client:api_instance=SecurityMonitoringApi(api_client)response=api_instance.add_security_monitoring_signal_to_incident(signal_id="AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE",body=body)print(response)
# Add a security signal to an incident returns "OK" responserequire"datadog_api_client"api_instance=DatadogAPIClient::V1::SecurityMonitoringAPI.newbody=DatadogAPIClient::V1::AddSignalToIncidentRequest.new({incident_id:2609,})papi_instance.add_security_monitoring_signal_to_incident("AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE",body)
// Add a security signal to an incident returns "OK" response
usedatadog_api_client::datadog;usedatadog_api_client::datadogV1::api_security_monitoring::SecurityMonitoringAPI;usedatadog_api_client::datadogV1::model::AddSignalToIncidentRequest;#[tokio::main]asyncfnmain(){letbody=AddSignalToIncidentRequest::new(2609);letconfiguration=datadog::Configuration::new();letapi=SecurityMonitoringAPI::with_config(configuration);letresp=api.add_security_monitoring_signal_to_incident("AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE".to_string(),body,).await;ifletOk(value)=resp{println!("{:#?}",value);}else{println!("{:#?}",resp.unwrap_err());}}
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com"DD_API_KEY="<API-KEY>"DD_APP_KEY="<APP-KEY>"cargo run
/**
* Add a security signal to an incident returns "OK" response
*/import{client,v1}from"@datadog/datadog-api-client";constconfiguration=client.createConfiguration();constapiInstance=newv1.SecurityMonitoringApi(configuration);constparams: v1.SecurityMonitoringApiAddSecurityMonitoringSignalToIncidentRequest={body:{incidentId: 2609,},signalId:"AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE",};apiInstance.addSecurityMonitoringSignalToIncident(params).then((data: v1.SuccessfulSignalUpdateResponse)=>{console.log("API called successfully. Returned data: "+JSON.stringify(data));}).catch((error: any)=>console.error(error));
Optional comment to explain why a signal is being archived.
archiveReason
enum
Reason why a signal has been archived.
Allowed enum values: none,false_positive,testing_or_maintenance,investigated_case_opened,true_positive_benign,true_positive_malicious,other
state [required]
enum
The new triage state of the signal.
Allowed enum values: open,archived,under_review
version
int64
Version of the updated signal. If server side version is higher, update will be rejected.
// Change the triage state of a security signal returns "OK" response
packagemainimport("context""encoding/json""fmt""os""github.com/DataDog/datadog-api-client-go/v2/api/datadog""github.com/DataDog/datadog-api-client-go/v2/api/datadogV1")funcmain(){body:=datadogV1.SignalStateUpdateRequest{ArchiveReason:datadogV1.SIGNALARCHIVEREASON_NONE.Ptr(),State:datadogV1.SIGNALTRIAGESTATE_OPEN,}ctx:=datadog.NewDefaultContext(context.Background())configuration:=datadog.NewConfiguration()apiClient:=datadog.NewAPIClient(configuration)api:=datadogV1.NewSecurityMonitoringApi(apiClient)resp,r,err:=api.EditSecurityMonitoringSignalState(ctx,"AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE",body)iferr!=nil{fmt.Fprintf(os.Stderr,"Error when calling `SecurityMonitoringApi.EditSecurityMonitoringSignalState`: %v\n",err)fmt.Fprintf(os.Stderr,"Full HTTP response: %v\n",r)}responseContent,_:=json.MarshalIndent(resp,""," ")fmt.Fprintf(os.Stdout,"Response from `SecurityMonitoringApi.EditSecurityMonitoringSignalState`:\n%s\n",responseContent)}
// Change the triage state of a security signal returns "OK" responseimportcom.datadog.api.client.ApiClient;importcom.datadog.api.client.ApiException;importcom.datadog.api.client.v1.api.SecurityMonitoringApi;importcom.datadog.api.client.v1.model.SignalArchiveReason;importcom.datadog.api.client.v1.model.SignalStateUpdateRequest;importcom.datadog.api.client.v1.model.SignalTriageState;importcom.datadog.api.client.v1.model.SuccessfulSignalUpdateResponse;publicclassExample{publicstaticvoidmain(String[]args){ApiClientdefaultClient=ApiClient.getDefaultApiClient();SecurityMonitoringApiapiInstance=newSecurityMonitoringApi(defaultClient);SignalStateUpdateRequestbody=newSignalStateUpdateRequest().archiveReason(SignalArchiveReason.NONE).state(SignalTriageState.OPEN);try{SuccessfulSignalUpdateResponseresult=apiInstance.editSecurityMonitoringSignalState("AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE",body);System.out.println(result);}catch(ApiExceptione){System.err.println("Exception when calling SecurityMonitoringApi#editSecurityMonitoringSignalState");System.err.println("Status code: "+e.getCode());System.err.println("Reason: "+e.getResponseBody());System.err.println("Response headers: "+e.getResponseHeaders());e.printStackTrace();}}}
"""
Change the triage state of a security signal returns "OK" response
"""fromdatadog_api_clientimportApiClient,Configurationfromdatadog_api_client.v1.api.security_monitoring_apiimportSecurityMonitoringApifromdatadog_api_client.v1.model.signal_archive_reasonimportSignalArchiveReasonfromdatadog_api_client.v1.model.signal_state_update_requestimportSignalStateUpdateRequestfromdatadog_api_client.v1.model.signal_triage_stateimportSignalTriageStatebody=SignalStateUpdateRequest(archive_reason=SignalArchiveReason.NONE,state=SignalTriageState.OPEN,)configuration=Configuration()withApiClient(configuration)asapi_client:api_instance=SecurityMonitoringApi(api_client)response=api_instance.edit_security_monitoring_signal_state(signal_id="AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE",body=body)print(response)
# Change the triage state of a security signal returns "OK" responserequire"datadog_api_client"api_instance=DatadogAPIClient::V1::SecurityMonitoringAPI.newbody=DatadogAPIClient::V1::SignalStateUpdateRequest.new({archive_reason:DatadogAPIClient::V1::SignalArchiveReason::NONE,state:DatadogAPIClient::V1::SignalTriageState::OPEN,})papi_instance.edit_security_monitoring_signal_state("AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE",body)
// Change the triage state of a security signal returns "OK" response
usedatadog_api_client::datadog;usedatadog_api_client::datadogV1::api_security_monitoring::SecurityMonitoringAPI;usedatadog_api_client::datadogV1::model::SignalArchiveReason;usedatadog_api_client::datadogV1::model::SignalStateUpdateRequest;usedatadog_api_client::datadogV1::model::SignalTriageState;#[tokio::main]asyncfnmain(){letbody=SignalStateUpdateRequest::new(SignalTriageState::OPEN).archive_reason(SignalArchiveReason::NONE);letconfiguration=datadog::Configuration::new();letapi=SecurityMonitoringAPI::with_config(configuration);letresp=api.edit_security_monitoring_signal_state("AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE".to_string(),body,).await;ifletOk(value)=resp{println!("{:#?}",value);}else{println!("{:#?}",resp.unwrap_err());}}
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com"DD_API_KEY="<API-KEY>"DD_APP_KEY="<APP-KEY>"cargo run
/**
* Change the triage state of a security signal returns "OK" response
*/import{client,v1}from"@datadog/datadog-api-client";constconfiguration=client.createConfiguration();constapiInstance=newv1.SecurityMonitoringApi(configuration);constparams: v1.SecurityMonitoringApiEditSecurityMonitoringSignalStateRequest={body:{archiveReason:"none",state:"open",},signalId:"AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE",};apiInstance.editSecurityMonitoringSignalState(params).then((data: v1.SuccessfulSignalUpdateResponse)=>{console.log("API called successfully. Returned data: "+JSON.stringify(data));}).catch((error: any)=>console.error(error));
// Change the triage state of a security signal returns "OK" response
packagemainimport("context""encoding/json""fmt""os""github.com/DataDog/datadog-api-client-go/v2/api/datadog""github.com/DataDog/datadog-api-client-go/v2/api/datadogV2")funcmain(){body:=datadogV2.SecurityMonitoringSignalStateUpdateRequest{Data:datadogV2.SecurityMonitoringSignalStateUpdateData{Attributes:datadogV2.SecurityMonitoringSignalStateUpdateAttributes{ArchiveReason:datadogV2.SECURITYMONITORINGSIGNALARCHIVEREASON_NONE.Ptr(),State:datadogV2.SECURITYMONITORINGSIGNALSTATE_OPEN,},},}ctx:=datadog.NewDefaultContext(context.Background())configuration:=datadog.NewConfiguration()apiClient:=datadog.NewAPIClient(configuration)api:=datadogV2.NewSecurityMonitoringApi(apiClient)resp,r,err:=api.EditSecurityMonitoringSignalState(ctx,"AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE",body)iferr!=nil{fmt.Fprintf(os.Stderr,"Error when calling `SecurityMonitoringApi.EditSecurityMonitoringSignalState`: %v\n",err)fmt.Fprintf(os.Stderr,"Full HTTP response: %v\n",r)}responseContent,_:=json.MarshalIndent(resp,""," ")fmt.Fprintf(os.Stdout,"Response from `SecurityMonitoringApi.EditSecurityMonitoringSignalState`:\n%s\n",responseContent)}
// Change the triage state of a security signal returns "OK" responseimportcom.datadog.api.client.ApiClient;importcom.datadog.api.client.ApiException;importcom.datadog.api.client.v2.api.SecurityMonitoringApi;importcom.datadog.api.client.v2.model.SecurityMonitoringSignalArchiveReason;importcom.datadog.api.client.v2.model.SecurityMonitoringSignalState;importcom.datadog.api.client.v2.model.SecurityMonitoringSignalStateUpdateAttributes;importcom.datadog.api.client.v2.model.SecurityMonitoringSignalStateUpdateData;importcom.datadog.api.client.v2.model.SecurityMonitoringSignalStateUpdateRequest;importcom.datadog.api.client.v2.model.SecurityMonitoringSignalTriageUpdateResponse;publicclassExample{publicstaticvoidmain(String[]args){ApiClientdefaultClient=ApiClient.getDefaultApiClient();SecurityMonitoringApiapiInstance=newSecurityMonitoringApi(defaultClient);SecurityMonitoringSignalStateUpdateRequestbody=newSecurityMonitoringSignalStateUpdateRequest().data(newSecurityMonitoringSignalStateUpdateData().attributes(newSecurityMonitoringSignalStateUpdateAttributes().archiveReason(SecurityMonitoringSignalArchiveReason.NONE).state(SecurityMonitoringSignalState.OPEN)));try{SecurityMonitoringSignalTriageUpdateResponseresult=apiInstance.editSecurityMonitoringSignalState("AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE",body);System.out.println(result);}catch(ApiExceptione){System.err.println("Exception when calling SecurityMonitoringApi#editSecurityMonitoringSignalState");System.err.println("Status code: "+e.getCode());System.err.println("Reason: "+e.getResponseBody());System.err.println("Response headers: "+e.getResponseHeaders());e.printStackTrace();}}}
"""
Change the triage state of a security signal returns "OK" response
"""fromdatadog_api_clientimportApiClient,Configurationfromdatadog_api_client.v2.api.security_monitoring_apiimportSecurityMonitoringApifromdatadog_api_client.v2.model.security_monitoring_signal_archive_reasonimportSecurityMonitoringSignalArchiveReasonfromdatadog_api_client.v2.model.security_monitoring_signal_stateimportSecurityMonitoringSignalStatefromdatadog_api_client.v2.model.security_monitoring_signal_state_update_attributesimport(SecurityMonitoringSignalStateUpdateAttributes,)fromdatadog_api_client.v2.model.security_monitoring_signal_state_update_dataimport(SecurityMonitoringSignalStateUpdateData,)fromdatadog_api_client.v2.model.security_monitoring_signal_state_update_requestimport(SecurityMonitoringSignalStateUpdateRequest,)body=SecurityMonitoringSignalStateUpdateRequest(data=SecurityMonitoringSignalStateUpdateData(attributes=SecurityMonitoringSignalStateUpdateAttributes(archive_reason=SecurityMonitoringSignalArchiveReason.NONE,state=SecurityMonitoringSignalState.OPEN,),),)configuration=Configuration()withApiClient(configuration)asapi_client:api_instance=SecurityMonitoringApi(api_client)response=api_instance.edit_security_monitoring_signal_state(signal_id="AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE",body=body)print(response)
# Change the triage state of a security signal returns "OK" responserequire"datadog_api_client"api_instance=DatadogAPIClient::V2::SecurityMonitoringAPI.newbody=DatadogAPIClient::V2::SecurityMonitoringSignalStateUpdateRequest.new({data:DatadogAPIClient::V2::SecurityMonitoringSignalStateUpdateData.new({attributes:DatadogAPIClient::V2::SecurityMonitoringSignalStateUpdateAttributes.new({archive_reason:DatadogAPIClient::V2::SecurityMonitoringSignalArchiveReason::NONE,state:DatadogAPIClient::V2::SecurityMonitoringSignalState::OPEN,}),}),})papi_instance.edit_security_monitoring_signal_state("AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE",body)
// Change the triage state of a security signal returns "OK" response
usedatadog_api_client::datadog;usedatadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;usedatadog_api_client::datadogV2::model::SecurityMonitoringSignalArchiveReason;usedatadog_api_client::datadogV2::model::SecurityMonitoringSignalState;usedatadog_api_client::datadogV2::model::SecurityMonitoringSignalStateUpdateAttributes;usedatadog_api_client::datadogV2::model::SecurityMonitoringSignalStateUpdateData;usedatadog_api_client::datadogV2::model::SecurityMonitoringSignalStateUpdateRequest;#[tokio::main]asyncfnmain(){letbody=SecurityMonitoringSignalStateUpdateRequest::new(SecurityMonitoringSignalStateUpdateData::new(SecurityMonitoringSignalStateUpdateAttributes::new(SecurityMonitoringSignalState::OPEN).archive_reason(SecurityMonitoringSignalArchiveReason::NONE),),);letconfiguration=datadog::Configuration::new();letapi=SecurityMonitoringAPI::with_config(configuration);letresp=api.edit_security_monitoring_signal_state("AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE".to_string(),body,).await;ifletOk(value)=resp{println!("{:#?}",value);}else{println!("{:#?}",resp.unwrap_err());}}
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com"DD_API_KEY="<API-KEY>"DD_APP_KEY="<APP-KEY>"cargo run
/**
* Change the triage state of a security signal returns "OK" response
*/import{client,v2}from"@datadog/datadog-api-client";constconfiguration=client.createConfiguration();constapiInstance=newv2.SecurityMonitoringApi(configuration);constparams: v2.SecurityMonitoringApiEditSecurityMonitoringSignalStateRequest={body:{data:{attributes:{archiveReason:"none",state:"open",},},},signalId:"AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE",};apiInstance.editSecurityMonitoringSignalState(params).then((data: v2.SecurityMonitoringSignalTriageUpdateResponse)=>{console.log("API called successfully. Returned data: "+JSON.stringify(data));}).catch((error: any)=>console.error(error));
A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated
based on the event counts in the previously defined queries.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
status [required]
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
filters
[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
enum
The type of filtering action.
Allowed enum values: require,suppress
query
string
Query for selecting logs to apply the filtering action.
hasExtendedTitle
boolean
Whether the notifications include the triggering group-by values in their title.
isEnabled [required]
boolean
Whether the rule is enabled.
message [required]
string
Message for generated signals.
name [required]
string
The name of the rule.
options [required]
object
Options on rules.
complianceRuleOptions
object
Options for cloud_configuration rules.
Fields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.
complexRule
boolean
Whether the rule is a complex one.
Must be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
string
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.
decreaseCriticalityBasedOnEnv
boolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.
The severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO.
The decrement is applied when the environment tag of the signal starts with staging, test or dev.
detectionMethod
enum
The detection method.
Allowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold
evaluationWindow
enum
A time window is specified to match when at least one of the cases matches true. This is a sliding window
and evaluates in real time. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular
access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
enum
Once a signal is generated, the signal will remain “open” if a case is matched at least once within
this keep alive window. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600
maxSignalDuration
enum
A signal will “close” regardless of the query being matched once the time exceeds the maximum duration.
This time is calculated from the first seen timestamp.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
object
Options on new value rules.
forgetAfter
enum
The duration in days after which a learned value is forgotten.
Allowed enum values: 1,2,7,14,21,28
learningDuration
enum
The duration in days during which values are learned, and after which signals will be generated for values that
weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned.
Allowed enum values: 0,1,7
learningMethod
enum
The learning method used to determine when signals should be generated for values that weren't learned.
Allowed enum values: duration,threshold
default: duration
learningThreshold
enum
A number of occurrences after which signals will be generated for values that weren't learned.
Allowed enum values: 0,1
thirdPartyRuleOptions
object
Options on third party rules.
defaultNotifications
[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
rootQueries
[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
[string]
Fields to group by.
query
string
Query to run on logs.
signalTitleTemplate
string
A template for the signal title; if omitted, the title is generated based on the case name.
queries [required]
[object]
Queries for selecting logs which are part of the rule.
aggregation
enum
The aggregation type.
Allowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
distinctFields
[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
[string]
Fields to group by.
hasOptionalGroupByFields
boolean
When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with N/A, replacing the missing values.
metric
string
DEPRECATED: (Deprecated) The target field to aggregate over when using the sum or max
aggregations. metrics field should be used instead.
metrics
[string]
Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.
name
string
Name of the query.
query
string
Query to run on logs.
referenceTables
[object]
Reference tables for the rule.
checkPresence
boolean
Whether to include or exclude the matched values.
columnName
string
The name of the column in the reference table.
logFieldPath
string
The field in the log to match against the reference table.
ruleQueryName
string
The name of the rule query to apply the reference table to.
tableName
string
The name of the reference table.
tags
[string]
Tags for generated signals.
thirdPartyCases
[object]
Cases for generating signals from third-party rules. Only available for third-party rules.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
query
string
A query to map a third party event to this case.
status [required]
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
type
enum
The rule type.
Allowed enum values: application_security,log_detection,workload_security
Option 2
object
Create a new signal correlation rule.
cases [required]
[object]
Cases for generating signals.
condition
string
A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated
based on the event counts in the previously defined queries.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
status [required]
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
filters
[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
enum
The type of filtering action.
Allowed enum values: require,suppress
query
string
Query for selecting logs to apply the filtering action.
hasExtendedTitle
boolean
Whether the notifications include the triggering group-by values in their title.
isEnabled [required]
boolean
Whether the rule is enabled.
message [required]
string
Message for generated signals.
name [required]
string
The name of the rule.
options [required]
object
Options on rules.
complianceRuleOptions
object
Options for cloud_configuration rules.
Fields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.
complexRule
boolean
Whether the rule is a complex one.
Must be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
string
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.
decreaseCriticalityBasedOnEnv
boolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.
The severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO.
The decrement is applied when the environment tag of the signal starts with staging, test or dev.
detectionMethod
enum
The detection method.
Allowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold
evaluationWindow
enum
A time window is specified to match when at least one of the cases matches true. This is a sliding window
and evaluates in real time. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular
access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
enum
Once a signal is generated, the signal will remain “open” if a case is matched at least once within
this keep alive window. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600
maxSignalDuration
enum
A signal will “close” regardless of the query being matched once the time exceeds the maximum duration.
This time is calculated from the first seen timestamp.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
object
Options on new value rules.
forgetAfter
enum
The duration in days after which a learned value is forgotten.
Allowed enum values: 1,2,7,14,21,28
learningDuration
enum
The duration in days during which values are learned, and after which signals will be generated for values that
weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned.
Allowed enum values: 0,1,7
learningMethod
enum
The learning method used to determine when signals should be generated for values that weren't learned.
Allowed enum values: duration,threshold
default: duration
learningThreshold
enum
A number of occurrences after which signals will be generated for values that weren't learned.
Allowed enum values: 0,1
thirdPartyRuleOptions
object
Options on third party rules.
defaultNotifications
[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
rootQueries
[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
[string]
Fields to group by.
query
string
Query to run on logs.
signalTitleTemplate
string
A template for the signal title; if omitted, the title is generated based on the case name.
queries [required]
[object]
Queries for selecting signals which are part of the rule.
aggregation
enum
The aggregation type.
Allowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
correlatedByFields
[string]
Fields to group by.
correlatedQueryIndex
int32
Index of the rule query used to retrieve the correlated field.
metrics
[string]
Group of target fields to aggregate over.
name
string
Name of the query.
ruleId [required]
string
Rule ID to match on signals.
tags
[string]
Tags for generated signals.
type
enum
The rule type.
Allowed enum values: signal_correlation
Option 3
object
Create a new cloud configuration rule.
cases [required]
[object]
Description of generated findings and signals (severity and channels to be notified in case of a signal). Must contain exactly one item.
notifications
[string]
Notification targets for each rule case.
status [required]
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
complianceSignalOptions [required]
object
How to generate compliance signals. Useful for cloud_configuration rules only.
defaultActivationStatus
boolean
The default activation status.
defaultGroupByFields
[string]
The default group by fields.
userActivationStatus
boolean
Whether signals will be sent.
userGroupByFields
[string]
Fields to use to group findings by when sending signals.
filters
[object]
Additional queries to filter matched events before they are processed.
action
enum
The type of filtering action.
Allowed enum values: require,suppress
query
string
Query for selecting logs to apply the filtering action.
isEnabled [required]
boolean
Whether the rule is enabled.
message [required]
string
Message in markdown format for generated findings and signals.
name [required]
string
The name of the rule.
options [required]
object
Options on cloud configuration rules.
complianceRuleOptions [required]
object
Options for cloud_configuration rules.
Fields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.
complexRule
boolean
Whether the rule is a complex one.
Must be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.
{"name":"Example-Security-Monitoring","type":"log_detection","isEnabled":true,"thirdPartyCases":[{"query":"status:error","name":"high","status":"high"},{"query":"status:info","name":"low","status":"low"}],"queries":[],"cases":[],"message":"This is a third party rule","options":{"detectionMethod":"third_party","keepAlive":0,"maxSignalDuration":600,"thirdPartyRuleOptions":{"defaultStatus":"info","rootQueries":[{"query":"source:guardduty @details.alertType:*EC2*","groupByFields":["instance-id"]},{"query":"source:guardduty","groupByFields":[]}]}}}
A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated
based on the event counts in the previously defined queries.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
status
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
complianceSignalOptions
object
How to generate compliance signals. Useful for cloud_configuration rules only.
defaultActivationStatus
boolean
The default activation status.
defaultGroupByFields
[string]
The default group by fields.
userActivationStatus
boolean
Whether signals will be sent.
userGroupByFields
[string]
Fields to use to group findings by when sending signals.
createdAt
int64
When the rule was created, timestamp in milliseconds.
creationAuthorId
int64
User ID of the user who created the rule.
defaultTags
[string]
Default Tags for default rules (included in tags)
deprecationDate
int64
When the rule will be deprecated, timestamp in milliseconds.
filters
[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
enum
The type of filtering action.
Allowed enum values: require,suppress
query
string
Query for selecting logs to apply the filtering action.
hasExtendedTitle
boolean
Whether the notifications include the triggering group-by values in their title.
id
string
The ID of the rule.
isDefault
boolean
Whether the rule is included by default.
isDeleted
boolean
Whether the rule has been deleted.
isEnabled
boolean
Whether the rule is enabled.
message
string
Message for generated signals.
name
string
The name of the rule.
options
object
Options on rules.
complianceRuleOptions
object
Options for cloud_configuration rules.
Fields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.
complexRule
boolean
Whether the rule is a complex one.
Must be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
string
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.
decreaseCriticalityBasedOnEnv
boolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.
The severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO.
The decrement is applied when the environment tag of the signal starts with staging, test or dev.
detectionMethod
enum
The detection method.
Allowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold
evaluationWindow
enum
A time window is specified to match when at least one of the cases matches true. This is a sliding window
and evaluates in real time. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular
access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
enum
Once a signal is generated, the signal will remain “open” if a case is matched at least once within
this keep alive window. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600
maxSignalDuration
enum
A signal will “close” regardless of the query being matched once the time exceeds the maximum duration.
This time is calculated from the first seen timestamp.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
object
Options on new value rules.
forgetAfter
enum
The duration in days after which a learned value is forgotten.
Allowed enum values: 1,2,7,14,21,28
learningDuration
enum
The duration in days during which values are learned, and after which signals will be generated for values that
weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned.
Allowed enum values: 0,1,7
learningMethod
enum
The learning method used to determine when signals should be generated for values that weren't learned.
Allowed enum values: duration,threshold
default: duration
learningThreshold
enum
A number of occurrences after which signals will be generated for values that weren't learned.
Allowed enum values: 0,1
thirdPartyRuleOptions
object
Options on third party rules.
defaultNotifications
[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
rootQueries
[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
[string]
Fields to group by.
query
string
Query to run on logs.
signalTitleTemplate
string
A template for the signal title; if omitted, the title is generated based on the case name.
queries
[object]
Queries for selecting logs which are part of the rule.
aggregation
enum
The aggregation type.
Allowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
distinctFields
[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
[string]
Fields to group by.
hasOptionalGroupByFields
boolean
When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with N/A, replacing the missing values.
metric
string
DEPRECATED: (Deprecated) The target field to aggregate over when using the sum or max
aggregations. metrics field should be used instead.
metrics
[string]
Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.
name
string
Name of the query.
query
string
Query to run on logs.
referenceTables
[object]
Reference tables for the rule.
checkPresence
boolean
Whether to include or exclude the matched values.
columnName
string
The name of the column in the reference table.
logFieldPath
string
The field in the log to match against the reference table.
ruleQueryName
string
The name of the rule query to apply the reference table to.
tableName
string
The name of the reference table.
tags
[string]
Tags for generated signals.
thirdPartyCases
[object]
Cases for generating signals from third-party rules. Only available for third-party rules.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
query
string
A query to map a third party event to this case.
status
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
type
enum
The rule type.
Allowed enum values: log_detection,infrastructure_configuration,workload_security,cloud_configuration,application_security
updateAuthorId
int64
User ID of the user who updated the rule.
version
int64
The version of the rule.
Option 2
Rule.
cases
[object]
Cases for generating signals.
condition
string
A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated
based on the event counts in the previously defined queries.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
status
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
createdAt
int64
When the rule was created, timestamp in milliseconds.
creationAuthorId
int64
User ID of the user who created the rule.
deprecationDate
int64
When the rule will be deprecated, timestamp in milliseconds.
filters
[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
enum
The type of filtering action.
Allowed enum values: require,suppress
query
string
Query for selecting logs to apply the filtering action.
hasExtendedTitle
boolean
Whether the notifications include the triggering group-by values in their title.
id
string
The ID of the rule.
isDefault
boolean
Whether the rule is included by default.
isDeleted
boolean
Whether the rule has been deleted.
isEnabled
boolean
Whether the rule is enabled.
message
string
Message for generated signals.
name
string
The name of the rule.
options
object
Options on rules.
complianceRuleOptions
object
Options for cloud_configuration rules.
Fields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.
complexRule
boolean
Whether the rule is a complex one.
Must be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
string
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.
decreaseCriticalityBasedOnEnv
boolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.
The severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO.
The decrement is applied when the environment tag of the signal starts with staging, test or dev.
detectionMethod
enum
The detection method.
Allowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold
evaluationWindow
enum
A time window is specified to match when at least one of the cases matches true. This is a sliding window
and evaluates in real time. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular
access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
enum
Once a signal is generated, the signal will remain “open” if a case is matched at least once within
this keep alive window. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600
maxSignalDuration
enum
A signal will “close” regardless of the query being matched once the time exceeds the maximum duration.
This time is calculated from the first seen timestamp.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
object
Options on new value rules.
forgetAfter
enum
The duration in days after which a learned value is forgotten.
Allowed enum values: 1,2,7,14,21,28
learningDuration
enum
The duration in days during which values are learned, and after which signals will be generated for values that
weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned.
Allowed enum values: 0,1,7
learningMethod
enum
The learning method used to determine when signals should be generated for values that weren't learned.
Allowed enum values: duration,threshold
default: duration
learningThreshold
enum
A number of occurrences after which signals will be generated for values that weren't learned.
Allowed enum values: 0,1
thirdPartyRuleOptions
object
Options on third party rules.
defaultNotifications
[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
rootQueries
[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
[string]
Fields to group by.
query
string
Query to run on logs.
signalTitleTemplate
string
A template for the signal title; if omitted, the title is generated based on the case name.
queries
[object]
Queries for selecting logs which are part of the rule.
aggregation
enum
The aggregation type.
Allowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
correlatedByFields
[string]
Fields to correlate by.
correlatedQueryIndex
int32
Index of the rule query used to retrieve the correlated field.
defaultRuleId
string
Default Rule ID to match on signals.
distinctFields
[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
[string]
Fields to group by.
metrics
[string]
Group of target fields to aggregate over.
name
string
Name of the query.
ruleId
string
Rule ID to match on signals.
tags
[string]
Tags for generated signals.
type
enum
The rule type.
Allowed enum values: signal_correlation
updateAuthorId
int64
User ID of the user who updated the rule.
version
int64
The version of the rule.
{"cases":[{"condition":"string","name":"string","notifications":[],"status":"critical"}],"complianceSignalOptions":{"defaultActivationStatus":false,"defaultGroupByFields":[],"userActivationStatus":false,"userGroupByFields":[]},"createdAt":"integer","creationAuthorId":"integer","defaultTags":["security:attacks"],"deprecationDate":"integer","filters":[{"action":"string","query":"string"}],"hasExtendedTitle":false,"id":"string","isDefault":false,"isDeleted":false,"isEnabled":false,"message":"string","name":"string","options":{"complianceRuleOptions":{"complexRule":false,"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(resource) = \"skip\" if {\n # Logic that evaluates to true if the resource should be skipped\n true\n} else = \"pass\" {\n # Logic that evaluates to true if the resource is compliant\n true\n} else = \"fail\" {\n # Logic that evaluates to true if the resource is not compliant\n true\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n some resource in input.resources[input.main_resource_type]\n result := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_service_account","gcp_iam_policy"]},"resourceType":"aws_acm"},"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"string","evaluationWindow":"integer","hardcodedEvaluatorType":"string","impossibleTravelOptions":{"baselineUserLocations":true},"keepAlive":"integer","maxSignalDuration":"integer","newValueOptions":{"forgetAfter":"integer","learningDuration":"integer","learningMethod":"string","learningThreshold":"integer"},"thirdPartyRuleOptions":{"defaultNotifications":[],"defaultStatus":"critical","rootQueries":[{"groupByFields":[],"query":"source:cloudtrail"}],"signalTitleTemplate":"string"}},"queries":[{"aggregation":"string","distinctFields":[],"groupByFields":[],"hasOptionalGroupByFields":false,"metric":"string","metrics":[],"name":"string","query":"a > 3"}],"referenceTables":[{"checkPresence":false,"columnName":"string","logFieldPath":"string","ruleQueryName":"string","tableName":"string"}],"tags":[],"thirdPartyCases":[{"name":"string","notifications":[],"query":"string","status":"critical"}],"type":"string","updateAuthorId":"integer","version":"integer"}
// Create a cloud_configuration rule returns "OK" response
packagemainimport("context""encoding/json""fmt""os""github.com/DataDog/datadog-api-client-go/v2/api/datadog""github.com/DataDog/datadog-api-client-go/v2/api/datadogV2")funcmain(){body:=datadogV2.SecurityMonitoringRuleCreatePayload{CloudConfigurationRuleCreatePayload:&datadogV2.CloudConfigurationRuleCreatePayload{Type:datadogV2.CLOUDCONFIGURATIONRULETYPE_CLOUD_CONFIGURATION.Ptr(),Name:"Example-Security-Monitoring_cloud",IsEnabled:false,Cases:[]datadogV2.CloudConfigurationRuleCaseCreate{{Status:datadogV2.SECURITYMONITORINGRULESEVERITY_INFO,Notifications:[]string{"channel",},},},Options:datadogV2.CloudConfigurationRuleOptions{ComplianceRuleOptions:datadogV2.CloudConfigurationComplianceRuleOptions{ResourceType:datadog.PtrString("gcp_compute_disk"),ComplexRule:datadog.PtrBool(false),RegoRule:&datadogV2.CloudConfigurationRegoRule{Policy:`package datadog
import data.datadog.output as dd_output
import future.keywords.contains
import future.keywords.if
import future.keywords.in
milliseconds_in_a_day := ((1000 * 60) * 60) * 24
eval(iam_service_account_key) = "skip" if {
iam_service_account_key.disabled
} else = "pass" if {
(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90
} else = "fail"
# This part remains unchanged for all rules
results contains result if {
some resource in input.resources[input.main_resource_type]
result := dd_output.format(resource, eval(resource))
}
`,ResourceTypes:[]string{"gcp_compute_disk",},},},},Message:"ddd",Tags:[]string{"my:tag",},ComplianceSignalOptions:datadogV2.CloudConfigurationRuleComplianceSignalOptions{UserActivationStatus:*datadog.NewNullableBool(datadog.PtrBool(true)),UserGroupByFields:*datadog.NewNullableList(&[]string{"@account_id",}),},Filters:[]datadogV2.SecurityMonitoringFilter{{Action:datadogV2.SECURITYMONITORINGFILTERACTION_REQUIRE.Ptr(),Query:datadog.PtrString("resource_id:helo*"),},{Action:datadogV2.SECURITYMONITORINGFILTERACTION_SUPPRESS.Ptr(),Query:datadog.PtrString("control:helo*"),},},}}ctx:=datadog.NewDefaultContext(context.Background())configuration:=datadog.NewConfiguration()apiClient:=datadog.NewAPIClient(configuration)api:=datadogV2.NewSecurityMonitoringApi(apiClient)resp,r,err:=api.CreateSecurityMonitoringRule(ctx,body)iferr!=nil{fmt.Fprintf(os.Stderr,"Error when calling `SecurityMonitoringApi.CreateSecurityMonitoringRule`: %v\n",err)fmt.Fprintf(os.Stderr,"Full HTTP response: %v\n",r)}responseContent,_:=json.MarshalIndent(resp,""," ")fmt.Fprintf(os.Stdout,"Response from `SecurityMonitoringApi.CreateSecurityMonitoringRule`:\n%s\n",responseContent)}
// Create a detection rule returns "OK" response
packagemainimport("context""encoding/json""fmt""os""github.com/DataDog/datadog-api-client-go/v2/api/datadog""github.com/DataDog/datadog-api-client-go/v2/api/datadogV2")funcmain(){body:=datadogV2.SecurityMonitoringRuleCreatePayload{SecurityMonitoringStandardRuleCreatePayload:&datadogV2.SecurityMonitoringStandardRuleCreatePayload{Name:"Example-Security-Monitoring",Queries:[]datadogV2.SecurityMonitoringStandardRuleQuery{{Query:datadog.PtrString("@test:true"),Aggregation:datadogV2.SECURITYMONITORINGRULEQUERYAGGREGATION_COUNT.Ptr(),GroupByFields:[]string{},DistinctFields:[]string{},Metric:datadog.PtrString(""),},},Filters:[]datadogV2.SecurityMonitoringFilter{},Cases:[]datadogV2.SecurityMonitoringRuleCaseCreate{{Name:datadog.PtrString(""),Status:datadogV2.SECURITYMONITORINGRULESEVERITY_INFO,Condition:datadog.PtrString("a > 0"),Notifications:[]string{},},},Options:datadogV2.SecurityMonitoringRuleOptions{EvaluationWindow:datadogV2.SECURITYMONITORINGRULEEVALUATIONWINDOW_FIFTEEN_MINUTES.Ptr(),KeepAlive:datadogV2.SECURITYMONITORINGRULEKEEPALIVE_ONE_HOUR.Ptr(),MaxSignalDuration:datadogV2.SECURITYMONITORINGRULEMAXSIGNALDURATION_ONE_DAY.Ptr(),},Message:"Test rule",Tags:[]string{},IsEnabled:true,Type:datadogV2.SECURITYMONITORINGRULETYPECREATE_LOG_DETECTION.Ptr(),}}ctx:=datadog.NewDefaultContext(context.Background())configuration:=datadog.NewConfiguration()apiClient:=datadog.NewAPIClient(configuration)api:=datadogV2.NewSecurityMonitoringApi(apiClient)resp,r,err:=api.CreateSecurityMonitoringRule(ctx,body)iferr!=nil{fmt.Fprintf(os.Stderr,"Error when calling `SecurityMonitoringApi.CreateSecurityMonitoringRule`: %v\n",err)fmt.Fprintf(os.Stderr,"Full HTTP response: %v\n",r)}responseContent,_:=json.MarshalIndent(resp,""," ")fmt.Fprintf(os.Stdout,"Response from `SecurityMonitoringApi.CreateSecurityMonitoringRule`:\n%s\n",responseContent)}
// Create a detection rule with detection method 'third_party' returns "OK" response
packagemainimport("context""encoding/json""fmt""os""github.com/DataDog/datadog-api-client-go/v2/api/datadog""github.com/DataDog/datadog-api-client-go/v2/api/datadogV2")funcmain(){body:=datadogV2.SecurityMonitoringRuleCreatePayload{SecurityMonitoringStandardRuleCreatePayload:&datadogV2.SecurityMonitoringStandardRuleCreatePayload{Name:"Example-Security-Monitoring",Type:datadogV2.SECURITYMONITORINGRULETYPECREATE_LOG_DETECTION.Ptr(),IsEnabled:true,ThirdPartyCases:[]datadogV2.SecurityMonitoringThirdPartyRuleCaseCreate{{Query:datadog.PtrString("status:error"),Name:datadog.PtrString("high"),Status:datadogV2.SECURITYMONITORINGRULESEVERITY_HIGH,},{Query:datadog.PtrString("status:info"),Name:datadog.PtrString("low"),Status:datadogV2.SECURITYMONITORINGRULESEVERITY_LOW,},},Queries:[]datadogV2.SecurityMonitoringStandardRuleQuery{},Cases:[]datadogV2.SecurityMonitoringRuleCaseCreate{},Message:"This is a third party rule",Options:datadogV2.SecurityMonitoringRuleOptions{DetectionMethod:datadogV2.SECURITYMONITORINGRULEDETECTIONMETHOD_THIRD_PARTY.Ptr(),KeepAlive:datadogV2.SECURITYMONITORINGRULEKEEPALIVE_ZERO_MINUTES.Ptr(),MaxSignalDuration:datadogV2.SECURITYMONITORINGRULEMAXSIGNALDURATION_TEN_MINUTES.Ptr(),ThirdPartyRuleOptions:&datadogV2.SecurityMonitoringRuleThirdPartyOptions{DefaultStatus:datadogV2.SECURITYMONITORINGRULESEVERITY_INFO.Ptr(),RootQueries:[]datadogV2.SecurityMonitoringThirdPartyRootQuery{{Query:datadog.PtrString("source:guardduty @details.alertType:*EC2*"),GroupByFields:[]string{"instance-id",},},{Query:datadog.PtrString("source:guardduty"),GroupByFields:[]string{},},},},},}}ctx:=datadog.NewDefaultContext(context.Background())configuration:=datadog.NewConfiguration()apiClient:=datadog.NewAPIClient(configuration)api:=datadogV2.NewSecurityMonitoringApi(apiClient)resp,r,err:=api.CreateSecurityMonitoringRule(ctx,body)iferr!=nil{fmt.Fprintf(os.Stderr,"Error when calling `SecurityMonitoringApi.CreateSecurityMonitoringRule`: %v\n",err)fmt.Fprintf(os.Stderr,"Full HTTP response: %v\n",r)}responseContent,_:=json.MarshalIndent(resp,""," ")fmt.Fprintf(os.Stdout,"Response from `SecurityMonitoringApi.CreateSecurityMonitoringRule`:\n%s\n",responseContent)}
// Create a cloud_configuration rule returns "OK" responseimportcom.datadog.api.client.ApiClient;importcom.datadog.api.client.ApiException;importcom.datadog.api.client.v2.api.SecurityMonitoringApi;importcom.datadog.api.client.v2.model.CloudConfigurationComplianceRuleOptions;importcom.datadog.api.client.v2.model.CloudConfigurationRegoRule;importcom.datadog.api.client.v2.model.CloudConfigurationRuleCaseCreate;importcom.datadog.api.client.v2.model.CloudConfigurationRuleComplianceSignalOptions;importcom.datadog.api.client.v2.model.CloudConfigurationRuleCreatePayload;importcom.datadog.api.client.v2.model.CloudConfigurationRuleOptions;importcom.datadog.api.client.v2.model.CloudConfigurationRuleType;importcom.datadog.api.client.v2.model.SecurityMonitoringFilter;importcom.datadog.api.client.v2.model.SecurityMonitoringFilterAction;importcom.datadog.api.client.v2.model.SecurityMonitoringRuleCreatePayload;importcom.datadog.api.client.v2.model.SecurityMonitoringRuleResponse;importcom.datadog.api.client.v2.model.SecurityMonitoringRuleSeverity;importjava.util.Arrays;importjava.util.Collections;publicclassExample{publicstaticvoidmain(String[]args){ApiClientdefaultClient=ApiClient.getDefaultApiClient();SecurityMonitoringApiapiInstance=newSecurityMonitoringApi(defaultClient);SecurityMonitoringRuleCreatePayloadbody=newSecurityMonitoringRuleCreatePayload(newCloudConfigurationRuleCreatePayload().type(CloudConfigurationRuleType.CLOUD_CONFIGURATION).name("Example-Security-Monitoring_cloud").isEnabled(false).cases(Collections.singletonList(newCloudConfigurationRuleCaseCreate().status(SecurityMonitoringRuleSeverity.INFO).notifications(Collections.singletonList("channel")))).options(newCloudConfigurationRuleOptions().complianceRuleOptions(newCloudConfigurationComplianceRuleOptions().resourceType("gcp_compute_disk").complexRule(false).regoRule(newCloudConfigurationRegoRule().policy("""
package datadog
import data.datadog.output as dd_output
import future.keywords.contains
import future.keywords.if
import future.keywords.in
milliseconds_in_a_day := ((1000 * 60) * 60) * 24
eval(iam_service_account_key) = "skip" if {
iam_service_account_key.disabled
} else = "pass" if {
(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90
} else = "fail"
# This part remains unchanged for all rules
results contains result if {
some resource in input.resources[input.main_resource_type]
result := dd_output.format(resource, eval(resource))
}
""").resourceTypes(Collections.singletonList("gcp_compute_disk"))))).message("ddd").tags(Collections.singletonList("my:tag")).complianceSignalOptions(newCloudConfigurationRuleComplianceSignalOptions().userActivationStatus(true).userGroupByFields(Collections.singletonList("@account_id"))).filters(Arrays.asList(newSecurityMonitoringFilter().action(SecurityMonitoringFilterAction.REQUIRE).query("resource_id:helo*"),newSecurityMonitoringFilter().action(SecurityMonitoringFilterAction.SUPPRESS).query("control:helo*"))));try{SecurityMonitoringRuleResponseresult=apiInstance.createSecurityMonitoringRule(body);System.out.println(result);}catch(ApiExceptione){System.err.println("Exception when calling SecurityMonitoringApi#createSecurityMonitoringRule");System.err.println("Status code: "+e.getCode());System.err.println("Reason: "+e.getResponseBody());System.err.println("Response headers: "+e.getResponseHeaders());e.printStackTrace();}}}
// Create a detection rule returns "OK" responseimportcom.datadog.api.client.ApiClient;importcom.datadog.api.client.ApiException;importcom.datadog.api.client.v2.api.SecurityMonitoringApi;importcom.datadog.api.client.v2.model.SecurityMonitoringRuleCaseCreate;importcom.datadog.api.client.v2.model.SecurityMonitoringRuleCreatePayload;importcom.datadog.api.client.v2.model.SecurityMonitoringRuleEvaluationWindow;importcom.datadog.api.client.v2.model.SecurityMonitoringRuleKeepAlive;importcom.datadog.api.client.v2.model.SecurityMonitoringRuleMaxSignalDuration;importcom.datadog.api.client.v2.model.SecurityMonitoringRuleOptions;importcom.datadog.api.client.v2.model.SecurityMonitoringRuleQueryAggregation;importcom.datadog.api.client.v2.model.SecurityMonitoringRuleResponse;importcom.datadog.api.client.v2.model.SecurityMonitoringRuleSeverity;importcom.datadog.api.client.v2.model.SecurityMonitoringRuleTypeCreate;importcom.datadog.api.client.v2.model.SecurityMonitoringStandardRuleCreatePayload;importcom.datadog.api.client.v2.model.SecurityMonitoringStandardRuleQuery;importjava.util.Collections;publicclassExample{publicstaticvoidmain(String[]args){ApiClientdefaultClient=ApiClient.getDefaultApiClient();SecurityMonitoringApiapiInstance=newSecurityMonitoringApi(defaultClient);SecurityMonitoringRuleCreatePayloadbody=newSecurityMonitoringRuleCreatePayload(newSecurityMonitoringStandardRuleCreatePayload().name("Example-Security-Monitoring").queries(Collections.singletonList(newSecurityMonitoringStandardRuleQuery().query("@test:true").aggregation(SecurityMonitoringRuleQueryAggregation.COUNT).metric(""))).cases(Collections.singletonList(newSecurityMonitoringRuleCaseCreate().name("").status(SecurityMonitoringRuleSeverity.INFO).condition("a > 0"))).options(newSecurityMonitoringRuleOptions().evaluationWindow(SecurityMonitoringRuleEvaluationWindow.FIFTEEN_MINUTES).keepAlive(SecurityMonitoringRuleKeepAlive.ONE_HOUR).maxSignalDuration(SecurityMonitoringRuleMaxSignalDuration.ONE_DAY)).message("Test rule").isEnabled(true).type(SecurityMonitoringRuleTypeCreate.LOG_DETECTION));try{SecurityMonitoringRuleResponseresult=apiInstance.createSecurityMonitoringRule(body);System.out.println(result);}catch(ApiExceptione){System.err.println("Exception when calling SecurityMonitoringApi#createSecurityMonitoringRule");System.err.println("Status code: "+e.getCode());System.err.println("Reason: "+e.getResponseBody());System.err.println("Response headers: "+e.getResponseHeaders());e.printStackTrace();}}}
// Create a detection rule with detection method 'third_party' returns "OK" responseimportcom.datadog.api.client.ApiClient;importcom.datadog.api.client.ApiException;importcom.datadog.api.client.v2.api.SecurityMonitoringApi;importcom.datadog.api.client.v2.model.SecurityMonitoringRuleCreatePayload;importcom.datadog.api.client.v2.model.SecurityMonitoringRuleDetectionMethod;importcom.datadog.api.client.v2.model.SecurityMonitoringRuleKeepAlive;importcom.datadog.api.client.v2.model.SecurityMonitoringRuleMaxSignalDuration;importcom.datadog.api.client.v2.model.SecurityMonitoringRuleOptions;importcom.datadog.api.client.v2.model.SecurityMonitoringRuleResponse;importcom.datadog.api.client.v2.model.SecurityMonitoringRuleSeverity;importcom.datadog.api.client.v2.model.SecurityMonitoringRuleThirdPartyOptions;importcom.datadog.api.client.v2.model.SecurityMonitoringRuleTypeCreate;importcom.datadog.api.client.v2.model.SecurityMonitoringStandardRuleCreatePayload;importcom.datadog.api.client.v2.model.SecurityMonitoringThirdPartyRootQuery;importcom.datadog.api.client.v2.model.SecurityMonitoringThirdPartyRuleCaseCreate;importjava.util.Arrays;importjava.util.Collections;publicclassExample{publicstaticvoidmain(String[]args){ApiClientdefaultClient=ApiClient.getDefaultApiClient();SecurityMonitoringApiapiInstance=newSecurityMonitoringApi(defaultClient);SecurityMonitoringRuleCreatePayloadbody=newSecurityMonitoringRuleCreatePayload(newSecurityMonitoringStandardRuleCreatePayload().name("Example-Security-Monitoring").type(SecurityMonitoringRuleTypeCreate.LOG_DETECTION).isEnabled(true).thirdPartyCases(Arrays.asList(newSecurityMonitoringThirdPartyRuleCaseCreate().query("status:error").name("high").status(SecurityMonitoringRuleSeverity.HIGH),newSecurityMonitoringThirdPartyRuleCaseCreate().query("status:info").name("low").status(SecurityMonitoringRuleSeverity.LOW))).message("This is a third party rule").options(newSecurityMonitoringRuleOptions().detectionMethod(SecurityMonitoringRuleDetectionMethod.THIRD_PARTY).keepAlive(SecurityMonitoringRuleKeepAlive.ZERO_MINUTES).maxSignalDuration(SecurityMonitoringRuleMaxSignalDuration.TEN_MINUTES).thirdPartyRuleOptions(newSecurityMonitoringRuleThirdPartyOptions().defaultStatus(SecurityMonitoringRuleSeverity.INFO).rootQueries(Arrays.asList(newSecurityMonitoringThirdPartyRootQuery().query("source:guardduty @details.alertType:*EC2*").groupByFields(Collections.singletonList("instance-id")),newSecurityMonitoringThirdPartyRootQuery().query("source:guardduty"))))));try{SecurityMonitoringRuleResponseresult=apiInstance.createSecurityMonitoringRule(body);System.out.println(result);}catch(ApiExceptione){System.err.println("Exception when calling SecurityMonitoringApi#createSecurityMonitoringRule");System.err.println("Status code: "+e.getCode());System.err.println("Reason: "+e.getResponseBody());System.err.println("Response headers: "+e.getResponseHeaders());e.printStackTrace();}}}
"""
Create a detection rule with detection method 'third_party' returns "OK" response
"""fromdatadog_api_clientimportApiClient,Configurationfromdatadog_api_client.v2.api.security_monitoring_apiimportSecurityMonitoringApifromdatadog_api_client.v2.model.security_monitoring_rule_detection_methodimportSecurityMonitoringRuleDetectionMethodfromdatadog_api_client.v2.model.security_monitoring_rule_keep_aliveimportSecurityMonitoringRuleKeepAlivefromdatadog_api_client.v2.model.security_monitoring_rule_max_signal_durationimport(SecurityMonitoringRuleMaxSignalDuration,)fromdatadog_api_client.v2.model.security_monitoring_rule_optionsimportSecurityMonitoringRuleOptionsfromdatadog_api_client.v2.model.security_monitoring_rule_severityimportSecurityMonitoringRuleSeverityfromdatadog_api_client.v2.model.security_monitoring_rule_third_party_optionsimport(SecurityMonitoringRuleThirdPartyOptions,)fromdatadog_api_client.v2.model.security_monitoring_rule_type_createimportSecurityMonitoringRuleTypeCreatefromdatadog_api_client.v2.model.security_monitoring_standard_rule_create_payloadimport(SecurityMonitoringStandardRuleCreatePayload,)fromdatadog_api_client.v2.model.security_monitoring_third_party_root_queryimportSecurityMonitoringThirdPartyRootQueryfromdatadog_api_client.v2.model.security_monitoring_third_party_rule_case_createimport(SecurityMonitoringThirdPartyRuleCaseCreate,)body=SecurityMonitoringStandardRuleCreatePayload(name="Example-Security-Monitoring",type=SecurityMonitoringRuleTypeCreate.LOG_DETECTION,is_enabled=True,third_party_cases=[SecurityMonitoringThirdPartyRuleCaseCreate(query="status:error",name="high",status=SecurityMonitoringRuleSeverity.HIGH,),SecurityMonitoringThirdPartyRuleCaseCreate(query="status:info",name="low",status=SecurityMonitoringRuleSeverity.LOW,),],queries=[],cases=[],message="This is a third party rule",options=SecurityMonitoringRuleOptions(detection_method=SecurityMonitoringRuleDetectionMethod.THIRD_PARTY,keep_alive=SecurityMonitoringRuleKeepAlive.ZERO_MINUTES,max_signal_duration=SecurityMonitoringRuleMaxSignalDuration.TEN_MINUTES,third_party_rule_options=SecurityMonitoringRuleThirdPartyOptions(default_status=SecurityMonitoringRuleSeverity.INFO,root_queries=[SecurityMonitoringThirdPartyRootQuery(query="source:guardduty @details.alertType:*EC2*",group_by_fields=["instance-id",],),SecurityMonitoringThirdPartyRootQuery(query="source:guardduty",group_by_fields=[],),],),),)configuration=Configuration()withApiClient(configuration)asapi_client:api_instance=SecurityMonitoringApi(api_client)response=api_instance.create_security_monitoring_rule(body=body)print(response)
# Create a detection rule with detection method 'third_party' returns "OK" responserequire"datadog_api_client"api_instance=DatadogAPIClient::V2::SecurityMonitoringAPI.newbody=DatadogAPIClient::V2::SecurityMonitoringStandardRuleCreatePayload.new({name:"Example-Security-Monitoring",type:DatadogAPIClient::V2::SecurityMonitoringRuleTypeCreate::LOG_DETECTION,is_enabled:true,third_party_cases:[DatadogAPIClient::V2::SecurityMonitoringThirdPartyRuleCaseCreate.new({query:"status:error",name:"high",status:DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::HIGH,}),DatadogAPIClient::V2::SecurityMonitoringThirdPartyRuleCaseCreate.new({query:"status:info",name:"low",status:DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::LOW,}),],queries:[],cases:[],message:"This is a third party rule",options:DatadogAPIClient::V2::SecurityMonitoringRuleOptions.new({detection_method:DatadogAPIClient::V2::SecurityMonitoringRuleDetectionMethod::THIRD_PARTY,keep_alive:DatadogAPIClient::V2::SecurityMonitoringRuleKeepAlive::ZERO_MINUTES,max_signal_duration:DatadogAPIClient::V2::SecurityMonitoringRuleMaxSignalDuration::TEN_MINUTES,third_party_rule_options:DatadogAPIClient::V2::SecurityMonitoringRuleThirdPartyOptions.new({default_status:DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::INFO,root_queries:[DatadogAPIClient::V2::SecurityMonitoringThirdPartyRootQuery.new({query:"source:guardduty @details.alertType:*EC2*",group_by_fields:["instance-id",],}),DatadogAPIClient::V2::SecurityMonitoringThirdPartyRootQuery.new({query:"source:guardduty",group_by_fields:[],}),],}),}),})papi_instance.create_security_monitoring_rule(body)
// Create a detection rule with detection method 'third_party' returns "OK"
// response
usedatadog_api_client::datadog;usedatadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;usedatadog_api_client::datadogV2::model::SecurityMonitoringRuleCreatePayload;usedatadog_api_client::datadogV2::model::SecurityMonitoringRuleDetectionMethod;usedatadog_api_client::datadogV2::model::SecurityMonitoringRuleKeepAlive;usedatadog_api_client::datadogV2::model::SecurityMonitoringRuleMaxSignalDuration;usedatadog_api_client::datadogV2::model::SecurityMonitoringRuleOptions;usedatadog_api_client::datadogV2::model::SecurityMonitoringRuleSeverity;usedatadog_api_client::datadogV2::model::SecurityMonitoringRuleThirdPartyOptions;usedatadog_api_client::datadogV2::model::SecurityMonitoringRuleTypeCreate;usedatadog_api_client::datadogV2::model::SecurityMonitoringStandardRuleCreatePayload;usedatadog_api_client::datadogV2::model::SecurityMonitoringThirdPartyRootQuery;usedatadog_api_client::datadogV2::model::SecurityMonitoringThirdPartyRuleCaseCreate;#[tokio::main]asyncfnmain(){letbody=SecurityMonitoringRuleCreatePayload::SecurityMonitoringStandardRuleCreatePayload(Box::new(SecurityMonitoringStandardRuleCreatePayload::new(vec![],true,"This is a third party rule".to_string(),"Example-Security-Monitoring".to_string(),SecurityMonitoringRuleOptions::new().detection_method(SecurityMonitoringRuleDetectionMethod::THIRD_PARTY).keep_alive(SecurityMonitoringRuleKeepAlive::ZERO_MINUTES).max_signal_duration(SecurityMonitoringRuleMaxSignalDuration::TEN_MINUTES).third_party_rule_options(SecurityMonitoringRuleThirdPartyOptions::new().default_status(SecurityMonitoringRuleSeverity::INFO).root_queries(vec![SecurityMonitoringThirdPartyRootQuery::new().group_by_fields(vec!["instance-id".to_string()]).query("source:guardduty @details.alertType:*EC2*".to_string()),SecurityMonitoringThirdPartyRootQuery::new().group_by_fields(vec![]).query("source:guardduty".to_string()),]),),vec![],).third_party_cases(vec![SecurityMonitoringThirdPartyRuleCaseCreate::new(SecurityMonitoringRuleSeverity::HIGH,).name("high".to_string()).query("status:error".to_string()),SecurityMonitoringThirdPartyRuleCaseCreate::new(SecurityMonitoringRuleSeverity::LOW,).name("low".to_string()).query("status:info".to_string()),]).type_(SecurityMonitoringRuleTypeCreate::LOG_DETECTION),));letconfiguration=datadog::Configuration::new();letapi=SecurityMonitoringAPI::with_config(configuration);letresp=api.create_security_monitoring_rule(body).await;ifletOk(value)=resp{println!("{:#?}",value);}else{println!("{:#?}",resp.unwrap_err());}}
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com"DD_API_KEY="<DD_API_KEY>"DD_APP_KEY="<DD_APP_KEY>"cargo run
/**
* Create a cloud_configuration rule returns "OK" response
*/import{client,v2}from"@datadog/datadog-api-client";constconfiguration=client.createConfiguration();constapiInstance=newv2.SecurityMonitoringApi(configuration);constparams: v2.SecurityMonitoringApiCreateSecurityMonitoringRuleRequest={body:{type:"cloud_configuration",name:"Example-Security-Monitoring_cloud",isEnabled: false,cases:[{status:"info",notifications:["channel"],},],options:{complianceRuleOptions:{resourceType:"gcp_compute_disk",complexRule: false,regoRule:{policy:`package datadog
import data.datadog.output as dd_output
import future.keywords.contains
import future.keywords.if
import future.keywords.in
milliseconds_in_a_day := ((1000 * 60) * 60) * 24
eval(iam_service_account_key) = "skip" if {
iam_service_account_key.disabled
} else = "pass" if {
(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90
} else = "fail"
# This part remains unchanged for all rules
results contains result if {
some resource in input.resources[input.main_resource_type]
result := dd_output.format(resource, eval(resource))
}
`,resourceTypes:["gcp_compute_disk"],},},},message:"ddd",tags:["my:tag"],complianceSignalOptions:{userActivationStatus: true,userGroupByFields:["@account_id"],},filters:[{action:"require",query:"resource_id:helo*",},{action:"suppress",query:"control:helo*",},],},};apiInstance.createSecurityMonitoringRule(params).then((data: v2.SecurityMonitoringRuleResponse)=>{console.log("API called successfully. Returned data: "+JSON.stringify(data));}).catch((error: any)=>console.error(error));
/**
* Create a detection rule returns "OK" response
*/import{client,v2}from"@datadog/datadog-api-client";constconfiguration=client.createConfiguration();constapiInstance=newv2.SecurityMonitoringApi(configuration);constparams: v2.SecurityMonitoringApiCreateSecurityMonitoringRuleRequest={body:{name:"Example-Security-Monitoring",queries:[{query:"@test:true",aggregation:"count",groupByFields:[],distinctFields:[],metric:"",},],filters:[],cases:[{name:"",status:"info",condition:"a > 0",notifications:[],},],options:{evaluationWindow: 900,keepAlive: 3600,maxSignalDuration: 86400,},message:"Test rule",tags:[],isEnabled: true,type:"log_detection",},};apiInstance.createSecurityMonitoringRule(params).then((data: v2.SecurityMonitoringRuleResponse)=>{console.log("API called successfully. Returned data: "+JSON.stringify(data));}).catch((error: any)=>console.error(error));
/**
* Create a detection rule with detection method 'third_party' returns "OK" response
*/import{client,v2}from"@datadog/datadog-api-client";constconfiguration=client.createConfiguration();constapiInstance=newv2.SecurityMonitoringApi(configuration);constparams: v2.SecurityMonitoringApiCreateSecurityMonitoringRuleRequest={body:{name:"Example-Security-Monitoring",type:"log_detection",isEnabled: true,thirdPartyCases:[{query:"status:error",name:"high",status:"high",},{query:"status:info",name:"low",status:"low",},],queries:[],cases:[],message:"This is a third party rule",options:{detectionMethod:"third_party",keepAlive: 0,maxSignalDuration: 600,thirdPartyRuleOptions:{defaultStatus:"info",rootQueries:[{query:"source:guardduty @details.alertType:*EC2*",groupByFields:["instance-id"],},{query:"source:guardduty",groupByFields:[],},],},},},};apiInstance.createSecurityMonitoringRule(params).then((data: v2.SecurityMonitoringRuleResponse)=>{console.log("API called successfully. Returned data: "+JSON.stringify(data));}).catch((error: any)=>console.error(error));
A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated
based on the event counts in the previously defined queries.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
status
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
complianceSignalOptions
object
How to generate compliance signals. Useful for cloud_configuration rules only.
defaultActivationStatus
boolean
The default activation status.
defaultGroupByFields
[string]
The default group by fields.
userActivationStatus
boolean
Whether signals will be sent.
userGroupByFields
[string]
Fields to use to group findings by when sending signals.
createdAt
int64
When the rule was created, timestamp in milliseconds.
creationAuthorId
int64
User ID of the user who created the rule.
defaultTags
[string]
Default Tags for default rules (included in tags)
deprecationDate
int64
When the rule will be deprecated, timestamp in milliseconds.
filters
[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
enum
The type of filtering action.
Allowed enum values: require,suppress
query
string
Query for selecting logs to apply the filtering action.
hasExtendedTitle
boolean
Whether the notifications include the triggering group-by values in their title.
id
string
The ID of the rule.
isDefault
boolean
Whether the rule is included by default.
isDeleted
boolean
Whether the rule has been deleted.
isEnabled
boolean
Whether the rule is enabled.
message
string
Message for generated signals.
name
string
The name of the rule.
options
object
Options on rules.
complianceRuleOptions
object
Options for cloud_configuration rules.
Fields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.
complexRule
boolean
Whether the rule is a complex one.
Must be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
string
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.
decreaseCriticalityBasedOnEnv
boolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.
The severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO.
The decrement is applied when the environment tag of the signal starts with staging, test or dev.
detectionMethod
enum
The detection method.
Allowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold
evaluationWindow
enum
A time window is specified to match when at least one of the cases matches true. This is a sliding window
and evaluates in real time. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular
access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
enum
Once a signal is generated, the signal will remain “open” if a case is matched at least once within
this keep alive window. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600
maxSignalDuration
enum
A signal will “close” regardless of the query being matched once the time exceeds the maximum duration.
This time is calculated from the first seen timestamp.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
object
Options on new value rules.
forgetAfter
enum
The duration in days after which a learned value is forgotten.
Allowed enum values: 1,2,7,14,21,28
learningDuration
enum
The duration in days during which values are learned, and after which signals will be generated for values that
weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned.
Allowed enum values: 0,1,7
learningMethod
enum
The learning method used to determine when signals should be generated for values that weren't learned.
Allowed enum values: duration,threshold
default: duration
learningThreshold
enum
A number of occurrences after which signals will be generated for values that weren't learned.
Allowed enum values: 0,1
thirdPartyRuleOptions
object
Options on third party rules.
defaultNotifications
[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
rootQueries
[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
[string]
Fields to group by.
query
string
Query to run on logs.
signalTitleTemplate
string
A template for the signal title; if omitted, the title is generated based on the case name.
queries
[object]
Queries for selecting logs which are part of the rule.
aggregation
enum
The aggregation type.
Allowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
distinctFields
[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
[string]
Fields to group by.
hasOptionalGroupByFields
boolean
When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with N/A, replacing the missing values.
metric
string
DEPRECATED: (Deprecated) The target field to aggregate over when using the sum or max
aggregations. metrics field should be used instead.
metrics
[string]
Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.
name
string
Name of the query.
query
string
Query to run on logs.
referenceTables
[object]
Reference tables for the rule.
checkPresence
boolean
Whether to include or exclude the matched values.
columnName
string
The name of the column in the reference table.
logFieldPath
string
The field in the log to match against the reference table.
ruleQueryName
string
The name of the rule query to apply the reference table to.
tableName
string
The name of the reference table.
tags
[string]
Tags for generated signals.
thirdPartyCases
[object]
Cases for generating signals from third-party rules. Only available for third-party rules.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
query
string
A query to map a third party event to this case.
status
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
type
enum
The rule type.
Allowed enum values: log_detection,infrastructure_configuration,workload_security,cloud_configuration,application_security
updateAuthorId
int64
User ID of the user who updated the rule.
version
int64
The version of the rule.
Option 2
Rule.
cases
[object]
Cases for generating signals.
condition
string
A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated
based on the event counts in the previously defined queries.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
status
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
createdAt
int64
When the rule was created, timestamp in milliseconds.
creationAuthorId
int64
User ID of the user who created the rule.
deprecationDate
int64
When the rule will be deprecated, timestamp in milliseconds.
filters
[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
enum
The type of filtering action.
Allowed enum values: require,suppress
query
string
Query for selecting logs to apply the filtering action.
hasExtendedTitle
boolean
Whether the notifications include the triggering group-by values in their title.
id
string
The ID of the rule.
isDefault
boolean
Whether the rule is included by default.
isDeleted
boolean
Whether the rule has been deleted.
isEnabled
boolean
Whether the rule is enabled.
message
string
Message for generated signals.
name
string
The name of the rule.
options
object
Options on rules.
complianceRuleOptions
object
Options for cloud_configuration rules.
Fields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.
complexRule
boolean
Whether the rule is a complex one.
Must be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
string
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.
decreaseCriticalityBasedOnEnv
boolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.
The severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO.
The decrement is applied when the environment tag of the signal starts with staging, test or dev.
detectionMethod
enum
The detection method.
Allowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold
evaluationWindow
enum
A time window is specified to match when at least one of the cases matches true. This is a sliding window
and evaluates in real time. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular
access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
enum
Once a signal is generated, the signal will remain “open” if a case is matched at least once within
this keep alive window. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600
maxSignalDuration
enum
A signal will “close” regardless of the query being matched once the time exceeds the maximum duration.
This time is calculated from the first seen timestamp.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
object
Options on new value rules.
forgetAfter
enum
The duration in days after which a learned value is forgotten.
Allowed enum values: 1,2,7,14,21,28
learningDuration
enum
The duration in days during which values are learned, and after which signals will be generated for values that
weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned.
Allowed enum values: 0,1,7
learningMethod
enum
The learning method used to determine when signals should be generated for values that weren't learned.
Allowed enum values: duration,threshold
default: duration
learningThreshold
enum
A number of occurrences after which signals will be generated for values that weren't learned.
Allowed enum values: 0,1
thirdPartyRuleOptions
object
Options on third party rules.
defaultNotifications
[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
rootQueries
[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
[string]
Fields to group by.
query
string
Query to run on logs.
signalTitleTemplate
string
A template for the signal title; if omitted, the title is generated based on the case name.
queries
[object]
Queries for selecting logs which are part of the rule.
aggregation
enum
The aggregation type.
Allowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
correlatedByFields
[string]
Fields to correlate by.
correlatedQueryIndex
int32
Index of the rule query used to retrieve the correlated field.
defaultRuleId
string
Default Rule ID to match on signals.
distinctFields
[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
[string]
Fields to group by.
metrics
[string]
Group of target fields to aggregate over.
name
string
Name of the query.
ruleId
string
Rule ID to match on signals.
tags
[string]
Tags for generated signals.
type
enum
The rule type.
Allowed enum values: signal_correlation
updateAuthorId
int64
User ID of the user who updated the rule.
version
int64
The version of the rule.
meta
object
Object describing meta attributes of response.
page
object
Pagination object.
total_count
int64
Total count.
total_filtered_count
int64
Total count of elements matched by the filter.
{"data":[{"cases":[{"condition":"string","name":"string","notifications":[],"status":"critical"}],"complianceSignalOptions":{"defaultActivationStatus":false,"defaultGroupByFields":[],"userActivationStatus":false,"userGroupByFields":[]},"createdAt":"integer","creationAuthorId":"integer","defaultTags":["security:attacks"],"deprecationDate":"integer","filters":[{"action":"string","query":"string"}],"hasExtendedTitle":false,"id":"string","isDefault":false,"isDeleted":false,"isEnabled":false,"message":"string","name":"string","options":{"complianceRuleOptions":{"complexRule":false,"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(resource) = \"skip\" if {\n # Logic that evaluates to true if the resource should be skipped\n true\n} else = \"pass\" {\n # Logic that evaluates to true if the resource is compliant\n true\n} else = \"fail\" {\n # Logic that evaluates to true if the resource is not compliant\n true\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n some resource in input.resources[input.main_resource_type]\n result := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_service_account","gcp_iam_policy"]},"resourceType":"aws_acm"},"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"string","evaluationWindow":"integer","hardcodedEvaluatorType":"string","impossibleTravelOptions":{"baselineUserLocations":true},"keepAlive":"integer","maxSignalDuration":"integer","newValueOptions":{"forgetAfter":"integer","learningDuration":"integer","learningMethod":"string","learningThreshold":"integer"},"thirdPartyRuleOptions":{"defaultNotifications":[],"defaultStatus":"critical","rootQueries":[{"groupByFields":[],"query":"source:cloudtrail"}],"signalTitleTemplate":"string"}},"queries":[{"aggregation":"string","distinctFields":[],"groupByFields":[],"hasOptionalGroupByFields":false,"metric":"string","metrics":[],"name":"string","query":"a > 3"}],"referenceTables":[{"checkPresence":false,"columnName":"string","logFieldPath":"string","ruleQueryName":"string","tableName":"string"}],"tags":[],"thirdPartyCases":[{"name":"string","notifications":[],"query":"string","status":"critical"}],"type":"string","updateAuthorId":"integer","version":"integer"}],"meta":{"page":{"total_count":"integer","total_filtered_count":"integer"}}}
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com"DD_API_KEY="<DD_API_KEY>"DD_APP_KEY="<DD_APP_KEY>"cargo run
/**
* List rules returns "OK" response
*/import{client,v2}from"@datadog/datadog-api-client";constconfiguration=client.createConfiguration();constapiInstance=newv2.SecurityMonitoringApi(configuration);apiInstance.listSecurityMonitoringRules().then((data: v2.SecurityMonitoringListRulesResponse)=>{console.log("API called successfully. Returned data: "+JSON.stringify(data));}).catch((error: any)=>console.error(error));
A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated
based on the event counts in the previously defined queries.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
status
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
complianceSignalOptions
object
How to generate compliance signals. Useful for cloud_configuration rules only.
defaultActivationStatus
boolean
The default activation status.
defaultGroupByFields
[string]
The default group by fields.
userActivationStatus
boolean
Whether signals will be sent.
userGroupByFields
[string]
Fields to use to group findings by when sending signals.
createdAt
int64
When the rule was created, timestamp in milliseconds.
creationAuthorId
int64
User ID of the user who created the rule.
defaultTags
[string]
Default Tags for default rules (included in tags)
deprecationDate
int64
When the rule will be deprecated, timestamp in milliseconds.
filters
[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
enum
The type of filtering action.
Allowed enum values: require,suppress
query
string
Query for selecting logs to apply the filtering action.
hasExtendedTitle
boolean
Whether the notifications include the triggering group-by values in their title.
id
string
The ID of the rule.
isDefault
boolean
Whether the rule is included by default.
isDeleted
boolean
Whether the rule has been deleted.
isEnabled
boolean
Whether the rule is enabled.
message
string
Message for generated signals.
name
string
The name of the rule.
options
object
Options on rules.
complianceRuleOptions
object
Options for cloud_configuration rules.
Fields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.
complexRule
boolean
Whether the rule is a complex one.
Must be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
string
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.
decreaseCriticalityBasedOnEnv
boolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.
The severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO.
The decrement is applied when the environment tag of the signal starts with staging, test or dev.
detectionMethod
enum
The detection method.
Allowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold
evaluationWindow
enum
A time window is specified to match when at least one of the cases matches true. This is a sliding window
and evaluates in real time. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular
access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
enum
Once a signal is generated, the signal will remain “open” if a case is matched at least once within
this keep alive window. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600
maxSignalDuration
enum
A signal will “close” regardless of the query being matched once the time exceeds the maximum duration.
This time is calculated from the first seen timestamp.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
object
Options on new value rules.
forgetAfter
enum
The duration in days after which a learned value is forgotten.
Allowed enum values: 1,2,7,14,21,28
learningDuration
enum
The duration in days during which values are learned, and after which signals will be generated for values that
weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned.
Allowed enum values: 0,1,7
learningMethod
enum
The learning method used to determine when signals should be generated for values that weren't learned.
Allowed enum values: duration,threshold
default: duration
learningThreshold
enum
A number of occurrences after which signals will be generated for values that weren't learned.
Allowed enum values: 0,1
thirdPartyRuleOptions
object
Options on third party rules.
defaultNotifications
[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
rootQueries
[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
[string]
Fields to group by.
query
string
Query to run on logs.
signalTitleTemplate
string
A template for the signal title; if omitted, the title is generated based on the case name.
queries
[object]
Queries for selecting logs which are part of the rule.
aggregation
enum
The aggregation type.
Allowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
distinctFields
[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
[string]
Fields to group by.
hasOptionalGroupByFields
boolean
When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with N/A, replacing the missing values.
metric
string
DEPRECATED: (Deprecated) The target field to aggregate over when using the sum or max
aggregations. metrics field should be used instead.
metrics
[string]
Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.
name
string
Name of the query.
query
string
Query to run on logs.
referenceTables
[object]
Reference tables for the rule.
checkPresence
boolean
Whether to include or exclude the matched values.
columnName
string
The name of the column in the reference table.
logFieldPath
string
The field in the log to match against the reference table.
ruleQueryName
string
The name of the rule query to apply the reference table to.
tableName
string
The name of the reference table.
tags
[string]
Tags for generated signals.
thirdPartyCases
[object]
Cases for generating signals from third-party rules. Only available for third-party rules.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
query
string
A query to map a third party event to this case.
status
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
type
enum
The rule type.
Allowed enum values: log_detection,infrastructure_configuration,workload_security,cloud_configuration,application_security
updateAuthorId
int64
User ID of the user who updated the rule.
version
int64
The version of the rule.
Option 2
Rule.
cases
[object]
Cases for generating signals.
condition
string
A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated
based on the event counts in the previously defined queries.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
status
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
createdAt
int64
When the rule was created, timestamp in milliseconds.
creationAuthorId
int64
User ID of the user who created the rule.
deprecationDate
int64
When the rule will be deprecated, timestamp in milliseconds.
filters
[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
enum
The type of filtering action.
Allowed enum values: require,suppress
query
string
Query for selecting logs to apply the filtering action.
hasExtendedTitle
boolean
Whether the notifications include the triggering group-by values in their title.
id
string
The ID of the rule.
isDefault
boolean
Whether the rule is included by default.
isDeleted
boolean
Whether the rule has been deleted.
isEnabled
boolean
Whether the rule is enabled.
message
string
Message for generated signals.
name
string
The name of the rule.
options
object
Options on rules.
complianceRuleOptions
object
Options for cloud_configuration rules.
Fields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.
complexRule
boolean
Whether the rule is a complex one.
Must be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
string
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.
decreaseCriticalityBasedOnEnv
boolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.
The severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO.
The decrement is applied when the environment tag of the signal starts with staging, test or dev.
detectionMethod
enum
The detection method.
Allowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold
evaluationWindow
enum
A time window is specified to match when at least one of the cases matches true. This is a sliding window
and evaluates in real time. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular
access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
enum
Once a signal is generated, the signal will remain “open” if a case is matched at least once within
this keep alive window. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600
maxSignalDuration
enum
A signal will “close” regardless of the query being matched once the time exceeds the maximum duration.
This time is calculated from the first seen timestamp.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
object
Options on new value rules.
forgetAfter
enum
The duration in days after which a learned value is forgotten.
Allowed enum values: 1,2,7,14,21,28
learningDuration
enum
The duration in days during which values are learned, and after which signals will be generated for values that
weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned.
Allowed enum values: 0,1,7
learningMethod
enum
The learning method used to determine when signals should be generated for values that weren't learned.
Allowed enum values: duration,threshold
default: duration
learningThreshold
enum
A number of occurrences after which signals will be generated for values that weren't learned.
Allowed enum values: 0,1
thirdPartyRuleOptions
object
Options on third party rules.
defaultNotifications
[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
rootQueries
[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
[string]
Fields to group by.
query
string
Query to run on logs.
signalTitleTemplate
string
A template for the signal title; if omitted, the title is generated based on the case name.
queries
[object]
Queries for selecting logs which are part of the rule.
aggregation
enum
The aggregation type.
Allowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
correlatedByFields
[string]
Fields to correlate by.
correlatedQueryIndex
int32
Index of the rule query used to retrieve the correlated field.
defaultRuleId
string
Default Rule ID to match on signals.
distinctFields
[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
[string]
Fields to group by.
metrics
[string]
Group of target fields to aggregate over.
name
string
Name of the query.
ruleId
string
Rule ID to match on signals.
tags
[string]
Tags for generated signals.
type
enum
The rule type.
Allowed enum values: signal_correlation
updateAuthorId
int64
User ID of the user who updated the rule.
version
int64
The version of the rule.
{"cases":[{"condition":"string","name":"string","notifications":[],"status":"critical"}],"complianceSignalOptions":{"defaultActivationStatus":false,"defaultGroupByFields":[],"userActivationStatus":false,"userGroupByFields":[]},"createdAt":"integer","creationAuthorId":"integer","defaultTags":["security:attacks"],"deprecationDate":"integer","filters":[{"action":"string","query":"string"}],"hasExtendedTitle":false,"id":"string","isDefault":false,"isDeleted":false,"isEnabled":false,"message":"string","name":"string","options":{"complianceRuleOptions":{"complexRule":false,"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(resource) = \"skip\" if {\n # Logic that evaluates to true if the resource should be skipped\n true\n} else = \"pass\" {\n # Logic that evaluates to true if the resource is compliant\n true\n} else = \"fail\" {\n # Logic that evaluates to true if the resource is not compliant\n true\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n some resource in input.resources[input.main_resource_type]\n result := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_service_account","gcp_iam_policy"]},"resourceType":"aws_acm"},"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"string","evaluationWindow":"integer","hardcodedEvaluatorType":"string","impossibleTravelOptions":{"baselineUserLocations":true},"keepAlive":"integer","maxSignalDuration":"integer","newValueOptions":{"forgetAfter":"integer","learningDuration":"integer","learningMethod":"string","learningThreshold":"integer"},"thirdPartyRuleOptions":{"defaultNotifications":[],"defaultStatus":"critical","rootQueries":[{"groupByFields":[],"query":"source:cloudtrail"}],"signalTitleTemplate":"string"}},"queries":[{"aggregation":"string","distinctFields":[],"groupByFields":[],"hasOptionalGroupByFields":false,"metric":"string","metrics":[],"name":"string","query":"a > 3"}],"referenceTables":[{"checkPresence":false,"columnName":"string","logFieldPath":"string","ruleQueryName":"string","tableName":"string"}],"tags":[],"thirdPartyCases":[{"name":"string","notifications":[],"query":"string","status":"critical"}],"type":"string","updateAuthorId":"integer","version":"integer"}
"""
Get a rule's details returns "OK" response
"""fromosimportenvironfromdatadog_api_clientimportApiClient,Configurationfromdatadog_api_client.v2.api.security_monitoring_apiimportSecurityMonitoringApi# there is a valid "security_rule" in the systemSECURITY_RULE_ID=environ["SECURITY_RULE_ID"]configuration=Configuration()withApiClient(configuration)asapi_client:api_instance=SecurityMonitoringApi(api_client)response=api_instance.get_security_monitoring_rule(rule_id=SECURITY_RULE_ID,)print(response)
# Get a rule's details returns "OK" responserequire"datadog_api_client"api_instance=DatadogAPIClient::V2::SecurityMonitoringAPI.new# there is a valid "security_rule" in the systemSECURITY_RULE_ID=ENV["SECURITY_RULE_ID"]papi_instance.get_security_monitoring_rule(SECURITY_RULE_ID)
// Get a rule's details returns "OK" response
packagemainimport("context""encoding/json""fmt""os""github.com/DataDog/datadog-api-client-go/v2/api/datadog""github.com/DataDog/datadog-api-client-go/v2/api/datadogV2")funcmain(){// there is a valid "security_rule" in the system
SecurityRuleID:=os.Getenv("SECURITY_RULE_ID")ctx:=datadog.NewDefaultContext(context.Background())configuration:=datadog.NewConfiguration()apiClient:=datadog.NewAPIClient(configuration)api:=datadogV2.NewSecurityMonitoringApi(apiClient)resp,r,err:=api.GetSecurityMonitoringRule(ctx,SecurityRuleID)iferr!=nil{fmt.Fprintf(os.Stderr,"Error when calling `SecurityMonitoringApi.GetSecurityMonitoringRule`: %v\n",err)fmt.Fprintf(os.Stderr,"Full HTTP response: %v\n",r)}responseContent,_:=json.MarshalIndent(resp,""," ")fmt.Fprintf(os.Stdout,"Response from `SecurityMonitoringApi.GetSecurityMonitoringRule`:\n%s\n",responseContent)}
// Get a rule's details returns "OK" responseimportcom.datadog.api.client.ApiClient;importcom.datadog.api.client.ApiException;importcom.datadog.api.client.v2.api.SecurityMonitoringApi;importcom.datadog.api.client.v2.model.SecurityMonitoringRuleResponse;publicclassExample{publicstaticvoidmain(String[]args){ApiClientdefaultClient=ApiClient.getDefaultApiClient();SecurityMonitoringApiapiInstance=newSecurityMonitoringApi(defaultClient);// there is a valid "security_rule" in the systemStringSECURITY_RULE_ID=System.getenv("SECURITY_RULE_ID");try{SecurityMonitoringRuleResponseresult=apiInstance.getSecurityMonitoringRule(SECURITY_RULE_ID);System.out.println(result);}catch(ApiExceptione){System.err.println("Exception when calling SecurityMonitoringApi#getSecurityMonitoringRule");System.err.println("Status code: "+e.getCode());System.err.println("Reason: "+e.getResponseBody());System.err.println("Response headers: "+e.getResponseHeaders());e.printStackTrace();}}}
// Get a rule's details returns "OK" response
usedatadog_api_client::datadog;usedatadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;#[tokio::main]asyncfnmain(){// there is a valid "security_rule" in the system
letsecurity_rule_id=std::env::var("SECURITY_RULE_ID").unwrap();letconfiguration=datadog::Configuration::new();letapi=SecurityMonitoringAPI::with_config(configuration);letresp=api.get_security_monitoring_rule(security_rule_id.clone()).await;ifletOk(value)=resp{println!("{:#?}",value);}else{println!("{:#?}",resp.unwrap_err());}}
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com"DD_API_KEY="<DD_API_KEY>"DD_APP_KEY="<DD_APP_KEY>"cargo run
/**
* Get a rule's details returns "OK" response
*/import{client,v2}from"@datadog/datadog-api-client";constconfiguration=client.createConfiguration();constapiInstance=newv2.SecurityMonitoringApi(configuration);// there is a valid "security_rule" in the system
constSECURITY_RULE_ID=process.env.SECURITY_RULE_IDasstring;constparams: v2.SecurityMonitoringApiGetSecurityMonitoringRuleRequest={ruleId: SECURITY_RULE_ID,};apiInstance.getSecurityMonitoringRule(params).then((data: v2.SecurityMonitoringRuleResponse)=>{console.log("API called successfully. Returned data: "+JSON.stringify(data));}).catch((error: any)=>console.error(error));
// Modify the triage assignee of a security signal returns "OK" response
packagemainimport("context""encoding/json""fmt""os""github.com/DataDog/datadog-api-client-go/v2/api/datadog""github.com/DataDog/datadog-api-client-go/v2/api/datadogV1")funcmain(){body:=datadogV1.SignalAssigneeUpdateRequest{Assignee:"773b045d-ccf8-4808-bd3b-955ef6a8c940",}ctx:=datadog.NewDefaultContext(context.Background())configuration:=datadog.NewConfiguration()apiClient:=datadog.NewAPIClient(configuration)api:=datadogV1.NewSecurityMonitoringApi(apiClient)resp,r,err:=api.EditSecurityMonitoringSignalAssignee(ctx,"AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE",body)iferr!=nil{fmt.Fprintf(os.Stderr,"Error when calling `SecurityMonitoringApi.EditSecurityMonitoringSignalAssignee`: %v\n",err)fmt.Fprintf(os.Stderr,"Full HTTP response: %v\n",r)}responseContent,_:=json.MarshalIndent(resp,""," ")fmt.Fprintf(os.Stdout,"Response from `SecurityMonitoringApi.EditSecurityMonitoringSignalAssignee`:\n%s\n",responseContent)}
// Modify the triage assignee of a security signal returns "OK" responseimportcom.datadog.api.client.ApiClient;importcom.datadog.api.client.ApiException;importcom.datadog.api.client.v1.api.SecurityMonitoringApi;importcom.datadog.api.client.v1.model.SignalAssigneeUpdateRequest;importcom.datadog.api.client.v1.model.SuccessfulSignalUpdateResponse;publicclassExample{publicstaticvoidmain(String[]args){ApiClientdefaultClient=ApiClient.getDefaultApiClient();SecurityMonitoringApiapiInstance=newSecurityMonitoringApi(defaultClient);SignalAssigneeUpdateRequestbody=newSignalAssigneeUpdateRequest().assignee("773b045d-ccf8-4808-bd3b-955ef6a8c940");try{SuccessfulSignalUpdateResponseresult=apiInstance.editSecurityMonitoringSignalAssignee("AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE",body);System.out.println(result);}catch(ApiExceptione){System.err.println("Exception when calling SecurityMonitoringApi#editSecurityMonitoringSignalAssignee");System.err.println("Status code: "+e.getCode());System.err.println("Reason: "+e.getResponseBody());System.err.println("Response headers: "+e.getResponseHeaders());e.printStackTrace();}}}
"""
Modify the triage assignee of a security signal returns "OK" response
"""fromdatadog_api_clientimportApiClient,Configurationfromdatadog_api_client.v1.api.security_monitoring_apiimportSecurityMonitoringApifromdatadog_api_client.v1.model.signal_assignee_update_requestimportSignalAssigneeUpdateRequestbody=SignalAssigneeUpdateRequest(assignee="773b045d-ccf8-4808-bd3b-955ef6a8c940",)configuration=Configuration()withApiClient(configuration)asapi_client:api_instance=SecurityMonitoringApi(api_client)response=api_instance.edit_security_monitoring_signal_assignee(signal_id="AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE",body=body)print(response)
# Modify the triage assignee of a security signal returns "OK" responserequire"datadog_api_client"api_instance=DatadogAPIClient::V1::SecurityMonitoringAPI.newbody=DatadogAPIClient::V1::SignalAssigneeUpdateRequest.new({assignee:"773b045d-ccf8-4808-bd3b-955ef6a8c940",})papi_instance.edit_security_monitoring_signal_assignee("AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE",body)
// Modify the triage assignee of a security signal returns "OK" response
usedatadog_api_client::datadog;usedatadog_api_client::datadogV1::api_security_monitoring::SecurityMonitoringAPI;usedatadog_api_client::datadogV1::model::SignalAssigneeUpdateRequest;#[tokio::main]asyncfnmain(){letbody=SignalAssigneeUpdateRequest::new("773b045d-ccf8-4808-bd3b-955ef6a8c940".to_string());letconfiguration=datadog::Configuration::new();letapi=SecurityMonitoringAPI::with_config(configuration);letresp=api.edit_security_monitoring_signal_assignee("AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE".to_string(),body,).await;ifletOk(value)=resp{println!("{:#?}",value);}else{println!("{:#?}",resp.unwrap_err());}}
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com"DD_API_KEY="<API-KEY>"DD_APP_KEY="<APP-KEY>"cargo run
/**
* Modify the triage assignee of a security signal returns "OK" response
*/import{client,v1}from"@datadog/datadog-api-client";constconfiguration=client.createConfiguration();constapiInstance=newv1.SecurityMonitoringApi(configuration);constparams: v1.SecurityMonitoringApiEditSecurityMonitoringSignalAssigneeRequest={body:{assignee:"773b045d-ccf8-4808-bd3b-955ef6a8c940",},signalId:"AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE",};apiInstance.editSecurityMonitoringSignalAssignee(params).then((data: v1.SuccessfulSignalUpdateResponse)=>{console.log("API called successfully. Returned data: "+JSON.stringify(data));}).catch((error: any)=>console.error(error));
// Modify the triage assignee of a security signal returns "OK" response
packagemainimport("context""encoding/json""fmt""os""github.com/DataDog/datadog-api-client-go/v2/api/datadog""github.com/DataDog/datadog-api-client-go/v2/api/datadogV2")funcmain(){body:=datadogV2.SecurityMonitoringSignalAssigneeUpdateRequest{Data:datadogV2.SecurityMonitoringSignalAssigneeUpdateData{Attributes:datadogV2.SecurityMonitoringSignalAssigneeUpdateAttributes{Assignee:datadogV2.SecurityMonitoringTriageUser{Uuid:"",},},},}ctx:=datadog.NewDefaultContext(context.Background())configuration:=datadog.NewConfiguration()apiClient:=datadog.NewAPIClient(configuration)api:=datadogV2.NewSecurityMonitoringApi(apiClient)resp,r,err:=api.EditSecurityMonitoringSignalAssignee(ctx,"AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE",body)iferr!=nil{fmt.Fprintf(os.Stderr,"Error when calling `SecurityMonitoringApi.EditSecurityMonitoringSignalAssignee`: %v\n",err)fmt.Fprintf(os.Stderr,"Full HTTP response: %v\n",r)}responseContent,_:=json.MarshalIndent(resp,""," ")fmt.Fprintf(os.Stdout,"Response from `SecurityMonitoringApi.EditSecurityMonitoringSignalAssignee`:\n%s\n",responseContent)}
// Modify the triage assignee of a security signal returns "OK" responseimportcom.datadog.api.client.ApiClient;importcom.datadog.api.client.ApiException;importcom.datadog.api.client.v2.api.SecurityMonitoringApi;importcom.datadog.api.client.v2.model.SecurityMonitoringSignalAssigneeUpdateAttributes;importcom.datadog.api.client.v2.model.SecurityMonitoringSignalAssigneeUpdateData;importcom.datadog.api.client.v2.model.SecurityMonitoringSignalAssigneeUpdateRequest;importcom.datadog.api.client.v2.model.SecurityMonitoringSignalTriageUpdateResponse;importcom.datadog.api.client.v2.model.SecurityMonitoringTriageUser;publicclassExample{publicstaticvoidmain(String[]args){ApiClientdefaultClient=ApiClient.getDefaultApiClient();SecurityMonitoringApiapiInstance=newSecurityMonitoringApi(defaultClient);SecurityMonitoringSignalAssigneeUpdateRequestbody=newSecurityMonitoringSignalAssigneeUpdateRequest().data(newSecurityMonitoringSignalAssigneeUpdateData().attributes(newSecurityMonitoringSignalAssigneeUpdateAttributes().assignee(newSecurityMonitoringTriageUser().uuid(""))));try{SecurityMonitoringSignalTriageUpdateResponseresult=apiInstance.editSecurityMonitoringSignalAssignee("AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE",body);System.out.println(result);}catch(ApiExceptione){System.err.println("Exception when calling SecurityMonitoringApi#editSecurityMonitoringSignalAssignee");System.err.println("Status code: "+e.getCode());System.err.println("Reason: "+e.getResponseBody());System.err.println("Response headers: "+e.getResponseHeaders());e.printStackTrace();}}}
"""
Modify the triage assignee of a security signal returns "OK" response
"""fromdatadog_api_clientimportApiClient,Configurationfromdatadog_api_client.v2.api.security_monitoring_apiimportSecurityMonitoringApifromdatadog_api_client.v2.model.security_monitoring_signal_assignee_update_attributesimport(SecurityMonitoringSignalAssigneeUpdateAttributes,)fromdatadog_api_client.v2.model.security_monitoring_signal_assignee_update_dataimport(SecurityMonitoringSignalAssigneeUpdateData,)fromdatadog_api_client.v2.model.security_monitoring_signal_assignee_update_requestimport(SecurityMonitoringSignalAssigneeUpdateRequest,)fromdatadog_api_client.v2.model.security_monitoring_triage_userimportSecurityMonitoringTriageUserbody=SecurityMonitoringSignalAssigneeUpdateRequest(data=SecurityMonitoringSignalAssigneeUpdateData(attributes=SecurityMonitoringSignalAssigneeUpdateAttributes(assignee=SecurityMonitoringTriageUser(uuid="",),),),)configuration=Configuration()withApiClient(configuration)asapi_client:api_instance=SecurityMonitoringApi(api_client)response=api_instance.edit_security_monitoring_signal_assignee(signal_id="AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE",body=body)print(response)
# Modify the triage assignee of a security signal returns "OK" responserequire"datadog_api_client"api_instance=DatadogAPIClient::V2::SecurityMonitoringAPI.newbody=DatadogAPIClient::V2::SecurityMonitoringSignalAssigneeUpdateRequest.new({data:DatadogAPIClient::V2::SecurityMonitoringSignalAssigneeUpdateData.new({attributes:DatadogAPIClient::V2::SecurityMonitoringSignalAssigneeUpdateAttributes.new({assignee:DatadogAPIClient::V2::SecurityMonitoringTriageUser.new({uuid:"",}),}),}),})papi_instance.edit_security_monitoring_signal_assignee("AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE",body)
// Modify the triage assignee of a security signal returns "OK" response
usedatadog_api_client::datadog;usedatadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;usedatadog_api_client::datadogV2::model::SecurityMonitoringSignalAssigneeUpdateAttributes;usedatadog_api_client::datadogV2::model::SecurityMonitoringSignalAssigneeUpdateData;usedatadog_api_client::datadogV2::model::SecurityMonitoringSignalAssigneeUpdateRequest;usedatadog_api_client::datadogV2::model::SecurityMonitoringTriageUser;#[tokio::main]asyncfnmain(){letbody=SecurityMonitoringSignalAssigneeUpdateRequest::new(SecurityMonitoringSignalAssigneeUpdateData::new(SecurityMonitoringSignalAssigneeUpdateAttributes::new(SecurityMonitoringTriageUser::new("".to_string()),),),);letconfiguration=datadog::Configuration::new();letapi=SecurityMonitoringAPI::with_config(configuration);letresp=api.edit_security_monitoring_signal_assignee("AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE".to_string(),body,).await;ifletOk(value)=resp{println!("{:#?}",value);}else{println!("{:#?}",resp.unwrap_err());}}
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com"DD_API_KEY="<API-KEY>"DD_APP_KEY="<APP-KEY>"cargo run
/**
* Modify the triage assignee of a security signal returns "OK" response
*/import{client,v2}from"@datadog/datadog-api-client";constconfiguration=client.createConfiguration();constapiInstance=newv2.SecurityMonitoringApi(configuration);constparams: v2.SecurityMonitoringApiEditSecurityMonitoringSignalAssigneeRequest={body:{data:{attributes:{assignee:{uuid:"",},},},},signalId:"AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE",};apiInstance.editSecurityMonitoringSignalAssignee(params).then((data: v2.SecurityMonitoringSignalTriageUpdateResponse)=>{console.log("API called successfully. Returned data: "+JSON.stringify(data));}).catch((error: any)=>console.error(error));
Update an existing rule. When updating cases, queries or options, the whole field
must be included. For example, when modifying a query all queries must be included.
Default rules can only be updated to be enabled, to change notifications, or to update
the tags (default tags cannot be removed).
This endpoint requires the security_monitoring_rules_write permission.
OAuth apps require the security_monitoring_rules_write authorization scope to access this endpoint.
A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated
based on the event counts in the previously defined queries.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
status
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
complianceSignalOptions
object
How to generate compliance signals. Useful for cloud_configuration rules only.
defaultActivationStatus
boolean
The default activation status.
defaultGroupByFields
[string]
The default group by fields.
userActivationStatus
boolean
Whether signals will be sent.
userGroupByFields
[string]
Fields to use to group findings by when sending signals.
filters
[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
enum
The type of filtering action.
Allowed enum values: require,suppress
query
string
Query for selecting logs to apply the filtering action.
hasExtendedTitle
boolean
Whether the notifications include the triggering group-by values in their title.
isEnabled
boolean
Whether the rule is enabled.
message
string
Message for generated signals.
name
string
Name of the rule.
options
object
Options on rules.
complianceRuleOptions
object
Options for cloud_configuration rules.
Fields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.
complexRule
boolean
Whether the rule is a complex one.
Must be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
string
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.
decreaseCriticalityBasedOnEnv
boolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.
The severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO.
The decrement is applied when the environment tag of the signal starts with staging, test or dev.
detectionMethod
enum
The detection method.
Allowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold
evaluationWindow
enum
A time window is specified to match when at least one of the cases matches true. This is a sliding window
and evaluates in real time. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular
access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
enum
Once a signal is generated, the signal will remain “open” if a case is matched at least once within
this keep alive window. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600
maxSignalDuration
enum
A signal will “close” regardless of the query being matched once the time exceeds the maximum duration.
This time is calculated from the first seen timestamp.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
object
Options on new value rules.
forgetAfter
enum
The duration in days after which a learned value is forgotten.
Allowed enum values: 1,2,7,14,21,28
learningDuration
enum
The duration in days during which values are learned, and after which signals will be generated for values that
weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned.
Allowed enum values: 0,1,7
learningMethod
enum
The learning method used to determine when signals should be generated for values that weren't learned.
Allowed enum values: duration,threshold
default: duration
learningThreshold
enum
A number of occurrences after which signals will be generated for values that weren't learned.
Allowed enum values: 0,1
thirdPartyRuleOptions
object
Options on third party rules.
defaultNotifications
[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
rootQueries
[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
[string]
Fields to group by.
query
string
Query to run on logs.
signalTitleTemplate
string
A template for the signal title; if omitted, the title is generated based on the case name.
queries
[ <oneOf>]
Queries for selecting logs which are part of the rule.
Option 1
object
Query for matching rule.
aggregation
enum
The aggregation type.
Allowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
distinctFields
[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
[string]
Fields to group by.
hasOptionalGroupByFields
boolean
When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with N/A, replacing the missing values.
metric
string
DEPRECATED: (Deprecated) The target field to aggregate over when using the sum or max
aggregations. metrics field should be used instead.
metrics
[string]
Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.
name
string
Name of the query.
query
string
Query to run on logs.
Option 2
object
Query for matching rule on signals.
aggregation
enum
The aggregation type.
Allowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
correlatedByFields
[string]
Fields to group by.
correlatedQueryIndex
int32
Index of the rule query used to retrieve the correlated field.
metrics
[string]
Group of target fields to aggregate over.
name
string
Name of the query.
ruleId [required]
string
Rule ID to match on signals.
referenceTables
[object]
Reference tables for the rule.
checkPresence
boolean
Whether to include or exclude the matched values.
columnName
string
The name of the column in the reference table.
logFieldPath
string
The field in the log to match against the reference table.
ruleQueryName
string
The name of the rule query to apply the reference table to.
tableName
string
The name of the reference table.
tags
[string]
Tags for generated signals.
thirdPartyCases
[object]
Cases for generating signals from third-party rules. Only available for third-party rules.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
query
string
A query to map a third party event to this case.
status
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
version
int32
The version of the rule being updated.
{"name":"Example-Security-Monitoring_cloud_updated","isEnabled":false,"cases":[{"status":"info","notifications":[]}],"options":{"complianceRuleOptions":{"resourceType":"gcp_compute_disk","regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nmilliseconds_in_a_day := ((1000 * 60) * 60) * 24\n\neval(iam_service_account_key) = \"skip\" if {\n\tiam_service_account_key.disabled\n} else = \"pass\" if {\n\t(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_disk"]}}},"message":"ddd","tags":[],"complianceSignalOptions":{"userActivationStatus":false,"userGroupByFields":[]}}
A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated
based on the event counts in the previously defined queries.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
status
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
complianceSignalOptions
object
How to generate compliance signals. Useful for cloud_configuration rules only.
defaultActivationStatus
boolean
The default activation status.
defaultGroupByFields
[string]
The default group by fields.
userActivationStatus
boolean
Whether signals will be sent.
userGroupByFields
[string]
Fields to use to group findings by when sending signals.
createdAt
int64
When the rule was created, timestamp in milliseconds.
creationAuthorId
int64
User ID of the user who created the rule.
defaultTags
[string]
Default Tags for default rules (included in tags)
deprecationDate
int64
When the rule will be deprecated, timestamp in milliseconds.
filters
[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
enum
The type of filtering action.
Allowed enum values: require,suppress
query
string
Query for selecting logs to apply the filtering action.
hasExtendedTitle
boolean
Whether the notifications include the triggering group-by values in their title.
id
string
The ID of the rule.
isDefault
boolean
Whether the rule is included by default.
isDeleted
boolean
Whether the rule has been deleted.
isEnabled
boolean
Whether the rule is enabled.
message
string
Message for generated signals.
name
string
The name of the rule.
options
object
Options on rules.
complianceRuleOptions
object
Options for cloud_configuration rules.
Fields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.
complexRule
boolean
Whether the rule is a complex one.
Must be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
string
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.
decreaseCriticalityBasedOnEnv
boolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.
The severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO.
The decrement is applied when the environment tag of the signal starts with staging, test or dev.
detectionMethod
enum
The detection method.
Allowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold
evaluationWindow
enum
A time window is specified to match when at least one of the cases matches true. This is a sliding window
and evaluates in real time. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular
access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
enum
Once a signal is generated, the signal will remain “open” if a case is matched at least once within
this keep alive window. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600
maxSignalDuration
enum
A signal will “close” regardless of the query being matched once the time exceeds the maximum duration.
This time is calculated from the first seen timestamp.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
object
Options on new value rules.
forgetAfter
enum
The duration in days after which a learned value is forgotten.
Allowed enum values: 1,2,7,14,21,28
learningDuration
enum
The duration in days during which values are learned, and after which signals will be generated for values that
weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned.
Allowed enum values: 0,1,7
learningMethod
enum
The learning method used to determine when signals should be generated for values that weren't learned.
Allowed enum values: duration,threshold
default: duration
learningThreshold
enum
A number of occurrences after which signals will be generated for values that weren't learned.
Allowed enum values: 0,1
thirdPartyRuleOptions
object
Options on third party rules.
defaultNotifications
[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
rootQueries
[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
[string]
Fields to group by.
query
string
Query to run on logs.
signalTitleTemplate
string
A template for the signal title; if omitted, the title is generated based on the case name.
queries
[object]
Queries for selecting logs which are part of the rule.
aggregation
enum
The aggregation type.
Allowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
distinctFields
[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
[string]
Fields to group by.
hasOptionalGroupByFields
boolean
When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with N/A, replacing the missing values.
metric
string
DEPRECATED: (Deprecated) The target field to aggregate over when using the sum or max
aggregations. metrics field should be used instead.
metrics
[string]
Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.
name
string
Name of the query.
query
string
Query to run on logs.
referenceTables
[object]
Reference tables for the rule.
checkPresence
boolean
Whether to include or exclude the matched values.
columnName
string
The name of the column in the reference table.
logFieldPath
string
The field in the log to match against the reference table.
ruleQueryName
string
The name of the rule query to apply the reference table to.
tableName
string
The name of the reference table.
tags
[string]
Tags for generated signals.
thirdPartyCases
[object]
Cases for generating signals from third-party rules. Only available for third-party rules.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
query
string
A query to map a third party event to this case.
status
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
type
enum
The rule type.
Allowed enum values: log_detection,infrastructure_configuration,workload_security,cloud_configuration,application_security
updateAuthorId
int64
User ID of the user who updated the rule.
version
int64
The version of the rule.
Option 2
Rule.
cases
[object]
Cases for generating signals.
condition
string
A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated
based on the event counts in the previously defined queries.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
status
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
createdAt
int64
When the rule was created, timestamp in milliseconds.
creationAuthorId
int64
User ID of the user who created the rule.
deprecationDate
int64
When the rule will be deprecated, timestamp in milliseconds.
filters
[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
enum
The type of filtering action.
Allowed enum values: require,suppress
query
string
Query for selecting logs to apply the filtering action.
hasExtendedTitle
boolean
Whether the notifications include the triggering group-by values in their title.
id
string
The ID of the rule.
isDefault
boolean
Whether the rule is included by default.
isDeleted
boolean
Whether the rule has been deleted.
isEnabled
boolean
Whether the rule is enabled.
message
string
Message for generated signals.
name
string
The name of the rule.
options
object
Options on rules.
complianceRuleOptions
object
Options for cloud_configuration rules.
Fields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.
complexRule
boolean
Whether the rule is a complex one.
Must be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
string
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.
decreaseCriticalityBasedOnEnv
boolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.
The severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO.
The decrement is applied when the environment tag of the signal starts with staging, test or dev.
detectionMethod
enum
The detection method.
Allowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold
evaluationWindow
enum
A time window is specified to match when at least one of the cases matches true. This is a sliding window
and evaluates in real time. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular
access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
enum
Once a signal is generated, the signal will remain “open” if a case is matched at least once within
this keep alive window. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600
maxSignalDuration
enum
A signal will “close” regardless of the query being matched once the time exceeds the maximum duration.
This time is calculated from the first seen timestamp.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
object
Options on new value rules.
forgetAfter
enum
The duration in days after which a learned value is forgotten.
Allowed enum values: 1,2,7,14,21,28
learningDuration
enum
The duration in days during which values are learned, and after which signals will be generated for values that
weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned.
Allowed enum values: 0,1,7
learningMethod
enum
The learning method used to determine when signals should be generated for values that weren't learned.
Allowed enum values: duration,threshold
default: duration
learningThreshold
enum
A number of occurrences after which signals will be generated for values that weren't learned.
Allowed enum values: 0,1
thirdPartyRuleOptions
object
Options on third party rules.
defaultNotifications
[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
rootQueries
[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
[string]
Fields to group by.
query
string
Query to run on logs.
signalTitleTemplate
string
A template for the signal title; if omitted, the title is generated based on the case name.
queries
[object]
Queries for selecting logs which are part of the rule.
aggregation
enum
The aggregation type.
Allowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
correlatedByFields
[string]
Fields to correlate by.
correlatedQueryIndex
int32
Index of the rule query used to retrieve the correlated field.
defaultRuleId
string
Default Rule ID to match on signals.
distinctFields
[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
[string]
Fields to group by.
metrics
[string]
Group of target fields to aggregate over.
name
string
Name of the query.
ruleId
string
Rule ID to match on signals.
tags
[string]
Tags for generated signals.
type
enum
The rule type.
Allowed enum values: signal_correlation
updateAuthorId
int64
User ID of the user who updated the rule.
version
int64
The version of the rule.
{"cases":[{"condition":"string","name":"string","notifications":[],"status":"critical"}],"complianceSignalOptions":{"defaultActivationStatus":false,"defaultGroupByFields":[],"userActivationStatus":false,"userGroupByFields":[]},"createdAt":"integer","creationAuthorId":"integer","defaultTags":["security:attacks"],"deprecationDate":"integer","filters":[{"action":"string","query":"string"}],"hasExtendedTitle":false,"id":"string","isDefault":false,"isDeleted":false,"isEnabled":false,"message":"string","name":"string","options":{"complianceRuleOptions":{"complexRule":false,"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(resource) = \"skip\" if {\n # Logic that evaluates to true if the resource should be skipped\n true\n} else = \"pass\" {\n # Logic that evaluates to true if the resource is compliant\n true\n} else = \"fail\" {\n # Logic that evaluates to true if the resource is not compliant\n true\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n some resource in input.resources[input.main_resource_type]\n result := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_service_account","gcp_iam_policy"]},"resourceType":"aws_acm"},"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"string","evaluationWindow":"integer","hardcodedEvaluatorType":"string","impossibleTravelOptions":{"baselineUserLocations":true},"keepAlive":"integer","maxSignalDuration":"integer","newValueOptions":{"forgetAfter":"integer","learningDuration":"integer","learningMethod":"string","learningThreshold":"integer"},"thirdPartyRuleOptions":{"defaultNotifications":[],"defaultStatus":"critical","rootQueries":[{"groupByFields":[],"query":"source:cloudtrail"}],"signalTitleTemplate":"string"}},"queries":[{"aggregation":"string","distinctFields":[],"groupByFields":[],"hasOptionalGroupByFields":false,"metric":"string","metrics":[],"name":"string","query":"a > 3"}],"referenceTables":[{"checkPresence":false,"columnName":"string","logFieldPath":"string","ruleQueryName":"string","tableName":"string"}],"tags":[],"thirdPartyCases":[{"name":"string","notifications":[],"query":"string","status":"critical"}],"type":"string","updateAuthorId":"integer","version":"integer"}
// Update a cloud configuration rule's details returns "OK" response
packagemainimport("context""encoding/json""fmt""os""github.com/DataDog/datadog-api-client-go/v2/api/datadog""github.com/DataDog/datadog-api-client-go/v2/api/datadogV2")funcmain(){// there is a valid "cloud_configuration_rule" in the system
CloudConfigurationRuleID:=os.Getenv("CLOUD_CONFIGURATION_RULE_ID")body:=datadogV2.SecurityMonitoringRuleUpdatePayload{Name:datadog.PtrString("Example-Security-Monitoring_cloud_updated"),IsEnabled:datadog.PtrBool(false),Cases:[]datadogV2.SecurityMonitoringRuleCase{{Status:datadogV2.SECURITYMONITORINGRULESEVERITY_INFO.Ptr(),Notifications:[]string{},},},Options:&datadogV2.SecurityMonitoringRuleOptions{ComplianceRuleOptions:&datadogV2.CloudConfigurationComplianceRuleOptions{ResourceType:datadog.PtrString("gcp_compute_disk"),RegoRule:&datadogV2.CloudConfigurationRegoRule{Policy:`package datadog
import data.datadog.output as dd_output
import future.keywords.contains
import future.keywords.if
import future.keywords.in
milliseconds_in_a_day := ((1000 * 60) * 60) * 24
eval(iam_service_account_key) = "skip" if {
iam_service_account_key.disabled
} else = "pass" if {
(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90
} else = "fail"
# This part remains unchanged for all rules
results contains result if {
some resource in input.resources[input.main_resource_type]
result := dd_output.format(resource, eval(resource))
}
`,ResourceTypes:[]string{"gcp_compute_disk",},},},},Message:datadog.PtrString("ddd"),Tags:[]string{},ComplianceSignalOptions:&datadogV2.CloudConfigurationRuleComplianceSignalOptions{UserActivationStatus:*datadog.NewNullableBool(datadog.PtrBool(false)),UserGroupByFields:*datadog.NewNullableList(&[]string{}),},}ctx:=datadog.NewDefaultContext(context.Background())configuration:=datadog.NewConfiguration()apiClient:=datadog.NewAPIClient(configuration)api:=datadogV2.NewSecurityMonitoringApi(apiClient)resp,r,err:=api.UpdateSecurityMonitoringRule(ctx,CloudConfigurationRuleID,body)iferr!=nil{fmt.Fprintf(os.Stderr,"Error when calling `SecurityMonitoringApi.UpdateSecurityMonitoringRule`: %v\n",err)fmt.Fprintf(os.Stderr,"Full HTTP response: %v\n",r)}responseContent,_:=json.MarshalIndent(resp,""," ")fmt.Fprintf(os.Stdout,"Response from `SecurityMonitoringApi.UpdateSecurityMonitoringRule`:\n%s\n",responseContent)}
// Update an existing rule returns "OK" response
packagemainimport("context""encoding/json""fmt""os""github.com/DataDog/datadog-api-client-go/v2/api/datadog""github.com/DataDog/datadog-api-client-go/v2/api/datadogV2")funcmain(){// there is a valid "security_rule" in the system
SecurityRuleID:=os.Getenv("SECURITY_RULE_ID")body:=datadogV2.SecurityMonitoringRuleUpdatePayload{Name:datadog.PtrString("Example-Security-Monitoring-Updated"),Queries:[]datadogV2.SecurityMonitoringRuleQuery{datadogV2.SecurityMonitoringRuleQuery{SecurityMonitoringStandardRuleQuery:&datadogV2.SecurityMonitoringStandardRuleQuery{Query:datadog.PtrString("@test:true"),Aggregation:datadogV2.SECURITYMONITORINGRULEQUERYAGGREGATION_COUNT.Ptr(),GroupByFields:[]string{},DistinctFields:[]string{},Metrics:[]string{},}},},Filters:[]datadogV2.SecurityMonitoringFilter{},Cases:[]datadogV2.SecurityMonitoringRuleCase{{Name:datadog.PtrString(""),Status:datadogV2.SECURITYMONITORINGRULESEVERITY_INFO.Ptr(),Condition:datadog.PtrString("a > 0"),Notifications:[]string{},},},Options:&datadogV2.SecurityMonitoringRuleOptions{EvaluationWindow:datadogV2.SECURITYMONITORINGRULEEVALUATIONWINDOW_FIFTEEN_MINUTES.Ptr(),KeepAlive:datadogV2.SECURITYMONITORINGRULEKEEPALIVE_ONE_HOUR.Ptr(),MaxSignalDuration:datadogV2.SECURITYMONITORINGRULEMAXSIGNALDURATION_ONE_DAY.Ptr(),},Message:datadog.PtrString("Test rule"),Tags:[]string{},IsEnabled:datadog.PtrBool(true),}ctx:=datadog.NewDefaultContext(context.Background())configuration:=datadog.NewConfiguration()apiClient:=datadog.NewAPIClient(configuration)api:=datadogV2.NewSecurityMonitoringApi(apiClient)resp,r,err:=api.UpdateSecurityMonitoringRule(ctx,SecurityRuleID,body)iferr!=nil{fmt.Fprintf(os.Stderr,"Error when calling `SecurityMonitoringApi.UpdateSecurityMonitoringRule`: %v\n",err)fmt.Fprintf(os.Stderr,"Full HTTP response: %v\n",r)}responseContent,_:=json.MarshalIndent(resp,""," ")fmt.Fprintf(os.Stdout,"Response from `SecurityMonitoringApi.UpdateSecurityMonitoringRule`:\n%s\n",responseContent)}
// Update a cloud configuration rule's details returns "OK" responseimportcom.datadog.api.client.ApiClient;importcom.datadog.api.client.ApiException;importcom.datadog.api.client.v2.api.SecurityMonitoringApi;importcom.datadog.api.client.v2.model.CloudConfigurationComplianceRuleOptions;importcom.datadog.api.client.v2.model.CloudConfigurationRegoRule;importcom.datadog.api.client.v2.model.CloudConfigurationRuleComplianceSignalOptions;importcom.datadog.api.client.v2.model.SecurityMonitoringRuleCase;importcom.datadog.api.client.v2.model.SecurityMonitoringRuleOptions;importcom.datadog.api.client.v2.model.SecurityMonitoringRuleResponse;importcom.datadog.api.client.v2.model.SecurityMonitoringRuleSeverity;importcom.datadog.api.client.v2.model.SecurityMonitoringRuleUpdatePayload;importjava.util.Collections;publicclassExample{publicstaticvoidmain(String[]args){ApiClientdefaultClient=ApiClient.getDefaultApiClient();SecurityMonitoringApiapiInstance=newSecurityMonitoringApi(defaultClient);// there is a valid "cloud_configuration_rule" in the systemStringCLOUD_CONFIGURATION_RULE_ID=System.getenv("CLOUD_CONFIGURATION_RULE_ID");SecurityMonitoringRuleUpdatePayloadbody=newSecurityMonitoringRuleUpdatePayload().name("Example-Security-Monitoring_cloud_updated").isEnabled(false).cases(Collections.singletonList(newSecurityMonitoringRuleCase().status(SecurityMonitoringRuleSeverity.INFO))).options(newSecurityMonitoringRuleOptions().complianceRuleOptions(newCloudConfigurationComplianceRuleOptions().resourceType("gcp_compute_disk").regoRule(newCloudConfigurationRegoRule().policy("""
package datadog
import data.datadog.output as dd_output
import future.keywords.contains
import future.keywords.if
import future.keywords.in
milliseconds_in_a_day := ((1000 * 60) * 60) * 24
eval(iam_service_account_key) = "skip" if {
iam_service_account_key.disabled
} else = "pass" if {
(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90
} else = "fail"
# This part remains unchanged for all rules
results contains result if {
some resource in input.resources[input.main_resource_type]
result := dd_output.format(resource, eval(resource))
}
""").resourceTypes(Collections.singletonList("gcp_compute_disk"))))).message("ddd").complianceSignalOptions(newCloudConfigurationRuleComplianceSignalOptions().userActivationStatus(false));try{SecurityMonitoringRuleResponseresult=apiInstance.updateSecurityMonitoringRule(CLOUD_CONFIGURATION_RULE_ID,body);System.out.println(result);}catch(ApiExceptione){System.err.println("Exception when calling SecurityMonitoringApi#updateSecurityMonitoringRule");System.err.println("Status code: "+e.getCode());System.err.println("Reason: "+e.getResponseBody());System.err.println("Response headers: "+e.getResponseHeaders());e.printStackTrace();}}}
// Update an existing rule returns "OK" responseimportcom.datadog.api.client.ApiClient;importcom.datadog.api.client.ApiException;importcom.datadog.api.client.v2.api.SecurityMonitoringApi;importcom.datadog.api.client.v2.model.SecurityMonitoringRuleCase;importcom.datadog.api.client.v2.model.SecurityMonitoringRuleEvaluationWindow;importcom.datadog.api.client.v2.model.SecurityMonitoringRuleKeepAlive;importcom.datadog.api.client.v2.model.SecurityMonitoringRuleMaxSignalDuration;importcom.datadog.api.client.v2.model.SecurityMonitoringRuleOptions;importcom.datadog.api.client.v2.model.SecurityMonitoringRuleQuery;importcom.datadog.api.client.v2.model.SecurityMonitoringRuleQueryAggregation;importcom.datadog.api.client.v2.model.SecurityMonitoringRuleResponse;importcom.datadog.api.client.v2.model.SecurityMonitoringRuleSeverity;importcom.datadog.api.client.v2.model.SecurityMonitoringRuleUpdatePayload;importcom.datadog.api.client.v2.model.SecurityMonitoringStandardRuleQuery;importjava.util.Collections;publicclassExample{publicstaticvoidmain(String[]args){ApiClientdefaultClient=ApiClient.getDefaultApiClient();SecurityMonitoringApiapiInstance=newSecurityMonitoringApi(defaultClient);// there is a valid "security_rule" in the systemStringSECURITY_RULE_ID=System.getenv("SECURITY_RULE_ID");SecurityMonitoringRuleUpdatePayloadbody=newSecurityMonitoringRuleUpdatePayload().name("Example-Security-Monitoring-Updated").queries(Collections.singletonList(newSecurityMonitoringRuleQuery(newSecurityMonitoringStandardRuleQuery().query("@test:true").aggregation(SecurityMonitoringRuleQueryAggregation.COUNT)))).cases(Collections.singletonList(newSecurityMonitoringRuleCase().name("").status(SecurityMonitoringRuleSeverity.INFO).condition("a > 0"))).options(newSecurityMonitoringRuleOptions().evaluationWindow(SecurityMonitoringRuleEvaluationWindow.FIFTEEN_MINUTES).keepAlive(SecurityMonitoringRuleKeepAlive.ONE_HOUR).maxSignalDuration(SecurityMonitoringRuleMaxSignalDuration.ONE_DAY)).message("Test rule").isEnabled(true);try{SecurityMonitoringRuleResponseresult=apiInstance.updateSecurityMonitoringRule(SECURITY_RULE_ID,body);System.out.println(result);}catch(ApiExceptione){System.err.println("Exception when calling SecurityMonitoringApi#updateSecurityMonitoringRule");System.err.println("Status code: "+e.getCode());System.err.println("Reason: "+e.getResponseBody());System.err.println("Response headers: "+e.getResponseHeaders());e.printStackTrace();}}}
"""
Update a cloud configuration rule's details returns "OK" response
"""fromosimportenvironfromdatadog_api_clientimportApiClient,Configurationfromdatadog_api_client.v2.api.security_monitoring_apiimportSecurityMonitoringApifromdatadog_api_client.v2.model.cloud_configuration_compliance_rule_optionsimport(CloudConfigurationComplianceRuleOptions,)fromdatadog_api_client.v2.model.cloud_configuration_rego_ruleimportCloudConfigurationRegoRulefromdatadog_api_client.v2.model.cloud_configuration_rule_compliance_signal_optionsimport(CloudConfigurationRuleComplianceSignalOptions,)fromdatadog_api_client.v2.model.security_monitoring_rule_caseimportSecurityMonitoringRuleCasefromdatadog_api_client.v2.model.security_monitoring_rule_optionsimportSecurityMonitoringRuleOptionsfromdatadog_api_client.v2.model.security_monitoring_rule_severityimportSecurityMonitoringRuleSeverityfromdatadog_api_client.v2.model.security_monitoring_rule_update_payloadimportSecurityMonitoringRuleUpdatePayload# there is a valid "cloud_configuration_rule" in the systemCLOUD_CONFIGURATION_RULE_ID=environ["CLOUD_CONFIGURATION_RULE_ID"]body=SecurityMonitoringRuleUpdatePayload(name="Example-Security-Monitoring_cloud_updated",is_enabled=False,cases=[SecurityMonitoringRuleCase(status=SecurityMonitoringRuleSeverity.INFO,notifications=[],),],options=SecurityMonitoringRuleOptions(compliance_rule_options=CloudConfigurationComplianceRuleOptions(resource_type="gcp_compute_disk",rego_rule=CloudConfigurationRegoRule(policy='package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nmilliseconds_in_a_day := ((1000 * 60) * 60) * 24\n\neval(iam_service_account_key) = "skip" if {\n\tiam_service_account_key.disabled\n} else = "pass" if {\n\t(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90\n} else = "fail"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n',resource_types=["gcp_compute_disk",],),),),message="ddd",tags=[],compliance_signal_options=CloudConfigurationRuleComplianceSignalOptions(user_activation_status=False,user_group_by_fields=[],),)configuration=Configuration()withApiClient(configuration)asapi_client:api_instance=SecurityMonitoringApi(api_client)response=api_instance.update_security_monitoring_rule(rule_id=CLOUD_CONFIGURATION_RULE_ID,body=body)print(response)
"""
Update an existing rule returns "OK" response
"""fromosimportenvironfromdatadog_api_clientimportApiClient,Configurationfromdatadog_api_client.v2.api.security_monitoring_apiimportSecurityMonitoringApifromdatadog_api_client.v2.model.security_monitoring_rule_caseimportSecurityMonitoringRuleCasefromdatadog_api_client.v2.model.security_monitoring_rule_evaluation_windowimport(SecurityMonitoringRuleEvaluationWindow,)fromdatadog_api_client.v2.model.security_monitoring_rule_keep_aliveimportSecurityMonitoringRuleKeepAlivefromdatadog_api_client.v2.model.security_monitoring_rule_max_signal_durationimport(SecurityMonitoringRuleMaxSignalDuration,)fromdatadog_api_client.v2.model.security_monitoring_rule_optionsimportSecurityMonitoringRuleOptionsfromdatadog_api_client.v2.model.security_monitoring_rule_query_aggregationimport(SecurityMonitoringRuleQueryAggregation,)fromdatadog_api_client.v2.model.security_monitoring_rule_severityimportSecurityMonitoringRuleSeverityfromdatadog_api_client.v2.model.security_monitoring_rule_update_payloadimportSecurityMonitoringRuleUpdatePayloadfromdatadog_api_client.v2.model.security_monitoring_standard_rule_queryimportSecurityMonitoringStandardRuleQuery# there is a valid "security_rule" in the systemSECURITY_RULE_ID=environ["SECURITY_RULE_ID"]body=SecurityMonitoringRuleUpdatePayload(name="Example-Security-Monitoring-Updated",queries=[SecurityMonitoringStandardRuleQuery(query="@test:true",aggregation=SecurityMonitoringRuleQueryAggregation.COUNT,group_by_fields=[],distinct_fields=[],metrics=[],),],filters=[],cases=[SecurityMonitoringRuleCase(name="",status=SecurityMonitoringRuleSeverity.INFO,condition="a > 0",notifications=[],),],options=SecurityMonitoringRuleOptions(evaluation_window=SecurityMonitoringRuleEvaluationWindow.FIFTEEN_MINUTES,keep_alive=SecurityMonitoringRuleKeepAlive.ONE_HOUR,max_signal_duration=SecurityMonitoringRuleMaxSignalDuration.ONE_DAY,),message="Test rule",tags=[],is_enabled=True,)configuration=Configuration()withApiClient(configuration)asapi_client:api_instance=SecurityMonitoringApi(api_client)response=api_instance.update_security_monitoring_rule(rule_id=SECURITY_RULE_ID,body=body)print(response)
# Update a cloud configuration rule's details returns "OK" responserequire"datadog_api_client"api_instance=DatadogAPIClient::V2::SecurityMonitoringAPI.new# there is a valid "cloud_configuration_rule" in the systemCLOUD_CONFIGURATION_RULE_ID=ENV["CLOUD_CONFIGURATION_RULE_ID"]body=DatadogAPIClient::V2::SecurityMonitoringRuleUpdatePayload.new({name:"Example-Security-Monitoring_cloud_updated",is_enabled:false,cases:[DatadogAPIClient::V2::SecurityMonitoringRuleCase.new({status:DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::INFO,notifications:[],}),],options:DatadogAPIClient::V2::SecurityMonitoringRuleOptions.new({compliance_rule_options:DatadogAPIClient::V2::CloudConfigurationComplianceRuleOptions.new({resource_type:"gcp_compute_disk",rego_rule:DatadogAPIClient::V2::CloudConfigurationRegoRule.new({policy:'package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nmilliseconds_in_a_day := ((1000 * 60) * 60) * 24\n\neval(iam_service_account_key) = "skip" if {\n\tiam_service_account_key.disabled\n} else = "pass" if {\n\t(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90\n} else = "fail"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n',resource_types:["gcp_compute_disk",],}),}),}),message:"ddd",tags:[],compliance_signal_options:DatadogAPIClient::V2::CloudConfigurationRuleComplianceSignalOptions.new({user_activation_status:false,user_group_by_fields:[],}),})papi_instance.update_security_monitoring_rule(CLOUD_CONFIGURATION_RULE_ID,body)
# Update an existing rule returns "OK" responserequire"datadog_api_client"api_instance=DatadogAPIClient::V2::SecurityMonitoringAPI.new# there is a valid "security_rule" in the systemSECURITY_RULE_ID=ENV["SECURITY_RULE_ID"]body=DatadogAPIClient::V2::SecurityMonitoringRuleUpdatePayload.new({name:"Example-Security-Monitoring-Updated",queries:[DatadogAPIClient::V2::SecurityMonitoringStandardRuleQuery.new({query:"@test:true",aggregation:DatadogAPIClient::V2::SecurityMonitoringRuleQueryAggregation::COUNT,group_by_fields:[],distinct_fields:[],metrics:[],}),],filters:[],cases:[DatadogAPIClient::V2::SecurityMonitoringRuleCase.new({name:"",status:DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::INFO,condition:"a > 0",notifications:[],}),],options:DatadogAPIClient::V2::SecurityMonitoringRuleOptions.new({evaluation_window:DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::FIFTEEN_MINUTES,keep_alive:DatadogAPIClient::V2::SecurityMonitoringRuleKeepAlive::ONE_HOUR,max_signal_duration:DatadogAPIClient::V2::SecurityMonitoringRuleMaxSignalDuration::ONE_DAY,}),message:"Test rule",tags:[],is_enabled:true,})papi_instance.update_security_monitoring_rule(SECURITY_RULE_ID,body)
// Update a cloud configuration rule's details returns "OK" response
usedatadog_api_client::datadog;usedatadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;usedatadog_api_client::datadogV2::model::CloudConfigurationComplianceRuleOptions;usedatadog_api_client::datadogV2::model::CloudConfigurationRegoRule;usedatadog_api_client::datadogV2::model::CloudConfigurationRuleComplianceSignalOptions;usedatadog_api_client::datadogV2::model::SecurityMonitoringRuleCase;usedatadog_api_client::datadogV2::model::SecurityMonitoringRuleOptions;usedatadog_api_client::datadogV2::model::SecurityMonitoringRuleSeverity;usedatadog_api_client::datadogV2::model::SecurityMonitoringRuleUpdatePayload;#[tokio::main]asyncfnmain(){// there is a valid "cloud_configuration_rule" in the system
letcloud_configuration_rule_id=std::env::var("CLOUD_CONFIGURATION_RULE_ID").unwrap();letbody=SecurityMonitoringRuleUpdatePayload::new().cases(vec![SecurityMonitoringRuleCase::new().notifications(vec![]).status(SecurityMonitoringRuleSeverity::INFO)],).compliance_signal_options(CloudConfigurationRuleComplianceSignalOptions::new().user_activation_status(Some(false)).user_group_by_fields(Some(vec![])),).is_enabled(false).message("ddd".to_string()).name("Example-Security-Monitoring_cloud_updated".to_string()).options(SecurityMonitoringRuleOptions::new().compliance_rule_options(CloudConfigurationComplianceRuleOptions::new().rego_rule(CloudConfigurationRegoRule::new(r#"package datadog
import data.datadog.output as dd_output
import future.keywords.contains
import future.keywords.if
import future.keywords.in
milliseconds_in_a_day := ((1000 * 60) * 60) * 24
eval(iam_service_account_key) = "skip" if {
iam_service_account_key.disabled
} else = "pass" if {
(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90
} else = "fail"
# This part remains unchanged for all rules
results contains result if {
some resource in input.resources[input.main_resource_type]
result := dd_output.format(resource, eval(resource))
}
"#.to_string(),vec!["gcp_compute_disk".to_string()],),).resource_type("gcp_compute_disk".to_string()),),).tags(vec![]);letconfiguration=datadog::Configuration::new();letapi=SecurityMonitoringAPI::with_config(configuration);letresp=api.update_security_monitoring_rule(cloud_configuration_rule_id.clone(),body).await;ifletOk(value)=resp{println!("{:#?}",value);}else{println!("{:#?}",resp.unwrap_err());}}
// Update an existing rule returns "OK" response
usedatadog_api_client::datadog;usedatadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;usedatadog_api_client::datadogV2::model::SecurityMonitoringRuleCase;usedatadog_api_client::datadogV2::model::SecurityMonitoringRuleEvaluationWindow;usedatadog_api_client::datadogV2::model::SecurityMonitoringRuleKeepAlive;usedatadog_api_client::datadogV2::model::SecurityMonitoringRuleMaxSignalDuration;usedatadog_api_client::datadogV2::model::SecurityMonitoringRuleOptions;usedatadog_api_client::datadogV2::model::SecurityMonitoringRuleQuery;usedatadog_api_client::datadogV2::model::SecurityMonitoringRuleQueryAggregation;usedatadog_api_client::datadogV2::model::SecurityMonitoringRuleSeverity;usedatadog_api_client::datadogV2::model::SecurityMonitoringRuleUpdatePayload;usedatadog_api_client::datadogV2::model::SecurityMonitoringStandardRuleQuery;#[tokio::main]asyncfnmain(){// there is a valid "security_rule" in the system
letsecurity_rule_id=std::env::var("SECURITY_RULE_ID").unwrap();letbody=SecurityMonitoringRuleUpdatePayload::new().cases(vec![SecurityMonitoringRuleCase::new().condition("a > 0".to_string()).name("".to_string()).notifications(vec![]).status(SecurityMonitoringRuleSeverity::INFO)]).filters(vec![]).is_enabled(true).message("Test rule".to_string()).name("Example-Security-Monitoring-Updated".to_string()).options(SecurityMonitoringRuleOptions::new().evaluation_window(SecurityMonitoringRuleEvaluationWindow::FIFTEEN_MINUTES).keep_alive(SecurityMonitoringRuleKeepAlive::ONE_HOUR).max_signal_duration(SecurityMonitoringRuleMaxSignalDuration::ONE_DAY),).queries(vec![SecurityMonitoringRuleQuery::SecurityMonitoringStandardRuleQuery(Box::new(SecurityMonitoringStandardRuleQuery::new().aggregation(SecurityMonitoringRuleQueryAggregation::COUNT).distinct_fields(vec![]).group_by_fields(vec![]).metrics(vec![]).query("@test:true".to_string()),)),]).tags(vec![]);letconfiguration=datadog::Configuration::new();letapi=SecurityMonitoringAPI::with_config(configuration);letresp=api.update_security_monitoring_rule(security_rule_id.clone(),body).await;ifletOk(value)=resp{println!("{:#?}",value);}else{println!("{:#?}",resp.unwrap_err());}}
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com"DD_API_KEY="<DD_API_KEY>"DD_APP_KEY="<DD_APP_KEY>"cargo run
/**
* Update a cloud configuration rule's details returns "OK" response
*/import{client,v2}from"@datadog/datadog-api-client";constconfiguration=client.createConfiguration();constapiInstance=newv2.SecurityMonitoringApi(configuration);// there is a valid "cloud_configuration_rule" in the system
constCLOUD_CONFIGURATION_RULE_ID=process.env.CLOUD_CONFIGURATION_RULE_IDasstring;constparams: v2.SecurityMonitoringApiUpdateSecurityMonitoringRuleRequest={body:{name:"Example-Security-Monitoring_cloud_updated",isEnabled: false,cases:[{status:"info",notifications:[],},],options:{complianceRuleOptions:{resourceType:"gcp_compute_disk",regoRule:{policy:`package datadog
import data.datadog.output as dd_output
import future.keywords.contains
import future.keywords.if
import future.keywords.in
milliseconds_in_a_day := ((1000 * 60) * 60) * 24
eval(iam_service_account_key) = "skip" if {
iam_service_account_key.disabled
} else = "pass" if {
(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90
} else = "fail"
# This part remains unchanged for all rules
results contains result if {
some resource in input.resources[input.main_resource_type]
result := dd_output.format(resource, eval(resource))
}
`,resourceTypes:["gcp_compute_disk"],},},},message:"ddd",tags:[],complianceSignalOptions:{userActivationStatus: false,userGroupByFields:[],},},ruleId: CLOUD_CONFIGURATION_RULE_ID,};apiInstance.updateSecurityMonitoringRule(params).then((data: v2.SecurityMonitoringRuleResponse)=>{console.log("API called successfully. Returned data: "+JSON.stringify(data));}).catch((error: any)=>console.error(error));
/**
* Update an existing rule returns "OK" response
*/import{client,v2}from"@datadog/datadog-api-client";constconfiguration=client.createConfiguration();constapiInstance=newv2.SecurityMonitoringApi(configuration);// there is a valid "security_rule" in the system
constSECURITY_RULE_ID=process.env.SECURITY_RULE_IDasstring;constparams: v2.SecurityMonitoringApiUpdateSecurityMonitoringRuleRequest={body:{name:"Example-Security-Monitoring-Updated",queries:[{query:"@test:true",aggregation:"count",groupByFields:[],distinctFields:[],metrics:[],},],filters:[],cases:[{name:"",status:"info",condition:"a > 0",notifications:[],},],options:{evaluationWindow: 900,keepAlive: 3600,maxSignalDuration: 86400,},message:"Test rule",tags:[],isEnabled: true,},ruleId: SECURITY_RULE_ID,};apiInstance.updateSecurityMonitoringRule(params).then((data: v2.SecurityMonitoringRuleResponse)=>{console.log("API called successfully. Returned data: "+JSON.stringify(data));}).catch((error: any)=>console.error(error));
"""
Delete an existing rule returns "OK" response
"""fromosimportenvironfromdatadog_api_clientimportApiClient,Configurationfromdatadog_api_client.v2.api.security_monitoring_apiimportSecurityMonitoringApi# there is a valid "security_rule" in the systemSECURITY_RULE_ID=environ["SECURITY_RULE_ID"]configuration=Configuration()withApiClient(configuration)asapi_client:api_instance=SecurityMonitoringApi(api_client)api_instance.delete_security_monitoring_rule(rule_id=SECURITY_RULE_ID,)
# Delete an existing rule returns "OK" responserequire"datadog_api_client"api_instance=DatadogAPIClient::V2::SecurityMonitoringAPI.new# there is a valid "security_rule" in the systemSECURITY_RULE_ID=ENV["SECURITY_RULE_ID"]api_instance.delete_security_monitoring_rule(SECURITY_RULE_ID)
// Delete an existing rule returns "OK" response
packagemainimport("context""fmt""os""github.com/DataDog/datadog-api-client-go/v2/api/datadog""github.com/DataDog/datadog-api-client-go/v2/api/datadogV2")funcmain(){// there is a valid "security_rule" in the system
SecurityRuleID:=os.Getenv("SECURITY_RULE_ID")ctx:=datadog.NewDefaultContext(context.Background())configuration:=datadog.NewConfiguration()apiClient:=datadog.NewAPIClient(configuration)api:=datadogV2.NewSecurityMonitoringApi(apiClient)r,err:=api.DeleteSecurityMonitoringRule(ctx,SecurityRuleID)iferr!=nil{fmt.Fprintf(os.Stderr,"Error when calling `SecurityMonitoringApi.DeleteSecurityMonitoringRule`: %v\n",err)fmt.Fprintf(os.Stderr,"Full HTTP response: %v\n",r)}}
// Delete an existing rule returns "OK" responseimportcom.datadog.api.client.ApiClient;importcom.datadog.api.client.ApiException;importcom.datadog.api.client.v2.api.SecurityMonitoringApi;publicclassExample{publicstaticvoidmain(String[]args){ApiClientdefaultClient=ApiClient.getDefaultApiClient();SecurityMonitoringApiapiInstance=newSecurityMonitoringApi(defaultClient);// there is a valid "security_rule" in the systemStringSECURITY_RULE_ID=System.getenv("SECURITY_RULE_ID");try{apiInstance.deleteSecurityMonitoringRule(SECURITY_RULE_ID);}catch(ApiExceptione){System.err.println("Exception when calling SecurityMonitoringApi#deleteSecurityMonitoringRule");System.err.println("Status code: "+e.getCode());System.err.println("Reason: "+e.getResponseBody());System.err.println("Response headers: "+e.getResponseHeaders());e.printStackTrace();}}}
// Delete an existing rule returns "OK" response
usedatadog_api_client::datadog;usedatadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;#[tokio::main]asyncfnmain(){// there is a valid "security_rule" in the system
letsecurity_rule_id=std::env::var("SECURITY_RULE_ID").unwrap();letconfiguration=datadog::Configuration::new();letapi=SecurityMonitoringAPI::with_config(configuration);letresp=api.delete_security_monitoring_rule(security_rule_id.clone()).await;ifletOk(value)=resp{println!("{:#?}",value);}else{println!("{:#?}",resp.unwrap_err());}}
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com"DD_API_KEY="<DD_API_KEY>"DD_APP_KEY="<DD_APP_KEY>"cargo run
/**
* Delete an existing rule returns "OK" response
*/import{client,v2}from"@datadog/datadog-api-client";constconfiguration=client.createConfiguration();constapiInstance=newv2.SecurityMonitoringApi(configuration);// there is a valid "security_rule" in the system
constSECURITY_RULE_ID=process.env.SECURITY_RULE_IDasstring;constparams: v2.SecurityMonitoringApiDeleteSecurityMonitoringRuleRequest={ruleId: SECURITY_RULE_ID,};apiInstance.deleteSecurityMonitoringRule(params).then((data: any)=>{console.log("API called successfully. Returned data: "+JSON.stringify(data));}).catch((error: any)=>console.error(error));
A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated
based on the event counts in the previously defined queries.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
status [required]
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
filters
[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
enum
The type of filtering action.
Allowed enum values: require,suppress
query
string
Query for selecting logs to apply the filtering action.
hasExtendedTitle
boolean
Whether the notifications include the triggering group-by values in their title.
isEnabled [required]
boolean
Whether the rule is enabled.
message [required]
string
Message for generated signals.
name [required]
string
The name of the rule.
options [required]
object
Options on rules.
complianceRuleOptions
object
Options for cloud_configuration rules.
Fields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.
complexRule
boolean
Whether the rule is a complex one.
Must be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
string
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.
decreaseCriticalityBasedOnEnv
boolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.
The severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO.
The decrement is applied when the environment tag of the signal starts with staging, test or dev.
detectionMethod
enum
The detection method.
Allowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold
evaluationWindow
enum
A time window is specified to match when at least one of the cases matches true. This is a sliding window
and evaluates in real time. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular
access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
enum
Once a signal is generated, the signal will remain “open” if a case is matched at least once within
this keep alive window. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600
maxSignalDuration
enum
A signal will “close” regardless of the query being matched once the time exceeds the maximum duration.
This time is calculated from the first seen timestamp.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
object
Options on new value rules.
forgetAfter
enum
The duration in days after which a learned value is forgotten.
Allowed enum values: 1,2,7,14,21,28
learningDuration
enum
The duration in days during which values are learned, and after which signals will be generated for values that
weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned.
Allowed enum values: 0,1,7
learningMethod
enum
The learning method used to determine when signals should be generated for values that weren't learned.
Allowed enum values: duration,threshold
default: duration
learningThreshold
enum
A number of occurrences after which signals will be generated for values that weren't learned.
Allowed enum values: 0,1
thirdPartyRuleOptions
object
Options on third party rules.
defaultNotifications
[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
rootQueries
[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
[string]
Fields to group by.
query
string
Query to run on logs.
signalTitleTemplate
string
A template for the signal title; if omitted, the title is generated based on the case name.
queries [required]
[object]
Queries for selecting logs which are part of the rule.
aggregation
enum
The aggregation type.
Allowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
distinctFields
[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
[string]
Fields to group by.
hasOptionalGroupByFields
boolean
When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with N/A, replacing the missing values.
metric
string
DEPRECATED: (Deprecated) The target field to aggregate over when using the sum or max
aggregations. metrics field should be used instead.
metrics
[string]
Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.
name
string
Name of the query.
query
string
Query to run on logs.
referenceTables
[object]
Reference tables for the rule.
checkPresence
boolean
Whether to include or exclude the matched values.
columnName
string
The name of the column in the reference table.
logFieldPath
string
The field in the log to match against the reference table.
ruleQueryName
string
The name of the rule query to apply the reference table to.
tableName
string
The name of the reference table.
tags
[string]
Tags for generated signals.
thirdPartyCases
[object]
Cases for generating signals from third-party rules. Only available for third-party rules.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
query
string
A query to map a third party event to this case.
status [required]
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
type
enum
The rule type.
Allowed enum values: log_detection
ruleQueryPayloads
[object]
Data payloads used to test rules query with the expected result.
expectedResult
boolean
Expected result of the test.
index
int64
Index of the query under test.
payload
object
Payload used to test the rule query.
ddsource
string
Source of the payload.
ddtags
string
Tags associated with your data.
hostname
string
The name of the originating host of the log.
message
string
The message of the payload.
service
string
The name of the application or service generating the data.
{"rule":{"cases":[{"condition":"string","name":"string","notifications":[],"status":"critical"}],"filters":[{"action":"string","query":"string"}],"hasExtendedTitle":true,"isEnabled":true,"message":"","name":"My security monitoring rule.","options":{"complianceRuleOptions":{"complexRule":false,"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(resource) = \"skip\" if {\n # Logic that evaluates to true if the resource should be skipped\n true\n} else = \"pass\" {\n # Logic that evaluates to true if the resource is compliant\n true\n} else = \"fail\" {\n # Logic that evaluates to true if the resource is not compliant\n true\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n some resource in input.resources[input.main_resource_type]\n result := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_service_account","gcp_iam_policy"]},"resourceType":"aws_acm"},"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"string","evaluationWindow":"integer","hardcodedEvaluatorType":"string","impossibleTravelOptions":{"baselineUserLocations":true},"keepAlive":"integer","maxSignalDuration":"integer","newValueOptions":{"forgetAfter":"integer","learningDuration":"integer","learningMethod":"string","learningThreshold":"integer"},"thirdPartyRuleOptions":{"defaultNotifications":[],"defaultStatus":"critical","rootQueries":[{"groupByFields":[],"query":"source:cloudtrail"}],"signalTitleTemplate":"string"}},"queries":[{"aggregation":"string","distinctFields":[],"groupByFields":[],"metric":"string","metrics":[],"name":"string","query":"a > 3"}],"referenceTables":[{"checkPresence":false,"columnName":"string","logFieldPath":"string","ruleQueryName":"string","tableName":"string"}],"tags":["env:prod","team:security"],"thirdPartyCases":[{"name":"string","notifications":[],"query":"string","status":"critical"}],"type":"string"},"ruleQueryPayloads":[{"expectedResult":true,"index":0,"payload":{"ddsource":"nginx","ddtags":"env:staging,version:5.1","hostname":"i-012345678","message":"2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World","service":"payment"}}]}
Assert results are returned in the same order as the rule query payloads.
For each payload, it returns True if the result matched the expected result,
False otherwise.
# Path parameters exportrule_id="CHANGE_ME" # Curl command curl-XPOST"https://api.ap1.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/rules/${rule_id}/test" \
-H"Accept: application/json" \
-H"Content-Type: application/json" \
-H"DD-API-KEY: ${DD_API_KEY}" \
-H"DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d@-<<EOF{
"rule": {
"cases": [
{
"status": "critical"
}
],
"options": {
"complianceRuleOptions": {
"regoRule": {
"policy": "package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(resource) = \"skip\" if {\n # Logic that evaluates to true if the resource should be skipped\n true\n} else = \"pass\" {\n # Logic that evaluates to true if the resource is compliant\n true\n} else = \"fail\" {\n # Logic that evaluates to true if the resource is not compliant\n true\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n some resource in input.resources[input.main_resource_type]\n result := dd_output.format(resource, eval(resource))\n}\n",
"resourceTypes": [
"gcp_iam_service_account",
"gcp_iam_policy"
]
}
}
},
"thirdPartyCases": [
{
"status": "critical"
}
]
}
}EOF
"""
Test an existing rule returns "OK" response
"""fromdatadog_api_clientimportApiClient,Configurationfromdatadog_api_client.v2.api.security_monitoring_apiimportSecurityMonitoringApifromdatadog_api_client.v2.model.security_monitoring_rule_query_payloadimportSecurityMonitoringRuleQueryPayloadfromdatadog_api_client.v2.model.security_monitoring_rule_query_payload_dataimport(SecurityMonitoringRuleQueryPayloadData,)fromdatadog_api_client.v2.model.security_monitoring_rule_test_requestimportSecurityMonitoringRuleTestRequestbody=SecurityMonitoringRuleTestRequest(rule_query_payloads=[SecurityMonitoringRuleQueryPayload(expected_result=True,index=0,payload=SecurityMonitoringRuleQueryPayloadData(ddsource="nginx",ddtags="env:staging,version:5.1",hostname="i-012345678",message="2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World",service="payment",),),],)configuration=Configuration()withApiClient(configuration)asapi_client:api_instance=SecurityMonitoringApi(api_client)response=api_instance.test_existing_security_monitoring_rule(rule_id="rule_id",body=body)print(response)
# Test an existing rule returns "OK" responserequire"datadog_api_client"api_instance=DatadogAPIClient::V2::SecurityMonitoringAPI.newbody=DatadogAPIClient::V2::SecurityMonitoringRuleTestRequest.new({rule_query_payloads:[DatadogAPIClient::V2::SecurityMonitoringRuleQueryPayload.new({expected_result:true,index:0,payload:DatadogAPIClient::V2::SecurityMonitoringRuleQueryPayloadData.new({ddsource:"nginx",ddtags:"env:staging,version:5.1",hostname:"i-012345678",message:"2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World",service:"payment",}),}),],})papi_instance.test_existing_security_monitoring_rule("rule_id",body)
// Test an existing rule returns "OK" response
packagemainimport("context""encoding/json""fmt""os""github.com/DataDog/datadog-api-client-go/v2/api/datadog""github.com/DataDog/datadog-api-client-go/v2/api/datadogV2")funcmain(){body:=datadogV2.SecurityMonitoringRuleTestRequest{RuleQueryPayloads:[]datadogV2.SecurityMonitoringRuleQueryPayload{{ExpectedResult:datadog.PtrBool(true),Index:datadog.PtrInt64(0),Payload:&datadogV2.SecurityMonitoringRuleQueryPayloadData{Ddsource:datadog.PtrString("nginx"),Ddtags:datadog.PtrString("env:staging,version:5.1"),Hostname:datadog.PtrString("i-012345678"),Message:datadog.PtrString("2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World"),Service:datadog.PtrString("payment"),},},},}ctx:=datadog.NewDefaultContext(context.Background())configuration:=datadog.NewConfiguration()apiClient:=datadog.NewAPIClient(configuration)api:=datadogV2.NewSecurityMonitoringApi(apiClient)resp,r,err:=api.TestExistingSecurityMonitoringRule(ctx,"rule_id",body)iferr!=nil{fmt.Fprintf(os.Stderr,"Error when calling `SecurityMonitoringApi.TestExistingSecurityMonitoringRule`: %v\n",err)fmt.Fprintf(os.Stderr,"Full HTTP response: %v\n",r)}responseContent,_:=json.MarshalIndent(resp,""," ")fmt.Fprintf(os.Stdout,"Response from `SecurityMonitoringApi.TestExistingSecurityMonitoringRule`:\n%s\n",responseContent)}
// Test an existing rule returns "OK" responseimportcom.datadog.api.client.ApiClient;importcom.datadog.api.client.ApiException;importcom.datadog.api.client.v2.api.SecurityMonitoringApi;importcom.datadog.api.client.v2.model.SecurityMonitoringRuleQueryPayload;importcom.datadog.api.client.v2.model.SecurityMonitoringRuleQueryPayloadData;importcom.datadog.api.client.v2.model.SecurityMonitoringRuleTestRequest;importcom.datadog.api.client.v2.model.SecurityMonitoringRuleTestResponse;importjava.util.Collections;publicclassExample{publicstaticvoidmain(String[]args){ApiClientdefaultClient=ApiClient.getDefaultApiClient();SecurityMonitoringApiapiInstance=newSecurityMonitoringApi(defaultClient);SecurityMonitoringRuleTestRequestbody=newSecurityMonitoringRuleTestRequest().ruleQueryPayloads(Collections.singletonList(newSecurityMonitoringRuleQueryPayload().expectedResult(true).index(0L).payload(newSecurityMonitoringRuleQueryPayloadData().ddsource("nginx").ddtags("env:staging,version:5.1").hostname("i-012345678").message("2019-11-19T14:37:58,995 INFO [process.name][20081] Hello"+" World").service("payment"))));try{SecurityMonitoringRuleTestResponseresult=apiInstance.testExistingSecurityMonitoringRule("rule_id",body);System.out.println(result);}catch(ApiExceptione){System.err.println("Exception when calling SecurityMonitoringApi#testExistingSecurityMonitoringRule");System.err.println("Status code: "+e.getCode());System.err.println("Reason: "+e.getResponseBody());System.err.println("Response headers: "+e.getResponseHeaders());e.printStackTrace();}}}
// Test an existing rule returns "OK" response
usedatadog_api_client::datadog;usedatadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;usedatadog_api_client::datadogV2::model::SecurityMonitoringRuleQueryPayload;usedatadog_api_client::datadogV2::model::SecurityMonitoringRuleQueryPayloadData;usedatadog_api_client::datadogV2::model::SecurityMonitoringRuleTestRequest;#[tokio::main]asyncfnmain(){letbody=SecurityMonitoringRuleTestRequest::new().rule_query_payloads(vec![SecurityMonitoringRuleQueryPayload::new().expected_result(true).index(0).payload(SecurityMonitoringRuleQueryPayloadData::new().ddsource("nginx".to_string()).ddtags("env:staging,version:5.1".to_string()).hostname("i-012345678".to_string()).message("2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World".to_string(),).service("payment".to_string()),),]);letconfiguration=datadog::Configuration::new();letapi=SecurityMonitoringAPI::with_config(configuration);letresp=api.test_existing_security_monitoring_rule("rule_id".to_string(),body).await;ifletOk(value)=resp{println!("{:#?}",value);}else{println!("{:#?}",resp.unwrap_err());}}
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com"DD_API_KEY="<DD_API_KEY>"DD_APP_KEY="<DD_APP_KEY>"cargo run
/**
* Test an existing rule returns "OK" response
*/import{client,v2}from"@datadog/datadog-api-client";constconfiguration=client.createConfiguration();constapiInstance=newv2.SecurityMonitoringApi(configuration);constparams: v2.SecurityMonitoringApiTestExistingSecurityMonitoringRuleRequest={body:{ruleQueryPayloads:[{expectedResult: true,index: 0,payload:{ddsource:"nginx",ddtags:"env:staging,version:5.1",hostname:"i-012345678",message:"2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World",service:"payment",},},],},ruleId:"rule_id",};apiInstance.testExistingSecurityMonitoringRule(params).then((data: v2.SecurityMonitoringRuleTestResponse)=>{console.log("API called successfully. Returned data: "+JSON.stringify(data));}).catch((error: any)=>console.error(error));
A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated
based on the event counts in the previously defined queries.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
status [required]
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
filters
[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
enum
The type of filtering action.
Allowed enum values: require,suppress
query
string
Query for selecting logs to apply the filtering action.
hasExtendedTitle
boolean
Whether the notifications include the triggering group-by values in their title.
isEnabled [required]
boolean
Whether the rule is enabled.
message [required]
string
Message for generated signals.
name [required]
string
The name of the rule.
options [required]
object
Options on rules.
complianceRuleOptions
object
Options for cloud_configuration rules.
Fields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.
complexRule
boolean
Whether the rule is a complex one.
Must be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
string
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.
decreaseCriticalityBasedOnEnv
boolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.
The severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO.
The decrement is applied when the environment tag of the signal starts with staging, test or dev.
detectionMethod
enum
The detection method.
Allowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold
evaluationWindow
enum
A time window is specified to match when at least one of the cases matches true. This is a sliding window
and evaluates in real time. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular
access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
enum
Once a signal is generated, the signal will remain “open” if a case is matched at least once within
this keep alive window. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600
maxSignalDuration
enum
A signal will “close” regardless of the query being matched once the time exceeds the maximum duration.
This time is calculated from the first seen timestamp.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
object
Options on new value rules.
forgetAfter
enum
The duration in days after which a learned value is forgotten.
Allowed enum values: 1,2,7,14,21,28
learningDuration
enum
The duration in days during which values are learned, and after which signals will be generated for values that
weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned.
Allowed enum values: 0,1,7
learningMethod
enum
The learning method used to determine when signals should be generated for values that weren't learned.
Allowed enum values: duration,threshold
default: duration
learningThreshold
enum
A number of occurrences after which signals will be generated for values that weren't learned.
Allowed enum values: 0,1
thirdPartyRuleOptions
object
Options on third party rules.
defaultNotifications
[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
rootQueries
[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
[string]
Fields to group by.
query
string
Query to run on logs.
signalTitleTemplate
string
A template for the signal title; if omitted, the title is generated based on the case name.
queries [required]
[object]
Queries for selecting logs which are part of the rule.
aggregation
enum
The aggregation type.
Allowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
distinctFields
[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
[string]
Fields to group by.
hasOptionalGroupByFields
boolean
When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with N/A, replacing the missing values.
metric
string
DEPRECATED: (Deprecated) The target field to aggregate over when using the sum or max
aggregations. metrics field should be used instead.
metrics
[string]
Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.
name
string
Name of the query.
query
string
Query to run on logs.
referenceTables
[object]
Reference tables for the rule.
checkPresence
boolean
Whether to include or exclude the matched values.
columnName
string
The name of the column in the reference table.
logFieldPath
string
The field in the log to match against the reference table.
ruleQueryName
string
The name of the rule query to apply the reference table to.
tableName
string
The name of the reference table.
tags
[string]
Tags for generated signals.
thirdPartyCases
[object]
Cases for generating signals from third-party rules. Only available for third-party rules.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
query
string
A query to map a third party event to this case.
status [required]
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
type
enum
The rule type.
Allowed enum values: log_detection
ruleQueryPayloads
[object]
Data payloads used to test rules query with the expected result.
expectedResult
boolean
Expected result of the test.
index
int64
Index of the query under test.
payload
object
Payload used to test the rule query.
ddsource
string
Source of the payload.
ddtags
string
Tags associated with your data.
hostname
string
The name of the originating host of the log.
message
string
The message of the payload.
service
string
The name of the application or service generating the data.
Assert results are returned in the same order as the rule query payloads.
For each payload, it returns True if the result matched the expected result,
False otherwise.
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com"DD_API_KEY="<DD_API_KEY>"DD_APP_KEY="<DD_APP_KEY>"cargo run
/**
* Test a rule returns "OK" response
*/import{client,v2}from"@datadog/datadog-api-client";constconfiguration=client.createConfiguration();constapiInstance=newv2.SecurityMonitoringApi(configuration);constparams: v2.SecurityMonitoringApiTestSecurityMonitoringRuleRequest={body:{rule:{cases:[{name:"",status:"info",notifications:[],condition:"a > 0",},],hasExtendedTitle: true,isEnabled: true,message:"My security monitoring rule message.",name:"My security monitoring rule.",options:{decreaseCriticalityBasedOnEnv: false,detectionMethod:"threshold",evaluationWindow: 0,keepAlive: 0,maxSignalDuration: 0,},queries:[{query:"source:source_here",groupByFields:["@userIdentity.assumed_role"],distinctFields:[],aggregation:"count",name:"",},],tags:["env:prod","team:security"],type:"log_detection",},ruleQueryPayloads:[{expectedResult: true,index: 0,payload:{ddsource:"source_here",ddtags:"env:staging,version:5.1",hostname:"i-012345678",message:"2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World",service:"payment",},},],},};apiInstance.testSecurityMonitoringRule(params).then((data: v2.SecurityMonitoringRuleTestResponse)=>{console.log("API called successfully. Returned data: "+JSON.stringify(data));}).catch((error: any)=>console.error(error));
A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated
based on the event counts in the previously defined queries.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
status [required]
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
filters
[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
enum
The type of filtering action.
Allowed enum values: require,suppress
query
string
Query for selecting logs to apply the filtering action.
hasExtendedTitle
boolean
Whether the notifications include the triggering group-by values in their title.
isEnabled [required]
boolean
Whether the rule is enabled.
message [required]
string
Message for generated signals.
name [required]
string
The name of the rule.
options [required]
object
Options on rules.
complianceRuleOptions
object
Options for cloud_configuration rules.
Fields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.
complexRule
boolean
Whether the rule is a complex one.
Must be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
string
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.
decreaseCriticalityBasedOnEnv
boolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.
The severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO.
The decrement is applied when the environment tag of the signal starts with staging, test or dev.
detectionMethod
enum
The detection method.
Allowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold
evaluationWindow
enum
A time window is specified to match when at least one of the cases matches true. This is a sliding window
and evaluates in real time. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular
access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
enum
Once a signal is generated, the signal will remain “open” if a case is matched at least once within
this keep alive window. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600
maxSignalDuration
enum
A signal will “close” regardless of the query being matched once the time exceeds the maximum duration.
This time is calculated from the first seen timestamp.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
object
Options on new value rules.
forgetAfter
enum
The duration in days after which a learned value is forgotten.
Allowed enum values: 1,2,7,14,21,28
learningDuration
enum
The duration in days during which values are learned, and after which signals will be generated for values that
weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned.
Allowed enum values: 0,1,7
learningMethod
enum
The learning method used to determine when signals should be generated for values that weren't learned.
Allowed enum values: duration,threshold
default: duration
learningThreshold
enum
A number of occurrences after which signals will be generated for values that weren't learned.
Allowed enum values: 0,1
thirdPartyRuleOptions
object
Options on third party rules.
defaultNotifications
[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
rootQueries
[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
[string]
Fields to group by.
query
string
Query to run on logs.
signalTitleTemplate
string
A template for the signal title; if omitted, the title is generated based on the case name.
queries [required]
[object]
Queries for selecting logs which are part of the rule.
aggregation
enum
The aggregation type.
Allowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
distinctFields
[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
[string]
Fields to group by.
hasOptionalGroupByFields
boolean
When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with N/A, replacing the missing values.
metric
string
DEPRECATED: (Deprecated) The target field to aggregate over when using the sum or max
aggregations. metrics field should be used instead.
metrics
[string]
Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.
name
string
Name of the query.
query
string
Query to run on logs.
referenceTables
[object]
Reference tables for the rule.
checkPresence
boolean
Whether to include or exclude the matched values.
columnName
string
The name of the column in the reference table.
logFieldPath
string
The field in the log to match against the reference table.
ruleQueryName
string
The name of the rule query to apply the reference table to.
tableName
string
The name of the reference table.
tags
[string]
Tags for generated signals.
thirdPartyCases
[object]
Cases for generating signals from third-party rules. Only available for third-party rules.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
query
string
A query to map a third party event to this case.
status [required]
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
type
enum
The rule type.
Allowed enum values: application_security,log_detection,workload_security
Option 2
object
The payload of a signal correlation rule.
cases [required]
[object]
Cases for generating signals.
condition
string
A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated
based on the event counts in the previously defined queries.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
status [required]
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
filters
[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
enum
The type of filtering action.
Allowed enum values: require,suppress
query
string
Query for selecting logs to apply the filtering action.
hasExtendedTitle
boolean
Whether the notifications include the triggering group-by values in their title.
isEnabled [required]
boolean
Whether the rule is enabled.
message [required]
string
Message for generated signals.
name [required]
string
The name of the rule.
options [required]
object
Options on rules.
complianceRuleOptions
object
Options for cloud_configuration rules.
Fields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.
complexRule
boolean
Whether the rule is a complex one.
Must be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
string
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.
decreaseCriticalityBasedOnEnv
boolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.
The severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO.
The decrement is applied when the environment tag of the signal starts with staging, test or dev.
detectionMethod
enum
The detection method.
Allowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold
evaluationWindow
enum
A time window is specified to match when at least one of the cases matches true. This is a sliding window
and evaluates in real time. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular
access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
enum
Once a signal is generated, the signal will remain “open” if a case is matched at least once within
this keep alive window. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600
maxSignalDuration
enum
A signal will “close” regardless of the query being matched once the time exceeds the maximum duration.
This time is calculated from the first seen timestamp.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
object
Options on new value rules.
forgetAfter
enum
The duration in days after which a learned value is forgotten.
Allowed enum values: 1,2,7,14,21,28
learningDuration
enum
The duration in days during which values are learned, and after which signals will be generated for values that
weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned.
Allowed enum values: 0,1,7
learningMethod
enum
The learning method used to determine when signals should be generated for values that weren't learned.
Allowed enum values: duration,threshold
default: duration
learningThreshold
enum
A number of occurrences after which signals will be generated for values that weren't learned.
Allowed enum values: 0,1
thirdPartyRuleOptions
object
Options on third party rules.
defaultNotifications
[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
rootQueries
[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
[string]
Fields to group by.
query
string
Query to run on logs.
signalTitleTemplate
string
A template for the signal title; if omitted, the title is generated based on the case name.
queries [required]
[object]
Queries for selecting signals which are part of the rule.
aggregation
enum
The aggregation type.
Allowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
correlatedByFields
[string]
Fields to group by.
correlatedQueryIndex
int32
Index of the rule query used to retrieve the correlated field.
metrics
[string]
Group of target fields to aggregate over.
name
string
Name of the query.
ruleId [required]
string
Rule ID to match on signals.
tags
[string]
Tags for generated signals.
type
enum
The rule type.
Allowed enum values: signal_correlation
Option 3
object
The payload of a cloud configuration rule.
cases [required]
[object]
Description of generated findings and signals (severity and channels to be notified in case of a signal). Must contain exactly one item.
notifications
[string]
Notification targets for each rule case.
status [required]
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
complianceSignalOptions [required]
object
How to generate compliance signals. Useful for cloud_configuration rules only.
defaultActivationStatus
boolean
The default activation status.
defaultGroupByFields
[string]
The default group by fields.
userActivationStatus
boolean
Whether signals will be sent.
userGroupByFields
[string]
Fields to use to group findings by when sending signals.
filters
[object]
Additional queries to filter matched events before they are processed.
action
enum
The type of filtering action.
Allowed enum values: require,suppress
query
string
Query for selecting logs to apply the filtering action.
isEnabled [required]
boolean
Whether the rule is enabled.
message [required]
string
Message in markdown format for generated findings and signals.
name [required]
string
The name of the rule.
options [required]
object
Options on cloud configuration rules.
complianceRuleOptions [required]
object
Options for cloud_configuration rules.
Fields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.
complexRule
boolean
Whether the rule is a complex one.
Must be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com"DD_API_KEY="<DD_API_KEY>"DD_APP_KEY="<DD_APP_KEY>"cargo run
// Change the related incidents of a security signal returns "OK" response
packagemainimport("context""encoding/json""fmt""os""github.com/DataDog/datadog-api-client-go/v2/api/datadog""github.com/DataDog/datadog-api-client-go/v2/api/datadogV2")funcmain(){body:=datadogV2.SecurityMonitoringSignalIncidentsUpdateRequest{Data:datadogV2.SecurityMonitoringSignalIncidentsUpdateData{Attributes:datadogV2.SecurityMonitoringSignalIncidentsUpdateAttributes{IncidentIds:[]int64{2066,},},},}ctx:=datadog.NewDefaultContext(context.Background())configuration:=datadog.NewConfiguration()apiClient:=datadog.NewAPIClient(configuration)api:=datadogV2.NewSecurityMonitoringApi(apiClient)resp,r,err:=api.EditSecurityMonitoringSignalIncidents(ctx,"AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE",body)iferr!=nil{fmt.Fprintf(os.Stderr,"Error when calling `SecurityMonitoringApi.EditSecurityMonitoringSignalIncidents`: %v\n",err)fmt.Fprintf(os.Stderr,"Full HTTP response: %v\n",r)}responseContent,_:=json.MarshalIndent(resp,""," ")fmt.Fprintf(os.Stdout,"Response from `SecurityMonitoringApi.EditSecurityMonitoringSignalIncidents`:\n%s\n",responseContent)}
// Change the related incidents of a security signal returns "OK" responseimportcom.datadog.api.client.ApiClient;importcom.datadog.api.client.ApiException;importcom.datadog.api.client.v2.api.SecurityMonitoringApi;importcom.datadog.api.client.v2.model.SecurityMonitoringSignalIncidentsUpdateAttributes;importcom.datadog.api.client.v2.model.SecurityMonitoringSignalIncidentsUpdateData;importcom.datadog.api.client.v2.model.SecurityMonitoringSignalIncidentsUpdateRequest;importcom.datadog.api.client.v2.model.SecurityMonitoringSignalTriageUpdateResponse;importjava.util.Collections;publicclassExample{publicstaticvoidmain(String[]args){ApiClientdefaultClient=ApiClient.getDefaultApiClient();SecurityMonitoringApiapiInstance=newSecurityMonitoringApi(defaultClient);SecurityMonitoringSignalIncidentsUpdateRequestbody=newSecurityMonitoringSignalIncidentsUpdateRequest().data(newSecurityMonitoringSignalIncidentsUpdateData().attributes(newSecurityMonitoringSignalIncidentsUpdateAttributes().incidentIds(Collections.singletonList(2066L))));try{SecurityMonitoringSignalTriageUpdateResponseresult=apiInstance.editSecurityMonitoringSignalIncidents("AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE",body);System.out.println(result);}catch(ApiExceptione){System.err.println("Exception when calling SecurityMonitoringApi#editSecurityMonitoringSignalIncidents");System.err.println("Status code: "+e.getCode());System.err.println("Reason: "+e.getResponseBody());System.err.println("Response headers: "+e.getResponseHeaders());e.printStackTrace();}}}
"""
Change the related incidents of a security signal returns "OK" response
"""fromdatadog_api_clientimportApiClient,Configurationfromdatadog_api_client.v2.api.security_monitoring_apiimportSecurityMonitoringApifromdatadog_api_client.v2.model.security_monitoring_signal_incident_idsimportSecurityMonitoringSignalIncidentIdsfromdatadog_api_client.v2.model.security_monitoring_signal_incidents_update_attributesimport(SecurityMonitoringSignalIncidentsUpdateAttributes,)fromdatadog_api_client.v2.model.security_monitoring_signal_incidents_update_dataimport(SecurityMonitoringSignalIncidentsUpdateData,)fromdatadog_api_client.v2.model.security_monitoring_signal_incidents_update_requestimport(SecurityMonitoringSignalIncidentsUpdateRequest,)body=SecurityMonitoringSignalIncidentsUpdateRequest(data=SecurityMonitoringSignalIncidentsUpdateData(attributes=SecurityMonitoringSignalIncidentsUpdateAttributes(incident_ids=SecurityMonitoringSignalIncidentIds([2066,]),),),)configuration=Configuration()withApiClient(configuration)asapi_client:api_instance=SecurityMonitoringApi(api_client)response=api_instance.edit_security_monitoring_signal_incidents(signal_id="AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE",body=body)print(response)
# Change the related incidents of a security signal returns "OK" responserequire"datadog_api_client"api_instance=DatadogAPIClient::V2::SecurityMonitoringAPI.newbody=DatadogAPIClient::V2::SecurityMonitoringSignalIncidentsUpdateRequest.new({data:DatadogAPIClient::V2::SecurityMonitoringSignalIncidentsUpdateData.new({attributes:DatadogAPIClient::V2::SecurityMonitoringSignalIncidentsUpdateAttributes.new({incident_ids:[2066,],}),}),})papi_instance.edit_security_monitoring_signal_incidents("AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE",body)
// Change the related incidents of a security signal returns "OK" response
usedatadog_api_client::datadog;usedatadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;usedatadog_api_client::datadogV2::model::SecurityMonitoringSignalIncidentsUpdateAttributes;usedatadog_api_client::datadogV2::model::SecurityMonitoringSignalIncidentsUpdateData;usedatadog_api_client::datadogV2::model::SecurityMonitoringSignalIncidentsUpdateRequest;#[tokio::main]asyncfnmain(){letbody=SecurityMonitoringSignalIncidentsUpdateRequest::new(SecurityMonitoringSignalIncidentsUpdateData::new(SecurityMonitoringSignalIncidentsUpdateAttributes::new(vec![2066]),),);letconfiguration=datadog::Configuration::new();letapi=SecurityMonitoringAPI::with_config(configuration);letresp=api.edit_security_monitoring_signal_incidents("AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE".to_string(),body,).await;ifletOk(value)=resp{println!("{:#?}",value);}else{println!("{:#?}",resp.unwrap_err());}}
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com"DD_API_KEY="<API-KEY>"DD_APP_KEY="<APP-KEY>"cargo run
/**
* Change the related incidents of a security signal returns "OK" response
*/import{client,v2}from"@datadog/datadog-api-client";constconfiguration=client.createConfiguration();constapiInstance=newv2.SecurityMonitoringApi(configuration);constparams: v2.SecurityMonitoringApiEditSecurityMonitoringSignalIncidentsRequest={body:{data:{attributes:{incidentIds:[2066],},},},signalId:"AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE",};apiInstance.editSecurityMonitoringSignalIncidents(params).then((data: v2.SecurityMonitoringSignalTriageUpdateResponse)=>{console.log("API called successfully. Returned data: "+JSON.stringify(data));}).catch((error: any)=>console.error(error));
Convert an existing rule from JSON to Terraform for datadog provider
resource datadog_security_monitoring_rule.
This endpoint requires the security_monitoring_rules_read permission.
OAuth apps require the security_monitoring_rules_read authorization scope to access this endpoint.
"""
Convert an existing rule from JSON to Terraform returns "OK" response
"""fromosimportenvironfromdatadog_api_clientimportApiClient,Configurationfromdatadog_api_client.v2.api.security_monitoring_apiimportSecurityMonitoringApi# there is a valid "security_rule" in the systemSECURITY_RULE_ID=environ["SECURITY_RULE_ID"]configuration=Configuration()withApiClient(configuration)asapi_client:api_instance=SecurityMonitoringApi(api_client)response=api_instance.convert_existing_security_monitoring_rule(rule_id=SECURITY_RULE_ID,)print(response)
# Convert an existing rule from JSON to Terraform returns "OK" responserequire"datadog_api_client"api_instance=DatadogAPIClient::V2::SecurityMonitoringAPI.new# there is a valid "security_rule" in the systemSECURITY_RULE_ID=ENV["SECURITY_RULE_ID"]papi_instance.convert_existing_security_monitoring_rule(SECURITY_RULE_ID)
// Convert an existing rule from JSON to Terraform returns "OK" response
packagemainimport("context""encoding/json""fmt""os""github.com/DataDog/datadog-api-client-go/v2/api/datadog""github.com/DataDog/datadog-api-client-go/v2/api/datadogV2")funcmain(){// there is a valid "security_rule" in the system
SecurityRuleID:=os.Getenv("SECURITY_RULE_ID")ctx:=datadog.NewDefaultContext(context.Background())configuration:=datadog.NewConfiguration()apiClient:=datadog.NewAPIClient(configuration)api:=datadogV2.NewSecurityMonitoringApi(apiClient)resp,r,err:=api.ConvertExistingSecurityMonitoringRule(ctx,SecurityRuleID)iferr!=nil{fmt.Fprintf(os.Stderr,"Error when calling `SecurityMonitoringApi.ConvertExistingSecurityMonitoringRule`: %v\n",err)fmt.Fprintf(os.Stderr,"Full HTTP response: %v\n",r)}responseContent,_:=json.MarshalIndent(resp,""," ")fmt.Fprintf(os.Stdout,"Response from `SecurityMonitoringApi.ConvertExistingSecurityMonitoringRule`:\n%s\n",responseContent)}
// Convert an existing rule from JSON to Terraform returns "OK" responseimportcom.datadog.api.client.ApiClient;importcom.datadog.api.client.ApiException;importcom.datadog.api.client.v2.api.SecurityMonitoringApi;importcom.datadog.api.client.v2.model.SecurityMonitoringRuleConvertResponse;publicclassExample{publicstaticvoidmain(String[]args){ApiClientdefaultClient=ApiClient.getDefaultApiClient();SecurityMonitoringApiapiInstance=newSecurityMonitoringApi(defaultClient);// there is a valid "security_rule" in the systemStringSECURITY_RULE_ID=System.getenv("SECURITY_RULE_ID");try{SecurityMonitoringRuleConvertResponseresult=apiInstance.convertExistingSecurityMonitoringRule(SECURITY_RULE_ID);System.out.println(result);}catch(ApiExceptione){System.err.println("Exception when calling SecurityMonitoringApi#convertExistingSecurityMonitoringRule");System.err.println("Status code: "+e.getCode());System.err.println("Reason: "+e.getResponseBody());System.err.println("Response headers: "+e.getResponseHeaders());e.printStackTrace();}}}
// Convert an existing rule from JSON to Terraform returns "OK" response
usedatadog_api_client::datadog;usedatadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;#[tokio::main]asyncfnmain(){// there is a valid "security_rule" in the system
letsecurity_rule_id=std::env::var("SECURITY_RULE_ID").unwrap();letconfiguration=datadog::Configuration::new();letapi=SecurityMonitoringAPI::with_config(configuration);letresp=api.convert_existing_security_monitoring_rule(security_rule_id.clone()).await;ifletOk(value)=resp{println!("{:#?}",value);}else{println!("{:#?}",resp.unwrap_err());}}
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com"DD_API_KEY="<DD_API_KEY>"DD_APP_KEY="<DD_APP_KEY>"cargo run
/**
* Convert an existing rule from JSON to Terraform returns "OK" response
*/import{client,v2}from"@datadog/datadog-api-client";constconfiguration=client.createConfiguration();constapiInstance=newv2.SecurityMonitoringApi(configuration);// there is a valid "security_rule" in the system
constSECURITY_RULE_ID=process.env.SECURITY_RULE_IDasstring;constparams: v2.SecurityMonitoringApiConvertExistingSecurityMonitoringRuleRequest={ruleId: SECURITY_RULE_ID,};apiInstance.convertExistingSecurityMonitoringRule(params).then((data: v2.SecurityMonitoringRuleConvertResponse)=>{console.log("API called successfully. Returned data: "+JSON.stringify(data));}).catch((error: any)=>console.error(error));
Convert a rule that doesn’t (yet) exist from JSON to Terraform for datadog provider
resource datadog_security_monitoring_rule.
This endpoint requires the security_monitoring_rules_write permission.
OAuth apps require the security_monitoring_rules_write authorization scope to access this endpoint.
A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated
based on the event counts in the previously defined queries.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
status [required]
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
filters
[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
enum
The type of filtering action.
Allowed enum values: require,suppress
query
string
Query for selecting logs to apply the filtering action.
hasExtendedTitle
boolean
Whether the notifications include the triggering group-by values in their title.
isEnabled [required]
boolean
Whether the rule is enabled.
message [required]
string
Message for generated signals.
name [required]
string
The name of the rule.
options [required]
object
Options on rules.
complianceRuleOptions
object
Options for cloud_configuration rules.
Fields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.
complexRule
boolean
Whether the rule is a complex one.
Must be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
string
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.
decreaseCriticalityBasedOnEnv
boolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.
The severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO.
The decrement is applied when the environment tag of the signal starts with staging, test or dev.
detectionMethod
enum
The detection method.
Allowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold
evaluationWindow
enum
A time window is specified to match when at least one of the cases matches true. This is a sliding window
and evaluates in real time. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular
access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
enum
Once a signal is generated, the signal will remain “open” if a case is matched at least once within
this keep alive window. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600
maxSignalDuration
enum
A signal will “close” regardless of the query being matched once the time exceeds the maximum duration.
This time is calculated from the first seen timestamp.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
object
Options on new value rules.
forgetAfter
enum
The duration in days after which a learned value is forgotten.
Allowed enum values: 1,2,7,14,21,28
learningDuration
enum
The duration in days during which values are learned, and after which signals will be generated for values that
weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned.
Allowed enum values: 0,1,7
learningMethod
enum
The learning method used to determine when signals should be generated for values that weren't learned.
Allowed enum values: duration,threshold
default: duration
learningThreshold
enum
A number of occurrences after which signals will be generated for values that weren't learned.
Allowed enum values: 0,1
thirdPartyRuleOptions
object
Options on third party rules.
defaultNotifications
[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
rootQueries
[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
[string]
Fields to group by.
query
string
Query to run on logs.
signalTitleTemplate
string
A template for the signal title; if omitted, the title is generated based on the case name.
queries [required]
[object]
Queries for selecting logs which are part of the rule.
aggregation
enum
The aggregation type.
Allowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
distinctFields
[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
[string]
Fields to group by.
hasOptionalGroupByFields
boolean
When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with N/A, replacing the missing values.
metric
string
DEPRECATED: (Deprecated) The target field to aggregate over when using the sum or max
aggregations. metrics field should be used instead.
metrics
[string]
Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.
name
string
Name of the query.
query
string
Query to run on logs.
referenceTables
[object]
Reference tables for the rule.
checkPresence
boolean
Whether to include or exclude the matched values.
columnName
string
The name of the column in the reference table.
logFieldPath
string
The field in the log to match against the reference table.
ruleQueryName
string
The name of the rule query to apply the reference table to.
tableName
string
The name of the reference table.
tags
[string]
Tags for generated signals.
thirdPartyCases
[object]
Cases for generating signals from third-party rules. Only available for third-party rules.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
query
string
A query to map a third party event to this case.
status [required]
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
type
enum
The rule type.
Allowed enum values: application_security,log_detection,workload_security
Option 2
object
The payload of a signal correlation rule.
cases [required]
[object]
Cases for generating signals.
condition
string
A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated
based on the event counts in the previously defined queries.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
status [required]
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
filters
[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
enum
The type of filtering action.
Allowed enum values: require,suppress
query
string
Query for selecting logs to apply the filtering action.
hasExtendedTitle
boolean
Whether the notifications include the triggering group-by values in their title.
isEnabled [required]
boolean
Whether the rule is enabled.
message [required]
string
Message for generated signals.
name [required]
string
The name of the rule.
options [required]
object
Options on rules.
complianceRuleOptions
object
Options for cloud_configuration rules.
Fields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.
complexRule
boolean
Whether the rule is a complex one.
Must be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
string
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.
decreaseCriticalityBasedOnEnv
boolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.
The severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO.
The decrement is applied when the environment tag of the signal starts with staging, test or dev.
detectionMethod
enum
The detection method.
Allowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold
evaluationWindow
enum
A time window is specified to match when at least one of the cases matches true. This is a sliding window
and evaluates in real time. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular
access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
enum
Once a signal is generated, the signal will remain “open” if a case is matched at least once within
this keep alive window. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600
maxSignalDuration
enum
A signal will “close” regardless of the query being matched once the time exceeds the maximum duration.
This time is calculated from the first seen timestamp.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
object
Options on new value rules.
forgetAfter
enum
The duration in days after which a learned value is forgotten.
Allowed enum values: 1,2,7,14,21,28
learningDuration
enum
The duration in days during which values are learned, and after which signals will be generated for values that
weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned.
Allowed enum values: 0,1,7
learningMethod
enum
The learning method used to determine when signals should be generated for values that weren't learned.
Allowed enum values: duration,threshold
default: duration
learningThreshold
enum
A number of occurrences after which signals will be generated for values that weren't learned.
Allowed enum values: 0,1
thirdPartyRuleOptions
object
Options on third party rules.
defaultNotifications
[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
rootQueries
[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
[string]
Fields to group by.
query
string
Query to run on logs.
signalTitleTemplate
string
A template for the signal title; if omitted, the title is generated based on the case name.
queries [required]
[object]
Queries for selecting signals which are part of the rule.
aggregation
enum
The aggregation type.
Allowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
correlatedByFields
[string]
Fields to group by.
correlatedQueryIndex
int32
Index of the rule query used to retrieve the correlated field.
metrics
[string]
Group of target fields to aggregate over.
name
string
Name of the query.
ruleId [required]
string
Rule ID to match on signals.
tags
[string]
Tags for generated signals.
type
enum
The rule type.
Allowed enum values: signal_correlation
// Convert a rule from JSON to Terraform returns "OK" response
packagemainimport("context""encoding/json""fmt""os""github.com/DataDog/datadog-api-client-go/v2/api/datadog""github.com/DataDog/datadog-api-client-go/v2/api/datadogV2")funcmain(){body:=datadogV2.SecurityMonitoringRuleConvertPayload{SecurityMonitoringStandardRulePayload:&datadogV2.SecurityMonitoringStandardRulePayload{Name:"Example-Security-Monitoring",Queries:[]datadogV2.SecurityMonitoringStandardRuleQuery{{Query:datadog.PtrString("@test:true"),Aggregation:datadogV2.SECURITYMONITORINGRULEQUERYAGGREGATION_COUNT.Ptr(),GroupByFields:[]string{},DistinctFields:[]string{},Metric:datadog.PtrString(""),},},Filters:[]datadogV2.SecurityMonitoringFilter{},Cases:[]datadogV2.SecurityMonitoringRuleCaseCreate{{Name:datadog.PtrString(""),Status:datadogV2.SECURITYMONITORINGRULESEVERITY_INFO,Condition:datadog.PtrString("a > 0"),Notifications:[]string{},},},Options:datadogV2.SecurityMonitoringRuleOptions{EvaluationWindow:datadogV2.SECURITYMONITORINGRULEEVALUATIONWINDOW_FIFTEEN_MINUTES.Ptr(),KeepAlive:datadogV2.SECURITYMONITORINGRULEKEEPALIVE_ONE_HOUR.Ptr(),MaxSignalDuration:datadogV2.SECURITYMONITORINGRULEMAXSIGNALDURATION_ONE_DAY.Ptr(),},Message:"Test rule",Tags:[]string{},IsEnabled:true,Type:datadogV2.SECURITYMONITORINGRULETYPECREATE_LOG_DETECTION.Ptr(),}}ctx:=datadog.NewDefaultContext(context.Background())configuration:=datadog.NewConfiguration()apiClient:=datadog.NewAPIClient(configuration)api:=datadogV2.NewSecurityMonitoringApi(apiClient)resp,r,err:=api.ConvertSecurityMonitoringRuleFromJSONToTerraform(ctx,body)iferr!=nil{fmt.Fprintf(os.Stderr,"Error when calling `SecurityMonitoringApi.ConvertSecurityMonitoringRuleFromJSONToTerraform`: %v\n",err)fmt.Fprintf(os.Stderr,"Full HTTP response: %v\n",r)}responseContent,_:=json.MarshalIndent(resp,""," ")fmt.Fprintf(os.Stdout,"Response from `SecurityMonitoringApi.ConvertSecurityMonitoringRuleFromJSONToTerraform`:\n%s\n",responseContent)}
"""
Convert a rule from JSON to Terraform returns "OK" response
"""fromdatadog_api_clientimportApiClient,Configurationfromdatadog_api_client.v2.api.security_monitoring_apiimportSecurityMonitoringApifromdatadog_api_client.v2.model.security_monitoring_rule_case_createimportSecurityMonitoringRuleCaseCreatefromdatadog_api_client.v2.model.security_monitoring_rule_evaluation_windowimport(SecurityMonitoringRuleEvaluationWindow,)fromdatadog_api_client.v2.model.security_monitoring_rule_keep_aliveimportSecurityMonitoringRuleKeepAlivefromdatadog_api_client.v2.model.security_monitoring_rule_max_signal_durationimport(SecurityMonitoringRuleMaxSignalDuration,)fromdatadog_api_client.v2.model.security_monitoring_rule_optionsimportSecurityMonitoringRuleOptionsfromdatadog_api_client.v2.model.security_monitoring_rule_query_aggregationimport(SecurityMonitoringRuleQueryAggregation,)fromdatadog_api_client.v2.model.security_monitoring_rule_severityimportSecurityMonitoringRuleSeverityfromdatadog_api_client.v2.model.security_monitoring_rule_type_createimportSecurityMonitoringRuleTypeCreatefromdatadog_api_client.v2.model.security_monitoring_standard_rule_payloadimportSecurityMonitoringStandardRulePayloadfromdatadog_api_client.v2.model.security_monitoring_standard_rule_queryimportSecurityMonitoringStandardRuleQuerybody=SecurityMonitoringStandardRulePayload(name="Example-Security-Monitoring",queries=[SecurityMonitoringStandardRuleQuery(query="@test:true",aggregation=SecurityMonitoringRuleQueryAggregation.COUNT,group_by_fields=[],distinct_fields=[],metric="",),],filters=[],cases=[SecurityMonitoringRuleCaseCreate(name="",status=SecurityMonitoringRuleSeverity.INFO,condition="a > 0",notifications=[],),],options=SecurityMonitoringRuleOptions(evaluation_window=SecurityMonitoringRuleEvaluationWindow.FIFTEEN_MINUTES,keep_alive=SecurityMonitoringRuleKeepAlive.ONE_HOUR,max_signal_duration=SecurityMonitoringRuleMaxSignalDuration.ONE_DAY,),message="Test rule",tags=[],is_enabled=True,type=SecurityMonitoringRuleTypeCreate.LOG_DETECTION,)configuration=Configuration()withApiClient(configuration)asapi_client:api_instance=SecurityMonitoringApi(api_client)response=api_instance.convert_security_monitoring_rule_from_json_to_terraform(body=body)print(response)
# Convert a rule from JSON to Terraform returns "OK" responserequire"datadog_api_client"api_instance=DatadogAPIClient::V2::SecurityMonitoringAPI.newbody=DatadogAPIClient::V2::SecurityMonitoringStandardRulePayload.new({name:"Example-Security-Monitoring",queries:[DatadogAPIClient::V2::SecurityMonitoringStandardRuleQuery.new({query:"@test:true",aggregation:DatadogAPIClient::V2::SecurityMonitoringRuleQueryAggregation::COUNT,group_by_fields:[],distinct_fields:[],metric:"",}),],filters:[],cases:[DatadogAPIClient::V2::SecurityMonitoringRuleCaseCreate.new({name:"",status:DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::INFO,condition:"a > 0",notifications:[],}),],options:DatadogAPIClient::V2::SecurityMonitoringRuleOptions.new({evaluation_window:DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::FIFTEEN_MINUTES,keep_alive:DatadogAPIClient::V2::SecurityMonitoringRuleKeepAlive::ONE_HOUR,max_signal_duration:DatadogAPIClient::V2::SecurityMonitoringRuleMaxSignalDuration::ONE_DAY,}),message:"Test rule",tags:[],is_enabled:true,type:DatadogAPIClient::V2::SecurityMonitoringRuleTypeCreate::LOG_DETECTION,})papi_instance.convert_security_monitoring_rule_from_json_to_terraform(body)
// Convert a rule from JSON to Terraform returns "OK" response
usedatadog_api_client::datadog;usedatadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;usedatadog_api_client::datadogV2::model::SecurityMonitoringRuleCaseCreate;usedatadog_api_client::datadogV2::model::SecurityMonitoringRuleConvertPayload;usedatadog_api_client::datadogV2::model::SecurityMonitoringRuleEvaluationWindow;usedatadog_api_client::datadogV2::model::SecurityMonitoringRuleKeepAlive;usedatadog_api_client::datadogV2::model::SecurityMonitoringRuleMaxSignalDuration;usedatadog_api_client::datadogV2::model::SecurityMonitoringRuleOptions;usedatadog_api_client::datadogV2::model::SecurityMonitoringRuleQueryAggregation;usedatadog_api_client::datadogV2::model::SecurityMonitoringRuleSeverity;usedatadog_api_client::datadogV2::model::SecurityMonitoringRuleTypeCreate;usedatadog_api_client::datadogV2::model::SecurityMonitoringStandardRulePayload;usedatadog_api_client::datadogV2::model::SecurityMonitoringStandardRuleQuery;#[tokio::main]asyncfnmain(){letbody=SecurityMonitoringRuleConvertPayload::SecurityMonitoringStandardRulePayload(Box::new(SecurityMonitoringStandardRulePayload::new(vec![SecurityMonitoringRuleCaseCreate::new(SecurityMonitoringRuleSeverity::INFO).condition("a > 0".to_string()).name("".to_string()).notifications(vec![]),],true,"Test rule".to_string(),"Example-Security-Monitoring".to_string(),SecurityMonitoringRuleOptions::new().evaluation_window(SecurityMonitoringRuleEvaluationWindow::FIFTEEN_MINUTES).keep_alive(SecurityMonitoringRuleKeepAlive::ONE_HOUR).max_signal_duration(SecurityMonitoringRuleMaxSignalDuration::ONE_DAY),vec![SecurityMonitoringStandardRuleQuery::new().aggregation(SecurityMonitoringRuleQueryAggregation::COUNT).distinct_fields(vec![]).group_by_fields(vec![]).metric("".to_string()).query("@test:true".to_string())],).filters(vec![]).tags(vec![]).type_(SecurityMonitoringRuleTypeCreate::LOG_DETECTION),));letconfiguration=datadog::Configuration::new();letapi=SecurityMonitoringAPI::with_config(configuration);letresp=api.convert_security_monitoring_rule_from_json_to_terraform(body).await;ifletOk(value)=resp{println!("{:#?}",value);}else{println!("{:#?}",resp.unwrap_err());}}
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com"DD_API_KEY="<DD_API_KEY>"DD_APP_KEY="<DD_APP_KEY>"cargo run
/**
* Convert a rule from JSON to Terraform returns "OK" response
*/import{client,v2}from"@datadog/datadog-api-client";constconfiguration=client.createConfiguration();constapiInstance=newv2.SecurityMonitoringApi(configuration);constparams: v2.SecurityMonitoringApiConvertSecurityMonitoringRuleFromJSONToTerraformRequest={body:{name:"Example-Security-Monitoring",queries:[{query:"@test:true",aggregation:"count",groupByFields:[],distinctFields:[],metric:"",},],filters:[],cases:[{name:"",status:"info",condition:"a > 0",notifications:[],},],options:{evaluationWindow: 900,keepAlive: 3600,maxSignalDuration: 86400,},message:"Test rule",tags:[],isEnabled: true,type:"log_detection",},};apiInstance.convertSecurityMonitoringRuleFromJSONToTerraform(params).then((data: v2.SecurityMonitoringRuleConvertResponse)=>{console.log("API called successfully. Returned data: "+JSON.stringify(data));}).catch((error: any)=>console.error(error));
Returns security signals that match a search query.
Both this endpoint and the GET endpoint can be used interchangeably for listing
security signals.
This endpoint requires the security_monitoring_signals_read permission.
OAuth apps require the security_monitoring_signals_read authorization scope to access this endpoint.
The response object with all security signals matching the request
and pagination information.
Expand All
Champ
Type
Description
data
[object]
An array of security signals matching the request.
attributes
object
The object containing all signal attributes and their
associated values.
custom
object
A JSON object of attributes in the security signal.
message
string
The message in the security signal defined by the rule that generated the signal.
tags
[string]
An array of tags associated with the security signal.
timestamp
date-time
The timestamp of the security signal.
id
string
The unique ID of the security signal.
type
enum
The type of event.
Allowed enum values: signal
default: signal
links
object
Links attributes.
next
string
The link for the next set of results. Note: The request can also be made using the
POST endpoint.
meta
object
Meta attributes.
page
object
Paging attributes.
after
string
The cursor used to get the next results, if any. To make the next request, use the same
parameters with the addition of the page[cursor].
{"data":[{"attributes":{"custom":{"workflow":{"first_seen":"2020-06-23T14:46:01.000Z","last_seen":"2020-06-23T14:46:49.000Z","rule":{"id":"0f5-e0c-805","name":"Brute Force Attack Grouped By User ","version":12}}},"message":"Detect Account Take Over (ATO) through brute force attempts","tags":["security:attack","technique:T1110-brute-force"],"timestamp":"2019-01-02T09:42:36.320Z"},"id":"AAAAAWgN8Xwgr1vKDQAAAABBV2dOOFh3ZzZobm1mWXJFYTR0OA","type":"signal"}],"links":{"next":"https://app.datadoghq.com/api/v2/security_monitoring/signals?filter[query]=foo\u0026page[cursor]=eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ=="},"meta":{"page":{"after":"eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ=="}}}
// Get a list of security signals returns "OK" response with pagination
packagemainimport("context""encoding/json""fmt""os""time""github.com/DataDog/datadog-api-client-go/v2/api/datadog""github.com/DataDog/datadog-api-client-go/v2/api/datadogV2")funcmain(){body:=datadogV2.SecurityMonitoringSignalListRequest{Filter:&datadogV2.SecurityMonitoringSignalListRequestFilter{From:datadog.PtrTime(time.Now().Add(time.Minute*-15)),Query:datadog.PtrString("security:attack status:high"),To:datadog.PtrTime(time.Now()),},Page:&datadogV2.SecurityMonitoringSignalListRequestPage{Limit:datadog.PtrInt32(2),},Sort:datadogV2.SECURITYMONITORINGSIGNALSSORT_TIMESTAMP_ASCENDING.Ptr(),}ctx:=datadog.NewDefaultContext(context.Background())configuration:=datadog.NewConfiguration()apiClient:=datadog.NewAPIClient(configuration)api:=datadogV2.NewSecurityMonitoringApi(apiClient)resp,_:=api.SearchSecurityMonitoringSignalsWithPagination(ctx,*datadogV2.NewSearchSecurityMonitoringSignalsOptionalParameters().WithBody(body))forpaginationResult:=rangeresp{ifpaginationResult.Error!=nil{fmt.Fprintf(os.Stderr,"Error when calling `SecurityMonitoringApi.SearchSecurityMonitoringSignals`: %v\n",paginationResult.Error)}responseContent,_:=json.MarshalIndent(paginationResult.Item,""," ")fmt.Fprintf(os.Stdout,"%s\n",responseContent)}}
// Get a list of security signals returns "OK" response with paginationimportcom.datadog.api.client.ApiClient;importcom.datadog.api.client.PaginationIterable;importcom.datadog.api.client.v2.api.SecurityMonitoringApi;importcom.datadog.api.client.v2.api.SecurityMonitoringApi.SearchSecurityMonitoringSignalsOptionalParameters;importcom.datadog.api.client.v2.model.SecurityMonitoringSignal;importcom.datadog.api.client.v2.model.SecurityMonitoringSignalListRequest;importcom.datadog.api.client.v2.model.SecurityMonitoringSignalListRequestFilter;importcom.datadog.api.client.v2.model.SecurityMonitoringSignalListRequestPage;importcom.datadog.api.client.v2.model.SecurityMonitoringSignalsSort;importjava.time.OffsetDateTime;publicclassExample{publicstaticvoidmain(String[]args){ApiClientdefaultClient=ApiClient.getDefaultApiClient();SecurityMonitoringApiapiInstance=newSecurityMonitoringApi(defaultClient);SecurityMonitoringSignalListRequestbody=newSecurityMonitoringSignalListRequest().filter(newSecurityMonitoringSignalListRequestFilter().from(OffsetDateTime.now().plusMinutes(-15)).query("security:attack status:high").to(OffsetDateTime.now())).page(newSecurityMonitoringSignalListRequestPage().limit(2)).sort(SecurityMonitoringSignalsSort.TIMESTAMP_ASCENDING);try{PaginationIterable<SecurityMonitoringSignal>iterable=apiInstance.searchSecurityMonitoringSignalsWithPagination(newSearchSecurityMonitoringSignalsOptionalParameters().body(body));for(SecurityMonitoringSignalitem:iterable){System.out.println(item);}}catch(RuntimeExceptione){System.err.println("Exception when calling"+" SecurityMonitoringApi#searchSecurityMonitoringSignalsWithPagination");System.err.println("Reason: "+e.getMessage());e.printStackTrace();}}}
"""
Get a list of security signals returns "OK" response with pagination
"""fromdatetimeimportdatetimefromdateutil.relativedeltaimportrelativedeltafromdatadog_api_clientimportApiClient,Configurationfromdatadog_api_client.v2.api.security_monitoring_apiimportSecurityMonitoringApifromdatadog_api_client.v2.model.security_monitoring_signal_list_requestimportSecurityMonitoringSignalListRequestfromdatadog_api_client.v2.model.security_monitoring_signal_list_request_filterimport(SecurityMonitoringSignalListRequestFilter,)fromdatadog_api_client.v2.model.security_monitoring_signal_list_request_pageimport(SecurityMonitoringSignalListRequestPage,)fromdatadog_api_client.v2.model.security_monitoring_signals_sortimportSecurityMonitoringSignalsSortbody=SecurityMonitoringSignalListRequest(filter=SecurityMonitoringSignalListRequestFilter(_from=(datetime.now()+relativedelta(minutes=-15)),query="security:attack status:high",to=datetime.now(),),page=SecurityMonitoringSignalListRequestPage(limit=2,),sort=SecurityMonitoringSignalsSort.TIMESTAMP_ASCENDING,)configuration=Configuration()withApiClient(configuration)asapi_client:api_instance=SecurityMonitoringApi(api_client)items=api_instance.search_security_monitoring_signals_with_pagination(body=body)foriteminitems:print(item)
# Get a list of security signals returns "OK" response with paginationrequire"datadog_api_client"api_instance=DatadogAPIClient::V2::SecurityMonitoringAPI.newbody=DatadogAPIClient::V2::SecurityMonitoringSignalListRequest.new({filter:DatadogAPIClient::V2::SecurityMonitoringSignalListRequestFilter.new({from:(Time.now+-15*60),query:"security:attack status:high",to:Time.now,}),page:DatadogAPIClient::V2::SecurityMonitoringSignalListRequestPage.new({limit:2,}),sort:DatadogAPIClient::V2::SecurityMonitoringSignalsSort::TIMESTAMP_ASCENDING,})opts={body:body,}api_instance.search_security_monitoring_signals_with_pagination(opts){|item|putsitem}
// Get a list of security signals returns "OK" response with pagination
usechrono::{DateTime,Utc};usedatadog_api_client::datadog;usedatadog_api_client::datadogV2::api_security_monitoring::SearchSecurityMonitoringSignalsOptionalParams;usedatadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;usedatadog_api_client::datadogV2::model::SecurityMonitoringSignalListRequest;usedatadog_api_client::datadogV2::model::SecurityMonitoringSignalListRequestFilter;usedatadog_api_client::datadogV2::model::SecurityMonitoringSignalListRequestPage;usedatadog_api_client::datadogV2::model::SecurityMonitoringSignalsSort;usefutures_util::pin_mut;usefutures_util::stream::StreamExt;#[tokio::main]asyncfnmain(){letbody=SecurityMonitoringSignalListRequest::new().filter(SecurityMonitoringSignalListRequestFilter::new().from(DateTime::parse_from_rfc3339("2021-11-11T10:56:11+00:00").expect("Failed to parse datetime").with_timezone(&Utc),).query("security:attack status:high".to_string()).to(DateTime::parse_from_rfc3339("2021-11-11T11:11:11+00:00").expect("Failed to parse datetime").with_timezone(&Utc)),).page(SecurityMonitoringSignalListRequestPage::new().limit(2)).sort(SecurityMonitoringSignalsSort::TIMESTAMP_ASCENDING);letconfiguration=datadog::Configuration::new();letapi=SecurityMonitoringAPI::with_config(configuration);letresponse=api.search_security_monitoring_signals_with_pagination(SearchSecurityMonitoringSignalsOptionalParams::default().body(body),);pin_mut!(response);whileletSome(resp)=response.next().await{ifletOk(value)=resp{println!("{:#?}",value);}else{println!("{:#?}",resp.unwrap_err());}}}
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com"DD_API_KEY="<DD_API_KEY>"DD_APP_KEY="<DD_APP_KEY>"cargo run
/**
* Get a list of security signals returns "OK" response with pagination
*/import{client,v2}from"@datadog/datadog-api-client";constconfiguration=client.createConfiguration();constapiInstance=newv2.SecurityMonitoringApi(configuration);constparams: v2.SecurityMonitoringApiSearchSecurityMonitoringSignalsRequest={body:{filter:{from:newDate(newDate().getTime()+-15*60*1000),query:"security:attack status:high",to: newDate(),},page:{limit: 2,},sort:"timestamp",},};(async()=>{try{forawait(constitemofapiInstance.searchSecurityMonitoringSignalsWithPagination(params)){console.log(item);}}catch(error){console.error(error);}})();
The object containing all signal attributes and their
associated values.
custom
object
A JSON object of attributes in the security signal.
message
string
The message in the security signal defined by the rule that generated the signal.
tags
[string]
An array of tags associated with the security signal.
timestamp
date-time
The timestamp of the security signal.
id
string
The unique ID of the security signal.
type
enum
The type of event.
Allowed enum values: signal
default: signal
{"data":{"attributes":{"custom":{"workflow":{"first_seen":"2020-06-23T14:46:01.000Z","last_seen":"2020-06-23T14:46:49.000Z","rule":{"id":"0f5-e0c-805","name":"Brute Force Attack Grouped By User ","version":12}}},"message":"Detect Account Take Over (ATO) through brute force attempts","tags":["security:attack","technique:T1110-brute-force"],"timestamp":"2019-01-02T09:42:36.320Z"},"id":"AAAAAWgN8Xwgr1vKDQAAAABBV2dOOFh3ZzZobm1mWXJFYTR0OA","type":"signal"}}
"""
Get a signal's details returns "OK" response
"""fromdatadog_api_clientimportApiClient,Configurationfromdatadog_api_client.v2.api.security_monitoring_apiimportSecurityMonitoringApiconfiguration=Configuration()withApiClient(configuration)asapi_client:api_instance=SecurityMonitoringApi(api_client)response=api_instance.get_security_monitoring_signal(signal_id="AQAAAYNqUBVU4-rffwAAAABBWU5xVUJWVUFBQjJBd3ptMDdQUnF3QUE",)print(response)
# Get a signal's details returns "OK" responserequire"datadog_api_client"api_instance=DatadogAPIClient::V2::SecurityMonitoringAPI.newpapi_instance.get_security_monitoring_signal("AQAAAYNqUBVU4-rffwAAAABBWU5xVUJWVUFBQjJBd3ptMDdQUnF3QUE")
// Get a signal's details returns "OK" response
packagemainimport("context""encoding/json""fmt""os""github.com/DataDog/datadog-api-client-go/v2/api/datadog""github.com/DataDog/datadog-api-client-go/v2/api/datadogV2")funcmain(){ctx:=datadog.NewDefaultContext(context.Background())configuration:=datadog.NewConfiguration()apiClient:=datadog.NewAPIClient(configuration)api:=datadogV2.NewSecurityMonitoringApi(apiClient)resp,r,err:=api.GetSecurityMonitoringSignal(ctx,"AQAAAYNqUBVU4-rffwAAAABBWU5xVUJWVUFBQjJBd3ptMDdQUnF3QUE")iferr!=nil{fmt.Fprintf(os.Stderr,"Error when calling `SecurityMonitoringApi.GetSecurityMonitoringSignal`: %v\n",err)fmt.Fprintf(os.Stderr,"Full HTTP response: %v\n",r)}responseContent,_:=json.MarshalIndent(resp,""," ")fmt.Fprintf(os.Stdout,"Response from `SecurityMonitoringApi.GetSecurityMonitoringSignal`:\n%s\n",responseContent)}
// Get a signal's details returns "OK" response
usedatadog_api_client::datadog;usedatadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;#[tokio::main]asyncfnmain(){letconfiguration=datadog::Configuration::new();letapi=SecurityMonitoringAPI::with_config(configuration);letresp=api.get_security_monitoring_signal("AQAAAYNqUBVU4-rffwAAAABBWU5xVUJWVUFBQjJBd3ptMDdQUnF3QUE".to_string(),).await;ifletOk(value)=resp{println!("{:#?}",value);}else{println!("{:#?}",resp.unwrap_err());}}
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com"DD_API_KEY="<DD_API_KEY>"DD_APP_KEY="<DD_APP_KEY>"cargo run
/**
* Get a signal's details returns "OK" response
*/import{client,v2}from"@datadog/datadog-api-client";constconfiguration=client.createConfiguration();constapiInstance=newv2.SecurityMonitoringApi(configuration);constparams: v2.SecurityMonitoringApiGetSecurityMonitoringSignalRequest={signalId:"AQAAAYNqUBVU4-rffwAAAABBWU5xVUJWVUFBQjJBd3ptMDdQUnF3QUE",};apiInstance.getSecurityMonitoringSignal(params).then((data: v2.SecurityMonitoringSignalResponse)=>{console.log("API called successfully. Returned data: "+JSON.stringify(data));}).catch((error: any)=>console.error(error));
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com"DD_API_KEY="<DD_API_KEY>"DD_APP_KEY="<DD_APP_KEY>"cargo run
/**
* Delete a security filter returns "OK" response
*/import{client,v2}from"@datadog/datadog-api-client";constconfiguration=client.createConfiguration();constapiInstance=newv2.SecurityMonitoringApi(configuration);constparams: v2.SecurityMonitoringApiDeleteSecurityFilterRequest={securityFilterId:"security_filter_id",};apiInstance.deleteSecurityFilter(params).then((data: any)=>{console.log("API called successfully. Returned data: "+JSON.stringify(data));}).catch((error: any)=>console.error(error));
The list endpoint returns security signals that match a search query.
Both this endpoint and the POST endpoint can be used interchangeably when listing
security signals.
This endpoint requires the security_monitoring_signals_read permission.
OAuth apps require the security_monitoring_signals_read authorization scope to access this endpoint.
Arguments
Chaînes de requête
Nom
Type
Description
filter[query]
string
The search query for security signals.
filter[from]
string
The minimum timestamp for requested security signals.
filter[to]
string
The maximum timestamp for requested security signals.
sort
enum
The order of the security signals in results. Allowed enum values: timestamp, -timestamp
page[cursor]
string
A list of results using the cursor provided in the previous query.
page[limit]
integer
The maximum number of security signals in the response.
The response object with all security signals matching the request
and pagination information.
Expand All
Champ
Type
Description
data
[object]
An array of security signals matching the request.
attributes
object
The object containing all signal attributes and their
associated values.
custom
object
A JSON object of attributes in the security signal.
message
string
The message in the security signal defined by the rule that generated the signal.
tags
[string]
An array of tags associated with the security signal.
timestamp
date-time
The timestamp of the security signal.
id
string
The unique ID of the security signal.
type
enum
The type of event.
Allowed enum values: signal
default: signal
links
object
Links attributes.
next
string
The link for the next set of results. Note: The request can also be made using the
POST endpoint.
meta
object
Meta attributes.
page
object
Paging attributes.
after
string
The cursor used to get the next results, if any. To make the next request, use the same
parameters with the addition of the page[cursor].
{"data":[{"attributes":{"custom":{"workflow":{"first_seen":"2020-06-23T14:46:01.000Z","last_seen":"2020-06-23T14:46:49.000Z","rule":{"id":"0f5-e0c-805","name":"Brute Force Attack Grouped By User ","version":12}}},"message":"Detect Account Take Over (ATO) through brute force attempts","tags":["security:attack","technique:T1110-brute-force"],"timestamp":"2019-01-02T09:42:36.320Z"},"id":"AAAAAWgN8Xwgr1vKDQAAAABBV2dOOFh3ZzZobm1mWXJFYTR0OA","type":"signal"}],"links":{"next":"https://app.datadoghq.com/api/v2/security_monitoring/signals?filter[query]=foo\u0026page[cursor]=eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ=="},"meta":{"page":{"after":"eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ=="}}}
"""
Get a quick list of security signals returns "OK" response
"""fromdatadog_api_clientimportApiClient,Configurationfromdatadog_api_client.v2.api.security_monitoring_apiimportSecurityMonitoringApiconfiguration=Configuration()withApiClient(configuration)asapi_client:api_instance=SecurityMonitoringApi(api_client)response=api_instance.list_security_monitoring_signals()print(response)
# Get a quick list of security signals returns "OK" responserequire"datadog_api_client"api_instance=DatadogAPIClient::V2::SecurityMonitoringAPI.newpapi_instance.list_security_monitoring_signals()
// Get a quick list of security signals returns "OK" response
packagemainimport("context""encoding/json""fmt""os""github.com/DataDog/datadog-api-client-go/v2/api/datadog""github.com/DataDog/datadog-api-client-go/v2/api/datadogV2")funcmain(){ctx:=datadog.NewDefaultContext(context.Background())configuration:=datadog.NewConfiguration()apiClient:=datadog.NewAPIClient(configuration)api:=datadogV2.NewSecurityMonitoringApi(apiClient)resp,r,err:=api.ListSecurityMonitoringSignals(ctx,*datadogV2.NewListSecurityMonitoringSignalsOptionalParameters())iferr!=nil{fmt.Fprintf(os.Stderr,"Error when calling `SecurityMonitoringApi.ListSecurityMonitoringSignals`: %v\n",err)fmt.Fprintf(os.Stderr,"Full HTTP response: %v\n",r)}responseContent,_:=json.MarshalIndent(resp,""," ")fmt.Fprintf(os.Stdout,"Response from `SecurityMonitoringApi.ListSecurityMonitoringSignals`:\n%s\n",responseContent)}
// Get a quick list of security signals returns "OK" responseimportcom.datadog.api.client.ApiClient;importcom.datadog.api.client.ApiException;importcom.datadog.api.client.v2.api.SecurityMonitoringApi;importcom.datadog.api.client.v2.model.SecurityMonitoringSignalsListResponse;publicclassExample{publicstaticvoidmain(String[]args){ApiClientdefaultClient=ApiClient.getDefaultApiClient();SecurityMonitoringApiapiInstance=newSecurityMonitoringApi(defaultClient);try{SecurityMonitoringSignalsListResponseresult=apiInstance.listSecurityMonitoringSignals();System.out.println(result);}catch(ApiExceptione){System.err.println("Exception when calling SecurityMonitoringApi#listSecurityMonitoringSignals");System.err.println("Status code: "+e.getCode());System.err.println("Reason: "+e.getResponseBody());System.err.println("Response headers: "+e.getResponseHeaders());e.printStackTrace();}}}
// Get a quick list of security signals returns "OK" response
usedatadog_api_client::datadog;usedatadog_api_client::datadogV2::api_security_monitoring::ListSecurityMonitoringSignalsOptionalParams;usedatadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;#[tokio::main]asyncfnmain(){letconfiguration=datadog::Configuration::new();letapi=SecurityMonitoringAPI::with_config(configuration);letresp=api.list_security_monitoring_signals(ListSecurityMonitoringSignalsOptionalParams::default()).await;ifletOk(value)=resp{println!("{:#?}",value);}else{println!("{:#?}",resp.unwrap_err());}}
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com"DD_API_KEY="<DD_API_KEY>"DD_APP_KEY="<DD_APP_KEY>"cargo run
/**
* Get a quick list of security signals returns "OK" response
*/import{client,v2}from"@datadog/datadog-api-client";constconfiguration=client.createConfiguration();constapiInstance=newv2.SecurityMonitoringApi(configuration);apiInstance.listSecurityMonitoringSignals().then((data: v2.SecurityMonitoringSignalsListResponse)=>{console.log("API called successfully. Returned data: "+JSON.stringify(data));}).catch((error: any)=>console.error(error));
Update a specific security filter.
Returns the security filter object when the request is successful.
This endpoint requires the security_monitoring_filters_write permission.
OAuth apps require the security_monitoring_filters_write authorization scope to access this endpoint.
Response object which includes a single security filter.
Expand All
Champ
Type
Description
data
object
The security filter's properties.
attributes
object
The object describing a security filter.
exclusion_filters
[object]
The list of exclusion filters applied in this security filter.
name
string
The exclusion filter name.
query
string
The exclusion filter query.
filtered_data_type
enum
The filtered data type.
Allowed enum values: logs
is_builtin
boolean
Whether the security filter is the built-in filter.
is_enabled
boolean
Whether the security filter is enabled.
name
string
The security filter name.
query
string
The security filter query. Logs accepted by this query will be accepted by this filter.
version
int32
The version of the security filter.
id
string
The ID of the security filter.
type
enum
The type of the resource. The value should always be security_filters.
Allowed enum values: security_filters
default: security_filters
meta
object
Optional metadata associated to the response.
warning
string
A warning message.
{"data":{"attributes":{"exclusion_filters":[{"name":"Exclude staging","query":"source:staging"}],"filtered_data_type":"logs","is_builtin":false,"is_enabled":false,"name":"Custom security filter","query":"service:api","version":1},"id":"3dd-0uc-h1s","type":"security_filters"},"meta":{"warning":"All the security filters are disabled. As a result, no logs are being analyzed."}}
// Update a security filter returns "OK" response
packagemainimport("context""encoding/json""fmt""os""github.com/DataDog/datadog-api-client-go/v2/api/datadog""github.com/DataDog/datadog-api-client-go/v2/api/datadogV2")funcmain(){// there is a valid "security_filter" in the system
SecurityFilterDataID:=os.Getenv("SECURITY_FILTER_DATA_ID")body:=datadogV2.SecurityFilterUpdateRequest{Data:datadogV2.SecurityFilterUpdateData{Attributes:datadogV2.SecurityFilterUpdateAttributes{ExclusionFilters:[]datadogV2.SecurityFilterExclusionFilter{},FilteredDataType:datadogV2.SECURITYFILTERFILTEREDDATATYPE_LOGS.Ptr(),IsEnabled:datadog.PtrBool(true),Name:datadog.PtrString("Example-Security-Monitoring"),Query:datadog.PtrString("service:ExampleSecurityMonitoring"),Version:datadog.PtrInt32(1),},Type:datadogV2.SECURITYFILTERTYPE_SECURITY_FILTERS,},}ctx:=datadog.NewDefaultContext(context.Background())configuration:=datadog.NewConfiguration()apiClient:=datadog.NewAPIClient(configuration)api:=datadogV2.NewSecurityMonitoringApi(apiClient)resp,r,err:=api.UpdateSecurityFilter(ctx,SecurityFilterDataID,body)iferr!=nil{fmt.Fprintf(os.Stderr,"Error when calling `SecurityMonitoringApi.UpdateSecurityFilter`: %v\n",err)fmt.Fprintf(os.Stderr,"Full HTTP response: %v\n",r)}responseContent,_:=json.MarshalIndent(resp,""," ")fmt.Fprintf(os.Stdout,"Response from `SecurityMonitoringApi.UpdateSecurityFilter`:\n%s\n",responseContent)}
// Update a security filter returns "OK" responseimportcom.datadog.api.client.ApiClient;importcom.datadog.api.client.ApiException;importcom.datadog.api.client.v2.api.SecurityMonitoringApi;importcom.datadog.api.client.v2.model.SecurityFilterFilteredDataType;importcom.datadog.api.client.v2.model.SecurityFilterResponse;importcom.datadog.api.client.v2.model.SecurityFilterType;importcom.datadog.api.client.v2.model.SecurityFilterUpdateAttributes;importcom.datadog.api.client.v2.model.SecurityFilterUpdateData;importcom.datadog.api.client.v2.model.SecurityFilterUpdateRequest;publicclassExample{publicstaticvoidmain(String[]args){ApiClientdefaultClient=ApiClient.getDefaultApiClient();SecurityMonitoringApiapiInstance=newSecurityMonitoringApi(defaultClient);// there is a valid "security_filter" in the systemStringSECURITY_FILTER_DATA_ID=System.getenv("SECURITY_FILTER_DATA_ID");SecurityFilterUpdateRequestbody=newSecurityFilterUpdateRequest().data(newSecurityFilterUpdateData().attributes(newSecurityFilterUpdateAttributes().filteredDataType(SecurityFilterFilteredDataType.LOGS).isEnabled(true).name("Example-Security-Monitoring").query("service:ExampleSecurityMonitoring").version(1)).type(SecurityFilterType.SECURITY_FILTERS));try{SecurityFilterResponseresult=apiInstance.updateSecurityFilter(SECURITY_FILTER_DATA_ID,body);System.out.println(result);}catch(ApiExceptione){System.err.println("Exception when calling SecurityMonitoringApi#updateSecurityFilter");System.err.println("Status code: "+e.getCode());System.err.println("Reason: "+e.getResponseBody());System.err.println("Response headers: "+e.getResponseHeaders());e.printStackTrace();}}}
"""
Update a security filter returns "OK" response
"""fromosimportenvironfromdatadog_api_clientimportApiClient,Configurationfromdatadog_api_client.v2.api.security_monitoring_apiimportSecurityMonitoringApifromdatadog_api_client.v2.model.security_filter_filtered_data_typeimportSecurityFilterFilteredDataTypefromdatadog_api_client.v2.model.security_filter_typeimportSecurityFilterTypefromdatadog_api_client.v2.model.security_filter_update_attributesimportSecurityFilterUpdateAttributesfromdatadog_api_client.v2.model.security_filter_update_dataimportSecurityFilterUpdateDatafromdatadog_api_client.v2.model.security_filter_update_requestimportSecurityFilterUpdateRequest# there is a valid "security_filter" in the systemSECURITY_FILTER_DATA_ID=environ["SECURITY_FILTER_DATA_ID"]body=SecurityFilterUpdateRequest(data=SecurityFilterUpdateData(attributes=SecurityFilterUpdateAttributes(exclusion_filters=[],filtered_data_type=SecurityFilterFilteredDataType.LOGS,is_enabled=True,name="Example-Security-Monitoring",query="service:ExampleSecurityMonitoring",version=1,),type=SecurityFilterType.SECURITY_FILTERS,),)configuration=Configuration()withApiClient(configuration)asapi_client:api_instance=SecurityMonitoringApi(api_client)response=api_instance.update_security_filter(security_filter_id=SECURITY_FILTER_DATA_ID,body=body)print(response)
# Update a security filter returns "OK" responserequire"datadog_api_client"api_instance=DatadogAPIClient::V2::SecurityMonitoringAPI.new# there is a valid "security_filter" in the systemSECURITY_FILTER_DATA_ID=ENV["SECURITY_FILTER_DATA_ID"]body=DatadogAPIClient::V2::SecurityFilterUpdateRequest.new({data:DatadogAPIClient::V2::SecurityFilterUpdateData.new({attributes:DatadogAPIClient::V2::SecurityFilterUpdateAttributes.new({exclusion_filters:[],filtered_data_type:DatadogAPIClient::V2::SecurityFilterFilteredDataType::LOGS,is_enabled:true,name:"Example-Security-Monitoring",query:"service:ExampleSecurityMonitoring",version:1,}),type:DatadogAPIClient::V2::SecurityFilterType::SECURITY_FILTERS,}),})papi_instance.update_security_filter(SECURITY_FILTER_DATA_ID,body)
// Update a security filter returns "OK" response
usedatadog_api_client::datadog;usedatadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;usedatadog_api_client::datadogV2::model::SecurityFilterFilteredDataType;usedatadog_api_client::datadogV2::model::SecurityFilterType;usedatadog_api_client::datadogV2::model::SecurityFilterUpdateAttributes;usedatadog_api_client::datadogV2::model::SecurityFilterUpdateData;usedatadog_api_client::datadogV2::model::SecurityFilterUpdateRequest;#[tokio::main]asyncfnmain(){// there is a valid "security_filter" in the system
letsecurity_filter_data_id=std::env::var("SECURITY_FILTER_DATA_ID").unwrap();letbody=SecurityFilterUpdateRequest::new(SecurityFilterUpdateData::new(SecurityFilterUpdateAttributes::new().exclusion_filters(vec![]).filtered_data_type(SecurityFilterFilteredDataType::LOGS).is_enabled(true).name("Example-Security-Monitoring".to_string()).query("service:ExampleSecurityMonitoring".to_string()).version(1),SecurityFilterType::SECURITY_FILTERS,));letconfiguration=datadog::Configuration::new();letapi=SecurityMonitoringAPI::with_config(configuration);letresp=api.update_security_filter(security_filter_data_id.clone(),body).await;ifletOk(value)=resp{println!("{:#?}",value);}else{println!("{:#?}",resp.unwrap_err());}}
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com"DD_API_KEY="<DD_API_KEY>"DD_APP_KEY="<DD_APP_KEY>"cargo run
/**
* Update a security filter returns "OK" response
*/import{client,v2}from"@datadog/datadog-api-client";constconfiguration=client.createConfiguration();constapiInstance=newv2.SecurityMonitoringApi(configuration);// there is a valid "security_filter" in the system
constSECURITY_FILTER_DATA_ID=process.env.SECURITY_FILTER_DATA_IDasstring;constparams: v2.SecurityMonitoringApiUpdateSecurityFilterRequest={body:{data:{attributes:{exclusionFilters:[],filteredDataType:"logs",isEnabled: true,name:"Example-Security-Monitoring",query:"service:ExampleSecurityMonitoring",version: 1,},type:"security_filters",},},securityFilterId: SECURITY_FILTER_DATA_ID,};apiInstance.updateSecurityFilter(params).then((data: v2.SecurityFilterResponse)=>{console.log("API called successfully. Returned data: "+JSON.stringify(data));}).catch((error: any)=>console.error(error));
Response object which includes a single security filter.
Expand All
Champ
Type
Description
data
object
The security filter's properties.
attributes
object
The object describing a security filter.
exclusion_filters
[object]
The list of exclusion filters applied in this security filter.
name
string
The exclusion filter name.
query
string
The exclusion filter query.
filtered_data_type
enum
The filtered data type.
Allowed enum values: logs
is_builtin
boolean
Whether the security filter is the built-in filter.
is_enabled
boolean
Whether the security filter is enabled.
name
string
The security filter name.
query
string
The security filter query. Logs accepted by this query will be accepted by this filter.
version
int32
The version of the security filter.
id
string
The ID of the security filter.
type
enum
The type of the resource. The value should always be security_filters.
Allowed enum values: security_filters
default: security_filters
meta
object
Optional metadata associated to the response.
warning
string
A warning message.
{"data":{"attributes":{"exclusion_filters":[{"name":"Exclude staging","query":"source:staging"}],"filtered_data_type":"logs","is_builtin":false,"is_enabled":false,"name":"Custom security filter","query":"service:api","version":1},"id":"3dd-0uc-h1s","type":"security_filters"},"meta":{"warning":"All the security filters are disabled. As a result, no logs are being analyzed."}}
"""
Get a security filter returns "OK" response
"""fromosimportenvironfromdatadog_api_clientimportApiClient,Configurationfromdatadog_api_client.v2.api.security_monitoring_apiimportSecurityMonitoringApi# there is a valid "security_filter" in the systemSECURITY_FILTER_DATA_ID=environ["SECURITY_FILTER_DATA_ID"]configuration=Configuration()withApiClient(configuration)asapi_client:api_instance=SecurityMonitoringApi(api_client)response=api_instance.get_security_filter(security_filter_id=SECURITY_FILTER_DATA_ID,)print(response)
# Get a security filter returns "OK" responserequire"datadog_api_client"api_instance=DatadogAPIClient::V2::SecurityMonitoringAPI.new# there is a valid "security_filter" in the systemSECURITY_FILTER_DATA_ID=ENV["SECURITY_FILTER_DATA_ID"]papi_instance.get_security_filter(SECURITY_FILTER_DATA_ID)
// Get a security filter returns "OK" response
packagemainimport("context""encoding/json""fmt""os""github.com/DataDog/datadog-api-client-go/v2/api/datadog""github.com/DataDog/datadog-api-client-go/v2/api/datadogV2")funcmain(){// there is a valid "security_filter" in the system
SecurityFilterDataID:=os.Getenv("SECURITY_FILTER_DATA_ID")ctx:=datadog.NewDefaultContext(context.Background())configuration:=datadog.NewConfiguration()apiClient:=datadog.NewAPIClient(configuration)api:=datadogV2.NewSecurityMonitoringApi(apiClient)resp,r,err:=api.GetSecurityFilter(ctx,SecurityFilterDataID)iferr!=nil{fmt.Fprintf(os.Stderr,"Error when calling `SecurityMonitoringApi.GetSecurityFilter`: %v\n",err)fmt.Fprintf(os.Stderr,"Full HTTP response: %v\n",r)}responseContent,_:=json.MarshalIndent(resp,""," ")fmt.Fprintf(os.Stdout,"Response from `SecurityMonitoringApi.GetSecurityFilter`:\n%s\n",responseContent)}
// Get a security filter returns "OK" responseimportcom.datadog.api.client.ApiClient;importcom.datadog.api.client.ApiException;importcom.datadog.api.client.v2.api.SecurityMonitoringApi;importcom.datadog.api.client.v2.model.SecurityFilterResponse;publicclassExample{publicstaticvoidmain(String[]args){ApiClientdefaultClient=ApiClient.getDefaultApiClient();SecurityMonitoringApiapiInstance=newSecurityMonitoringApi(defaultClient);// there is a valid "security_filter" in the systemStringSECURITY_FILTER_DATA_ID=System.getenv("SECURITY_FILTER_DATA_ID");try{SecurityFilterResponseresult=apiInstance.getSecurityFilter(SECURITY_FILTER_DATA_ID);System.out.println(result);}catch(ApiExceptione){System.err.println("Exception when calling SecurityMonitoringApi#getSecurityFilter");System.err.println("Status code: "+e.getCode());System.err.println("Reason: "+e.getResponseBody());System.err.println("Response headers: "+e.getResponseHeaders());e.printStackTrace();}}}
// Get a security filter returns "OK" response
usedatadog_api_client::datadog;usedatadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;#[tokio::main]asyncfnmain(){// there is a valid "security_filter" in the system
letsecurity_filter_data_id=std::env::var("SECURITY_FILTER_DATA_ID").unwrap();letconfiguration=datadog::Configuration::new();letapi=SecurityMonitoringAPI::with_config(configuration);letresp=api.get_security_filter(security_filter_data_id.clone()).await;ifletOk(value)=resp{println!("{:#?}",value);}else{println!("{:#?}",resp.unwrap_err());}}
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com"DD_API_KEY="<DD_API_KEY>"DD_APP_KEY="<DD_APP_KEY>"cargo run
/**
* Get a security filter returns "OK" response
*/import{client,v2}from"@datadog/datadog-api-client";constconfiguration=client.createConfiguration();constapiInstance=newv2.SecurityMonitoringApi(configuration);// there is a valid "security_filter" in the system
constSECURITY_FILTER_DATA_ID=process.env.SECURITY_FILTER_DATA_IDasstring;constparams: v2.SecurityMonitoringApiGetSecurityFilterRequest={securityFilterId: SECURITY_FILTER_DATA_ID,};apiInstance.getSecurityFilter(params).then((data: v2.SecurityFilterResponse)=>{console.log("API called successfully. Returned data: "+JSON.stringify(data));}).catch((error: any)=>console.error(error));
Response object which includes a single security filter.
Expand All
Champ
Type
Description
data
object
The security filter's properties.
attributes
object
The object describing a security filter.
exclusion_filters
[object]
The list of exclusion filters applied in this security filter.
name
string
The exclusion filter name.
query
string
The exclusion filter query.
filtered_data_type
enum
The filtered data type.
Allowed enum values: logs
is_builtin
boolean
Whether the security filter is the built-in filter.
is_enabled
boolean
Whether the security filter is enabled.
name
string
The security filter name.
query
string
The security filter query. Logs accepted by this query will be accepted by this filter.
version
int32
The version of the security filter.
id
string
The ID of the security filter.
type
enum
The type of the resource. The value should always be security_filters.
Allowed enum values: security_filters
default: security_filters
meta
object
Optional metadata associated to the response.
warning
string
A warning message.
{"data":{"attributes":{"exclusion_filters":[{"name":"Exclude staging","query":"source:staging"}],"filtered_data_type":"logs","is_builtin":false,"is_enabled":false,"name":"Custom security filter","query":"service:api","version":1},"id":"3dd-0uc-h1s","type":"security_filters"},"meta":{"warning":"All the security filters are disabled. As a result, no logs are being analyzed."}}
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com"DD_API_KEY="<DD_API_KEY>"DD_APP_KEY="<DD_APP_KEY>"cargo run
/**
* Create a security filter returns "OK" response
*/import{client,v2}from"@datadog/datadog-api-client";constconfiguration=client.createConfiguration();constapiInstance=newv2.SecurityMonitoringApi(configuration);constparams: v2.SecurityMonitoringApiCreateSecurityFilterRequest={body:{data:{attributes:{exclusionFilters:[{name:"Exclude staging",query:"source:staging",},],filteredDataType:"logs",isEnabled: true,name:"Example-Security-Monitoring",query:"service:ExampleSecurityMonitoring",},type:"security_filters",},},};apiInstance.createSecurityFilter(params).then((data: v2.SecurityFilterResponse)=>{console.log("API called successfully. Returned data: "+JSON.stringify(data));}).catch((error: any)=>console.error(error));
The list of exclusion filters applied in this security filter.
name
string
The exclusion filter name.
query
string
The exclusion filter query.
filtered_data_type
enum
The filtered data type.
Allowed enum values: logs
is_builtin
boolean
Whether the security filter is the built-in filter.
is_enabled
boolean
Whether the security filter is enabled.
name
string
The security filter name.
query
string
The security filter query. Logs accepted by this query will be accepted by this filter.
version
int32
The version of the security filter.
id
string
The ID of the security filter.
type
enum
The type of the resource. The value should always be security_filters.
Allowed enum values: security_filters
default: security_filters
meta
object
Optional metadata associated to the response.
warning
string
A warning message.
{"data":[{"attributes":{"exclusion_filters":[{"name":"Exclude staging","query":"source:staging"}],"filtered_data_type":"logs","is_builtin":false,"is_enabled":false,"name":"Custom security filter","query":"service:api","version":1},"id":"3dd-0uc-h1s","type":"security_filters"}],"meta":{"warning":"All the security filters are disabled. As a result, no logs are being analyzed."}}
"""
Get all security filters returns "OK" response
"""fromdatadog_api_clientimportApiClient,Configurationfromdatadog_api_client.v2.api.security_monitoring_apiimportSecurityMonitoringApiconfiguration=Configuration()withApiClient(configuration)asapi_client:api_instance=SecurityMonitoringApi(api_client)response=api_instance.list_security_filters()print(response)
# Get all security filters returns "OK" responserequire"datadog_api_client"api_instance=DatadogAPIClient::V2::SecurityMonitoringAPI.newpapi_instance.list_security_filters()
// Get all security filters returns "OK" response
packagemainimport("context""encoding/json""fmt""os""github.com/DataDog/datadog-api-client-go/v2/api/datadog""github.com/DataDog/datadog-api-client-go/v2/api/datadogV2")funcmain(){ctx:=datadog.NewDefaultContext(context.Background())configuration:=datadog.NewConfiguration()apiClient:=datadog.NewAPIClient(configuration)api:=datadogV2.NewSecurityMonitoringApi(apiClient)resp,r,err:=api.ListSecurityFilters(ctx)iferr!=nil{fmt.Fprintf(os.Stderr,"Error when calling `SecurityMonitoringApi.ListSecurityFilters`: %v\n",err)fmt.Fprintf(os.Stderr,"Full HTTP response: %v\n",r)}responseContent,_:=json.MarshalIndent(resp,""," ")fmt.Fprintf(os.Stdout,"Response from `SecurityMonitoringApi.ListSecurityFilters`:\n%s\n",responseContent)}
// Get all security filters returns "OK" response
usedatadog_api_client::datadog;usedatadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;#[tokio::main]asyncfnmain(){letconfiguration=datadog::Configuration::new();letapi=SecurityMonitoringAPI::with_config(configuration);letresp=api.list_security_filters().await;ifletOk(value)=resp{println!("{:#?}",value);}else{println!("{:#?}",resp.unwrap_err());}}
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com"DD_API_KEY="<DD_API_KEY>"DD_APP_KEY="<DD_APP_KEY>"cargo run
/**
* Get all security filters returns "OK" response
*/import{client,v2}from"@datadog/datadog-api-client";constconfiguration=client.createConfiguration();constapiInstance=newv2.SecurityMonitoringApi(configuration);apiInstance.listSecurityFilters().then((data: v2.SecurityFiltersResponse)=>{console.log("API called successfully. Returned data: "+JSON.stringify(data));}).catch((error: any)=>console.error(error));
Definition of a historical job based on a security monitoring rule.
caseIndex [required]
int32
Index of the rule case applied by the job.
from [required]
int64
Starting time of data analyzed by the job.
id [required]
string
ID of the detection rule used to create the job.
index [required]
string
Index used to load the data.
notifications
[string]
Notifications sent when the job is completed.
to [required]
int64
Ending time of data analyzed by the job.
id
string
Request ID.
jobDefinition
object
Definition of a historical job.
calculatedFields
[object]
Calculated fields.
expression [required]
string
Expression.
name [required]
string
Field name.
cases [required]
[object]
Cases used for generating job results.
condition
string
A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated
based on the event counts in the previously defined queries.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
status [required]
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
filters
[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
enum
The type of filtering action.
Allowed enum values: require,suppress
query
string
Query for selecting logs to apply the filtering action.
from [required]
int64
Starting time of data analyzed by the job.
index [required]
string
Index used to load the data.
message [required]
string
Message for generated results.
name [required]
string
Job name.
options
object
Options on rules.
complianceRuleOptions
object
Options for cloud_configuration rules.
Fields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.
complexRule
boolean
Whether the rule is a complex one.
Must be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
string
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.
decreaseCriticalityBasedOnEnv
boolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.
The severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO.
The decrement is applied when the environment tag of the signal starts with staging, test or dev.
detectionMethod
enum
The detection method.
Allowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold
evaluationWindow
enum
A time window is specified to match when at least one of the cases matches true. This is a sliding window
and evaluates in real time. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular
access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
enum
Once a signal is generated, the signal will remain “open” if a case is matched at least once within
this keep alive window. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600
maxSignalDuration
enum
A signal will “close” regardless of the query being matched once the time exceeds the maximum duration.
This time is calculated from the first seen timestamp.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
object
Options on new value rules.
forgetAfter
enum
The duration in days after which a learned value is forgotten.
Allowed enum values: 1,2,7,14,21,28
learningDuration
enum
The duration in days during which values are learned, and after which signals will be generated for values that
weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned.
Allowed enum values: 0,1,7
learningMethod
enum
The learning method used to determine when signals should be generated for values that weren't learned.
Allowed enum values: duration,threshold
default: duration
learningThreshold
enum
A number of occurrences after which signals will be generated for values that weren't learned.
Allowed enum values: 0,1
thirdPartyRuleOptions
object
Options on third party rules.
defaultNotifications
[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
rootQueries
[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
[string]
Fields to group by.
query
string
Query to run on logs.
signalTitleTemplate
string
A template for the signal title; if omitted, the title is generated based on the case name.
queries [required]
[object]
Queries for selecting logs analyzed by the job.
aggregation
enum
The aggregation type.
Allowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
distinctFields
[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
[string]
Fields to group by.
hasOptionalGroupByFields
boolean
When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with N/A, replacing the missing values.
metric
string
DEPRECATED: (Deprecated) The target field to aggregate over when using the sum or max
aggregations. metrics field should be used instead.
metrics
[string]
Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.
name
string
Name of the query.
query
string
Query to run on logs.
referenceTables
[object]
Reference tables for the rule.
checkPresence
boolean
Whether to include or exclude the matched values.
columnName
string
The name of the column in the reference table.
logFieldPath
string
The field in the log to match against the reference table.
ruleQueryName
string
The name of the rule query to apply the reference table to.
tableName
string
The name of the reference table.
tags
[string]
Tags for generated signals.
thirdPartyCases
[object]
Cases for generating results from third-party rules. Only available for third-party rules.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
query
string
A query to map a third party event to this case.
status [required]
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
to [required]
int64
Ending time of data analyzed by the job.
type
string
Job type.
type
enum
Type of data.
Allowed enum values: historicalDetectionsJobCreate
{"data":{"type":"historicalDetectionsJobCreate","attributes":{"jobDefinition":{"type":"log_detection","name":"Excessive number of failed attempts.","queries":[{"query":"source:non_existing_src_weekend","aggregation":"count","groupByFields":[],"distinctFields":[]}],"cases":[{"name":"Condition 1","status":"info","notifications":[],"condition":"a > 1"}],"options":{"keepAlive":3600,"maxSignalDuration":86400,"evaluationWindow":900},"message":"A large number of failed login attempts.","tags":[],"from":1730387522611,"to":1730387532611,"index":"main"}}}}
ID of the rule used to create the job (if it is created from a rule).
jobDefinition
object
Definition of a historical job.
calculatedFields
[object]
Calculated fields.
expression [required]
string
Expression.
name [required]
string
Field name.
cases [required]
[object]
Cases used for generating job results.
condition
string
A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated
based on the event counts in the previously defined queries.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
status [required]
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
filters
[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
enum
The type of filtering action.
Allowed enum values: require,suppress
query
string
Query for selecting logs to apply the filtering action.
from [required]
int64
Starting time of data analyzed by the job.
index [required]
string
Index used to load the data.
message [required]
string
Message for generated results.
name [required]
string
Job name.
options
object
Options on rules.
complianceRuleOptions
object
Options for cloud_configuration rules.
Fields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.
complexRule
boolean
Whether the rule is a complex one.
Must be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
string
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.
decreaseCriticalityBasedOnEnv
boolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.
The severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO.
The decrement is applied when the environment tag of the signal starts with staging, test or dev.
detectionMethod
enum
The detection method.
Allowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold
evaluationWindow
enum
A time window is specified to match when at least one of the cases matches true. This is a sliding window
and evaluates in real time. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular
access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
enum
Once a signal is generated, the signal will remain “open” if a case is matched at least once within
this keep alive window. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600
maxSignalDuration
enum
A signal will “close” regardless of the query being matched once the time exceeds the maximum duration.
This time is calculated from the first seen timestamp.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
object
Options on new value rules.
forgetAfter
enum
The duration in days after which a learned value is forgotten.
Allowed enum values: 1,2,7,14,21,28
learningDuration
enum
The duration in days during which values are learned, and after which signals will be generated for values that
weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned.
Allowed enum values: 0,1,7
learningMethod
enum
The learning method used to determine when signals should be generated for values that weren't learned.
Allowed enum values: duration,threshold
default: duration
learningThreshold
enum
A number of occurrences after which signals will be generated for values that weren't learned.
Allowed enum values: 0,1
thirdPartyRuleOptions
object
Options on third party rules.
defaultNotifications
[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
rootQueries
[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
[string]
Fields to group by.
query
string
Query to run on logs.
signalTitleTemplate
string
A template for the signal title; if omitted, the title is generated based on the case name.
queries [required]
[object]
Queries for selecting logs analyzed by the job.
aggregation
enum
The aggregation type.
Allowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
distinctFields
[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
[string]
Fields to group by.
hasOptionalGroupByFields
boolean
When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with N/A, replacing the missing values.
metric
string
DEPRECATED: (Deprecated) The target field to aggregate over when using the sum or max
aggregations. metrics field should be used instead.
metrics
[string]
Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.
name
string
Name of the query.
query
string
Query to run on logs.
referenceTables
[object]
Reference tables for the rule.
checkPresence
boolean
Whether to include or exclude the matched values.
columnName
string
The name of the column in the reference table.
logFieldPath
string
The field in the log to match against the reference table.
ruleQueryName
string
The name of the rule query to apply the reference table to.
tableName
string
The name of the reference table.
tags
[string]
Tags for generated signals.
thirdPartyCases
[object]
Cases for generating results from third-party rules. Only available for third-party rules.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
query
string
A query to map a third party event to this case.
status [required]
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
to [required]
int64
Ending time of data analyzed by the job.
type
string
Job type.
jobName
string
Job name.
jobStatus
string
Job status.
modifiedAt
string
Last modification time of the job.
id
string
ID of the job.
type
enum
Type of payload.
Allowed enum values: historicalDetectionsJob
meta
object
Metadata about the list of jobs.
totalCount
int32
Number of jobs in the list.
{"data":[{"attributes":{"createdAt":"string","createdByHandle":"string","createdByName":"string","createdFromRuleId":"string","jobDefinition":{"calculatedFields":[{"expression":"@request_end_timestamp - @request_start_timestamp","name":"response_time"}],"cases":[{"condition":"string","name":"string","notifications":[],"status":"critical"}],"filters":[{"action":"string","query":"string"}],"from":1729843470000,"index":"cloud_siem","message":"A large number of failed login attempts.","name":"Excessive number of failed attempts.","options":{"complianceRuleOptions":{"complexRule":false,"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(resource) = \"skip\" if {\n # Logic that evaluates to true if the resource should be skipped\n true\n} else = \"pass\" {\n # Logic that evaluates to true if the resource is compliant\n true\n} else = \"fail\" {\n # Logic that evaluates to true if the resource is not compliant\n true\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n some resource in input.resources[input.main_resource_type]\n result := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_service_account","gcp_iam_policy"]},"resourceType":"aws_acm"},"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"string","evaluationWindow":"integer","hardcodedEvaluatorType":"string","impossibleTravelOptions":{"baselineUserLocations":true},"keepAlive":"integer","maxSignalDuration":"integer","newValueOptions":{"forgetAfter":"integer","learningDuration":"integer","learningMethod":"string","learningThreshold":"integer"},"thirdPartyRuleOptions":{"defaultNotifications":[],"defaultStatus":"critical","rootQueries":[{"groupByFields":[],"query":"source:cloudtrail"}],"signalTitleTemplate":"string"}},"queries":[{"aggregation":"string","distinctFields":[],"groupByFields":[],"hasOptionalGroupByFields":false,"metric":"string","metrics":[],"name":"string","query":"a > 3"}],"referenceTables":[{"checkPresence":false,"columnName":"string","logFieldPath":"string","ruleQueryName":"string","tableName":"string"}],"tags":[],"thirdPartyCases":[{"name":"string","notifications":[],"query":"string","status":"critical"}],"to":1729847070000,"type":"string"},"jobName":"string","jobStatus":"string","modifiedAt":"string"},"id":"string","type":"string"}],"meta":{"totalCount":"integer"}}
ID of the rule used to create the job (if it is created from a rule).
jobDefinition
object
Definition of a historical job.
calculatedFields
[object]
Calculated fields.
expression [required]
string
Expression.
name [required]
string
Field name.
cases [required]
[object]
Cases used for generating job results.
condition
string
A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated
based on the event counts in the previously defined queries.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
status [required]
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
filters
[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
enum
The type of filtering action.
Allowed enum values: require,suppress
query
string
Query for selecting logs to apply the filtering action.
from [required]
int64
Starting time of data analyzed by the job.
index [required]
string
Index used to load the data.
message [required]
string
Message for generated results.
name [required]
string
Job name.
options
object
Options on rules.
complianceRuleOptions
object
Options for cloud_configuration rules.
Fields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.
complexRule
boolean
Whether the rule is a complex one.
Must be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
string
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.
decreaseCriticalityBasedOnEnv
boolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.
The severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO.
The decrement is applied when the environment tag of the signal starts with staging, test or dev.
detectionMethod
enum
The detection method.
Allowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold
evaluationWindow
enum
A time window is specified to match when at least one of the cases matches true. This is a sliding window
and evaluates in real time. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular
access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
enum
Once a signal is generated, the signal will remain “open” if a case is matched at least once within
this keep alive window. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600
maxSignalDuration
enum
A signal will “close” regardless of the query being matched once the time exceeds the maximum duration.
This time is calculated from the first seen timestamp.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
object
Options on new value rules.
forgetAfter
enum
The duration in days after which a learned value is forgotten.
Allowed enum values: 1,2,7,14,21,28
learningDuration
enum
The duration in days during which values are learned, and after which signals will be generated for values that
weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned.
Allowed enum values: 0,1,7
learningMethod
enum
The learning method used to determine when signals should be generated for values that weren't learned.
Allowed enum values: duration,threshold
default: duration
learningThreshold
enum
A number of occurrences after which signals will be generated for values that weren't learned.
Allowed enum values: 0,1
thirdPartyRuleOptions
object
Options on third party rules.
defaultNotifications
[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
rootQueries
[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
[string]
Fields to group by.
query
string
Query to run on logs.
signalTitleTemplate
string
A template for the signal title; if omitted, the title is generated based on the case name.
queries [required]
[object]
Queries for selecting logs analyzed by the job.
aggregation
enum
The aggregation type.
Allowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
distinctFields
[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
[string]
Fields to group by.
hasOptionalGroupByFields
boolean
When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with N/A, replacing the missing values.
metric
string
DEPRECATED: (Deprecated) The target field to aggregate over when using the sum or max
aggregations. metrics field should be used instead.
metrics
[string]
Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.
name
string
Name of the query.
query
string
Query to run on logs.
referenceTables
[object]
Reference tables for the rule.
checkPresence
boolean
Whether to include or exclude the matched values.
columnName
string
The name of the column in the reference table.
logFieldPath
string
The field in the log to match against the reference table.
ruleQueryName
string
The name of the rule query to apply the reference table to.
tableName
string
The name of the reference table.
tags
[string]
Tags for generated signals.
thirdPartyCases
[object]
Cases for generating results from third-party rules. Only available for third-party rules.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
query
string
A query to map a third party event to this case.
status [required]
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
to [required]
int64
Ending time of data analyzed by the job.
type
string
Job type.
jobName
string
Job name.
jobStatus
string
Job status.
modifiedAt
string
Last modification time of the job.
id
string
ID of the job.
type
enum
Type of payload.
Allowed enum values: historicalDetectionsJob
{"data":{"attributes":{"createdAt":"string","createdByHandle":"string","createdByName":"string","createdFromRuleId":"string","jobDefinition":{"calculatedFields":[{"expression":"@request_end_timestamp - @request_start_timestamp","name":"response_time"}],"cases":[{"condition":"string","name":"string","notifications":[],"status":"critical"}],"filters":[{"action":"string","query":"string"}],"from":1729843470000,"index":"cloud_siem","message":"A large number of failed login attempts.","name":"Excessive number of failed attempts.","options":{"complianceRuleOptions":{"complexRule":false,"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(resource) = \"skip\" if {\n # Logic that evaluates to true if the resource should be skipped\n true\n} else = \"pass\" {\n # Logic that evaluates to true if the resource is compliant\n true\n} else = \"fail\" {\n # Logic that evaluates to true if the resource is not compliant\n true\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n some resource in input.resources[input.main_resource_type]\n result := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_iam_service_account","gcp_iam_policy"]},"resourceType":"aws_acm"},"decreaseCriticalityBasedOnEnv":false,"detectionMethod":"string","evaluationWindow":"integer","hardcodedEvaluatorType":"string","impossibleTravelOptions":{"baselineUserLocations":true},"keepAlive":"integer","maxSignalDuration":"integer","newValueOptions":{"forgetAfter":"integer","learningDuration":"integer","learningMethod":"string","learningThreshold":"integer"},"thirdPartyRuleOptions":{"defaultNotifications":[],"defaultStatus":"critical","rootQueries":[{"groupByFields":[],"query":"source:cloudtrail"}],"signalTitleTemplate":"string"}},"queries":[{"aggregation":"string","distinctFields":[],"groupByFields":[],"hasOptionalGroupByFields":false,"metric":"string","metrics":[],"name":"string","query":"a > 3"}],"referenceTables":[{"checkPresence":false,"columnName":"string","logFieldPath":"string","ruleQueryName":"string","tableName":"string"}],"tags":[],"thirdPartyCases":[{"name":"string","notifications":[],"query":"string","status":"critical"}],"to":1729847070000,"type":"string"},"jobName":"string","jobStatus":"string","modifiedAt":"string"},"id":"string","type":"string"}}
Data for converting historical job results to signals.
attributes
object
Attributes for converting historical job results to signals.
id
string
Request ID.
jobResultIds [required]
[string]
Job result IDs.
notifications [required]
[string]
Notifications sent.
signalMessage [required]
string
Message of generated signals.
signalSeverity [required]
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
type
enum
Type of payload.
Allowed enum values: historicalDetectionsJobResultSignalConversion
{"data":{"attributes":{"id":"string","jobResultIds":[""],"notifications":[""],"signalMessage":"A large number of failed login attempts.","signalSeverity":"critical"},"type":"string"}}