- 필수 기능
- 시작하기
- Glossary
- 표준 속성
- Guides
- Agent
- 통합
- 개방형텔레메트리
- 개발자
- API
- Datadog Mobile App
- CoScreen
- Cloudcraft
- 앱 내
- 서비스 관리
- 인프라스트럭처
- 애플리케이션 성능
- APM
- Continuous Profiler
- 스팬 시각화
- 데이터 스트림 모니터링
- 데이터 작업 모니터링
- 디지털 경험
- 소프트웨어 제공
- 보안
- AI Observability
- 로그 관리
- 관리
보안 규칙, 신호, 필터 등을 생성하고 관리하세요. 자세한 정보는 Datadog 보안 페이지를 참고하세요.
POST https://api.ap1.datadoghq.com/api/v2/security_monitoring/configuration/suppressionshttps://api.datadoghq.eu/api/v2/security_monitoring/configuration/suppressionshttps://api.ddog-gov.com/api/v2/security_monitoring/configuration/suppressionshttps://api.datadoghq.com/api/v2/security_monitoring/configuration/suppressionshttps://api.us3.datadoghq.com/api/v2/security_monitoring/configuration/suppressionshttps://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/suppressions
Create a new suppression rule.
OAuth apps require the security_monitoring_suppressions_write
authorization scope to access this endpoint.
The definition of the new suppression rule.
항목
유형
설명
data [required]
object
Object for a single suppression rule.
attributes [required]
object
Object containing the attributes of the suppression rule to be created.
data_exclusion_query
string
An exclusion query on the input data of the security rules, which could be logs, Agent events, or other types of data based on the security rule. Events matching this query are ignored by any detection rules referenced in the suppression rule.
description
string
A description for the suppression rule.
enabled [required]
boolean
Whether the suppression rule is enabled.
expiration_date
int64
A Unix millisecond timestamp giving an expiration date for the suppression rule. After this date, it won't suppress signals anymore.
name [required]
string
The name of the suppression rule.
rule_query [required]
string
The rule query of the suppression rule, with the same syntax as the search bar for detection rules.
suppression_query
string
The suppression query of the suppression rule. If a signal matches this query, it is suppressed and is not triggered. It uses the same syntax as the queries to search signals in the Signals Explorer.
type [required]
enum
The type of the resource. The value should always be suppressions
.
Allowed enum values: suppressions
default: suppressions
{
"data": {
"attributes": {
"description": "This rule suppresses low-severity signals in staging environments.",
"enabled": true,
"expiration_date": 1638443471000,
"name": "Example-Security-Monitoring",
"rule_query": "type:log_detection source:cloudtrail",
"suppression_query": "env:staging status:low"
},
"type": "suppressions"
}
}
{
"data": {
"attributes": {
"description": "This rule suppresses low-severity signals in staging environments.",
"enabled": true,
"expiration_date": 1638443471000,
"name": "Example-Security-Monitoring",
"rule_query": "type:log_detection source:cloudtrail",
"data_exclusion_query": "account_id:12345"
},
"type": "suppressions"
}
}
OK
Response object containing a single suppression rule.
항목
유형
설명
data
object
The suppression rule's properties.
attributes
object
The attributes of the suppression rule.
creation_date
int64
A Unix millisecond timestamp given the creation date of the suppression rule.
creator
object
A user.
handle
string
The handle of the user.
name
string
The name of the user.
data_exclusion_query
string
An exclusion query on the input data of the security rules, which could be logs, Agent events, or other types of data based on the security rule. Events matching this query are ignored by any detection rules referenced in the suppression rule.
description
string
A description for the suppression rule.
editable
boolean
Whether the suppression rule is editable.
enabled
boolean
Whether the suppression rule is enabled.
expiration_date
int64
A Unix millisecond timestamp giving an expiration date for the suppression rule. After this date, it won't suppress signals anymore.
name
string
The name of the suppression rule.
rule_query
string
The rule query of the suppression rule, with the same syntax as the search bar for detection rules.
suppression_query
string
The suppression query of the suppression rule. If a signal matches this query, it is suppressed and not triggered. Same syntax as the queries to search signals in the signal explorer.
update_date
int64
A Unix millisecond timestamp given the update date of the suppression rule.
updater
object
A user.
handle
string
The handle of the user.
name
string
The name of the user.
version
int32
The version of the suppression rule; it starts at 1, and is incremented at each update.
id
string
The ID of the suppression rule.
type
enum
The type of the resource. The value should always be suppressions
.
Allowed enum values: suppressions
default: suppressions
{
"data": {
"attributes": {
"creation_date": "integer",
"creator": {
"handle": "john.doe@datadoghq.com",
"name": "John Doe"
},
"data_exclusion_query": "source:cloudtrail account_id:12345",
"description": "This rule suppresses low-severity signals in staging environments.",
"editable": true,
"enabled": true,
"expiration_date": 1703187336000,
"name": "Custom suppression",
"rule_query": "type:log_detection source:cloudtrail",
"suppression_query": "env:staging status:low",
"update_date": "integer",
"updater": {
"handle": "john.doe@datadoghq.com",
"name": "John Doe"
},
"version": 42
},
"id": "3dd-0uc-h1s",
"type": "suppressions"
}
}
Bad Request
API error response.
{
"errors": [
"Bad Request"
]
}
Not Authorized
API error response.
{
"errors": [
"Bad Request"
]
}
Conflict
API error response.
{
"errors": [
"Bad Request"
]
}
Too many requests
API error response.
{
"errors": [
"Bad Request"
]
}
# Curl command
curl -X POST "https://api.ap1.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/suppressions" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
"data": {
"attributes": {
"description": "This rule suppresses low-severity signals in staging environments.",
"enabled": true,
"expiration_date": 1638443471000,
"name": "Example-Security-Monitoring",
"rule_query": "type:log_detection source:cloudtrail",
"suppression_query": "env:staging status:low"
},
"type": "suppressions"
}
}
EOF
# Curl command
curl -X POST "https://api.ap1.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/suppressions" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
"data": {
"attributes": {
"description": "This rule suppresses low-severity signals in staging environments.",
"enabled": true,
"expiration_date": 1638443471000,
"name": "Example-Security-Monitoring",
"rule_query": "type:log_detection source:cloudtrail",
"data_exclusion_query": "account_id:12345"
},
"type": "suppressions"
}
}
EOF
// Create a suppression rule returns "OK" response
package main
import (
"context"
"encoding/json"
"fmt"
"os"
"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)
func main() {
body := datadogV2.SecurityMonitoringSuppressionCreateRequest{
Data: datadogV2.SecurityMonitoringSuppressionCreateData{
Attributes: datadogV2.SecurityMonitoringSuppressionCreateAttributes{
Description: datadog.PtrString("This rule suppresses low-severity signals in staging environments."),
Enabled: true,
ExpirationDate: datadog.PtrInt64(1638443471000),
Name: "Example-Security-Monitoring",
RuleQuery: "type:log_detection source:cloudtrail",
SuppressionQuery: datadog.PtrString("env:staging status:low"),
},
Type: datadogV2.SECURITYMONITORINGSUPPRESSIONTYPE_SUPPRESSIONS,
},
}
ctx := datadog.NewDefaultContext(context.Background())
configuration := datadog.NewConfiguration()
apiClient := datadog.NewAPIClient(configuration)
api := datadogV2.NewSecurityMonitoringApi(apiClient)
resp, r, err := api.CreateSecurityMonitoringSuppression(ctx, body)
if err != nil {
fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.CreateSecurityMonitoringSuppression`: %v\n", err)
fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
}
responseContent, _ := json.MarshalIndent(resp, "", " ")
fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.CreateSecurityMonitoringSuppression`:\n%s\n", responseContent)
}
// Create a suppression rule with an exclusion query returns "OK" response
package main
import (
"context"
"encoding/json"
"fmt"
"os"
"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)
func main() {
body := datadogV2.SecurityMonitoringSuppressionCreateRequest{
Data: datadogV2.SecurityMonitoringSuppressionCreateData{
Attributes: datadogV2.SecurityMonitoringSuppressionCreateAttributes{
Description: datadog.PtrString("This rule suppresses low-severity signals in staging environments."),
Enabled: true,
ExpirationDate: datadog.PtrInt64(1638443471000),
Name: "Example-Security-Monitoring",
RuleQuery: "type:log_detection source:cloudtrail",
DataExclusionQuery: datadog.PtrString("account_id:12345"),
},
Type: datadogV2.SECURITYMONITORINGSUPPRESSIONTYPE_SUPPRESSIONS,
},
}
ctx := datadog.NewDefaultContext(context.Background())
configuration := datadog.NewConfiguration()
apiClient := datadog.NewAPIClient(configuration)
api := datadogV2.NewSecurityMonitoringApi(apiClient)
resp, r, err := api.CreateSecurityMonitoringSuppression(ctx, body)
if err != nil {
fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.CreateSecurityMonitoringSuppression`: %v\n", err)
fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
}
responseContent, _ := json.MarshalIndent(resp, "", " ")
fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.CreateSecurityMonitoringSuppression`:\n%s\n", responseContent)
}
First install the library and its dependencies and then save the example to main.go
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
// Create a suppression rule returns "OK" response
import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionCreateAttributes;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionCreateData;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionCreateRequest;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionResponse;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionType;
public class Example {
public static void main(String[] args) {
ApiClient defaultClient = ApiClient.getDefaultApiClient();
SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);
SecurityMonitoringSuppressionCreateRequest body =
new SecurityMonitoringSuppressionCreateRequest()
.data(
new SecurityMonitoringSuppressionCreateData()
.attributes(
new SecurityMonitoringSuppressionCreateAttributes()
.description(
"This rule suppresses low-severity signals in staging"
+ " environments.")
.enabled(true)
.expirationDate(1638443471000L)
.name("Example-Security-Monitoring")
.ruleQuery("type:log_detection source:cloudtrail")
.suppressionQuery("env:staging status:low"))
.type(SecurityMonitoringSuppressionType.SUPPRESSIONS));
try {
SecurityMonitoringSuppressionResponse result =
apiInstance.createSecurityMonitoringSuppression(body);
System.out.println(result);
} catch (ApiException e) {
System.err.println(
"Exception when calling SecurityMonitoringApi#createSecurityMonitoringSuppression");
System.err.println("Status code: " + e.getCode());
System.err.println("Reason: " + e.getResponseBody());
System.err.println("Response headers: " + e.getResponseHeaders());
e.printStackTrace();
}
}
}
// Create a suppression rule with an exclusion query returns "OK" response
import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionCreateAttributes;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionCreateData;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionCreateRequest;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionResponse;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionType;
public class Example {
public static void main(String[] args) {
ApiClient defaultClient = ApiClient.getDefaultApiClient();
SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);
SecurityMonitoringSuppressionCreateRequest body =
new SecurityMonitoringSuppressionCreateRequest()
.data(
new SecurityMonitoringSuppressionCreateData()
.attributes(
new SecurityMonitoringSuppressionCreateAttributes()
.description(
"This rule suppresses low-severity signals in staging"
+ " environments.")
.enabled(true)
.expirationDate(1638443471000L)
.name("Example-Security-Monitoring")
.ruleQuery("type:log_detection source:cloudtrail")
.dataExclusionQuery("account_id:12345"))
.type(SecurityMonitoringSuppressionType.SUPPRESSIONS));
try {
SecurityMonitoringSuppressionResponse result =
apiInstance.createSecurityMonitoringSuppression(body);
System.out.println(result);
} catch (ApiException e) {
System.err.println(
"Exception when calling SecurityMonitoringApi#createSecurityMonitoringSuppression");
System.err.println("Status code: " + e.getCode());
System.err.println("Reason: " + e.getResponseBody());
System.err.println("Response headers: " + e.getResponseHeaders());
e.printStackTrace();
}
}
}
First install the library and its dependencies and then save the example to Example.java
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
"""
Create a suppression rule returns "OK" response
"""
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_suppression_create_attributes import (
SecurityMonitoringSuppressionCreateAttributes,
)
from datadog_api_client.v2.model.security_monitoring_suppression_create_data import (
SecurityMonitoringSuppressionCreateData,
)
from datadog_api_client.v2.model.security_monitoring_suppression_create_request import (
SecurityMonitoringSuppressionCreateRequest,
)
from datadog_api_client.v2.model.security_monitoring_suppression_type import SecurityMonitoringSuppressionType
body = SecurityMonitoringSuppressionCreateRequest(
data=SecurityMonitoringSuppressionCreateData(
attributes=SecurityMonitoringSuppressionCreateAttributes(
description="This rule suppresses low-severity signals in staging environments.",
enabled=True,
expiration_date=1638443471000,
name="Example-Security-Monitoring",
rule_query="type:log_detection source:cloudtrail",
suppression_query="env:staging status:low",
),
type=SecurityMonitoringSuppressionType.SUPPRESSIONS,
),
)
configuration = Configuration()
with ApiClient(configuration) as api_client:
api_instance = SecurityMonitoringApi(api_client)
response = api_instance.create_security_monitoring_suppression(body=body)
print(response)
"""
Create a suppression rule with an exclusion query returns "OK" response
"""
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_suppression_create_attributes import (
SecurityMonitoringSuppressionCreateAttributes,
)
from datadog_api_client.v2.model.security_monitoring_suppression_create_data import (
SecurityMonitoringSuppressionCreateData,
)
from datadog_api_client.v2.model.security_monitoring_suppression_create_request import (
SecurityMonitoringSuppressionCreateRequest,
)
from datadog_api_client.v2.model.security_monitoring_suppression_type import SecurityMonitoringSuppressionType
body = SecurityMonitoringSuppressionCreateRequest(
data=SecurityMonitoringSuppressionCreateData(
attributes=SecurityMonitoringSuppressionCreateAttributes(
description="This rule suppresses low-severity signals in staging environments.",
enabled=True,
expiration_date=1638443471000,
name="Example-Security-Monitoring",
rule_query="type:log_detection source:cloudtrail",
data_exclusion_query="account_id:12345",
),
type=SecurityMonitoringSuppressionType.SUPPRESSIONS,
),
)
configuration = Configuration()
with ApiClient(configuration) as api_client:
api_instance = SecurityMonitoringApi(api_client)
response = api_instance.create_security_monitoring_suppression(body=body)
print(response)
First install the library and its dependencies and then save the example to example.py
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
# Create a suppression rule returns "OK" response
require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
body = DatadogAPIClient::V2::SecurityMonitoringSuppressionCreateRequest.new({
data: DatadogAPIClient::V2::SecurityMonitoringSuppressionCreateData.new({
attributes: DatadogAPIClient::V2::SecurityMonitoringSuppressionCreateAttributes.new({
description: "This rule suppresses low-severity signals in staging environments.",
enabled: true,
expiration_date: 1638443471000,
name: "Example-Security-Monitoring",
rule_query: "type:log_detection source:cloudtrail",
suppression_query: "env:staging status:low",
}),
type: DatadogAPIClient::V2::SecurityMonitoringSuppressionType::SUPPRESSIONS,
}),
})
p api_instance.create_security_monitoring_suppression(body)
# Create a suppression rule with an exclusion query returns "OK" response
require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
body = DatadogAPIClient::V2::SecurityMonitoringSuppressionCreateRequest.new({
data: DatadogAPIClient::V2::SecurityMonitoringSuppressionCreateData.new({
attributes: DatadogAPIClient::V2::SecurityMonitoringSuppressionCreateAttributes.new({
description: "This rule suppresses low-severity signals in staging environments.",
enabled: true,
expiration_date: 1638443471000,
name: "Example-Security-Monitoring",
rule_query: "type:log_detection source:cloudtrail",
data_exclusion_query: "account_id:12345",
}),
type: DatadogAPIClient::V2::SecurityMonitoringSuppressionType::SUPPRESSIONS,
}),
})
p api_instance.create_security_monitoring_suppression(body)
First install the library and its dependencies and then save the example to example.rb
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
// Create a suppression rule returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringSuppressionCreateAttributes;
use datadog_api_client::datadogV2::model::SecurityMonitoringSuppressionCreateData;
use datadog_api_client::datadogV2::model::SecurityMonitoringSuppressionCreateRequest;
use datadog_api_client::datadogV2::model::SecurityMonitoringSuppressionType;
#[tokio::main]
async fn main() {
let body = SecurityMonitoringSuppressionCreateRequest::new(
SecurityMonitoringSuppressionCreateData::new(
SecurityMonitoringSuppressionCreateAttributes::new(
true,
"Example-Security-Monitoring".to_string(),
"type:log_detection source:cloudtrail".to_string(),
)
.description(
"This rule suppresses low-severity signals in staging environments.".to_string(),
)
.expiration_date(1638443471000)
.suppression_query("env:staging status:low".to_string()),
SecurityMonitoringSuppressionType::SUPPRESSIONS,
),
);
let configuration = datadog::Configuration::new();
let api = SecurityMonitoringAPI::with_config(configuration);
let resp = api.create_security_monitoring_suppression(body).await;
if let Ok(value) = resp {
println!("{:#?}", value);
} else {
println!("{:#?}", resp.unwrap_err());
}
}
// Create a suppression rule with an exclusion query returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringSuppressionCreateAttributes;
use datadog_api_client::datadogV2::model::SecurityMonitoringSuppressionCreateData;
use datadog_api_client::datadogV2::model::SecurityMonitoringSuppressionCreateRequest;
use datadog_api_client::datadogV2::model::SecurityMonitoringSuppressionType;
#[tokio::main]
async fn main() {
let body = SecurityMonitoringSuppressionCreateRequest::new(
SecurityMonitoringSuppressionCreateData::new(
SecurityMonitoringSuppressionCreateAttributes::new(
true,
"Example-Security-Monitoring".to_string(),
"type:log_detection source:cloudtrail".to_string(),
)
.data_exclusion_query("account_id:12345".to_string())
.description(
"This rule suppresses low-severity signals in staging environments.".to_string(),
)
.expiration_date(1638443471000),
SecurityMonitoringSuppressionType::SUPPRESSIONS,
),
);
let configuration = datadog::Configuration::new();
let api = SecurityMonitoringAPI::with_config(configuration);
let resp = api.create_security_monitoring_suppression(body).await;
if let Ok(value) = resp {
println!("{:#?}", value);
} else {
println!("{:#?}", resp.unwrap_err());
}
}
First install the library and its dependencies and then save the example to src/main.rs
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
/**
* Create a suppression rule returns "OK" response
*/
import { client, v2 } from "@datadog/datadog-api-client";
const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);
const params: v2.SecurityMonitoringApiCreateSecurityMonitoringSuppressionRequest =
{
body: {
data: {
attributes: {
description:
"This rule suppresses low-severity signals in staging environments.",
enabled: true,
expirationDate: 1638443471000,
name: "Example-Security-Monitoring",
ruleQuery: "type:log_detection source:cloudtrail",
suppressionQuery: "env:staging status:low",
},
type: "suppressions",
},
},
};
apiInstance
.createSecurityMonitoringSuppression(params)
.then((data: v2.SecurityMonitoringSuppressionResponse) => {
console.log(
"API called successfully. Returned data: " + JSON.stringify(data)
);
})
.catch((error: any) => console.error(error));
/**
* Create a suppression rule with an exclusion query returns "OK" response
*/
import { client, v2 } from "@datadog/datadog-api-client";
const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);
const params: v2.SecurityMonitoringApiCreateSecurityMonitoringSuppressionRequest =
{
body: {
data: {
attributes: {
description:
"This rule suppresses low-severity signals in staging environments.",
enabled: true,
expirationDate: 1638443471000,
name: "Example-Security-Monitoring",
ruleQuery: "type:log_detection source:cloudtrail",
dataExclusionQuery: "account_id:12345",
},
type: "suppressions",
},
},
};
apiInstance
.createSecurityMonitoringSuppression(params)
.then((data: v2.SecurityMonitoringSuppressionResponse) => {
console.log(
"API called successfully. Returned data: " + JSON.stringify(data)
);
})
.catch((error: any) => console.error(error));
First install the library and its dependencies and then save the example to example.ts
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
DELETE https://api.ap1.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id}https://api.datadoghq.eu/api/v2/security_monitoring/configuration/suppressions/{suppression_id}https://api.ddog-gov.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id}https://api.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id}https://api.us3.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id}https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id}
Delete a specific suppression rule.
OAuth apps require the security_monitoring_suppressions_write
authorization scope to access this endpoint.
이름
유형
설명
suppression_id [required]
string
The ID of the suppression rule
OK
Not Authorized
API error response.
{
"errors": [
"Bad Request"
]
}
Not Found
API error response.
{
"errors": [
"Bad Request"
]
}
Too many requests
API error response.
{
"errors": [
"Bad Request"
]
}
# Path parameters
export suppression_id="CHANGE_ME"
# Curl command
curl -X DELETE "https://api.ap1.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/${suppression_id}" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
"""
Delete a suppression rule returns "OK" response
"""
from os import environ
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
# there is a valid "suppression" in the system
SUPPRESSION_DATA_ID = environ["SUPPRESSION_DATA_ID"]
configuration = Configuration()
with ApiClient(configuration) as api_client:
api_instance = SecurityMonitoringApi(api_client)
api_instance.delete_security_monitoring_suppression(
suppression_id=SUPPRESSION_DATA_ID,
)
First install the library and its dependencies and then save the example to example.py
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
# Delete a suppression rule returns "OK" response
require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
# there is a valid "suppression" in the system
SUPPRESSION_DATA_ID = ENV["SUPPRESSION_DATA_ID"]
api_instance.delete_security_monitoring_suppression(SUPPRESSION_DATA_ID)
First install the library and its dependencies and then save the example to example.rb
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
// Delete a suppression rule returns "OK" response
package main
import (
"context"
"fmt"
"os"
"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)
func main() {
// there is a valid "suppression" in the system
SuppressionDataID := os.Getenv("SUPPRESSION_DATA_ID")
ctx := datadog.NewDefaultContext(context.Background())
configuration := datadog.NewConfiguration()
apiClient := datadog.NewAPIClient(configuration)
api := datadogV2.NewSecurityMonitoringApi(apiClient)
r, err := api.DeleteSecurityMonitoringSuppression(ctx, SuppressionDataID)
if err != nil {
fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.DeleteSecurityMonitoringSuppression`: %v\n", err)
fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
}
}
First install the library and its dependencies and then save the example to main.go
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
// Delete a suppression rule returns "OK" response
import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
public class Example {
public static void main(String[] args) {
ApiClient defaultClient = ApiClient.getDefaultApiClient();
SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);
// there is a valid "suppression" in the system
String SUPPRESSION_DATA_ID = System.getenv("SUPPRESSION_DATA_ID");
try {
apiInstance.deleteSecurityMonitoringSuppression(SUPPRESSION_DATA_ID);
} catch (ApiException e) {
System.err.println(
"Exception when calling SecurityMonitoringApi#deleteSecurityMonitoringSuppression");
System.err.println("Status code: " + e.getCode());
System.err.println("Reason: " + e.getResponseBody());
System.err.println("Response headers: " + e.getResponseHeaders());
e.printStackTrace();
}
}
}
First install the library and its dependencies and then save the example to Example.java
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
// Delete a suppression rule returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
#[tokio::main]
async fn main() {
// there is a valid "suppression" in the system
let suppression_data_id = std::env::var("SUPPRESSION_DATA_ID").unwrap();
let configuration = datadog::Configuration::new();
let api = SecurityMonitoringAPI::with_config(configuration);
let resp = api
.delete_security_monitoring_suppression(suppression_data_id.clone())
.await;
if let Ok(value) = resp {
println!("{:#?}", value);
} else {
println!("{:#?}", resp.unwrap_err());
}
}
First install the library and its dependencies and then save the example to src/main.rs
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
/**
* Delete a suppression rule returns "OK" response
*/
import { client, v2 } from "@datadog/datadog-api-client";
const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);
// there is a valid "suppression" in the system
const SUPPRESSION_DATA_ID = process.env.SUPPRESSION_DATA_ID as string;
const params: v2.SecurityMonitoringApiDeleteSecurityMonitoringSuppressionRequest =
{
suppressionId: SUPPRESSION_DATA_ID,
};
apiInstance
.deleteSecurityMonitoringSuppression(params)
.then((data: any) => {
console.log(
"API called successfully. Returned data: " + JSON.stringify(data)
);
})
.catch((error: any) => console.error(error));
First install the library and its dependencies and then save the example to example.ts
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
GET https://api.ap1.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id}https://api.datadoghq.eu/api/v2/security_monitoring/configuration/suppressions/{suppression_id}https://api.ddog-gov.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id}https://api.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id}https://api.us3.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id}https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id}
Get the details of a specific suppression rule.
OAuth apps require the security_monitoring_suppressions_read
authorization scope to access this endpoint.
이름
유형
설명
suppression_id [required]
string
The ID of the suppression rule
OK
Response object containing a single suppression rule.
항목
유형
설명
data
object
The suppression rule's properties.
attributes
object
The attributes of the suppression rule.
creation_date
int64
A Unix millisecond timestamp given the creation date of the suppression rule.
creator
object
A user.
handle
string
The handle of the user.
name
string
The name of the user.
data_exclusion_query
string
An exclusion query on the input data of the security rules, which could be logs, Agent events, or other types of data based on the security rule. Events matching this query are ignored by any detection rules referenced in the suppression rule.
description
string
A description for the suppression rule.
editable
boolean
Whether the suppression rule is editable.
enabled
boolean
Whether the suppression rule is enabled.
expiration_date
int64
A Unix millisecond timestamp giving an expiration date for the suppression rule. After this date, it won't suppress signals anymore.
name
string
The name of the suppression rule.
rule_query
string
The rule query of the suppression rule, with the same syntax as the search bar for detection rules.
suppression_query
string
The suppression query of the suppression rule. If a signal matches this query, it is suppressed and not triggered. Same syntax as the queries to search signals in the signal explorer.
update_date
int64
A Unix millisecond timestamp given the update date of the suppression rule.
updater
object
A user.
handle
string
The handle of the user.
name
string
The name of the user.
version
int32
The version of the suppression rule; it starts at 1, and is incremented at each update.
id
string
The ID of the suppression rule.
type
enum
The type of the resource. The value should always be suppressions
.
Allowed enum values: suppressions
default: suppressions
{
"data": {
"attributes": {
"creation_date": "integer",
"creator": {
"handle": "john.doe@datadoghq.com",
"name": "John Doe"
},
"data_exclusion_query": "source:cloudtrail account_id:12345",
"description": "This rule suppresses low-severity signals in staging environments.",
"editable": true,
"enabled": true,
"expiration_date": 1703187336000,
"name": "Custom suppression",
"rule_query": "type:log_detection source:cloudtrail",
"suppression_query": "env:staging status:low",
"update_date": "integer",
"updater": {
"handle": "john.doe@datadoghq.com",
"name": "John Doe"
},
"version": 42
},
"id": "3dd-0uc-h1s",
"type": "suppressions"
}
}
Not Authorized
API error response.
{
"errors": [
"Bad Request"
]
}
Not Found
API error response.
{
"errors": [
"Bad Request"
]
}
Too many requests
API error response.
{
"errors": [
"Bad Request"
]
}
# Path parameters
export suppression_id="CHANGE_ME"
# Curl command
curl -X GET "https://api.ap1.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/${suppression_id}" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
"""
Get a suppression rule returns "OK" response
"""
from os import environ
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
# there is a valid "suppression" in the system
SUPPRESSION_DATA_ID = environ["SUPPRESSION_DATA_ID"]
configuration = Configuration()
with ApiClient(configuration) as api_client:
api_instance = SecurityMonitoringApi(api_client)
response = api_instance.get_security_monitoring_suppression(
suppression_id=SUPPRESSION_DATA_ID,
)
print(response)
First install the library and its dependencies and then save the example to example.py
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
# Get a suppression rule returns "OK" response
require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
# there is a valid "suppression" in the system
SUPPRESSION_DATA_ID = ENV["SUPPRESSION_DATA_ID"]
p api_instance.get_security_monitoring_suppression(SUPPRESSION_DATA_ID)
First install the library and its dependencies and then save the example to example.rb
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
// Get a suppression rule returns "OK" response
package main
import (
"context"
"encoding/json"
"fmt"
"os"
"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)
func main() {
// there is a valid "suppression" in the system
SuppressionDataID := os.Getenv("SUPPRESSION_DATA_ID")
ctx := datadog.NewDefaultContext(context.Background())
configuration := datadog.NewConfiguration()
apiClient := datadog.NewAPIClient(configuration)
api := datadogV2.NewSecurityMonitoringApi(apiClient)
resp, r, err := api.GetSecurityMonitoringSuppression(ctx, SuppressionDataID)
if err != nil {
fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.GetSecurityMonitoringSuppression`: %v\n", err)
fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
}
responseContent, _ := json.MarshalIndent(resp, "", " ")
fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.GetSecurityMonitoringSuppression`:\n%s\n", responseContent)
}
First install the library and its dependencies and then save the example to main.go
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
// Get a suppression rule returns "OK" response
import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionResponse;
public class Example {
public static void main(String[] args) {
ApiClient defaultClient = ApiClient.getDefaultApiClient();
SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);
// there is a valid "suppression" in the system
String SUPPRESSION_DATA_ID = System.getenv("SUPPRESSION_DATA_ID");
try {
SecurityMonitoringSuppressionResponse result =
apiInstance.getSecurityMonitoringSuppression(SUPPRESSION_DATA_ID);
System.out.println(result);
} catch (ApiException e) {
System.err.println(
"Exception when calling SecurityMonitoringApi#getSecurityMonitoringSuppression");
System.err.println("Status code: " + e.getCode());
System.err.println("Reason: " + e.getResponseBody());
System.err.println("Response headers: " + e.getResponseHeaders());
e.printStackTrace();
}
}
}
First install the library and its dependencies and then save the example to Example.java
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
// Get a suppression rule returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
#[tokio::main]
async fn main() {
// there is a valid "suppression" in the system
let suppression_data_id = std::env::var("SUPPRESSION_DATA_ID").unwrap();
let configuration = datadog::Configuration::new();
let api = SecurityMonitoringAPI::with_config(configuration);
let resp = api
.get_security_monitoring_suppression(suppression_data_id.clone())
.await;
if let Ok(value) = resp {
println!("{:#?}", value);
} else {
println!("{:#?}", resp.unwrap_err());
}
}
First install the library and its dependencies and then save the example to src/main.rs
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
/**
* Get a suppression rule returns "OK" response
*/
import { client, v2 } from "@datadog/datadog-api-client";
const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);
// there is a valid "suppression" in the system
const SUPPRESSION_DATA_ID = process.env.SUPPRESSION_DATA_ID as string;
const params: v2.SecurityMonitoringApiGetSecurityMonitoringSuppressionRequest =
{
suppressionId: SUPPRESSION_DATA_ID,
};
apiInstance
.getSecurityMonitoringSuppression(params)
.then((data: v2.SecurityMonitoringSuppressionResponse) => {
console.log(
"API called successfully. Returned data: " + JSON.stringify(data)
);
})
.catch((error: any) => console.error(error));
First install the library and its dependencies and then save the example to example.ts
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
GET https://api.ap1.datadoghq.com/api/v2/security_monitoring/configuration/suppressionshttps://api.datadoghq.eu/api/v2/security_monitoring/configuration/suppressionshttps://api.ddog-gov.com/api/v2/security_monitoring/configuration/suppressionshttps://api.datadoghq.com/api/v2/security_monitoring/configuration/suppressionshttps://api.us3.datadoghq.com/api/v2/security_monitoring/configuration/suppressionshttps://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/suppressions
Get the list of all suppression rules.
OAuth apps require the security_monitoring_suppressions_read
authorization scope to access this endpoint.
OK
Response object containing the available suppression rules.
항목
유형
설명
data
[object]
A list of suppressions objects.
attributes
object
The attributes of the suppression rule.
creation_date
int64
A Unix millisecond timestamp given the creation date of the suppression rule.
creator
object
A user.
handle
string
The handle of the user.
name
string
The name of the user.
data_exclusion_query
string
An exclusion query on the input data of the security rules, which could be logs, Agent events, or other types of data based on the security rule. Events matching this query are ignored by any detection rules referenced in the suppression rule.
description
string
A description for the suppression rule.
editable
boolean
Whether the suppression rule is editable.
enabled
boolean
Whether the suppression rule is enabled.
expiration_date
int64
A Unix millisecond timestamp giving an expiration date for the suppression rule. After this date, it won't suppress signals anymore.
name
string
The name of the suppression rule.
rule_query
string
The rule query of the suppression rule, with the same syntax as the search bar for detection rules.
suppression_query
string
The suppression query of the suppression rule. If a signal matches this query, it is suppressed and not triggered. Same syntax as the queries to search signals in the signal explorer.
update_date
int64
A Unix millisecond timestamp given the update date of the suppression rule.
updater
object
A user.
handle
string
The handle of the user.
name
string
The name of the user.
version
int32
The version of the suppression rule; it starts at 1, and is incremented at each update.
id
string
The ID of the suppression rule.
type
enum
The type of the resource. The value should always be suppressions
.
Allowed enum values: suppressions
default: suppressions
{
"data": [
{
"attributes": {
"creation_date": "integer",
"creator": {
"handle": "john.doe@datadoghq.com",
"name": "John Doe"
},
"data_exclusion_query": "source:cloudtrail account_id:12345",
"description": "This rule suppresses low-severity signals in staging environments.",
"editable": true,
"enabled": true,
"expiration_date": 1703187336000,
"name": "Custom suppression",
"rule_query": "type:log_detection source:cloudtrail",
"suppression_query": "env:staging status:low",
"update_date": "integer",
"updater": {
"handle": "john.doe@datadoghq.com",
"name": "John Doe"
},
"version": 42
},
"id": "3dd-0uc-h1s",
"type": "suppressions"
}
]
}
Not Authorized
API error response.
{
"errors": [
"Bad Request"
]
}
Too many requests
API error response.
{
"errors": [
"Bad Request"
]
}
# Curl command
curl -X GET "https://api.ap1.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/suppressions" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
"""
Get all suppression rules returns "OK" response
"""
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
configuration = Configuration()
with ApiClient(configuration) as api_client:
api_instance = SecurityMonitoringApi(api_client)
response = api_instance.list_security_monitoring_suppressions()
print(response)
First install the library and its dependencies and then save the example to example.py
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
# Get all suppression rules returns "OK" response
require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
p api_instance.list_security_monitoring_suppressions()
First install the library and its dependencies and then save the example to example.rb
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
// Get all suppression rules returns "OK" response
package main
import (
"context"
"encoding/json"
"fmt"
"os"
"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)
func main() {
ctx := datadog.NewDefaultContext(context.Background())
configuration := datadog.NewConfiguration()
apiClient := datadog.NewAPIClient(configuration)
api := datadogV2.NewSecurityMonitoringApi(apiClient)
resp, r, err := api.ListSecurityMonitoringSuppressions(ctx)
if err != nil {
fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.ListSecurityMonitoringSuppressions`: %v\n", err)
fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
}
responseContent, _ := json.MarshalIndent(resp, "", " ")
fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.ListSecurityMonitoringSuppressions`:\n%s\n", responseContent)
}
First install the library and its dependencies and then save the example to main.go
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
// Get all suppression rules returns "OK" response
import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionsResponse;
public class Example {
public static void main(String[] args) {
ApiClient defaultClient = ApiClient.getDefaultApiClient();
SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);
try {
SecurityMonitoringSuppressionsResponse result =
apiInstance.listSecurityMonitoringSuppressions();
System.out.println(result);
} catch (ApiException e) {
System.err.println(
"Exception when calling SecurityMonitoringApi#listSecurityMonitoringSuppressions");
System.err.println("Status code: " + e.getCode());
System.err.println("Reason: " + e.getResponseBody());
System.err.println("Response headers: " + e.getResponseHeaders());
e.printStackTrace();
}
}
}
First install the library and its dependencies and then save the example to Example.java
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
// Get all suppression rules returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
#[tokio::main]
async fn main() {
let configuration = datadog::Configuration::new();
let api = SecurityMonitoringAPI::with_config(configuration);
let resp = api.list_security_monitoring_suppressions().await;
if let Ok(value) = resp {
println!("{:#?}", value);
} else {
println!("{:#?}", resp.unwrap_err());
}
}
First install the library and its dependencies and then save the example to src/main.rs
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
/**
* Get all suppression rules returns "OK" response
*/
import { client, v2 } from "@datadog/datadog-api-client";
const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);
apiInstance
.listSecurityMonitoringSuppressions()
.then((data: v2.SecurityMonitoringSuppressionsResponse) => {
console.log(
"API called successfully. Returned data: " + JSON.stringify(data)
);
})
.catch((error: any) => console.error(error));
First install the library and its dependencies and then save the example to example.ts
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
PATCH https://api.ap1.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id}https://api.datadoghq.eu/api/v2/security_monitoring/configuration/suppressions/{suppression_id}https://api.ddog-gov.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id}https://api.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id}https://api.us3.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id}https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/{suppression_id}
Update a specific suppression rule.
OAuth apps require the security_monitoring_suppressions_write
authorization scope to access this endpoint.
이름
유형
설명
suppression_id [required]
string
The ID of the suppression rule
New definition of the suppression rule. Supports partial updates.
항목
유형
설명
data [required]
object
The new suppression properties; partial updates are supported.
attributes [required]
object
The suppression rule properties to be updated.
data_exclusion_query
string
An exclusion query on the input data of the security rules, which could be logs, Agent events, or other types of data based on the security rule. Events matching this query are ignored by any detection rules referenced in the suppression rule.
description
string
A description for the suppression rule.
enabled
boolean
Whether the suppression rule is enabled.
expiration_date
int64
A Unix millisecond timestamp giving an expiration date for the suppression rule. After this date, it won't suppress signals anymore. If unset, the expiration date of the suppression rule is left untouched. If set to null
, the expiration date is removed.
name
string
The name of the suppression rule.
rule_query
string
The rule query of the suppression rule, with the same syntax as the search bar for detection rules.
suppression_query
string
The suppression query of the suppression rule. If a signal matches this query, it is suppressed and not triggered. Same syntax as the queries to search signals in the signal explorer.
version
int32
The current version of the suppression. This is optional, but it can help prevent concurrent modifications.
type [required]
enum
The type of the resource. The value should always be suppressions
.
Allowed enum values: suppressions
default: suppressions
{
"data": {
"attributes": {
"suppression_query": "env:staging status:low"
},
"type": "suppressions"
}
}
OK
Response object containing a single suppression rule.
항목
유형
설명
data
object
The suppression rule's properties.
attributes
object
The attributes of the suppression rule.
creation_date
int64
A Unix millisecond timestamp given the creation date of the suppression rule.
creator
object
A user.
handle
string
The handle of the user.
name
string
The name of the user.
data_exclusion_query
string
An exclusion query on the input data of the security rules, which could be logs, Agent events, or other types of data based on the security rule. Events matching this query are ignored by any detection rules referenced in the suppression rule.
description
string
A description for the suppression rule.
editable
boolean
Whether the suppression rule is editable.
enabled
boolean
Whether the suppression rule is enabled.
expiration_date
int64
A Unix millisecond timestamp giving an expiration date for the suppression rule. After this date, it won't suppress signals anymore.
name
string
The name of the suppression rule.
rule_query
string
The rule query of the suppression rule, with the same syntax as the search bar for detection rules.
suppression_query
string
The suppression query of the suppression rule. If a signal matches this query, it is suppressed and not triggered. Same syntax as the queries to search signals in the signal explorer.
update_date
int64
A Unix millisecond timestamp given the update date of the suppression rule.
updater
object
A user.
handle
string
The handle of the user.
name
string
The name of the user.
version
int32
The version of the suppression rule; it starts at 1, and is incremented at each update.
id
string
The ID of the suppression rule.
type
enum
The type of the resource. The value should always be suppressions
.
Allowed enum values: suppressions
default: suppressions
{
"data": {
"attributes": {
"creation_date": "integer",
"creator": {
"handle": "john.doe@datadoghq.com",
"name": "John Doe"
},
"data_exclusion_query": "source:cloudtrail account_id:12345",
"description": "This rule suppresses low-severity signals in staging environments.",
"editable": true,
"enabled": true,
"expiration_date": 1703187336000,
"name": "Custom suppression",
"rule_query": "type:log_detection source:cloudtrail",
"suppression_query": "env:staging status:low",
"update_date": "integer",
"updater": {
"handle": "john.doe@datadoghq.com",
"name": "John Doe"
},
"version": 42
},
"id": "3dd-0uc-h1s",
"type": "suppressions"
}
}
Bad Request
API error response.
{
"errors": [
"Bad Request"
]
}
Not Authorized
API error response.
{
"errors": [
"Bad Request"
]
}
Not Found
API error response.
{
"errors": [
"Bad Request"
]
}
Concurrent Modification
API error response.
{
"errors": [
"Bad Request"
]
}
Too many requests
API error response.
{
"errors": [
"Bad Request"
]
}
# Path parameters
export suppression_id="CHANGE_ME"
# Curl command
curl -X PATCH "https://api.ap1.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/${suppression_id}" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
"data": {
"attributes": {
"suppression_query": "env:staging status:low"
},
"type": "suppressions"
}
}
EOF
// Update a suppression rule returns "OK" response
package main
import (
"context"
"encoding/json"
"fmt"
"os"
"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)
func main() {
// there is a valid "suppression" in the system
SuppressionDataID := os.Getenv("SUPPRESSION_DATA_ID")
body := datadogV2.SecurityMonitoringSuppressionUpdateRequest{
Data: datadogV2.SecurityMonitoringSuppressionUpdateData{
Attributes: datadogV2.SecurityMonitoringSuppressionUpdateAttributes{
SuppressionQuery: datadog.PtrString("env:staging status:low"),
},
Type: datadogV2.SECURITYMONITORINGSUPPRESSIONTYPE_SUPPRESSIONS,
},
}
ctx := datadog.NewDefaultContext(context.Background())
configuration := datadog.NewConfiguration()
apiClient := datadog.NewAPIClient(configuration)
api := datadogV2.NewSecurityMonitoringApi(apiClient)
resp, r, err := api.UpdateSecurityMonitoringSuppression(ctx, SuppressionDataID, body)
if err != nil {
fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.UpdateSecurityMonitoringSuppression`: %v\n", err)
fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
}
responseContent, _ := json.MarshalIndent(resp, "", " ")
fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.UpdateSecurityMonitoringSuppression`:\n%s\n", responseContent)
}
First install the library and its dependencies and then save the example to main.go
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
// Update a suppression rule returns "OK" response
import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionResponse;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionType;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionUpdateAttributes;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionUpdateData;
import com.datadog.api.client.v2.model.SecurityMonitoringSuppressionUpdateRequest;
public class Example {
public static void main(String[] args) {
ApiClient defaultClient = ApiClient.getDefaultApiClient();
SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);
// there is a valid "suppression" in the system
String SUPPRESSION_DATA_ID = System.getenv("SUPPRESSION_DATA_ID");
SecurityMonitoringSuppressionUpdateRequest body =
new SecurityMonitoringSuppressionUpdateRequest()
.data(
new SecurityMonitoringSuppressionUpdateData()
.attributes(
new SecurityMonitoringSuppressionUpdateAttributes()
.suppressionQuery("env:staging status:low"))
.type(SecurityMonitoringSuppressionType.SUPPRESSIONS));
try {
SecurityMonitoringSuppressionResponse result =
apiInstance.updateSecurityMonitoringSuppression(SUPPRESSION_DATA_ID, body);
System.out.println(result);
} catch (ApiException e) {
System.err.println(
"Exception when calling SecurityMonitoringApi#updateSecurityMonitoringSuppression");
System.err.println("Status code: " + e.getCode());
System.err.println("Reason: " + e.getResponseBody());
System.err.println("Response headers: " + e.getResponseHeaders());
e.printStackTrace();
}
}
}
First install the library and its dependencies and then save the example to Example.java
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
"""
Update a suppression rule returns "OK" response
"""
from os import environ
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_suppression_type import SecurityMonitoringSuppressionType
from datadog_api_client.v2.model.security_monitoring_suppression_update_attributes import (
SecurityMonitoringSuppressionUpdateAttributes,
)
from datadog_api_client.v2.model.security_monitoring_suppression_update_data import (
SecurityMonitoringSuppressionUpdateData,
)
from datadog_api_client.v2.model.security_monitoring_suppression_update_request import (
SecurityMonitoringSuppressionUpdateRequest,
)
# there is a valid "suppression" in the system
SUPPRESSION_DATA_ID = environ["SUPPRESSION_DATA_ID"]
body = SecurityMonitoringSuppressionUpdateRequest(
data=SecurityMonitoringSuppressionUpdateData(
attributes=SecurityMonitoringSuppressionUpdateAttributes(
suppression_query="env:staging status:low",
),
type=SecurityMonitoringSuppressionType.SUPPRESSIONS,
),
)
configuration = Configuration()
with ApiClient(configuration) as api_client:
api_instance = SecurityMonitoringApi(api_client)
response = api_instance.update_security_monitoring_suppression(suppression_id=SUPPRESSION_DATA_ID, body=body)
print(response)
First install the library and its dependencies and then save the example to example.py
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
# Update a suppression rule returns "OK" response
require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
# there is a valid "suppression" in the system
SUPPRESSION_DATA_ID = ENV["SUPPRESSION_DATA_ID"]
body = DatadogAPIClient::V2::SecurityMonitoringSuppressionUpdateRequest.new({
data: DatadogAPIClient::V2::SecurityMonitoringSuppressionUpdateData.new({
attributes: DatadogAPIClient::V2::SecurityMonitoringSuppressionUpdateAttributes.new({
suppression_query: "env:staging status:low",
}),
type: DatadogAPIClient::V2::SecurityMonitoringSuppressionType::SUPPRESSIONS,
}),
})
p api_instance.update_security_monitoring_suppression(SUPPRESSION_DATA_ID, body)
First install the library and its dependencies and then save the example to example.rb
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
// Update a suppression rule returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringSuppressionType;
use datadog_api_client::datadogV2::model::SecurityMonitoringSuppressionUpdateAttributes;
use datadog_api_client::datadogV2::model::SecurityMonitoringSuppressionUpdateData;
use datadog_api_client::datadogV2::model::SecurityMonitoringSuppressionUpdateRequest;
#[tokio::main]
async fn main() {
// there is a valid "suppression" in the system
let suppression_data_id = std::env::var("SUPPRESSION_DATA_ID").unwrap();
let body = SecurityMonitoringSuppressionUpdateRequest::new(
SecurityMonitoringSuppressionUpdateData::new(
SecurityMonitoringSuppressionUpdateAttributes::new()
.suppression_query("env:staging status:low".to_string()),
SecurityMonitoringSuppressionType::SUPPRESSIONS,
),
);
let configuration = datadog::Configuration::new();
let api = SecurityMonitoringAPI::with_config(configuration);
let resp = api
.update_security_monitoring_suppression(suppression_data_id.clone(), body)
.await;
if let Ok(value) = resp {
println!("{:#?}", value);
} else {
println!("{:#?}", resp.unwrap_err());
}
}
First install the library and its dependencies and then save the example to src/main.rs
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
/**
* Update a suppression rule returns "OK" response
*/
import { client, v2 } from "@datadog/datadog-api-client";
const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);
// there is a valid "suppression" in the system
const SUPPRESSION_DATA_ID = process.env.SUPPRESSION_DATA_ID as string;
const params: v2.SecurityMonitoringApiUpdateSecurityMonitoringSuppressionRequest =
{
body: {
data: {
attributes: {
suppressionQuery: "env:staging status:low",
},
type: "suppressions",
},
},
suppressionId: SUPPRESSION_DATA_ID,
};
apiInstance
.updateSecurityMonitoringSuppression(params)
.then((data: v2.SecurityMonitoringSuppressionResponse) => {
console.log(
"API called successfully. Returned data: " + JSON.stringify(data)
);
})
.catch((error: any) => console.error(error));
First install the library and its dependencies and then save the example to example.ts
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
Note: This endpoint is in public beta. If you have any feedback, contact Datadog support.
GET https://api.ap1.datadoghq.com/api/v2/posture_management/findingshttps://api.datadoghq.eu/api/v2/posture_management/findingshttps://api.ddog-gov.com/api/v2/posture_management/findingshttps://api.datadoghq.com/api/v2/posture_management/findingshttps://api.us3.datadoghq.com/api/v2/posture_management/findingshttps://api.us5.datadoghq.com/api/v2/posture_management/findings
Get a list of findings. These include both misconfigurations and identity risks.
Filters can be applied by appending query parameters to the URL.
?filter[attribute_key]=attribute_value
?filter[attribute_key]=attribute_value&filter[attribute_key]=attribute_value...
?filter[tags]=tag_key:tag_value&filter[tags]=tag_key_2:tag_value_2
Here, attribute_key
can be any of the filter keys described further below.
Query parameters of type integer
support comparison operators (>
, >=
, <
, <=
). This is particularly useful when filtering by evaluation_changed_at
or resource_discovery_timestamp
. For example: ?filter[evaluation_changed_at]=>20123123121
.
You can also use the negation operator on strings. For example, use filter[resource_type]=-aws*
to filter for any non-AWS resources.
The operator must come after the equal sign. For example, to filter with the >=
operator, add the operator after the equal sign: filter[evaluation_changed_at]=>=1678809373257
.
Query parameters must be only among the documented ones and with values of correct types. Duplicated query parameters (e.g. filter[status]=low&filter[status]=info
) are not allowed.
The response includes an array of finding objects, pagination metadata, and a count of items that match the query.
Each finding object contains the following:
GetFinding
request to retrieve the full finding details.evaluation_changed_at
and resource_discovery_date
time stamps.OAuth apps require the security_monitoring_findings_read
authorization scope to access this endpoint.
이름
유형
설명
page[limit]
integer
Limit the number of findings returned. Must be <= 1000.
snapshot_timestamp
integer
Return findings for a given snapshot of time (Unix ms).
page[cursor]
string
Return the next page of findings pointed to by the cursor.
filter[tags]
string
Return findings that have these associated tags (repeatable).
filter[evaluation_changed_at]
string
Return findings that have changed from pass to fail or vice versa on a specified date (Unix ms) or date range (using comparison operators).
filter[muted]
boolean
Set to true
to return findings that are muted. Set to false
to return unmuted findings.
filter[rule_id]
string
Return findings for the specified rule ID.
filter[rule_name]
string
Return findings for the specified rule.
filter[resource_type]
string
Return only findings for the specified resource type.
filter[discovery_timestamp]
string
Return findings that were found on a specified date (Unix ms) or date range (using comparison operators).
filter[evaluation]
enum
Return only pass
or fail
findings.
Allowed enum values: pass, fail
filter[status]
enum
Return only findings with the specified status.
Allowed enum values: critical, high, medium, low, info
filter[vulnerability_type]
array
Return findings that match the selected vulnerability types (repeatable).
OK
The expected response schema when listing findings.
항목
유형
설명
data [required]
[object]
Array of findings.
attributes
object
The JSON:API attributes of the finding.
evaluation
enum
The evaluation of the finding.
Allowed enum values: pass,fail
evaluation_changed_at
int64
The date on which the evaluation for this finding changed (Unix ms).
mute
object
Information about the mute status of this finding.
description
string
Additional information about the reason why this finding is muted or unmuted.
expiration_date
int64
The expiration date of the mute or unmute action (Unix ms).
muted
boolean
Whether this finding is muted or unmuted.
reason
enum
The reason why this finding is muted or unmuted.
Allowed enum values: PENDING_FIX,FALSE_POSITIVE,ACCEPTED_RISK,NO_PENDING_FIX,HUMAN_ERROR,NO_LONGER_ACCEPTED_RISK,OTHER
start_date
int64
The start of the mute period.
uuid
string
The ID of the user who muted or unmuted this finding.
resource
string
The resource name of this finding.
resource_discovery_date
int64
The date on which the resource was discovered (Unix ms).
resource_type
string
The resource type of this finding.
rule
object
The rule that triggered this finding.
id
string
The ID of the rule that triggered this finding.
name
string
The name of the rule that triggered this finding.
status
enum
The status of the finding.
Allowed enum values: critical,high,medium,low,info
tags
[string]
The tags associated with this finding.
vulnerability_type
enum
The vulnerability type of the finding.
Allowed enum values: misconfiguration,attack_path,identity_risk,api_security
id
string
The unique ID for this finding.
type
enum
The JSON:API type for findings.
Allowed enum values: finding
default: finding
meta [required]
object
Metadata for pagination.
page
object
Pagination and findings count information.
cursor
string
The cursor used to paginate requests.
total_filtered_count
int64
The total count of findings after the filter has been applied.
snapshot_timestamp
int64
The point in time corresponding to the listed findings.
{
"data": [
{
"attributes": {
"evaluation": "pass",
"evaluation_changed_at": 1678721573794,
"mute": {
"description": "To be resolved later",
"expiration_date": 1778721573794,
"muted": true,
"reason": "ACCEPTED_RISK",
"start_date": 1678721573794,
"uuid": "e51c9744-d158-11ec-ad23-da7ad0900002"
},
"resource": "my_resource_name",
"resource_discovery_date": 1678721573794,
"resource_type": "azure_storage_account",
"rule": {
"id": "dv2-jzf-41i",
"name": "Soft delete is enabled for Azure Storage"
},
"status": "critical",
"tags": [
"cloud_provider:aws",
"myTag:myValue"
],
"vulnerability_type": "misconfiguration"
},
"id": "ZGVmLTAwcC1pZXJ-aS0wZjhjNjMyZDNmMzRlZTgzNw==",
"type": "finding"
}
],
"meta": {
"page": {
"cursor": "eyJhZnRlciI6IkFRQUFBWWJiaEJXQS1OY1dqUUFBQUFCQldXSmlhRUpYUVVGQlJFSktkbTlDTUdaWFRVbDNRVUUiLCJ2YWx1ZXMiOlsiY3JpdGljYWwiXX0=",
"total_filtered_count": 213
},
"snapshot_timestamp": 1678721573794
}
}
Bad Request: The server cannot process the request due to invalid syntax in the request.
API error response.
항목
유형
설명
errors [required]
[object]
A list of errors.
detail
string
A human-readable explanation specific to this occurrence of the error.
status
string
Status code of the response.
title
string
Short human-readable summary of the error.
{
"errors": [
{
"detail": "Missing required attribute in body",
"status": "400",
"title": "Bad Request"
}
]
}
Forbidden: Access denied
API error response.
항목
유형
설명
errors [required]
[object]
A list of errors.
detail
string
A human-readable explanation specific to this occurrence of the error.
status
string
Status code of the response.
title
string
Short human-readable summary of the error.
{
"errors": [
{
"detail": "Missing required attribute in body",
"status": "400",
"title": "Bad Request"
}
]
}
Not Found: The requested finding cannot be found.
API error response.
항목
유형
설명
errors [required]
[object]
A list of errors.
detail
string
A human-readable explanation specific to this occurrence of the error.
status
string
Status code of the response.
title
string
Short human-readable summary of the error.
{
"errors": [
{
"detail": "Missing required attribute in body",
"status": "400",
"title": "Bad Request"
}
]
}
Too many requests: The rate limit set by the API has been exceeded.
API error response.
항목
유형
설명
errors [required]
[object]
A list of errors.
detail
string
A human-readable explanation specific to this occurrence of the error.
status
string
Status code of the response.
title
string
Short human-readable summary of the error.
{
"errors": [
{
"detail": "Missing required attribute in body",
"status": "400",
"title": "Bad Request"
}
]
}
# Curl command
curl -X GET "https://api.ap1.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/posture_management/findings" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
"""
List findings returns "OK" response
"""
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
configuration = Configuration()
configuration.unstable_operations["list_findings"] = True
with ApiClient(configuration) as api_client:
api_instance = SecurityMonitoringApi(api_client)
response = api_instance.list_findings()
print(response)
First install the library and its dependencies and then save the example to example.py
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
# List findings returns "OK" response
require "datadog_api_client"
DatadogAPIClient.configure do |config|
config.unstable_operations["v2.list_findings".to_sym] = true
end
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
p api_instance.list_findings()
First install the library and its dependencies and then save the example to example.rb
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
// List findings returns "OK" response
package main
import (
"context"
"encoding/json"
"fmt"
"os"
"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)
func main() {
ctx := datadog.NewDefaultContext(context.Background())
configuration := datadog.NewConfiguration()
configuration.SetUnstableOperationEnabled("v2.ListFindings", true)
apiClient := datadog.NewAPIClient(configuration)
api := datadogV2.NewSecurityMonitoringApi(apiClient)
resp, r, err := api.ListFindings(ctx, *datadogV2.NewListFindingsOptionalParameters())
if err != nil {
fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.ListFindings`: %v\n", err)
fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
}
responseContent, _ := json.MarshalIndent(resp, "", " ")
fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.ListFindings`:\n%s\n", responseContent)
}
First install the library and its dependencies and then save the example to main.go
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
// List findings returns "OK" response
import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.ListFindingsResponse;
public class Example {
public static void main(String[] args) {
ApiClient defaultClient = ApiClient.getDefaultApiClient();
defaultClient.setUnstableOperationEnabled("v2.listFindings", true);
SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);
try {
ListFindingsResponse result = apiInstance.listFindings();
System.out.println(result);
} catch (ApiException e) {
System.err.println("Exception when calling SecurityMonitoringApi#listFindings");
System.err.println("Status code: " + e.getCode());
System.err.println("Reason: " + e.getResponseBody());
System.err.println("Response headers: " + e.getResponseHeaders());
e.printStackTrace();
}
}
}
First install the library and its dependencies and then save the example to Example.java
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
// List findings returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::ListFindingsOptionalParams;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
#[tokio::main]
async fn main() {
let mut configuration = datadog::Configuration::new();
configuration.set_unstable_operation_enabled("v2.ListFindings", true);
let api = SecurityMonitoringAPI::with_config(configuration);
let resp = api
.list_findings(ListFindingsOptionalParams::default())
.await;
if let Ok(value) = resp {
println!("{:#?}", value);
} else {
println!("{:#?}", resp.unwrap_err());
}
}
First install the library and its dependencies and then save the example to src/main.rs
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
/**
* List findings returns "OK" response
*/
import { client, v2 } from "@datadog/datadog-api-client";
const configuration = client.createConfiguration();
configuration.unstableOperations["v2.listFindings"] = true;
const apiInstance = new v2.SecurityMonitoringApi(configuration);
apiInstance
.listFindings()
.then((data: v2.ListFindingsResponse) => {
console.log(
"API called successfully. Returned data: " + JSON.stringify(data)
);
})
.catch((error: any) => console.error(error));
First install the library and its dependencies and then save the example to example.ts
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
Note: This endpoint is in public beta. If you have any feedback, contact Datadog support.
GET https://api.ap1.datadoghq.com/api/v2/posture_management/findings/{finding_id}https://api.datadoghq.eu/api/v2/posture_management/findings/{finding_id}https://api.ddog-gov.com/api/v2/posture_management/findings/{finding_id}https://api.datadoghq.com/api/v2/posture_management/findings/{finding_id}https://api.us3.datadoghq.com/api/v2/posture_management/findings/{finding_id}https://api.us5.datadoghq.com/api/v2/posture_management/findings/{finding_id}
Returns a single finding with message and resource configuration.
OAuth apps require the security_monitoring_findings_read
authorization scope to access this endpoint.
이름
유형
설명
finding_id [required]
string
The ID of the finding.
이름
유형
설명
snapshot_timestamp
integer
Return the finding for a given snapshot of time (Unix ms).
OK
The expected response schema when getting a finding.
항목
유형
설명
data [required]
object
A single finding with with message and resource configuration.
attributes
object
The JSON:API attributes of the detailed finding.
evaluation
enum
The evaluation of the finding.
Allowed enum values: pass,fail
evaluation_changed_at
int64
The date on which the evaluation for this finding changed (Unix ms).
message
string
The remediation message for this finding.
mute
object
Information about the mute status of this finding.
description
string
Additional information about the reason why this finding is muted or unmuted.
expiration_date
int64
The expiration date of the mute or unmute action (Unix ms).
muted
boolean
Whether this finding is muted or unmuted.
reason
enum
The reason why this finding is muted or unmuted.
Allowed enum values: PENDING_FIX,FALSE_POSITIVE,ACCEPTED_RISK,NO_PENDING_FIX,HUMAN_ERROR,NO_LONGER_ACCEPTED_RISK,OTHER
start_date
int64
The start of the mute period.
uuid
string
The ID of the user who muted or unmuted this finding.
resource
string
The resource name of this finding.
resource_configuration
object
The resource configuration for this finding.
resource_discovery_date
int64
The date on which the resource was discovered (Unix ms).
resource_type
string
The resource type of this finding.
rule
object
The rule that triggered this finding.
id
string
The ID of the rule that triggered this finding.
name
string
The name of the rule that triggered this finding.
status
enum
The status of the finding.
Allowed enum values: critical,high,medium,low,info
tags
[string]
The tags associated with this finding.
id
string
The unique ID for this finding.
type
enum
The JSON:API type for findings that have the message and resource configuration.
Allowed enum values: detailed_finding
default: detailed_finding
{
"data": {
"attributes": {
"evaluation": "pass",
"evaluation_changed_at": 1678721573794,
"message": "## Remediation\n\n### From the console\n\n1. Go to Storage Account\n2. For each Storage Account, navigate to Data Protection\n3. Select Set soft delete enabled and enter the number of days to retain soft deleted data.",
"mute": {
"description": "To be resolved later",
"expiration_date": 1778721573794,
"muted": true,
"reason": "ACCEPTED_RISK",
"start_date": 1678721573794,
"uuid": "e51c9744-d158-11ec-ad23-da7ad0900002"
},
"resource": "my_resource_name",
"resource_configuration": {},
"resource_discovery_date": 1678721573794,
"resource_type": "azure_storage_account",
"rule": {
"id": "dv2-jzf-41i",
"name": "Soft delete is enabled for Azure Storage"
},
"status": "critical",
"tags": [
"cloud_provider:aws",
"myTag:myValue"
]
},
"id": "ZGVmLTAwcC1pZXJ-aS0wZjhjNjMyZDNmMzRlZTgzNw==",
"type": "detailed_finding"
}
}
Bad Request: The server cannot process the request due to invalid syntax in the request.
API error response.
항목
유형
설명
errors [required]
[object]
A list of errors.
detail
string
A human-readable explanation specific to this occurrence of the error.
status
string
Status code of the response.
title
string
Short human-readable summary of the error.
{
"errors": [
{
"detail": "Missing required attribute in body",
"status": "400",
"title": "Bad Request"
}
]
}
Forbidden: Access denied
API error response.
항목
유형
설명
errors [required]
[object]
A list of errors.
detail
string
A human-readable explanation specific to this occurrence of the error.
status
string
Status code of the response.
title
string
Short human-readable summary of the error.
{
"errors": [
{
"detail": "Missing required attribute in body",
"status": "400",
"title": "Bad Request"
}
]
}
Not Found: The requested finding cannot be found.
API error response.
항목
유형
설명
errors [required]
[object]
A list of errors.
detail
string
A human-readable explanation specific to this occurrence of the error.
status
string
Status code of the response.
title
string
Short human-readable summary of the error.
{
"errors": [
{
"detail": "Missing required attribute in body",
"status": "400",
"title": "Bad Request"
}
]
}
Too many requests: The rate limit set by the API has been exceeded.
API error response.
항목
유형
설명
errors [required]
[object]
A list of errors.
detail
string
A human-readable explanation specific to this occurrence of the error.
status
string
Status code of the response.
title
string
Short human-readable summary of the error.
{
"errors": [
{
"detail": "Missing required attribute in body",
"status": "400",
"title": "Bad Request"
}
]
}
# Path parameters
export finding_id="CHANGE_ME"
# Curl command
curl -X GET "https://api.ap1.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/posture_management/findings/${finding_id}" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
"""
Get a finding returns "OK" response
"""
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
configuration = Configuration()
configuration.unstable_operations["get_finding"] = True
with ApiClient(configuration) as api_client:
api_instance = SecurityMonitoringApi(api_client)
response = api_instance.get_finding(
finding_id="AgAAAYd59gjghzF52gAAAAAAAAAYAAAAAEFZZDU5Z2pnQUFCRTRvV1lFeEo4SlFBQQAAACQAAAAAMDE4NzdhMDEtMDRiYS00NTZlLWFmMzMtNTIxNmNkNjVlNDMz",
)
print(response)
First install the library and its dependencies and then save the example to example.py
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
# Get a finding returns "OK" response
require "datadog_api_client"
DatadogAPIClient.configure do |config|
config.unstable_operations["v2.get_finding".to_sym] = true
end
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
p api_instance.get_finding("AgAAAYd59gjghzF52gAAAAAAAAAYAAAAAEFZZDU5Z2pnQUFCRTRvV1lFeEo4SlFBQQAAACQAAAAAMDE4NzdhMDEtMDRiYS00NTZlLWFmMzMtNTIxNmNkNjVlNDMz")
First install the library and its dependencies and then save the example to example.rb
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
// Get a finding returns "OK" response
package main
import (
"context"
"encoding/json"
"fmt"
"os"
"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)
func main() {
ctx := datadog.NewDefaultContext(context.Background())
configuration := datadog.NewConfiguration()
configuration.SetUnstableOperationEnabled("v2.GetFinding", true)
apiClient := datadog.NewAPIClient(configuration)
api := datadogV2.NewSecurityMonitoringApi(apiClient)
resp, r, err := api.GetFinding(ctx, "AgAAAYd59gjghzF52gAAAAAAAAAYAAAAAEFZZDU5Z2pnQUFCRTRvV1lFeEo4SlFBQQAAACQAAAAAMDE4NzdhMDEtMDRiYS00NTZlLWFmMzMtNTIxNmNkNjVlNDMz", *datadogV2.NewGetFindingOptionalParameters())
if err != nil {
fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.GetFinding`: %v\n", err)
fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
}
responseContent, _ := json.MarshalIndent(resp, "", " ")
fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.GetFinding`:\n%s\n", responseContent)
}
First install the library and its dependencies and then save the example to main.go
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
// Get a finding returns "OK" response
import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.GetFindingResponse;
public class Example {
public static void main(String[] args) {
ApiClient defaultClient = ApiClient.getDefaultApiClient();
defaultClient.setUnstableOperationEnabled("v2.getFinding", true);
SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);
try {
GetFindingResponse result =
apiInstance.getFinding(
"AgAAAYd59gjghzF52gAAAAAAAAAYAAAAAEFZZDU5Z2pnQUFCRTRvV1lFeEo4SlFBQQAAACQAAAAAMDE4NzdhMDEtMDRiYS00NTZlLWFmMzMtNTIxNmNkNjVlNDMz");
System.out.println(result);
} catch (ApiException e) {
System.err.println("Exception when calling SecurityMonitoringApi#getFinding");
System.err.println("Status code: " + e.getCode());
System.err.println("Reason: " + e.getResponseBody());
System.err.println("Response headers: " + e.getResponseHeaders());
e.printStackTrace();
}
}
}
First install the library and its dependencies and then save the example to Example.java
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
// Get a finding returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::GetFindingOptionalParams;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
#[tokio::main]
async fn main() {
let mut configuration = datadog::Configuration::new();
configuration.set_unstable_operation_enabled("v2.GetFinding", true);
let api = SecurityMonitoringAPI::with_config(configuration);
let resp =
api
.get_finding(
"AgAAAYd59gjghzF52gAAAAAAAAAYAAAAAEFZZDU5Z2pnQUFCRTRvV1lFeEo4SlFBQQAAACQAAAAAMDE4NzdhMDEtMDRiYS00NTZlLWFmMzMtNTIxNmNkNjVlNDMz".to_string(),
GetFindingOptionalParams::default(),
)
.await;
if let Ok(value) = resp {
println!("{:#?}", value);
} else {
println!("{:#?}", resp.unwrap_err());
}
}
First install the library and its dependencies and then save the example to src/main.rs
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
/**
* Get a finding returns "OK" response
*/
import { client, v2 } from "@datadog/datadog-api-client";
const configuration = client.createConfiguration();
configuration.unstableOperations["v2.getFinding"] = true;
const apiInstance = new v2.SecurityMonitoringApi(configuration);
const params: v2.SecurityMonitoringApiGetFindingRequest = {
findingId:
"AgAAAYd59gjghzF52gAAAAAAAAAYAAAAAEFZZDU5Z2pnQUFCRTRvV1lFeEo4SlFBQQAAACQAAAAAMDE4NzdhMDEtMDRiYS00NTZlLWFmMzMtNTIxNmNkNjVlNDMz",
};
apiInstance
.getFinding(params)
.then((data: v2.GetFindingResponse) => {
console.log(
"API called successfully. Returned data: " + JSON.stringify(data)
);
})
.catch((error: any) => console.error(error));
First install the library and its dependencies and then save the example to example.ts
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
Note: This endpoint is in public beta. If you have any feedback, contact Datadog support.
PATCH https://api.ap1.datadoghq.com/api/v2/posture_management/findingshttps://api.datadoghq.eu/api/v2/posture_management/findingshttps://api.ddog-gov.com/api/v2/posture_management/findingshttps://api.datadoghq.com/api/v2/posture_management/findingshttps://api.us3.datadoghq.com/api/v2/posture_management/findingshttps://api.us5.datadoghq.com/api/v2/posture_management/findings
Mute or unmute findings.
All findings are updated with the same attributes. The request body must include at least two attributes: muted
and reason
.
The allowed reasons depend on whether the finding is being muted or unmuted:
PENDING_FIX
, FALSE_POSITIVE
, ACCEPTED_RISK
, OTHER
.NO_PENDING_FIX
, HUMAN_ERROR
, NO_LONGER_ACCEPTED_RISK
, OTHER
.The request body must include a list of the finding IDs to be updated.
항목
유형
설명
data [required]
object
Data object containing the new bulk mute properties of the finding.
attributes [required]
object
The mute properties to be updated.
mute [required]
object
Object containing the new mute properties of the findings.
description
string
Additional information about the reason why those findings are muted or unmuted. This field has a maximum limit of 280 characters.
expiration_date
int64
The expiration date of the mute or unmute action (Unix ms). It must be set to a value greater than the current timestamp. If this field is not provided, the finding will be muted or unmuted indefinitely, which is equivalent to setting the expiration date to 9999999999999.
muted [required]
boolean
Whether those findings should be muted or unmuted.
reason [required]
enum
The reason why this finding is muted or unmuted.
Allowed enum values: PENDING_FIX,FALSE_POSITIVE,ACCEPTED_RISK,NO_PENDING_FIX,HUMAN_ERROR,NO_LONGER_ACCEPTED_RISK,OTHER
id [required]
string
UUID to identify the request
meta [required]
object
Meta object containing the findings to be updated.
findings
[object]
Array of findings.
finding_id
string
The unique ID for this finding.
type [required]
enum
The JSON:API type for findings.
Allowed enum values: finding
default: finding
{
"data": {
"attributes": {
"mute": {
"expiration_date": 1778721573794,
"muted": true,
"reason": "ACCEPTED_RISK"
}
},
"id": "dbe5f567-192b-4404-b908-29b70e1c9f76",
"meta": {
"findings": [
{
"finding_id": "ZGVmLTAwcC1pZXJ-aS0wZjhjNjMyZDNmMzRlZTgzNw=="
}
]
},
"type": "finding"
}
}
OK
The expected response schema.
항목
유형
설명
data [required]
object
Data object containing the ID of the request that was updated.
id
string
UUID used to identify the request
type
enum
The JSON:API type for findings.
Allowed enum values: finding
default: finding
{
"data": {
"id": "93bfeb70-af47-424d-908a-948d3f08e37f",
"type": "finding"
}
}
Bad Request: The server cannot process the request due to invalid syntax in the request.
API error response.
항목
유형
설명
errors [required]
[object]
A list of errors.
detail
string
A human-readable explanation specific to this occurrence of the error.
status
string
Status code of the response.
title
string
Short human-readable summary of the error.
{
"errors": [
{
"detail": "Missing required attribute in body",
"status": "400",
"title": "Bad Request"
}
]
}
Forbidden: Access denied
API error response.
항목
유형
설명
errors [required]
[object]
A list of errors.
detail
string
A human-readable explanation specific to this occurrence of the error.
status
string
Status code of the response.
title
string
Short human-readable summary of the error.
{
"errors": [
{
"detail": "Missing required attribute in body",
"status": "400",
"title": "Bad Request"
}
]
}
Not Found: The requested finding cannot be found.
API error response.
항목
유형
설명
errors [required]
[object]
A list of errors.
detail
string
A human-readable explanation specific to this occurrence of the error.
status
string
Status code of the response.
title
string
Short human-readable summary of the error.
{
"errors": [
{
"detail": "Missing required attribute in body",
"status": "400",
"title": "Bad Request"
}
]
}
Invalid Request: The server understands the request syntax but cannot process it due to invalid data.
API error response.
항목
유형
설명
errors [required]
[object]
A list of errors.
detail
string
A human-readable explanation specific to this occurrence of the error.
status
string
Status code of the response.
title
string
Short human-readable summary of the error.
{
"errors": [
{
"detail": "Missing required attribute in body",
"status": "400",
"title": "Bad Request"
}
]
}
Too many requests: The rate limit set by the API has been exceeded.
API error response.
항목
유형
설명
errors [required]
[object]
A list of errors.
detail
string
A human-readable explanation specific to this occurrence of the error.
status
string
Status code of the response.
title
string
Short human-readable summary of the error.
{
"errors": [
{
"detail": "Missing required attribute in body",
"status": "400",
"title": "Bad Request"
}
]
}
# Curl command
curl -X PATCH "https://api.ap1.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/posture_management/findings" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
"data": {
"attributes": {
"mute": {
"expiration_date": 1778721573794,
"muted": true,
"reason": "ACCEPTED_RISK"
}
},
"id": "dbe5f567-192b-4404-b908-29b70e1c9f76",
"meta": {
"findings": [
{
"finding_id": "ZGVmLTAwcC1pZXJ-aS0wZjhjNjMyZDNmMzRlZTgzNw=="
}
]
},
"type": "finding"
}
}
EOF
// Mute or unmute a batch of findings returns "OK" response
package main
import (
"context"
"encoding/json"
"fmt"
"os"
"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)
func main() {
body := datadogV2.BulkMuteFindingsRequest{
Data: datadogV2.BulkMuteFindingsRequestData{
Attributes: datadogV2.BulkMuteFindingsRequestAttributes{
Mute: datadogV2.BulkMuteFindingsRequestProperties{
ExpirationDate: datadog.PtrInt64(1778721573794),
Muted: true,
Reason: datadogV2.FINDINGMUTEREASON_ACCEPTED_RISK,
},
},
Id: "dbe5f567-192b-4404-b908-29b70e1c9f76",
Meta: datadogV2.BulkMuteFindingsRequestMeta{
Findings: []datadogV2.BulkMuteFindingsRequestMetaFindings{
{
FindingId: datadog.PtrString("ZGVmLTAwcC1pZXJ-aS0wZjhjNjMyZDNmMzRlZTgzNw=="),
},
},
},
Type: datadogV2.FINDINGTYPE_FINDING,
},
}
ctx := datadog.NewDefaultContext(context.Background())
configuration := datadog.NewConfiguration()
configuration.SetUnstableOperationEnabled("v2.MuteFindings", true)
apiClient := datadog.NewAPIClient(configuration)
api := datadogV2.NewSecurityMonitoringApi(apiClient)
resp, r, err := api.MuteFindings(ctx, body)
if err != nil {
fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.MuteFindings`: %v\n", err)
fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
}
responseContent, _ := json.MarshalIndent(resp, "", " ")
fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.MuteFindings`:\n%s\n", responseContent)
}
First install the library and its dependencies and then save the example to main.go
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
// Mute or unmute a batch of findings returns "OK" response
import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.BulkMuteFindingsRequest;
import com.datadog.api.client.v2.model.BulkMuteFindingsRequestAttributes;
import com.datadog.api.client.v2.model.BulkMuteFindingsRequestData;
import com.datadog.api.client.v2.model.BulkMuteFindingsRequestMeta;
import com.datadog.api.client.v2.model.BulkMuteFindingsRequestMetaFindings;
import com.datadog.api.client.v2.model.BulkMuteFindingsRequestProperties;
import com.datadog.api.client.v2.model.BulkMuteFindingsResponse;
import com.datadog.api.client.v2.model.FindingMuteReason;
import com.datadog.api.client.v2.model.FindingType;
import java.util.Collections;
public class Example {
public static void main(String[] args) {
ApiClient defaultClient = ApiClient.getDefaultApiClient();
defaultClient.setUnstableOperationEnabled("v2.muteFindings", true);
SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);
BulkMuteFindingsRequest body =
new BulkMuteFindingsRequest()
.data(
new BulkMuteFindingsRequestData()
.attributes(
new BulkMuteFindingsRequestAttributes()
.mute(
new BulkMuteFindingsRequestProperties()
.expirationDate(1778721573794L)
.muted(true)
.reason(FindingMuteReason.ACCEPTED_RISK)))
.id("dbe5f567-192b-4404-b908-29b70e1c9f76")
.meta(
new BulkMuteFindingsRequestMeta()
.findings(
Collections.singletonList(
new BulkMuteFindingsRequestMetaFindings()
.findingId(
"ZGVmLTAwcC1pZXJ-aS0wZjhjNjMyZDNmMzRlZTgzNw=="))))
.type(FindingType.FINDING));
try {
BulkMuteFindingsResponse result = apiInstance.muteFindings(body);
System.out.println(result);
} catch (ApiException e) {
System.err.println("Exception when calling SecurityMonitoringApi#muteFindings");
System.err.println("Status code: " + e.getCode());
System.err.println("Reason: " + e.getResponseBody());
System.err.println("Response headers: " + e.getResponseHeaders());
e.printStackTrace();
}
}
}
First install the library and its dependencies and then save the example to Example.java
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
"""
Mute or unmute a batch of findings returns "OK" response
"""
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.bulk_mute_findings_request import BulkMuteFindingsRequest
from datadog_api_client.v2.model.bulk_mute_findings_request_attributes import BulkMuteFindingsRequestAttributes
from datadog_api_client.v2.model.bulk_mute_findings_request_data import BulkMuteFindingsRequestData
from datadog_api_client.v2.model.bulk_mute_findings_request_meta import BulkMuteFindingsRequestMeta
from datadog_api_client.v2.model.bulk_mute_findings_request_meta_findings import BulkMuteFindingsRequestMetaFindings
from datadog_api_client.v2.model.bulk_mute_findings_request_properties import BulkMuteFindingsRequestProperties
from datadog_api_client.v2.model.finding_mute_reason import FindingMuteReason
from datadog_api_client.v2.model.finding_type import FindingType
body = BulkMuteFindingsRequest(
data=BulkMuteFindingsRequestData(
attributes=BulkMuteFindingsRequestAttributes(
mute=BulkMuteFindingsRequestProperties(
expiration_date=1778721573794,
muted=True,
reason=FindingMuteReason.ACCEPTED_RISK,
),
),
id="dbe5f567-192b-4404-b908-29b70e1c9f76",
meta=BulkMuteFindingsRequestMeta(
findings=[
BulkMuteFindingsRequestMetaFindings(
finding_id="ZGVmLTAwcC1pZXJ-aS0wZjhjNjMyZDNmMzRlZTgzNw==",
),
],
),
type=FindingType.FINDING,
),
)
configuration = Configuration()
configuration.unstable_operations["mute_findings"] = True
with ApiClient(configuration) as api_client:
api_instance = SecurityMonitoringApi(api_client)
response = api_instance.mute_findings(body=body)
print(response)
First install the library and its dependencies and then save the example to example.py
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
# Mute or unmute a batch of findings returns "OK" response
require "datadog_api_client"
DatadogAPIClient.configure do |config|
config.unstable_operations["v2.mute_findings".to_sym] = true
end
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
body = DatadogAPIClient::V2::BulkMuteFindingsRequest.new({
data: DatadogAPIClient::V2::BulkMuteFindingsRequestData.new({
attributes: DatadogAPIClient::V2::BulkMuteFindingsRequestAttributes.new({
mute: DatadogAPIClient::V2::BulkMuteFindingsRequestProperties.new({
expiration_date: 1778721573794,
muted: true,
reason: DatadogAPIClient::V2::FindingMuteReason::ACCEPTED_RISK,
}),
}),
id: "dbe5f567-192b-4404-b908-29b70e1c9f76",
meta: DatadogAPIClient::V2::BulkMuteFindingsRequestMeta.new({
findings: [
DatadogAPIClient::V2::BulkMuteFindingsRequestMetaFindings.new({
finding_id: "ZGVmLTAwcC1pZXJ-aS0wZjhjNjMyZDNmMzRlZTgzNw==",
}),
],
}),
type: DatadogAPIClient::V2::FindingType::FINDING,
}),
})
p api_instance.mute_findings(body)
First install the library and its dependencies and then save the example to example.rb
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
// Mute or unmute a batch of findings returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::BulkMuteFindingsRequest;
use datadog_api_client::datadogV2::model::BulkMuteFindingsRequestAttributes;
use datadog_api_client::datadogV2::model::BulkMuteFindingsRequestData;
use datadog_api_client::datadogV2::model::BulkMuteFindingsRequestMeta;
use datadog_api_client::datadogV2::model::BulkMuteFindingsRequestMetaFindings;
use datadog_api_client::datadogV2::model::BulkMuteFindingsRequestProperties;
use datadog_api_client::datadogV2::model::FindingMuteReason;
use datadog_api_client::datadogV2::model::FindingType;
#[tokio::main]
async fn main() {
let body = BulkMuteFindingsRequest::new(BulkMuteFindingsRequestData::new(
BulkMuteFindingsRequestAttributes::new(
BulkMuteFindingsRequestProperties::new(true, FindingMuteReason::ACCEPTED_RISK)
.expiration_date(1778721573794),
),
"dbe5f567-192b-4404-b908-29b70e1c9f76".to_string(),
BulkMuteFindingsRequestMeta::new()
.findings(vec![BulkMuteFindingsRequestMetaFindings::new().finding_id(
"ZGVmLTAwcC1pZXJ-aS0wZjhjNjMyZDNmMzRlZTgzNw==".to_string(),
)]),
FindingType::FINDING,
));
let mut configuration = datadog::Configuration::new();
configuration.set_unstable_operation_enabled("v2.MuteFindings", true);
let api = SecurityMonitoringAPI::with_config(configuration);
let resp = api.mute_findings(body).await;
if let Ok(value) = resp {
println!("{:#?}", value);
} else {
println!("{:#?}", resp.unwrap_err());
}
}
First install the library and its dependencies and then save the example to src/main.rs
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
/**
* Mute or unmute a batch of findings returns "OK" response
*/
import { client, v2 } from "@datadog/datadog-api-client";
const configuration = client.createConfiguration();
configuration.unstableOperations["v2.muteFindings"] = true;
const apiInstance = new v2.SecurityMonitoringApi(configuration);
const params: v2.SecurityMonitoringApiMuteFindingsRequest = {
body: {
data: {
attributes: {
mute: {
expirationDate: 1778721573794,
muted: true,
reason: "ACCEPTED_RISK",
},
},
id: "dbe5f567-192b-4404-b908-29b70e1c9f76",
meta: {
findings: [
{
findingId: "ZGVmLTAwcC1pZXJ-aS0wZjhjNjMyZDNmMzRlZTgzNw==",
},
],
},
type: "finding",
},
},
};
apiInstance
.muteFindings(params)
.then((data: v2.BulkMuteFindingsResponse) => {
console.log(
"API called successfully. Returned data: " + JSON.stringify(data)
);
})
.catch((error: any) => console.error(error));
First install the library and its dependencies and then save the example to example.ts
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
PATCH https://api.ap1.datadoghq.com/api/v1/security_analytics/signals/{signal_id}/add_to_incidenthttps://api.datadoghq.eu/api/v1/security_analytics/signals/{signal_id}/add_to_incidenthttps://api.ddog-gov.com/api/v1/security_analytics/signals/{signal_id}/add_to_incidenthttps://api.datadoghq.com/api/v1/security_analytics/signals/{signal_id}/add_to_incidenthttps://api.us3.datadoghq.com/api/v1/security_analytics/signals/{signal_id}/add_to_incidenthttps://api.us5.datadoghq.com/api/v1/security_analytics/signals/{signal_id}/add_to_incident
Add a security signal to an incident. This makes it possible to search for signals by incident within the signal explorer and to view the signals on the incident timeline.
This endpoint requires the security_monitoring_signals_write
permission.
이름
유형
설명
signal_id [required]
string
The ID of the signal.
Attributes describing the signal update.
{
"incident_id": 2609
}
OK
Updated signal data following a successfully performed update.
{
"status": "string"
}
Bad Request
Error response object.
{
"errors": [
"Bad Request"
]
}
Forbidden
Error response object.
{
"errors": [
"Bad Request"
]
}
Not Found
Error response object.
{
"errors": [
"Bad Request"
]
}
Too many requests
Error response object.
{
"errors": [
"Bad Request"
]
}
# Path parameters
export signal_id="CHANGE_ME"
# Curl command
curl -X PATCH "https://api.ap1.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v1/security_analytics/signals/${signal_id}/add_to_incident" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
"incident_id": 2609
}
EOF
// Add a security signal to an incident returns "OK" response
package main
import (
"context"
"encoding/json"
"fmt"
"os"
"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
"github.com/DataDog/datadog-api-client-go/v2/api/datadogV1"
)
func main() {
body := datadogV1.AddSignalToIncidentRequest{
IncidentId: 2609,
}
ctx := datadog.NewDefaultContext(context.Background())
configuration := datadog.NewConfiguration()
apiClient := datadog.NewAPIClient(configuration)
api := datadogV1.NewSecurityMonitoringApi(apiClient)
resp, r, err := api.AddSecurityMonitoringSignalToIncident(ctx, "AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE", body)
if err != nil {
fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.AddSecurityMonitoringSignalToIncident`: %v\n", err)
fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
}
responseContent, _ := json.MarshalIndent(resp, "", " ")
fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.AddSecurityMonitoringSignalToIncident`:\n%s\n", responseContent)
}
First install the library and its dependencies and then save the example to main.go
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" go run "main.go"
// Add a security signal to an incident returns "OK" response
import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v1.api.SecurityMonitoringApi;
import com.datadog.api.client.v1.model.AddSignalToIncidentRequest;
import com.datadog.api.client.v1.model.SuccessfulSignalUpdateResponse;
public class Example {
public static void main(String[] args) {
ApiClient defaultClient = ApiClient.getDefaultApiClient();
SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);
AddSignalToIncidentRequest body = new AddSignalToIncidentRequest().incidentId(2609L);
try {
SuccessfulSignalUpdateResponse result =
apiInstance.addSecurityMonitoringSignalToIncident(
"AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE", body);
System.out.println(result);
} catch (ApiException e) {
System.err.println(
"Exception when calling SecurityMonitoringApi#addSecurityMonitoringSignalToIncident");
System.err.println("Status code: " + e.getCode());
System.err.println("Reason: " + e.getResponseBody());
System.err.println("Response headers: " + e.getResponseHeaders());
e.printStackTrace();
}
}
}
First install the library and its dependencies and then save the example to Example.java
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" java "Example.java"
"""
Add a security signal to an incident returns "OK" response
"""
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v1.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v1.model.add_signal_to_incident_request import AddSignalToIncidentRequest
body = AddSignalToIncidentRequest(
incident_id=2609,
)
configuration = Configuration()
with ApiClient(configuration) as api_client:
api_instance = SecurityMonitoringApi(api_client)
response = api_instance.add_security_monitoring_signal_to_incident(
signal_id="AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE", body=body
)
print(response)
First install the library and its dependencies and then save the example to example.py
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" python3 "example.py"
# Add a security signal to an incident returns "OK" response
require "datadog_api_client"
api_instance = DatadogAPIClient::V1::SecurityMonitoringAPI.new
body = DatadogAPIClient::V1::AddSignalToIncidentRequest.new({
incident_id: 2609,
})
p api_instance.add_security_monitoring_signal_to_incident("AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE", body)
First install the library and its dependencies and then save the example to example.rb
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" rb "example.rb"
// Add a security signal to an incident returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV1::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV1::model::AddSignalToIncidentRequest;
#[tokio::main]
async fn main() {
let body = AddSignalToIncidentRequest::new(2609);
let configuration = datadog::Configuration::new();
let api = SecurityMonitoringAPI::with_config(configuration);
let resp = api
.add_security_monitoring_signal_to_incident(
"AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE".to_string(),
body,
)
.await;
if let Ok(value) = resp {
println!("{:#?}", value);
} else {
println!("{:#?}", resp.unwrap_err());
}
}
First install the library and its dependencies and then save the example to src/main.rs
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" cargo run
/**
* Add a security signal to an incident returns "OK" response
*/
import { client, v1 } from "@datadog/datadog-api-client";
const configuration = client.createConfiguration();
const apiInstance = new v1.SecurityMonitoringApi(configuration);
const params: v1.SecurityMonitoringApiAddSecurityMonitoringSignalToIncidentRequest =
{
body: {
incidentId: 2609,
},
signalId: "AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE",
};
apiInstance
.addSecurityMonitoringSignalToIncident(params)
.then((data: v1.SuccessfulSignalUpdateResponse) => {
console.log(
"API called successfully. Returned data: " + JSON.stringify(data)
);
})
.catch((error: any) => console.error(error));
First install the library and its dependencies and then save the example to example.ts
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" tsc "example.ts"
PATCH https://api.ap1.datadoghq.com/api/v1/security_analytics/signals/{signal_id}/statehttps://api.datadoghq.eu/api/v1/security_analytics/signals/{signal_id}/statehttps://api.ddog-gov.com/api/v1/security_analytics/signals/{signal_id}/statehttps://api.datadoghq.com/api/v1/security_analytics/signals/{signal_id}/statehttps://api.us3.datadoghq.com/api/v1/security_analytics/signals/{signal_id}/statehttps://api.us5.datadoghq.com/api/v1/security_analytics/signals/{signal_id}/state
Change the triage state of a security signal.
This endpoint requires the security_monitoring_signals_write
permission.
이름
유형
설명
signal_id [required]
string
The ID of the signal.
Attributes describing the signal update.
{
"archiveReason": "none",
"state": "open"
}
OK
Updated signal data following a successfully performed update.
{
"status": "string"
}
Bad Request
Error response object.
{
"errors": [
"Bad Request"
]
}
Forbidden
Error response object.
{
"errors": [
"Bad Request"
]
}
Not Found
Error response object.
{
"errors": [
"Bad Request"
]
}
Too many requests
Error response object.
{
"errors": [
"Bad Request"
]
}
# Path parameters
export signal_id="CHANGE_ME"
# Curl command
curl -X PATCH "https://api.ap1.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v1/security_analytics/signals/${signal_id}/state" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
"archiveReason": "none",
"state": "open"
}
EOF
// Change the triage state of a security signal returns "OK" response
package main
import (
"context"
"encoding/json"
"fmt"
"os"
"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
"github.com/DataDog/datadog-api-client-go/v2/api/datadogV1"
)
func main() {
body := datadogV1.SignalStateUpdateRequest{
ArchiveReason: datadogV1.SIGNALARCHIVEREASON_NONE.Ptr(),
State: datadogV1.SIGNALTRIAGESTATE_OPEN,
}
ctx := datadog.NewDefaultContext(context.Background())
configuration := datadog.NewConfiguration()
apiClient := datadog.NewAPIClient(configuration)
api := datadogV1.NewSecurityMonitoringApi(apiClient)
resp, r, err := api.EditSecurityMonitoringSignalState(ctx, "AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE", body)
if err != nil {
fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.EditSecurityMonitoringSignalState`: %v\n", err)
fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
}
responseContent, _ := json.MarshalIndent(resp, "", " ")
fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.EditSecurityMonitoringSignalState`:\n%s\n", responseContent)
}
First install the library and its dependencies and then save the example to main.go
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" go run "main.go"
// Change the triage state of a security signal returns "OK" response
import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v1.api.SecurityMonitoringApi;
import com.datadog.api.client.v1.model.SignalArchiveReason;
import com.datadog.api.client.v1.model.SignalStateUpdateRequest;
import com.datadog.api.client.v1.model.SignalTriageState;
import com.datadog.api.client.v1.model.SuccessfulSignalUpdateResponse;
public class Example {
public static void main(String[] args) {
ApiClient defaultClient = ApiClient.getDefaultApiClient();
SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);
SignalStateUpdateRequest body =
new SignalStateUpdateRequest()
.archiveReason(SignalArchiveReason.NONE)
.state(SignalTriageState.OPEN);
try {
SuccessfulSignalUpdateResponse result =
apiInstance.editSecurityMonitoringSignalState(
"AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE", body);
System.out.println(result);
} catch (ApiException e) {
System.err.println(
"Exception when calling SecurityMonitoringApi#editSecurityMonitoringSignalState");
System.err.println("Status code: " + e.getCode());
System.err.println("Reason: " + e.getResponseBody());
System.err.println("Response headers: " + e.getResponseHeaders());
e.printStackTrace();
}
}
}
First install the library and its dependencies and then save the example to Example.java
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" java "Example.java"
"""
Change the triage state of a security signal returns "OK" response
"""
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v1.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v1.model.signal_archive_reason import SignalArchiveReason
from datadog_api_client.v1.model.signal_state_update_request import SignalStateUpdateRequest
from datadog_api_client.v1.model.signal_triage_state import SignalTriageState
body = SignalStateUpdateRequest(
archive_reason=SignalArchiveReason.NONE,
state=SignalTriageState.OPEN,
)
configuration = Configuration()
with ApiClient(configuration) as api_client:
api_instance = SecurityMonitoringApi(api_client)
response = api_instance.edit_security_monitoring_signal_state(
signal_id="AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE", body=body
)
print(response)
First install the library and its dependencies and then save the example to example.py
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" python3 "example.py"
# Change the triage state of a security signal returns "OK" response
require "datadog_api_client"
api_instance = DatadogAPIClient::V1::SecurityMonitoringAPI.new
body = DatadogAPIClient::V1::SignalStateUpdateRequest.new({
archive_reason: DatadogAPIClient::V1::SignalArchiveReason::NONE,
state: DatadogAPIClient::V1::SignalTriageState::OPEN,
})
p api_instance.edit_security_monitoring_signal_state("AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE", body)
First install the library and its dependencies and then save the example to example.rb
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" rb "example.rb"
// Change the triage state of a security signal returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV1::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV1::model::SignalArchiveReason;
use datadog_api_client::datadogV1::model::SignalStateUpdateRequest;
use datadog_api_client::datadogV1::model::SignalTriageState;
#[tokio::main]
async fn main() {
let body = SignalStateUpdateRequest::new(SignalTriageState::OPEN)
.archive_reason(SignalArchiveReason::NONE);
let configuration = datadog::Configuration::new();
let api = SecurityMonitoringAPI::with_config(configuration);
let resp = api
.edit_security_monitoring_signal_state(
"AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE".to_string(),
body,
)
.await;
if let Ok(value) = resp {
println!("{:#?}", value);
} else {
println!("{:#?}", resp.unwrap_err());
}
}
First install the library and its dependencies and then save the example to src/main.rs
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" cargo run
/**
* Change the triage state of a security signal returns "OK" response
*/
import { client, v1 } from "@datadog/datadog-api-client";
const configuration = client.createConfiguration();
const apiInstance = new v1.SecurityMonitoringApi(configuration);
const params: v1.SecurityMonitoringApiEditSecurityMonitoringSignalStateRequest =
{
body: {
archiveReason: "none",
state: "open",
},
signalId: "AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE",
};
apiInstance
.editSecurityMonitoringSignalState(params)
.then((data: v1.SuccessfulSignalUpdateResponse) => {
console.log(
"API called successfully. Returned data: " + JSON.stringify(data)
);
})
.catch((error: any) => console.error(error));
First install the library and its dependencies and then save the example to example.ts
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" tsc "example.ts"
PATCH https://api.ap1.datadoghq.com/api/v2/security_monitoring/signals/{signal_id}/statehttps://api.datadoghq.eu/api/v2/security_monitoring/signals/{signal_id}/statehttps://api.ddog-gov.com/api/v2/security_monitoring/signals/{signal_id}/statehttps://api.datadoghq.com/api/v2/security_monitoring/signals/{signal_id}/statehttps://api.us3.datadoghq.com/api/v2/security_monitoring/signals/{signal_id}/statehttps://api.us5.datadoghq.com/api/v2/security_monitoring/signals/{signal_id}/state
Change the triage state of a security signal.
This endpoint requires the security_monitoring_signals_write
permission.
이름
유형
설명
signal_id [required]
string
The ID of the signal.
Attributes describing the signal update.
항목
유형
설명
data [required]
object
Data containing the patch for changing the state of a signal.
attributes [required]
object
Attributes describing the change of state of a security signal.
archive_comment
string
Optional comment to display on archived signals.
archive_reason
enum
Reason a signal is archived.
Allowed enum values: none,false_positive,testing_or_maintenance,investigated_case_opened,other
state [required]
enum
The new triage state of the signal.
Allowed enum values: open,archived,under_review
version
int64
Version of the updated signal. If server side version is higher, update will be rejected.
id
The unique ID of the security signal.
type
enum
The type of event.
Allowed enum values: signal_metadata
default: signal_metadata
{
"data": {
"attributes": {
"archive_reason": "none",
"state": "open"
}
}
}
OK
The response returned after all triage operations, containing the updated signal triage data.
항목
유형
설명
data [required]
object
Data containing the updated triage attributes of the signal.
attributes
object
Attributes describing a triage state update operation over a security signal.
archive_comment
string
Optional comment to display on archived signals.
archive_comment_timestamp
int64
Timestamp of the last edit to the comment.
archive_comment_user
object
Object representing a given user entity.
handle
string
The handle for this user account.
icon
string
Gravatar icon associated to the user.
id
int64
Numerical ID assigned by Datadog to this user account.
name
string
The name for this user account.
uuid [required]
string
UUID assigned by Datadog to this user account.
archive_reason
enum
Reason a signal is archived.
Allowed enum values: none,false_positive,testing_or_maintenance,investigated_case_opened,other
assignee [required]
object
Object representing a given user entity.
handle
string
The handle for this user account.
icon
string
Gravatar icon associated to the user.
id
int64
Numerical ID assigned by Datadog to this user account.
name
string
The name for this user account.
uuid [required]
string
UUID assigned by Datadog to this user account.
incident_ids [required]
[integer]
Array of incidents that are associated with this signal.
state [required]
enum
The new triage state of the signal.
Allowed enum values: open,archived,under_review
state_update_timestamp
int64
Timestamp of the last update to the signal state.
state_update_user
object
Object representing a given user entity.
handle
string
The handle for this user account.
icon
string
Gravatar icon associated to the user.
id
int64
Numerical ID assigned by Datadog to this user account.
name
string
The name for this user account.
uuid [required]
string
UUID assigned by Datadog to this user account.
id
string
The unique ID of the security signal.
type
enum
The type of event.
Allowed enum values: signal_metadata
default: signal_metadata
{
"data": {
"attributes": {
"archive_comment": "string",
"archive_comment_timestamp": "integer",
"archive_comment_user": {
"handle": "string",
"icon": "/path/to/matching/gravatar/icon",
"id": "integer",
"name": "string",
"uuid": "773b045d-ccf8-4808-bd3b-955ef6a8c940"
},
"archive_reason": "string",
"assignee": {
"handle": "string",
"icon": "/path/to/matching/gravatar/icon",
"id": "integer",
"name": "string",
"uuid": "773b045d-ccf8-4808-bd3b-955ef6a8c940"
},
"incident_ids": [
2066
],
"state": "open",
"state_update_timestamp": "integer",
"state_update_user": {
"handle": "string",
"icon": "/path/to/matching/gravatar/icon",
"id": "integer",
"name": "string",
"uuid": "773b045d-ccf8-4808-bd3b-955ef6a8c940"
}
},
"id": "string",
"type": "signal_metadata"
}
}
Bad Request
API error response.
{
"errors": [
"Bad Request"
]
}
Forbidden
API error response.
{
"errors": [
"Bad Request"
]
}
Not Found
API error response.
{
"errors": [
"Bad Request"
]
}
Too many requests
API error response.
{
"errors": [
"Bad Request"
]
}
# Path parameters
export signal_id="CHANGE_ME"
# Curl command
curl -X PATCH "https://api.ap1.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/signals/${signal_id}/state" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
"data": {
"attributes": {
"archive_reason": "none",
"state": "open"
}
}
}
EOF
// Change the triage state of a security signal returns "OK" response
package main
import (
"context"
"encoding/json"
"fmt"
"os"
"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)
func main() {
body := datadogV2.SecurityMonitoringSignalStateUpdateRequest{
Data: datadogV2.SecurityMonitoringSignalStateUpdateData{
Attributes: datadogV2.SecurityMonitoringSignalStateUpdateAttributes{
ArchiveReason: datadogV2.SECURITYMONITORINGSIGNALARCHIVEREASON_NONE.Ptr(),
State: datadogV2.SECURITYMONITORINGSIGNALSTATE_OPEN,
},
},
}
ctx := datadog.NewDefaultContext(context.Background())
configuration := datadog.NewConfiguration()
apiClient := datadog.NewAPIClient(configuration)
api := datadogV2.NewSecurityMonitoringApi(apiClient)
resp, r, err := api.EditSecurityMonitoringSignalState(ctx, "AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE", body)
if err != nil {
fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.EditSecurityMonitoringSignalState`: %v\n", err)
fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
}
responseContent, _ := json.MarshalIndent(resp, "", " ")
fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.EditSecurityMonitoringSignalState`:\n%s\n", responseContent)
}
First install the library and its dependencies and then save the example to main.go
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" go run "main.go"
// Change the triage state of a security signal returns "OK" response
import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalArchiveReason;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalState;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalStateUpdateAttributes;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalStateUpdateData;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalStateUpdateRequest;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalTriageUpdateResponse;
public class Example {
public static void main(String[] args) {
ApiClient defaultClient = ApiClient.getDefaultApiClient();
SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);
SecurityMonitoringSignalStateUpdateRequest body =
new SecurityMonitoringSignalStateUpdateRequest()
.data(
new SecurityMonitoringSignalStateUpdateData()
.attributes(
new SecurityMonitoringSignalStateUpdateAttributes()
.archiveReason(SecurityMonitoringSignalArchiveReason.NONE)
.state(SecurityMonitoringSignalState.OPEN)));
try {
SecurityMonitoringSignalTriageUpdateResponse result =
apiInstance.editSecurityMonitoringSignalState(
"AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE", body);
System.out.println(result);
} catch (ApiException e) {
System.err.println(
"Exception when calling SecurityMonitoringApi#editSecurityMonitoringSignalState");
System.err.println("Status code: " + e.getCode());
System.err.println("Reason: " + e.getResponseBody());
System.err.println("Response headers: " + e.getResponseHeaders());
e.printStackTrace();
}
}
}
First install the library and its dependencies and then save the example to Example.java
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" java "Example.java"
"""
Change the triage state of a security signal returns "OK" response
"""
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_signal_archive_reason import SecurityMonitoringSignalArchiveReason
from datadog_api_client.v2.model.security_monitoring_signal_state import SecurityMonitoringSignalState
from datadog_api_client.v2.model.security_monitoring_signal_state_update_attributes import (
SecurityMonitoringSignalStateUpdateAttributes,
)
from datadog_api_client.v2.model.security_monitoring_signal_state_update_data import (
SecurityMonitoringSignalStateUpdateData,
)
from datadog_api_client.v2.model.security_monitoring_signal_state_update_request import (
SecurityMonitoringSignalStateUpdateRequest,
)
body = SecurityMonitoringSignalStateUpdateRequest(
data=SecurityMonitoringSignalStateUpdateData(
attributes=SecurityMonitoringSignalStateUpdateAttributes(
archive_reason=SecurityMonitoringSignalArchiveReason.NONE,
state=SecurityMonitoringSignalState.OPEN,
),
),
)
configuration = Configuration()
with ApiClient(configuration) as api_client:
api_instance = SecurityMonitoringApi(api_client)
response = api_instance.edit_security_monitoring_signal_state(
signal_id="AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE", body=body
)
print(response)
First install the library and its dependencies and then save the example to example.py
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" python3 "example.py"
# Change the triage state of a security signal returns "OK" response
require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
body = DatadogAPIClient::V2::SecurityMonitoringSignalStateUpdateRequest.new({
data: DatadogAPIClient::V2::SecurityMonitoringSignalStateUpdateData.new({
attributes: DatadogAPIClient::V2::SecurityMonitoringSignalStateUpdateAttributes.new({
archive_reason: DatadogAPIClient::V2::SecurityMonitoringSignalArchiveReason::NONE,
state: DatadogAPIClient::V2::SecurityMonitoringSignalState::OPEN,
}),
}),
})
p api_instance.edit_security_monitoring_signal_state("AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE", body)
First install the library and its dependencies and then save the example to example.rb
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" rb "example.rb"
// Change the triage state of a security signal returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringSignalArchiveReason;
use datadog_api_client::datadogV2::model::SecurityMonitoringSignalState;
use datadog_api_client::datadogV2::model::SecurityMonitoringSignalStateUpdateAttributes;
use datadog_api_client::datadogV2::model::SecurityMonitoringSignalStateUpdateData;
use datadog_api_client::datadogV2::model::SecurityMonitoringSignalStateUpdateRequest;
#[tokio::main]
async fn main() {
let body = SecurityMonitoringSignalStateUpdateRequest::new(
SecurityMonitoringSignalStateUpdateData::new(
SecurityMonitoringSignalStateUpdateAttributes::new(SecurityMonitoringSignalState::OPEN)
.archive_reason(SecurityMonitoringSignalArchiveReason::NONE),
),
);
let configuration = datadog::Configuration::new();
let api = SecurityMonitoringAPI::with_config(configuration);
let resp = api
.edit_security_monitoring_signal_state(
"AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE".to_string(),
body,
)
.await;
if let Ok(value) = resp {
println!("{:#?}", value);
} else {
println!("{:#?}", resp.unwrap_err());
}
}
First install the library and its dependencies and then save the example to src/main.rs
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" cargo run
/**
* Change the triage state of a security signal returns "OK" response
*/
import { client, v2 } from "@datadog/datadog-api-client";
const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);
const params: v2.SecurityMonitoringApiEditSecurityMonitoringSignalStateRequest =
{
body: {
data: {
attributes: {
archiveReason: "none",
state: "open",
},
},
},
signalId: "AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE",
};
apiInstance
.editSecurityMonitoringSignalState(params)
.then((data: v2.SecurityMonitoringSignalTriageUpdateResponse) => {
console.log(
"API called successfully. Returned data: " + JSON.stringify(data)
);
})
.catch((error: any) => console.error(error));
First install the library and its dependencies and then save the example to example.ts
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" tsc "example.ts"
POST https://api.ap1.datadoghq.com/api/v2/security_monitoring/ruleshttps://api.datadoghq.eu/api/v2/security_monitoring/ruleshttps://api.ddog-gov.com/api/v2/security_monitoring/ruleshttps://api.datadoghq.com/api/v2/security_monitoring/ruleshttps://api.us3.datadoghq.com/api/v2/security_monitoring/ruleshttps://api.us5.datadoghq.com/api/v2/security_monitoring/rules
Create a detection rule.
This endpoint requires the security_monitoring_rules_write
permission.
OAuth apps require the security_monitoring_rules_write
authorization scope to access this endpoint.
항목
유형
설명
Option 1
object
Create a new rule.
cases [required]
[object]
Cases for generating signals.
condition
string
A rule case contains logical operations (>
,>=
, &&
, ||
) to determine if a signal should be generated
based on the event counts in the previously defined queries.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
status [required]
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
filters
[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
enum
The type of filtering action.
Allowed enum values: require,suppress
query
string
Query for selecting logs to apply the filtering action.
hasExtendedTitle
boolean
Whether the notifications include the triggering group-by values in their title.
isEnabled [required]
boolean
Whether the rule is enabled.
message [required]
string
Message for generated signals.
name [required]
string
The name of the rule.
options [required]
object
Options on rules.
complianceRuleOptions
object
Options for cloud_configuration rules.
Fields resourceType
and regoRule
are mandatory when managing custom cloud_configuration
rules.
complexRule
boolean
Whether the rule is a complex one.
Must be set to true if regoRule.resourceTypes
contains more than one item. Defaults to false.
regoRule
object
Rule details.
policy [required]
string
The policy written in rego
, see: https://www.openpolicyagent.org/docs/latest/policy-language/
resourceTypes [required]
[string]
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
string
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes
.
decreaseCriticalityBasedOnEnv
boolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.
The severity is decreased by one level: CRITICAL
in production becomes HIGH
in non-production, HIGH
becomes MEDIUM
and so on. INFO
remains INFO
.
The decrement is applied when the environment tag of the signal starts with staging
, test
or dev
.
detectionMethod
enum
The detection method.
Allowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold
evaluationWindow
enum
A time window is specified to match when at least one of the cases matches true. This is a sliding window
and evaluates in real time. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200
hardcodedEvaluatorType
enum
Hardcoded evaluator type.
Allowed enum values: log4shell
impossibleTravelOptions
object
Options on impossible travel rules.
baselineUserLocations
boolean
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
enum
Once a signal is generated, the signal will remain “open” if a case is matched at least once within
this keep alive window. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600
maxSignalDuration
enum
A signal will “close” regardless of the query being matched once the time exceeds the maximum duration.
This time is calculated from the first seen timestamp.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
object
Options on new value rules.
forgetAfter
enum
The duration in days after which a learned value is forgotten.
Allowed enum values: 1,2,7,14,21,28
learningDuration
enum
The duration in days during which values are learned, and after which signals will be generated for values that
weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned.
Allowed enum values: 0,1,7
learningMethod
enum
The learning method used to determine when signals should be generated for values that weren't learned.
Allowed enum values: duration,threshold
default: duration
learningThreshold
enum
A number of occurrences after which signals will be generated for values that weren't learned.
Allowed enum values: 0,1
thirdPartyRuleOptions
object
Options on third party rules.
defaultNotifications
[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
rootQueries
[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
[string]
Fields to group by.
query
string
Query to run on logs.
signalTitleTemplate
string
A template for the signal title; if omitted, the title is generated based on the case name.
queries [required]
[object]
Queries for selecting logs which are part of the rule.
aggregation
enum
The aggregation type.
Allowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
distinctFields
[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
[string]
Fields to group by.
hasOptionalGroupByFields
boolean
When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with N/A
, replacing the missing values.
metric
string
DEPRECATED: (Deprecated) The target field to aggregate over when using the sum or max
aggregations. metrics
field should be used instead.
metrics
[string]
Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.
name
string
Name of the query.
query
string
Query to run on logs.
referenceTables
[object]
Reference tables for the rule.
checkPresence
boolean
Whether to include or exclude the matched values.
columnName
string
The name of the column in the reference table.
logFieldPath
string
The field in the log to match against the reference table.
ruleQueryName
string
The name of the rule query to apply the reference table to.
tableName
string
The name of the reference table.
tags
[string]
Tags for generated signals.
thirdPartyCases
[object]
Cases for generating signals from third-party rules. Only available for third-party rules.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
query
string
A query to map a third party event to this case.
status [required]
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
type
enum
The rule type.
Allowed enum values: application_security,log_detection,workload_security
Option 2
object
Create a new signal correlation rule.
cases [required]
[object]
Cases for generating signals.
condition
string
A rule case contains logical operations (>
,>=
, &&
, ||
) to determine if a signal should be generated
based on the event counts in the previously defined queries.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
status [required]
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
filters
[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
enum
The type of filtering action.
Allowed enum values: require,suppress
query
string
Query for selecting logs to apply the filtering action.
hasExtendedTitle
boolean
Whether the notifications include the triggering group-by values in their title.
isEnabled [required]
boolean
Whether the rule is enabled.
message [required]
string
Message for generated signals.
name [required]
string
The name of the rule.
options [required]
object
Options on rules.
complianceRuleOptions
object
Options for cloud_configuration rules.
Fields resourceType
and regoRule
are mandatory when managing custom cloud_configuration
rules.
complexRule
boolean
Whether the rule is a complex one.
Must be set to true if regoRule.resourceTypes
contains more than one item. Defaults to false.
regoRule
object
Rule details.
policy [required]
string
The policy written in rego
, see: https://www.openpolicyagent.org/docs/latest/policy-language/
resourceTypes [required]
[string]
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
string
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes
.
decreaseCriticalityBasedOnEnv
boolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.
The severity is decreased by one level: CRITICAL
in production becomes HIGH
in non-production, HIGH
becomes MEDIUM
and so on. INFO
remains INFO
.
The decrement is applied when the environment tag of the signal starts with staging
, test
or dev
.
detectionMethod
enum
The detection method.
Allowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold
evaluationWindow
enum
A time window is specified to match when at least one of the cases matches true. This is a sliding window
and evaluates in real time. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200
hardcodedEvaluatorType
enum
Hardcoded evaluator type.
Allowed enum values: log4shell
impossibleTravelOptions
object
Options on impossible travel rules.
baselineUserLocations
boolean
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
enum
Once a signal is generated, the signal will remain “open” if a case is matched at least once within
this keep alive window. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600
maxSignalDuration
enum
A signal will “close” regardless of the query being matched once the time exceeds the maximum duration.
This time is calculated from the first seen timestamp.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
object
Options on new value rules.
forgetAfter
enum
The duration in days after which a learned value is forgotten.
Allowed enum values: 1,2,7,14,21,28
learningDuration
enum
The duration in days during which values are learned, and after which signals will be generated for values that
weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned.
Allowed enum values: 0,1,7
learningMethod
enum
The learning method used to determine when signals should be generated for values that weren't learned.
Allowed enum values: duration,threshold
default: duration
learningThreshold
enum
A number of occurrences after which signals will be generated for values that weren't learned.
Allowed enum values: 0,1
thirdPartyRuleOptions
object
Options on third party rules.
defaultNotifications
[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
rootQueries
[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
[string]
Fields to group by.
query
string
Query to run on logs.
signalTitleTemplate
string
A template for the signal title; if omitted, the title is generated based on the case name.
queries [required]
[object]
Queries for selecting signals which are part of the rule.
aggregation
enum
The aggregation type.
Allowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
correlatedByFields
[string]
Fields to group by.
correlatedQueryIndex
int32
Index of the rule query used to retrieve the correlated field.
metrics
[string]
Group of target fields to aggregate over.
name
string
Name of the query.
ruleId [required]
string
Rule ID to match on signals.
tags
[string]
Tags for generated signals.
type
enum
The rule type.
Allowed enum values: signal_correlation
Option 3
object
Create a new cloud configuration rule.
cases [required]
[object]
Description of generated findings and signals (severity and channels to be notified in case of a signal). Must contain exactly one item.
notifications
[string]
Notification targets for each rule case.
status [required]
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
complianceSignalOptions [required]
object
How to generate compliance signals. Useful for cloud_configuration rules only.
defaultActivationStatus
boolean
The default activation status.
defaultGroupByFields
[string]
The default group by fields.
userActivationStatus
boolean
Whether signals will be sent.
userGroupByFields
[string]
Fields to use to group findings by when sending signals.
filters
[object]
Additional queries to filter matched events before they are processed.
action
enum
The type of filtering action.
Allowed enum values: require,suppress
query
string
Query for selecting logs to apply the filtering action.
isEnabled [required]
boolean
Whether the rule is enabled.
message [required]
string
Message in markdown format for generated findings and signals.
name [required]
string
The name of the rule.
options [required]
object
Options on cloud configuration rules.
complianceRuleOptions [required]
object
Options for cloud_configuration rules.
Fields resourceType
and regoRule
are mandatory when managing custom cloud_configuration
rules.
complexRule
boolean
Whether the rule is a complex one.
Must be set to true if regoRule.resourceTypes
contains more than one item. Defaults to false.
regoRule
object
Rule details.
policy [required]
string
The policy written in rego
, see: https://www.openpolicyagent.org/docs/latest/policy-language/
resourceTypes [required]
[string]
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
string
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes
.
tags
[string]
Tags for generated findings and signals.
type
enum
The rule type.
Allowed enum values: cloud_configuration
{
"type": "cloud_configuration",
"name": "Example-Security-Monitoring_cloud",
"isEnabled": false,
"cases": [
{
"status": "info",
"notifications": [
"channel"
]
}
],
"options": {
"complianceRuleOptions": {
"resourceType": "gcp_compute_disk",
"complexRule": false,
"regoRule": {
"policy": "package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nmilliseconds_in_a_day := ((1000 * 60) * 60) * 24\n\neval(iam_service_account_key) = \"skip\" if {\n\tiam_service_account_key.disabled\n} else = \"pass\" if {\n\t(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n",
"resourceTypes": [
"gcp_compute_disk"
]
}
}
},
"message": "ddd",
"tags": [
"my:tag"
],
"complianceSignalOptions": {
"userActivationStatus": true,
"userGroupByFields": [
"@account_id"
]
},
"filters": [
{
"action": "require",
"query": "resource_id:helo*"
},
{
"action": "suppress",
"query": "control:helo*"
}
]
}
{
"name": "Example-Security-Monitoring",
"queries": [
{
"query": "@test:true",
"aggregation": "count",
"groupByFields": [],
"distinctFields": [],
"metric": ""
}
],
"filters": [],
"cases": [
{
"name": "",
"status": "info",
"condition": "a > 0",
"notifications": []
}
],
"options": {
"evaluationWindow": 900,
"keepAlive": 3600,
"maxSignalDuration": 86400
},
"message": "Test rule",
"tags": [],
"isEnabled": true,
"type": "log_detection",
"referenceTables": [
{
"tableName": "synthetics_test_reference_table_dont_delete",
"columnName": "value",
"logFieldPath": "testtag",
"checkPresence": true,
"ruleQueryName": "a"
}
]
}
{
"name": "Example-Security-Monitoring",
"type": "log_detection",
"isEnabled": true,
"thirdPartyCases": [
{
"query": "status:error",
"name": "high",
"status": "high"
},
{
"query": "status:info",
"name": "low",
"status": "low"
}
],
"queries": [],
"cases": [],
"message": "This is a third party rule",
"options": {
"detectionMethod": "third_party",
"keepAlive": 0,
"maxSignalDuration": 600,
"thirdPartyRuleOptions": {
"defaultStatus": "info",
"rootQueries": [
{
"query": "source:guardduty @details.alertType:*EC2*",
"groupByFields": [
"instance-id"
]
},
{
"query": "source:guardduty",
"groupByFields": []
}
]
}
}
}
OK
Create a new rule.
항목
유형
설명
Option 1
Rule.
cases
[object]
Cases for generating signals.
condition
string
A rule case contains logical operations (>
,>=
, &&
, ||
) to determine if a signal should be generated
based on the event counts in the previously defined queries.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
status
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
complianceSignalOptions
object
How to generate compliance signals. Useful for cloud_configuration rules only.
defaultActivationStatus
boolean
The default activation status.
defaultGroupByFields
[string]
The default group by fields.
userActivationStatus
boolean
Whether signals will be sent.
userGroupByFields
[string]
Fields to use to group findings by when sending signals.
createdAt
int64
When the rule was created, timestamp in milliseconds.
creationAuthorId
int64
User ID of the user who created the rule.
defaultTags
[string]
Default Tags for default rules (included in tags)
deprecationDate
int64
When the rule will be deprecated, timestamp in milliseconds.
filters
[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
enum
The type of filtering action.
Allowed enum values: require,suppress
query
string
Query for selecting logs to apply the filtering action.
hasExtendedTitle
boolean
Whether the notifications include the triggering group-by values in their title.
id
string
The ID of the rule.
isDefault
boolean
Whether the rule is included by default.
isDeleted
boolean
Whether the rule has been deleted.
isEnabled
boolean
Whether the rule is enabled.
message
string
Message for generated signals.
name
string
The name of the rule.
options
object
Options on rules.
complianceRuleOptions
object
Options for cloud_configuration rules.
Fields resourceType
and regoRule
are mandatory when managing custom cloud_configuration
rules.
complexRule
boolean
Whether the rule is a complex one.
Must be set to true if regoRule.resourceTypes
contains more than one item. Defaults to false.
regoRule
object
Rule details.
policy [required]
string
The policy written in rego
, see: https://www.openpolicyagent.org/docs/latest/policy-language/
resourceTypes [required]
[string]
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
string
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes
.
decreaseCriticalityBasedOnEnv
boolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.
The severity is decreased by one level: CRITICAL
in production becomes HIGH
in non-production, HIGH
becomes MEDIUM
and so on. INFO
remains INFO
.
The decrement is applied when the environment tag of the signal starts with staging
, test
or dev
.
detectionMethod
enum
The detection method.
Allowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold
evaluationWindow
enum
A time window is specified to match when at least one of the cases matches true. This is a sliding window
and evaluates in real time. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200
hardcodedEvaluatorType
enum
Hardcoded evaluator type.
Allowed enum values: log4shell
impossibleTravelOptions
object
Options on impossible travel rules.
baselineUserLocations
boolean
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
enum
Once a signal is generated, the signal will remain “open” if a case is matched at least once within
this keep alive window. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600
maxSignalDuration
enum
A signal will “close” regardless of the query being matched once the time exceeds the maximum duration.
This time is calculated from the first seen timestamp.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
object
Options on new value rules.
forgetAfter
enum
The duration in days after which a learned value is forgotten.
Allowed enum values: 1,2,7,14,21,28
learningDuration
enum
The duration in days during which values are learned, and after which signals will be generated for values that
weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned.
Allowed enum values: 0,1,7
learningMethod
enum
The learning method used to determine when signals should be generated for values that weren't learned.
Allowed enum values: duration,threshold
default: duration
learningThreshold
enum
A number of occurrences after which signals will be generated for values that weren't learned.
Allowed enum values: 0,1
thirdPartyRuleOptions
object
Options on third party rules.
defaultNotifications
[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
rootQueries
[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
[string]
Fields to group by.
query
string
Query to run on logs.
signalTitleTemplate
string
A template for the signal title; if omitted, the title is generated based on the case name.
queries
[object]
Queries for selecting logs which are part of the rule.
aggregation
enum
The aggregation type.
Allowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
distinctFields
[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
[string]
Fields to group by.
hasOptionalGroupByFields
boolean
When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with N/A
, replacing the missing values.
metric
string
DEPRECATED: (Deprecated) The target field to aggregate over when using the sum or max
aggregations. metrics
field should be used instead.
metrics
[string]
Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.
name
string
Name of the query.
query
string
Query to run on logs.
referenceTables
[object]
Reference tables for the rule.
checkPresence
boolean
Whether to include or exclude the matched values.
columnName
string
The name of the column in the reference table.
logFieldPath
string
The field in the log to match against the reference table.
ruleQueryName
string
The name of the rule query to apply the reference table to.
tableName
string
The name of the reference table.
tags
[string]
Tags for generated signals.
thirdPartyCases
[object]
Cases for generating signals from third-party rules. Only available for third-party rules.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
query
string
A query to map a third party event to this case.
status
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
type
enum
The rule type.
Allowed enum values: log_detection,infrastructure_configuration,workload_security,cloud_configuration,application_security
updateAuthorId
int64
User ID of the user who updated the rule.
version
int64
The version of the rule.
Option 2
Rule.
cases
[object]
Cases for generating signals.
condition
string
A rule case contains logical operations (>
,>=
, &&
, ||
) to determine if a signal should be generated
based on the event counts in the previously defined queries.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
status
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
createdAt
int64
When the rule was created, timestamp in milliseconds.
creationAuthorId
int64
User ID of the user who created the rule.
deprecationDate
int64
When the rule will be deprecated, timestamp in milliseconds.
filters
[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
enum
The type of filtering action.
Allowed enum values: require,suppress
query
string
Query for selecting logs to apply the filtering action.
hasExtendedTitle
boolean
Whether the notifications include the triggering group-by values in their title.
id
string
The ID of the rule.
isDefault
boolean
Whether the rule is included by default.
isDeleted
boolean
Whether the rule has been deleted.
isEnabled
boolean
Whether the rule is enabled.
message
string
Message for generated signals.
name
string
The name of the rule.
options
object
Options on rules.
complianceRuleOptions
object
Options for cloud_configuration rules.
Fields resourceType
and regoRule
are mandatory when managing custom cloud_configuration
rules.
complexRule
boolean
Whether the rule is a complex one.
Must be set to true if regoRule.resourceTypes
contains more than one item. Defaults to false.
regoRule
object
Rule details.
policy [required]
string
The policy written in rego
, see: https://www.openpolicyagent.org/docs/latest/policy-language/
resourceTypes [required]
[string]
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
string
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes
.
decreaseCriticalityBasedOnEnv
boolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.
The severity is decreased by one level: CRITICAL
in production becomes HIGH
in non-production, HIGH
becomes MEDIUM
and so on. INFO
remains INFO
.
The decrement is applied when the environment tag of the signal starts with staging
, test
or dev
.
detectionMethod
enum
The detection method.
Allowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold
evaluationWindow
enum
A time window is specified to match when at least one of the cases matches true. This is a sliding window
and evaluates in real time. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200
hardcodedEvaluatorType
enum
Hardcoded evaluator type.
Allowed enum values: log4shell
impossibleTravelOptions
object
Options on impossible travel rules.
baselineUserLocations
boolean
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
enum
Once a signal is generated, the signal will remain “open” if a case is matched at least once within
this keep alive window. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600
maxSignalDuration
enum
A signal will “close” regardless of the query being matched once the time exceeds the maximum duration.
This time is calculated from the first seen timestamp.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
object
Options on new value rules.
forgetAfter
enum
The duration in days after which a learned value is forgotten.
Allowed enum values: 1,2,7,14,21,28
learningDuration
enum
The duration in days during which values are learned, and after which signals will be generated for values that
weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned.
Allowed enum values: 0,1,7
learningMethod
enum
The learning method used to determine when signals should be generated for values that weren't learned.
Allowed enum values: duration,threshold
default: duration
learningThreshold
enum
A number of occurrences after which signals will be generated for values that weren't learned.
Allowed enum values: 0,1
thirdPartyRuleOptions
object
Options on third party rules.
defaultNotifications
[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
rootQueries
[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
[string]
Fields to group by.
query
string
Query to run on logs.
signalTitleTemplate
string
A template for the signal title; if omitted, the title is generated based on the case name.
queries
[object]
Queries for selecting logs which are part of the rule.
aggregation
enum
The aggregation type.
Allowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
correlatedByFields
[string]
Fields to correlate by.
correlatedQueryIndex
int32
Index of the rule query used to retrieve the correlated field.
defaultRuleId
string
Default Rule ID to match on signals.
distinctFields
[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
[string]
Fields to group by.
metrics
[string]
Group of target fields to aggregate over.
name
string
Name of the query.
ruleId
string
Rule ID to match on signals.
tags
[string]
Tags for generated signals.
type
enum
The rule type.
Allowed enum values: signal_correlation
updateAuthorId
int64
User ID of the user who updated the rule.
version
int64
The version of the rule.
{
"cases": [
{
"condition": "string",
"name": "string",
"notifications": [],
"status": "critical"
}
],
"complianceSignalOptions": {
"defaultActivationStatus": false,
"defaultGroupByFields": [],
"userActivationStatus": false,
"userGroupByFields": []
},
"createdAt": "integer",
"creationAuthorId": "integer",
"defaultTags": [
"security:attacks"
],
"deprecationDate": "integer",
"filters": [
{
"action": "string",
"query": "string"
}
],
"hasExtendedTitle": false,
"id": "string",
"isDefault": false,
"isDeleted": false,
"isEnabled": false,
"message": "string",
"name": "string",
"options": {
"complianceRuleOptions": {
"complexRule": false,
"regoRule": {
"policy": "package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(resource) = \"skip\" if {\n # Logic that evaluates to true if the resource should be skipped\n true\n} else = \"pass\" {\n # Logic that evaluates to true if the resource is compliant\n true\n} else = \"fail\" {\n # Logic that evaluates to true if the resource is not compliant\n true\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n some resource in input.resources[input.main_resource_type]\n result := dd_output.format(resource, eval(resource))\n}\n",
"resourceTypes": [
"gcp_iam_service_account",
"gcp_iam_policy"
]
},
"resourceType": "aws_acm"
},
"decreaseCriticalityBasedOnEnv": false,
"detectionMethod": "string",
"evaluationWindow": "integer",
"hardcodedEvaluatorType": "string",
"impossibleTravelOptions": {
"baselineUserLocations": true
},
"keepAlive": "integer",
"maxSignalDuration": "integer",
"newValueOptions": {
"forgetAfter": "integer",
"learningDuration": "integer",
"learningMethod": "string",
"learningThreshold": "integer"
},
"thirdPartyRuleOptions": {
"defaultNotifications": [],
"defaultStatus": "critical",
"rootQueries": [
{
"groupByFields": [],
"query": "source:cloudtrail"
}
],
"signalTitleTemplate": "string"
}
},
"queries": [
{
"aggregation": "string",
"distinctFields": [],
"groupByFields": [],
"hasOptionalGroupByFields": false,
"metric": "string",
"metrics": [],
"name": "string",
"query": "a > 3"
}
],
"referenceTables": [
{
"checkPresence": false,
"columnName": "string",
"logFieldPath": "string",
"ruleQueryName": "string",
"tableName": "string"
}
],
"tags": [],
"thirdPartyCases": [
{
"name": "string",
"notifications": [],
"query": "string",
"status": "critical"
}
],
"type": "string",
"updateAuthorId": "integer",
"version": "integer"
}
Bad Request
API error response.
{
"errors": [
"Bad Request"
]
}
Not Authorized
API error response.
{
"errors": [
"Bad Request"
]
}
Too many requests
API error response.
{
"errors": [
"Bad Request"
]
}
# Curl command
curl -X POST "https://api.ap1.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/rules" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
"type": "cloud_configuration",
"name": "Example-Security-Monitoring_cloud",
"isEnabled": false,
"cases": [
{
"status": "info",
"notifications": [
"channel"
]
}
],
"options": {
"complianceRuleOptions": {
"resourceType": "gcp_compute_disk",
"complexRule": false,
"regoRule": {
"policy": "package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nmilliseconds_in_a_day := ((1000 * 60) * 60) * 24\n\neval(iam_service_account_key) = \"skip\" if {\n\tiam_service_account_key.disabled\n} else = \"pass\" if {\n\t(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n",
"resourceTypes": [
"gcp_compute_disk"
]
}
}
},
"message": "ddd",
"tags": [
"my:tag"
],
"complianceSignalOptions": {
"userActivationStatus": true,
"userGroupByFields": [
"@account_id"
]
},
"filters": [
{
"action": "require",
"query": "resource_id:helo*"
},
{
"action": "suppress",
"query": "control:helo*"
}
]
}
EOF
# Curl command
curl -X POST "https://api.ap1.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/rules" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
"name": "Example-Security-Monitoring",
"queries": [
{
"query": "@test:true",
"aggregation": "count",
"groupByFields": [],
"distinctFields": [],
"metric": ""
}
],
"filters": [],
"cases": [
{
"name": "",
"status": "info",
"condition": "a > 0",
"notifications": []
}
],
"options": {
"evaluationWindow": 900,
"keepAlive": 3600,
"maxSignalDuration": 86400
},
"message": "Test rule",
"tags": [],
"isEnabled": true,
"type": "log_detection",
"referenceTables": [
{
"tableName": "synthetics_test_reference_table_dont_delete",
"columnName": "value",
"logFieldPath": "testtag",
"checkPresence": true,
"ruleQueryName": "a"
}
]
}
EOF
# Curl command
curl -X POST "https://api.ap1.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/rules" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
"name": "Example-Security-Monitoring",
"type": "log_detection",
"isEnabled": true,
"thirdPartyCases": [
{
"query": "status:error",
"name": "high",
"status": "high"
},
{
"query": "status:info",
"name": "low",
"status": "low"
}
],
"queries": [],
"cases": [],
"message": "This is a third party rule",
"options": {
"detectionMethod": "third_party",
"keepAlive": 0,
"maxSignalDuration": 600,
"thirdPartyRuleOptions": {
"defaultStatus": "info",
"rootQueries": [
{
"query": "source:guardduty @details.alertType:*EC2*",
"groupByFields": [
"instance-id"
]
},
{
"query": "source:guardduty",
"groupByFields": []
}
]
}
}
}
EOF
// Create a cloud_configuration rule returns "OK" response
package main
import (
"context"
"encoding/json"
"fmt"
"os"
"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)
func main() {
body := datadogV2.SecurityMonitoringRuleCreatePayload{
CloudConfigurationRuleCreatePayload: &datadogV2.CloudConfigurationRuleCreatePayload{
Type: datadogV2.CLOUDCONFIGURATIONRULETYPE_CLOUD_CONFIGURATION.Ptr(),
Name: "Example-Security-Monitoring_cloud",
IsEnabled: false,
Cases: []datadogV2.CloudConfigurationRuleCaseCreate{
{
Status: datadogV2.SECURITYMONITORINGRULESEVERITY_INFO,
Notifications: []string{
"channel",
},
},
},
Options: datadogV2.CloudConfigurationRuleOptions{
ComplianceRuleOptions: datadogV2.CloudConfigurationComplianceRuleOptions{
ResourceType: datadog.PtrString("gcp_compute_disk"),
ComplexRule: datadog.PtrBool(false),
RegoRule: &datadogV2.CloudConfigurationRegoRule{
Policy: `package datadog
import data.datadog.output as dd_output
import future.keywords.contains
import future.keywords.if
import future.keywords.in
milliseconds_in_a_day := ((1000 * 60) * 60) * 24
eval(iam_service_account_key) = "skip" if {
iam_service_account_key.disabled
} else = "pass" if {
(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90
} else = "fail"
# This part remains unchanged for all rules
results contains result if {
some resource in input.resources[input.main_resource_type]
result := dd_output.format(resource, eval(resource))
}
`,
ResourceTypes: []string{
"gcp_compute_disk",
},
},
},
},
Message: "ddd",
Tags: []string{
"my:tag",
},
ComplianceSignalOptions: datadogV2.CloudConfigurationRuleComplianceSignalOptions{
UserActivationStatus: *datadog.NewNullableBool(datadog.PtrBool(true)),
UserGroupByFields: *datadog.NewNullableList(&[]string{
"@account_id",
}),
},
Filters: []datadogV2.SecurityMonitoringFilter{
{
Action: datadogV2.SECURITYMONITORINGFILTERACTION_REQUIRE.Ptr(),
Query: datadog.PtrString("resource_id:helo*"),
},
{
Action: datadogV2.SECURITYMONITORINGFILTERACTION_SUPPRESS.Ptr(),
Query: datadog.PtrString("control:helo*"),
},
},
}}
ctx := datadog.NewDefaultContext(context.Background())
configuration := datadog.NewConfiguration()
apiClient := datadog.NewAPIClient(configuration)
api := datadogV2.NewSecurityMonitoringApi(apiClient)
resp, r, err := api.CreateSecurityMonitoringRule(ctx, body)
if err != nil {
fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.CreateSecurityMonitoringRule`: %v\n", err)
fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
}
responseContent, _ := json.MarshalIndent(resp, "", " ")
fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.CreateSecurityMonitoringRule`:\n%s\n", responseContent)
}
// Create a detection rule returns "OK" response
package main
import (
"context"
"encoding/json"
"fmt"
"os"
"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)
func main() {
body := datadogV2.SecurityMonitoringRuleCreatePayload{
SecurityMonitoringStandardRuleCreatePayload: &datadogV2.SecurityMonitoringStandardRuleCreatePayload{
Name: "Example-Security-Monitoring",
Queries: []datadogV2.SecurityMonitoringStandardRuleQuery{
{
Query: datadog.PtrString("@test:true"),
Aggregation: datadogV2.SECURITYMONITORINGRULEQUERYAGGREGATION_COUNT.Ptr(),
GroupByFields: []string{},
DistinctFields: []string{},
Metric: datadog.PtrString(""),
},
},
Filters: []datadogV2.SecurityMonitoringFilter{},
Cases: []datadogV2.SecurityMonitoringRuleCaseCreate{
{
Name: datadog.PtrString(""),
Status: datadogV2.SECURITYMONITORINGRULESEVERITY_INFO,
Condition: datadog.PtrString("a > 0"),
Notifications: []string{},
},
},
Options: datadogV2.SecurityMonitoringRuleOptions{
EvaluationWindow: datadogV2.SECURITYMONITORINGRULEEVALUATIONWINDOW_FIFTEEN_MINUTES.Ptr(),
KeepAlive: datadogV2.SECURITYMONITORINGRULEKEEPALIVE_ONE_HOUR.Ptr(),
MaxSignalDuration: datadogV2.SECURITYMONITORINGRULEMAXSIGNALDURATION_ONE_DAY.Ptr(),
},
Message: "Test rule",
Tags: []string{},
IsEnabled: true,
Type: datadogV2.SECURITYMONITORINGRULETYPECREATE_LOG_DETECTION.Ptr(),
}}
ctx := datadog.NewDefaultContext(context.Background())
configuration := datadog.NewConfiguration()
apiClient := datadog.NewAPIClient(configuration)
api := datadogV2.NewSecurityMonitoringApi(apiClient)
resp, r, err := api.CreateSecurityMonitoringRule(ctx, body)
if err != nil {
fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.CreateSecurityMonitoringRule`: %v\n", err)
fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
}
responseContent, _ := json.MarshalIndent(resp, "", " ")
fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.CreateSecurityMonitoringRule`:\n%s\n", responseContent)
}
// Create a detection rule with detection method 'third_party' returns "OK" response
package main
import (
"context"
"encoding/json"
"fmt"
"os"
"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)
func main() {
body := datadogV2.SecurityMonitoringRuleCreatePayload{
SecurityMonitoringStandardRuleCreatePayload: &datadogV2.SecurityMonitoringStandardRuleCreatePayload{
Name: "Example-Security-Monitoring",
Type: datadogV2.SECURITYMONITORINGRULETYPECREATE_LOG_DETECTION.Ptr(),
IsEnabled: true,
ThirdPartyCases: []datadogV2.SecurityMonitoringThirdPartyRuleCaseCreate{
{
Query: datadog.PtrString("status:error"),
Name: datadog.PtrString("high"),
Status: datadogV2.SECURITYMONITORINGRULESEVERITY_HIGH,
},
{
Query: datadog.PtrString("status:info"),
Name: datadog.PtrString("low"),
Status: datadogV2.SECURITYMONITORINGRULESEVERITY_LOW,
},
},
Queries: []datadogV2.SecurityMonitoringStandardRuleQuery{},
Cases: []datadogV2.SecurityMonitoringRuleCaseCreate{},
Message: "This is a third party rule",
Options: datadogV2.SecurityMonitoringRuleOptions{
DetectionMethod: datadogV2.SECURITYMONITORINGRULEDETECTIONMETHOD_THIRD_PARTY.Ptr(),
KeepAlive: datadogV2.SECURITYMONITORINGRULEKEEPALIVE_ZERO_MINUTES.Ptr(),
MaxSignalDuration: datadogV2.SECURITYMONITORINGRULEMAXSIGNALDURATION_TEN_MINUTES.Ptr(),
ThirdPartyRuleOptions: &datadogV2.SecurityMonitoringRuleThirdPartyOptions{
DefaultStatus: datadogV2.SECURITYMONITORINGRULESEVERITY_INFO.Ptr(),
RootQueries: []datadogV2.SecurityMonitoringThirdPartyRootQuery{
{
Query: datadog.PtrString("source:guardduty @details.alertType:*EC2*"),
GroupByFields: []string{
"instance-id",
},
},
{
Query: datadog.PtrString("source:guardduty"),
GroupByFields: []string{},
},
},
},
},
}}
ctx := datadog.NewDefaultContext(context.Background())
configuration := datadog.NewConfiguration()
apiClient := datadog.NewAPIClient(configuration)
api := datadogV2.NewSecurityMonitoringApi(apiClient)
resp, r, err := api.CreateSecurityMonitoringRule(ctx, body)
if err != nil {
fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.CreateSecurityMonitoringRule`: %v\n", err)
fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
}
responseContent, _ := json.MarshalIndent(resp, "", " ")
fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.CreateSecurityMonitoringRule`:\n%s\n", responseContent)
}
First install the library and its dependencies and then save the example to main.go
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
// Create a cloud_configuration rule returns "OK" response
import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.CloudConfigurationComplianceRuleOptions;
import com.datadog.api.client.v2.model.CloudConfigurationRegoRule;
import com.datadog.api.client.v2.model.CloudConfigurationRuleCaseCreate;
import com.datadog.api.client.v2.model.CloudConfigurationRuleComplianceSignalOptions;
import com.datadog.api.client.v2.model.CloudConfigurationRuleCreatePayload;
import com.datadog.api.client.v2.model.CloudConfigurationRuleOptions;
import com.datadog.api.client.v2.model.CloudConfigurationRuleType;
import com.datadog.api.client.v2.model.SecurityMonitoringFilter;
import com.datadog.api.client.v2.model.SecurityMonitoringFilterAction;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCreatePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleResponse;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSeverity;
import java.util.Arrays;
import java.util.Collections;
public class Example {
public static void main(String[] args) {
ApiClient defaultClient = ApiClient.getDefaultApiClient();
SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);
SecurityMonitoringRuleCreatePayload body =
new SecurityMonitoringRuleCreatePayload(
new CloudConfigurationRuleCreatePayload()
.type(CloudConfigurationRuleType.CLOUD_CONFIGURATION)
.name("Example-Security-Monitoring_cloud")
.isEnabled(false)
.cases(
Collections.singletonList(
new CloudConfigurationRuleCaseCreate()
.status(SecurityMonitoringRuleSeverity.INFO)
.notifications(Collections.singletonList("channel"))))
.options(
new CloudConfigurationRuleOptions()
.complianceRuleOptions(
new CloudConfigurationComplianceRuleOptions()
.resourceType("gcp_compute_disk")
.complexRule(false)
.regoRule(
new CloudConfigurationRegoRule()
.policy(
"""
package datadog
import data.datadog.output as dd_output
import future.keywords.contains
import future.keywords.if
import future.keywords.in
milliseconds_in_a_day := ((1000 * 60) * 60) * 24
eval(iam_service_account_key) = "skip" if {
iam_service_account_key.disabled
} else = "pass" if {
(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90
} else = "fail"
# This part remains unchanged for all rules
results contains result if {
some resource in input.resources[input.main_resource_type]
result := dd_output.format(resource, eval(resource))
}
""")
.resourceTypes(
Collections.singletonList("gcp_compute_disk")))))
.message("ddd")
.tags(Collections.singletonList("my:tag"))
.complianceSignalOptions(
new CloudConfigurationRuleComplianceSignalOptions()
.userActivationStatus(true)
.userGroupByFields(Collections.singletonList("@account_id")))
.filters(
Arrays.asList(
new SecurityMonitoringFilter()
.action(SecurityMonitoringFilterAction.REQUIRE)
.query("resource_id:helo*"),
new SecurityMonitoringFilter()
.action(SecurityMonitoringFilterAction.SUPPRESS)
.query("control:helo*"))));
try {
SecurityMonitoringRuleResponse result = apiInstance.createSecurityMonitoringRule(body);
System.out.println(result);
} catch (ApiException e) {
System.err.println(
"Exception when calling SecurityMonitoringApi#createSecurityMonitoringRule");
System.err.println("Status code: " + e.getCode());
System.err.println("Reason: " + e.getResponseBody());
System.err.println("Response headers: " + e.getResponseHeaders());
e.printStackTrace();
}
}
}
// Create a detection rule returns "OK" response
import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCaseCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCreatePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleEvaluationWindow;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleKeepAlive;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleMaxSignalDuration;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleOptions;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleQueryAggregation;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleResponse;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSeverity;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleTypeCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRuleCreatePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRuleQuery;
import java.util.Collections;
public class Example {
public static void main(String[] args) {
ApiClient defaultClient = ApiClient.getDefaultApiClient();
SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);
SecurityMonitoringRuleCreatePayload body =
new SecurityMonitoringRuleCreatePayload(
new SecurityMonitoringStandardRuleCreatePayload()
.name("Example-Security-Monitoring")
.queries(
Collections.singletonList(
new SecurityMonitoringStandardRuleQuery()
.query("@test:true")
.aggregation(SecurityMonitoringRuleQueryAggregation.COUNT)
.metric("")))
.cases(
Collections.singletonList(
new SecurityMonitoringRuleCaseCreate()
.name("")
.status(SecurityMonitoringRuleSeverity.INFO)
.condition("a > 0")))
.options(
new SecurityMonitoringRuleOptions()
.evaluationWindow(SecurityMonitoringRuleEvaluationWindow.FIFTEEN_MINUTES)
.keepAlive(SecurityMonitoringRuleKeepAlive.ONE_HOUR)
.maxSignalDuration(SecurityMonitoringRuleMaxSignalDuration.ONE_DAY))
.message("Test rule")
.isEnabled(true)
.type(SecurityMonitoringRuleTypeCreate.LOG_DETECTION));
try {
SecurityMonitoringRuleResponse result = apiInstance.createSecurityMonitoringRule(body);
System.out.println(result);
} catch (ApiException e) {
System.err.println(
"Exception when calling SecurityMonitoringApi#createSecurityMonitoringRule");
System.err.println("Status code: " + e.getCode());
System.err.println("Reason: " + e.getResponseBody());
System.err.println("Response headers: " + e.getResponseHeaders());
e.printStackTrace();
}
}
}
// Create a detection rule with detection method 'third_party' returns "OK" response
import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCreatePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleDetectionMethod;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleKeepAlive;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleMaxSignalDuration;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleOptions;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleResponse;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSeverity;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleThirdPartyOptions;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleTypeCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRuleCreatePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringThirdPartyRootQuery;
import com.datadog.api.client.v2.model.SecurityMonitoringThirdPartyRuleCaseCreate;
import java.util.Arrays;
import java.util.Collections;
public class Example {
public static void main(String[] args) {
ApiClient defaultClient = ApiClient.getDefaultApiClient();
SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);
SecurityMonitoringRuleCreatePayload body =
new SecurityMonitoringRuleCreatePayload(
new SecurityMonitoringStandardRuleCreatePayload()
.name("Example-Security-Monitoring")
.type(SecurityMonitoringRuleTypeCreate.LOG_DETECTION)
.isEnabled(true)
.thirdPartyCases(
Arrays.asList(
new SecurityMonitoringThirdPartyRuleCaseCreate()
.query("status:error")
.name("high")
.status(SecurityMonitoringRuleSeverity.HIGH),
new SecurityMonitoringThirdPartyRuleCaseCreate()
.query("status:info")
.name("low")
.status(SecurityMonitoringRuleSeverity.LOW)))
.message("This is a third party rule")
.options(
new SecurityMonitoringRuleOptions()
.detectionMethod(SecurityMonitoringRuleDetectionMethod.THIRD_PARTY)
.keepAlive(SecurityMonitoringRuleKeepAlive.ZERO_MINUTES)
.maxSignalDuration(SecurityMonitoringRuleMaxSignalDuration.TEN_MINUTES)
.thirdPartyRuleOptions(
new SecurityMonitoringRuleThirdPartyOptions()
.defaultStatus(SecurityMonitoringRuleSeverity.INFO)
.rootQueries(
Arrays.asList(
new SecurityMonitoringThirdPartyRootQuery()
.query("source:guardduty @details.alertType:*EC2*")
.groupByFields(
Collections.singletonList("instance-id")),
new SecurityMonitoringThirdPartyRootQuery()
.query("source:guardduty"))))));
try {
SecurityMonitoringRuleResponse result = apiInstance.createSecurityMonitoringRule(body);
System.out.println(result);
} catch (ApiException e) {
System.err.println(
"Exception when calling SecurityMonitoringApi#createSecurityMonitoringRule");
System.err.println("Status code: " + e.getCode());
System.err.println("Reason: " + e.getResponseBody());
System.err.println("Response headers: " + e.getResponseHeaders());
e.printStackTrace();
}
}
}
First install the library and its dependencies and then save the example to Example.java
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
"""
Create a cloud_configuration rule returns "OK" response
"""
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.cloud_configuration_compliance_rule_options import (
CloudConfigurationComplianceRuleOptions,
)
from datadog_api_client.v2.model.cloud_configuration_rego_rule import CloudConfigurationRegoRule
from datadog_api_client.v2.model.cloud_configuration_rule_case_create import CloudConfigurationRuleCaseCreate
from datadog_api_client.v2.model.cloud_configuration_rule_compliance_signal_options import (
CloudConfigurationRuleComplianceSignalOptions,
)
from datadog_api_client.v2.model.cloud_configuration_rule_create_payload import CloudConfigurationRuleCreatePayload
from datadog_api_client.v2.model.cloud_configuration_rule_options import CloudConfigurationRuleOptions
from datadog_api_client.v2.model.cloud_configuration_rule_type import CloudConfigurationRuleType
from datadog_api_client.v2.model.security_monitoring_filter import SecurityMonitoringFilter
from datadog_api_client.v2.model.security_monitoring_filter_action import SecurityMonitoringFilterAction
from datadog_api_client.v2.model.security_monitoring_rule_severity import SecurityMonitoringRuleSeverity
body = CloudConfigurationRuleCreatePayload(
type=CloudConfigurationRuleType.CLOUD_CONFIGURATION,
name="Example-Security-Monitoring_cloud",
is_enabled=False,
cases=[
CloudConfigurationRuleCaseCreate(
status=SecurityMonitoringRuleSeverity.INFO,
notifications=[
"channel",
],
),
],
options=CloudConfigurationRuleOptions(
compliance_rule_options=CloudConfigurationComplianceRuleOptions(
resource_type="gcp_compute_disk",
complex_rule=False,
rego_rule=CloudConfigurationRegoRule(
policy='package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nmilliseconds_in_a_day := ((1000 * 60) * 60) * 24\n\neval(iam_service_account_key) = "skip" if {\n\tiam_service_account_key.disabled\n} else = "pass" if {\n\t(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90\n} else = "fail"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n',
resource_types=[
"gcp_compute_disk",
],
),
),
),
message="ddd",
tags=[
"my:tag",
],
compliance_signal_options=CloudConfigurationRuleComplianceSignalOptions(
user_activation_status=True,
user_group_by_fields=[
"@account_id",
],
),
filters=[
SecurityMonitoringFilter(
action=SecurityMonitoringFilterAction.REQUIRE,
query="resource_id:helo*",
),
SecurityMonitoringFilter(
action=SecurityMonitoringFilterAction.SUPPRESS,
query="control:helo*",
),
],
)
configuration = Configuration()
with ApiClient(configuration) as api_client:
api_instance = SecurityMonitoringApi(api_client)
response = api_instance.create_security_monitoring_rule(body=body)
print(response)
"""
Create a detection rule returns "OK" response
"""
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_rule_case_create import SecurityMonitoringRuleCaseCreate
from datadog_api_client.v2.model.security_monitoring_rule_evaluation_window import (
SecurityMonitoringRuleEvaluationWindow,
)
from datadog_api_client.v2.model.security_monitoring_rule_keep_alive import SecurityMonitoringRuleKeepAlive
from datadog_api_client.v2.model.security_monitoring_rule_max_signal_duration import (
SecurityMonitoringRuleMaxSignalDuration,
)
from datadog_api_client.v2.model.security_monitoring_rule_options import SecurityMonitoringRuleOptions
from datadog_api_client.v2.model.security_monitoring_rule_query_aggregation import (
SecurityMonitoringRuleQueryAggregation,
)
from datadog_api_client.v2.model.security_monitoring_rule_severity import SecurityMonitoringRuleSeverity
from datadog_api_client.v2.model.security_monitoring_rule_type_create import SecurityMonitoringRuleTypeCreate
from datadog_api_client.v2.model.security_monitoring_standard_rule_create_payload import (
SecurityMonitoringStandardRuleCreatePayload,
)
from datadog_api_client.v2.model.security_monitoring_standard_rule_query import SecurityMonitoringStandardRuleQuery
body = SecurityMonitoringStandardRuleCreatePayload(
name="Example-Security-Monitoring",
queries=[
SecurityMonitoringStandardRuleQuery(
query="@test:true",
aggregation=SecurityMonitoringRuleQueryAggregation.COUNT,
group_by_fields=[],
distinct_fields=[],
metric="",
),
],
filters=[],
cases=[
SecurityMonitoringRuleCaseCreate(
name="",
status=SecurityMonitoringRuleSeverity.INFO,
condition="a > 0",
notifications=[],
),
],
options=SecurityMonitoringRuleOptions(
evaluation_window=SecurityMonitoringRuleEvaluationWindow.FIFTEEN_MINUTES,
keep_alive=SecurityMonitoringRuleKeepAlive.ONE_HOUR,
max_signal_duration=SecurityMonitoringRuleMaxSignalDuration.ONE_DAY,
),
message="Test rule",
tags=[],
is_enabled=True,
type=SecurityMonitoringRuleTypeCreate.LOG_DETECTION,
)
configuration = Configuration()
with ApiClient(configuration) as api_client:
api_instance = SecurityMonitoringApi(api_client)
response = api_instance.create_security_monitoring_rule(body=body)
print(response)
"""
Create a detection rule with detection method 'third_party' returns "OK" response
"""
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_rule_detection_method import SecurityMonitoringRuleDetectionMethod
from datadog_api_client.v2.model.security_monitoring_rule_keep_alive import SecurityMonitoringRuleKeepAlive
from datadog_api_client.v2.model.security_monitoring_rule_max_signal_duration import (
SecurityMonitoringRuleMaxSignalDuration,
)
from datadog_api_client.v2.model.security_monitoring_rule_options import SecurityMonitoringRuleOptions
from datadog_api_client.v2.model.security_monitoring_rule_severity import SecurityMonitoringRuleSeverity
from datadog_api_client.v2.model.security_monitoring_rule_third_party_options import (
SecurityMonitoringRuleThirdPartyOptions,
)
from datadog_api_client.v2.model.security_monitoring_rule_type_create import SecurityMonitoringRuleTypeCreate
from datadog_api_client.v2.model.security_monitoring_standard_rule_create_payload import (
SecurityMonitoringStandardRuleCreatePayload,
)
from datadog_api_client.v2.model.security_monitoring_third_party_root_query import SecurityMonitoringThirdPartyRootQuery
from datadog_api_client.v2.model.security_monitoring_third_party_rule_case_create import (
SecurityMonitoringThirdPartyRuleCaseCreate,
)
body = SecurityMonitoringStandardRuleCreatePayload(
name="Example-Security-Monitoring",
type=SecurityMonitoringRuleTypeCreate.LOG_DETECTION,
is_enabled=True,
third_party_cases=[
SecurityMonitoringThirdPartyRuleCaseCreate(
query="status:error",
name="high",
status=SecurityMonitoringRuleSeverity.HIGH,
),
SecurityMonitoringThirdPartyRuleCaseCreate(
query="status:info",
name="low",
status=SecurityMonitoringRuleSeverity.LOW,
),
],
queries=[],
cases=[],
message="This is a third party rule",
options=SecurityMonitoringRuleOptions(
detection_method=SecurityMonitoringRuleDetectionMethod.THIRD_PARTY,
keep_alive=SecurityMonitoringRuleKeepAlive.ZERO_MINUTES,
max_signal_duration=SecurityMonitoringRuleMaxSignalDuration.TEN_MINUTES,
third_party_rule_options=SecurityMonitoringRuleThirdPartyOptions(
default_status=SecurityMonitoringRuleSeverity.INFO,
root_queries=[
SecurityMonitoringThirdPartyRootQuery(
query="source:guardduty @details.alertType:*EC2*",
group_by_fields=[
"instance-id",
],
),
SecurityMonitoringThirdPartyRootQuery(
query="source:guardduty",
group_by_fields=[],
),
],
),
),
)
configuration = Configuration()
with ApiClient(configuration) as api_client:
api_instance = SecurityMonitoringApi(api_client)
response = api_instance.create_security_monitoring_rule(body=body)
print(response)
First install the library and its dependencies and then save the example to example.py
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
# Create a cloud_configuration rule returns "OK" response
require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
body = DatadogAPIClient::V2::CloudConfigurationRuleCreatePayload.new({
type: DatadogAPIClient::V2::CloudConfigurationRuleType::CLOUD_CONFIGURATION,
name: "Example-Security-Monitoring_cloud",
is_enabled: false,
cases: [
DatadogAPIClient::V2::CloudConfigurationRuleCaseCreate.new({
status: DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::INFO,
notifications: [
"channel",
],
}),
],
options: DatadogAPIClient::V2::CloudConfigurationRuleOptions.new({
compliance_rule_options: DatadogAPIClient::V2::CloudConfigurationComplianceRuleOptions.new({
resource_type: "gcp_compute_disk",
complex_rule: false,
rego_rule: DatadogAPIClient::V2::CloudConfigurationRegoRule.new({
policy: 'package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nmilliseconds_in_a_day := ((1000 * 60) * 60) * 24\n\neval(iam_service_account_key) = "skip" if {\n\tiam_service_account_key.disabled\n} else = "pass" if {\n\t(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90\n} else = "fail"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n',
resource_types: [
"gcp_compute_disk",
],
}),
}),
}),
message: "ddd",
tags: [
"my:tag",
],
compliance_signal_options: DatadogAPIClient::V2::CloudConfigurationRuleComplianceSignalOptions.new({
user_activation_status: true,
user_group_by_fields: [
"@account_id",
],
}),
filters: [
DatadogAPIClient::V2::SecurityMonitoringFilter.new({
action: DatadogAPIClient::V2::SecurityMonitoringFilterAction::REQUIRE,
query: "resource_id:helo*",
}),
DatadogAPIClient::V2::SecurityMonitoringFilter.new({
action: DatadogAPIClient::V2::SecurityMonitoringFilterAction::SUPPRESS,
query: "control:helo*",
}),
],
})
p api_instance.create_security_monitoring_rule(body)
# Create a detection rule returns "OK" response
require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
body = DatadogAPIClient::V2::SecurityMonitoringStandardRuleCreatePayload.new({
name: "Example-Security-Monitoring",
queries: [
DatadogAPIClient::V2::SecurityMonitoringStandardRuleQuery.new({
query: "@test:true",
aggregation: DatadogAPIClient::V2::SecurityMonitoringRuleQueryAggregation::COUNT,
group_by_fields: [],
distinct_fields: [],
metric: "",
}),
],
filters: [],
cases: [
DatadogAPIClient::V2::SecurityMonitoringRuleCaseCreate.new({
name: "",
status: DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::INFO,
condition: "a > 0",
notifications: [],
}),
],
options: DatadogAPIClient::V2::SecurityMonitoringRuleOptions.new({
evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::FIFTEEN_MINUTES,
keep_alive: DatadogAPIClient::V2::SecurityMonitoringRuleKeepAlive::ONE_HOUR,
max_signal_duration: DatadogAPIClient::V2::SecurityMonitoringRuleMaxSignalDuration::ONE_DAY,
}),
message: "Test rule",
tags: [],
is_enabled: true,
type: DatadogAPIClient::V2::SecurityMonitoringRuleTypeCreate::LOG_DETECTION,
})
p api_instance.create_security_monitoring_rule(body)
# Create a detection rule with detection method 'third_party' returns "OK" response
require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
body = DatadogAPIClient::V2::SecurityMonitoringStandardRuleCreatePayload.new({
name: "Example-Security-Monitoring",
type: DatadogAPIClient::V2::SecurityMonitoringRuleTypeCreate::LOG_DETECTION,
is_enabled: true,
third_party_cases: [
DatadogAPIClient::V2::SecurityMonitoringThirdPartyRuleCaseCreate.new({
query: "status:error",
name: "high",
status: DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::HIGH,
}),
DatadogAPIClient::V2::SecurityMonitoringThirdPartyRuleCaseCreate.new({
query: "status:info",
name: "low",
status: DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::LOW,
}),
],
queries: [],
cases: [],
message: "This is a third party rule",
options: DatadogAPIClient::V2::SecurityMonitoringRuleOptions.new({
detection_method: DatadogAPIClient::V2::SecurityMonitoringRuleDetectionMethod::THIRD_PARTY,
keep_alive: DatadogAPIClient::V2::SecurityMonitoringRuleKeepAlive::ZERO_MINUTES,
max_signal_duration: DatadogAPIClient::V2::SecurityMonitoringRuleMaxSignalDuration::TEN_MINUTES,
third_party_rule_options: DatadogAPIClient::V2::SecurityMonitoringRuleThirdPartyOptions.new({
default_status: DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::INFO,
root_queries: [
DatadogAPIClient::V2::SecurityMonitoringThirdPartyRootQuery.new({
query: "source:guardduty @details.alertType:*EC2*",
group_by_fields: [
"instance-id",
],
}),
DatadogAPIClient::V2::SecurityMonitoringThirdPartyRootQuery.new({
query: "source:guardduty",
group_by_fields: [],
}),
],
}),
}),
})
p api_instance.create_security_monitoring_rule(body)
First install the library and its dependencies and then save the example to example.rb
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
// Create a cloud_configuration rule returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::CloudConfigurationComplianceRuleOptions;
use datadog_api_client::datadogV2::model::CloudConfigurationRegoRule;
use datadog_api_client::datadogV2::model::CloudConfigurationRuleCaseCreate;
use datadog_api_client::datadogV2::model::CloudConfigurationRuleComplianceSignalOptions;
use datadog_api_client::datadogV2::model::CloudConfigurationRuleCreatePayload;
use datadog_api_client::datadogV2::model::CloudConfigurationRuleOptions;
use datadog_api_client::datadogV2::model::CloudConfigurationRuleType;
use datadog_api_client::datadogV2::model::SecurityMonitoringFilter;
use datadog_api_client::datadogV2::model::SecurityMonitoringFilterAction;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleCreatePayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSeverity;
#[tokio::main]
async fn main() {
let body =
SecurityMonitoringRuleCreatePayload::CloudConfigurationRuleCreatePayload(
Box::new(
CloudConfigurationRuleCreatePayload::new(
vec![
CloudConfigurationRuleCaseCreate::new(
SecurityMonitoringRuleSeverity::INFO,
).notifications(vec!["channel".to_string()])
],
CloudConfigurationRuleComplianceSignalOptions::new()
.user_activation_status(Some(true))
.user_group_by_fields(Some(vec!["@account_id".to_string()])),
false,
"ddd".to_string(),
"Example-Security-Monitoring_cloud".to_string(),
CloudConfigurationRuleOptions::new(
CloudConfigurationComplianceRuleOptions::new()
.complex_rule(false)
.rego_rule(
CloudConfigurationRegoRule::new(
r#"package datadog
import data.datadog.output as dd_output
import future.keywords.contains
import future.keywords.if
import future.keywords.in
milliseconds_in_a_day := ((1000 * 60) * 60) * 24
eval(iam_service_account_key) = "skip" if {
iam_service_account_key.disabled
} else = "pass" if {
(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90
} else = "fail"
# This part remains unchanged for all rules
results contains result if {
some resource in input.resources[input.main_resource_type]
result := dd_output.format(resource, eval(resource))
}
"#.to_string(),
vec!["gcp_compute_disk".to_string()],
),
)
.resource_type("gcp_compute_disk".to_string()),
),
)
.filters(
vec![
SecurityMonitoringFilter::new()
.action(SecurityMonitoringFilterAction::REQUIRE)
.query("resource_id:helo*".to_string()),
SecurityMonitoringFilter::new()
.action(SecurityMonitoringFilterAction::SUPPRESS)
.query("control:helo*".to_string())
],
)
.tags(vec!["my:tag".to_string()])
.type_(CloudConfigurationRuleType::CLOUD_CONFIGURATION),
),
);
let configuration = datadog::Configuration::new();
let api = SecurityMonitoringAPI::with_config(configuration);
let resp = api.create_security_monitoring_rule(body).await;
if let Ok(value) = resp {
println!("{:#?}", value);
} else {
println!("{:#?}", resp.unwrap_err());
}
}
// Create a detection rule returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleCaseCreate;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleCreatePayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleEvaluationWindow;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleKeepAlive;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleMaxSignalDuration;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleOptions;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleQueryAggregation;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSeverity;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleTypeCreate;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRuleCreatePayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRuleQuery;
#[tokio::main]
async fn main() {
let body =
SecurityMonitoringRuleCreatePayload::SecurityMonitoringStandardRuleCreatePayload(Box::new(
SecurityMonitoringStandardRuleCreatePayload::new(
vec![
SecurityMonitoringRuleCaseCreate::new(SecurityMonitoringRuleSeverity::INFO)
.condition("a > 0".to_string())
.name("".to_string())
.notifications(vec![]),
],
true,
"Test rule".to_string(),
"Example-Security-Monitoring".to_string(),
SecurityMonitoringRuleOptions::new()
.evaluation_window(SecurityMonitoringRuleEvaluationWindow::FIFTEEN_MINUTES)
.keep_alive(SecurityMonitoringRuleKeepAlive::ONE_HOUR)
.max_signal_duration(SecurityMonitoringRuleMaxSignalDuration::ONE_DAY),
vec![SecurityMonitoringStandardRuleQuery::new()
.aggregation(SecurityMonitoringRuleQueryAggregation::COUNT)
.distinct_fields(vec![])
.group_by_fields(vec![])
.metric("".to_string())
.query("@test:true".to_string())],
)
.filters(vec![])
.tags(vec![])
.type_(SecurityMonitoringRuleTypeCreate::LOG_DETECTION),
));
let configuration = datadog::Configuration::new();
let api = SecurityMonitoringAPI::with_config(configuration);
let resp = api.create_security_monitoring_rule(body).await;
if let Ok(value) = resp {
println!("{:#?}", value);
} else {
println!("{:#?}", resp.unwrap_err());
}
}
// Create a detection rule with detection method 'third_party' returns "OK"
// response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleCreatePayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleDetectionMethod;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleKeepAlive;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleMaxSignalDuration;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleOptions;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSeverity;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleThirdPartyOptions;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleTypeCreate;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRuleCreatePayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringThirdPartyRootQuery;
use datadog_api_client::datadogV2::model::SecurityMonitoringThirdPartyRuleCaseCreate;
#[tokio::main]
async fn main() {
let body =
SecurityMonitoringRuleCreatePayload::SecurityMonitoringStandardRuleCreatePayload(Box::new(
SecurityMonitoringStandardRuleCreatePayload::new(
vec![],
true,
"This is a third party rule".to_string(),
"Example-Security-Monitoring".to_string(),
SecurityMonitoringRuleOptions::new()
.detection_method(SecurityMonitoringRuleDetectionMethod::THIRD_PARTY)
.keep_alive(SecurityMonitoringRuleKeepAlive::ZERO_MINUTES)
.max_signal_duration(SecurityMonitoringRuleMaxSignalDuration::TEN_MINUTES)
.third_party_rule_options(
SecurityMonitoringRuleThirdPartyOptions::new()
.default_status(SecurityMonitoringRuleSeverity::INFO)
.root_queries(vec![
SecurityMonitoringThirdPartyRootQuery::new()
.group_by_fields(vec!["instance-id".to_string()])
.query("source:guardduty @details.alertType:*EC2*".to_string()),
SecurityMonitoringThirdPartyRootQuery::new()
.group_by_fields(vec![])
.query("source:guardduty".to_string()),
]),
),
vec![],
)
.third_party_cases(vec![
SecurityMonitoringThirdPartyRuleCaseCreate::new(
SecurityMonitoringRuleSeverity::HIGH,
)
.name("high".to_string())
.query("status:error".to_string()),
SecurityMonitoringThirdPartyRuleCaseCreate::new(
SecurityMonitoringRuleSeverity::LOW,
)
.name("low".to_string())
.query("status:info".to_string()),
])
.type_(SecurityMonitoringRuleTypeCreate::LOG_DETECTION),
));
let configuration = datadog::Configuration::new();
let api = SecurityMonitoringAPI::with_config(configuration);
let resp = api.create_security_monitoring_rule(body).await;
if let Ok(value) = resp {
println!("{:#?}", value);
} else {
println!("{:#?}", resp.unwrap_err());
}
}
First install the library and its dependencies and then save the example to src/main.rs
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
/**
* Create a cloud_configuration rule returns "OK" response
*/
import { client, v2 } from "@datadog/datadog-api-client";
const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);
const params: v2.SecurityMonitoringApiCreateSecurityMonitoringRuleRequest = {
body: {
type: "cloud_configuration",
name: "Example-Security-Monitoring_cloud",
isEnabled: false,
cases: [
{
status: "info",
notifications: ["channel"],
},
],
options: {
complianceRuleOptions: {
resourceType: "gcp_compute_disk",
complexRule: false,
regoRule: {
policy: `package datadog
import data.datadog.output as dd_output
import future.keywords.contains
import future.keywords.if
import future.keywords.in
milliseconds_in_a_day := ((1000 * 60) * 60) * 24
eval(iam_service_account_key) = "skip" if {
iam_service_account_key.disabled
} else = "pass" if {
(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90
} else = "fail"
# This part remains unchanged for all rules
results contains result if {
some resource in input.resources[input.main_resource_type]
result := dd_output.format(resource, eval(resource))
}
`,
resourceTypes: ["gcp_compute_disk"],
},
},
},
message: "ddd",
tags: ["my:tag"],
complianceSignalOptions: {
userActivationStatus: true,
userGroupByFields: ["@account_id"],
},
filters: [
{
action: "require",
query: "resource_id:helo*",
},
{
action: "suppress",
query: "control:helo*",
},
],
},
};
apiInstance
.createSecurityMonitoringRule(params)
.then((data: v2.SecurityMonitoringRuleResponse) => {
console.log(
"API called successfully. Returned data: " + JSON.stringify(data)
);
})
.catch((error: any) => console.error(error));
/**
* Create a detection rule returns "OK" response
*/
import { client, v2 } from "@datadog/datadog-api-client";
const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);
const params: v2.SecurityMonitoringApiCreateSecurityMonitoringRuleRequest = {
body: {
name: "Example-Security-Monitoring",
queries: [
{
query: "@test:true",
aggregation: "count",
groupByFields: [],
distinctFields: [],
metric: "",
},
],
filters: [],
cases: [
{
name: "",
status: "info",
condition: "a > 0",
notifications: [],
},
],
options: {
evaluationWindow: 900,
keepAlive: 3600,
maxSignalDuration: 86400,
},
message: "Test rule",
tags: [],
isEnabled: true,
type: "log_detection",
},
};
apiInstance
.createSecurityMonitoringRule(params)
.then((data: v2.SecurityMonitoringRuleResponse) => {
console.log(
"API called successfully. Returned data: " + JSON.stringify(data)
);
})
.catch((error: any) => console.error(error));
/**
* Create a detection rule with detection method 'third_party' returns "OK" response
*/
import { client, v2 } from "@datadog/datadog-api-client";
const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);
const params: v2.SecurityMonitoringApiCreateSecurityMonitoringRuleRequest = {
body: {
name: "Example-Security-Monitoring",
type: "log_detection",
isEnabled: true,
thirdPartyCases: [
{
query: "status:error",
name: "high",
status: "high",
},
{
query: "status:info",
name: "low",
status: "low",
},
],
queries: [],
cases: [],
message: "This is a third party rule",
options: {
detectionMethod: "third_party",
keepAlive: 0,
maxSignalDuration: 600,
thirdPartyRuleOptions: {
defaultStatus: "info",
rootQueries: [
{
query: "source:guardduty @details.alertType:*EC2*",
groupByFields: ["instance-id"],
},
{
query: "source:guardduty",
groupByFields: [],
},
],
},
},
},
};
apiInstance
.createSecurityMonitoringRule(params)
.then((data: v2.SecurityMonitoringRuleResponse) => {
console.log(
"API called successfully. Returned data: " + JSON.stringify(data)
);
})
.catch((error: any) => console.error(error));
First install the library and its dependencies and then save the example to example.ts
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
GET https://api.ap1.datadoghq.com/api/v2/security_monitoring/ruleshttps://api.datadoghq.eu/api/v2/security_monitoring/ruleshttps://api.ddog-gov.com/api/v2/security_monitoring/ruleshttps://api.datadoghq.com/api/v2/security_monitoring/ruleshttps://api.us3.datadoghq.com/api/v2/security_monitoring/ruleshttps://api.us5.datadoghq.com/api/v2/security_monitoring/rules
List rules.
This endpoint requires the security_monitoring_rules_read
permission.
OAuth apps require the security_monitoring_rules_read
authorization scope to access this endpoint.
이름
유형
설명
page[size]
integer
Size for a given page. The maximum allowed value is 100.
page[number]
integer
Specific page number to return.
OK
List of rules.
항목
유형
설명
data
[ <oneOf>]
Array containing the list of rules.
Option 1
Rule.
cases
[object]
Cases for generating signals.
condition
string
A rule case contains logical operations (>
,>=
, &&
, ||
) to determine if a signal should be generated
based on the event counts in the previously defined queries.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
status
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
complianceSignalOptions
object
How to generate compliance signals. Useful for cloud_configuration rules only.
defaultActivationStatus
boolean
The default activation status.
defaultGroupByFields
[string]
The default group by fields.
userActivationStatus
boolean
Whether signals will be sent.
userGroupByFields
[string]
Fields to use to group findings by when sending signals.
createdAt
int64
When the rule was created, timestamp in milliseconds.
creationAuthorId
int64
User ID of the user who created the rule.
defaultTags
[string]
Default Tags for default rules (included in tags)
deprecationDate
int64
When the rule will be deprecated, timestamp in milliseconds.
filters
[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
enum
The type of filtering action.
Allowed enum values: require,suppress
query
string
Query for selecting logs to apply the filtering action.
hasExtendedTitle
boolean
Whether the notifications include the triggering group-by values in their title.
id
string
The ID of the rule.
isDefault
boolean
Whether the rule is included by default.
isDeleted
boolean
Whether the rule has been deleted.
isEnabled
boolean
Whether the rule is enabled.
message
string
Message for generated signals.
name
string
The name of the rule.
options
object
Options on rules.
complianceRuleOptions
object
Options for cloud_configuration rules.
Fields resourceType
and regoRule
are mandatory when managing custom cloud_configuration
rules.
complexRule
boolean
Whether the rule is a complex one.
Must be set to true if regoRule.resourceTypes
contains more than one item. Defaults to false.
regoRule
object
Rule details.
policy [required]
string
The policy written in rego
, see: https://www.openpolicyagent.org/docs/latest/policy-language/
resourceTypes [required]
[string]
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
string
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes
.
decreaseCriticalityBasedOnEnv
boolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.
The severity is decreased by one level: CRITICAL
in production becomes HIGH
in non-production, HIGH
becomes MEDIUM
and so on. INFO
remains INFO
.
The decrement is applied when the environment tag of the signal starts with staging
, test
or dev
.
detectionMethod
enum
The detection method.
Allowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold
evaluationWindow
enum
A time window is specified to match when at least one of the cases matches true. This is a sliding window
and evaluates in real time. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200
hardcodedEvaluatorType
enum
Hardcoded evaluator type.
Allowed enum values: log4shell
impossibleTravelOptions
object
Options on impossible travel rules.
baselineUserLocations
boolean
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
enum
Once a signal is generated, the signal will remain “open” if a case is matched at least once within
this keep alive window. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600
maxSignalDuration
enum
A signal will “close” regardless of the query being matched once the time exceeds the maximum duration.
This time is calculated from the first seen timestamp.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
object
Options on new value rules.
forgetAfter
enum
The duration in days after which a learned value is forgotten.
Allowed enum values: 1,2,7,14,21,28
learningDuration
enum
The duration in days during which values are learned, and after which signals will be generated for values that
weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned.
Allowed enum values: 0,1,7
learningMethod
enum
The learning method used to determine when signals should be generated for values that weren't learned.
Allowed enum values: duration,threshold
default: duration
learningThreshold
enum
A number of occurrences after which signals will be generated for values that weren't learned.
Allowed enum values: 0,1
thirdPartyRuleOptions
object
Options on third party rules.
defaultNotifications
[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
rootQueries
[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
[string]
Fields to group by.
query
string
Query to run on logs.
signalTitleTemplate
string
A template for the signal title; if omitted, the title is generated based on the case name.
queries
[object]
Queries for selecting logs which are part of the rule.
aggregation
enum
The aggregation type.
Allowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
distinctFields
[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
[string]
Fields to group by.
hasOptionalGroupByFields
boolean
When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with N/A
, replacing the missing values.
metric
string
DEPRECATED: (Deprecated) The target field to aggregate over when using the sum or max
aggregations. metrics
field should be used instead.
metrics
[string]
Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.
name
string
Name of the query.
query
string
Query to run on logs.
referenceTables
[object]
Reference tables for the rule.
checkPresence
boolean
Whether to include or exclude the matched values.
columnName
string
The name of the column in the reference table.
logFieldPath
string
The field in the log to match against the reference table.
ruleQueryName
string
The name of the rule query to apply the reference table to.
tableName
string
The name of the reference table.
tags
[string]
Tags for generated signals.
thirdPartyCases
[object]
Cases for generating signals from third-party rules. Only available for third-party rules.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
query
string
A query to map a third party event to this case.
status
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
type
enum
The rule type.
Allowed enum values: log_detection,infrastructure_configuration,workload_security,cloud_configuration,application_security
updateAuthorId
int64
User ID of the user who updated the rule.
version
int64
The version of the rule.
Option 2
Rule.
cases
[object]
Cases for generating signals.
condition
string
A rule case contains logical operations (>
,>=
, &&
, ||
) to determine if a signal should be generated
based on the event counts in the previously defined queries.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
status
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
createdAt
int64
When the rule was created, timestamp in milliseconds.
creationAuthorId
int64
User ID of the user who created the rule.
deprecationDate
int64
When the rule will be deprecated, timestamp in milliseconds.
filters
[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
enum
The type of filtering action.
Allowed enum values: require,suppress
query
string
Query for selecting logs to apply the filtering action.
hasExtendedTitle
boolean
Whether the notifications include the triggering group-by values in their title.
id
string
The ID of the rule.
isDefault
boolean
Whether the rule is included by default.
isDeleted
boolean
Whether the rule has been deleted.
isEnabled
boolean
Whether the rule is enabled.
message
string
Message for generated signals.
name
string
The name of the rule.
options
object
Options on rules.
complianceRuleOptions
object
Options for cloud_configuration rules.
Fields resourceType
and regoRule
are mandatory when managing custom cloud_configuration
rules.
complexRule
boolean
Whether the rule is a complex one.
Must be set to true if regoRule.resourceTypes
contains more than one item. Defaults to false.
regoRule
object
Rule details.
policy [required]
string
The policy written in rego
, see: https://www.openpolicyagent.org/docs/latest/policy-language/
resourceTypes [required]
[string]
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
string
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes
.
decreaseCriticalityBasedOnEnv
boolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.
The severity is decreased by one level: CRITICAL
in production becomes HIGH
in non-production, HIGH
becomes MEDIUM
and so on. INFO
remains INFO
.
The decrement is applied when the environment tag of the signal starts with staging
, test
or dev
.
detectionMethod
enum
The detection method.
Allowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold
evaluationWindow
enum
A time window is specified to match when at least one of the cases matches true. This is a sliding window
and evaluates in real time. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200
hardcodedEvaluatorType
enum
Hardcoded evaluator type.
Allowed enum values: log4shell
impossibleTravelOptions
object
Options on impossible travel rules.
baselineUserLocations
boolean
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
enum
Once a signal is generated, the signal will remain “open” if a case is matched at least once within
this keep alive window. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600
maxSignalDuration
enum
A signal will “close” regardless of the query being matched once the time exceeds the maximum duration.
This time is calculated from the first seen timestamp.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
object
Options on new value rules.
forgetAfter
enum
The duration in days after which a learned value is forgotten.
Allowed enum values: 1,2,7,14,21,28
learningDuration
enum
The duration in days during which values are learned, and after which signals will be generated for values that
weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned.
Allowed enum values: 0,1,7
learningMethod
enum
The learning method used to determine when signals should be generated for values that weren't learned.
Allowed enum values: duration,threshold
default: duration
learningThreshold
enum
A number of occurrences after which signals will be generated for values that weren't learned.
Allowed enum values: 0,1
thirdPartyRuleOptions
object
Options on third party rules.
defaultNotifications
[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
rootQueries
[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
[string]
Fields to group by.
query
string
Query to run on logs.
signalTitleTemplate
string
A template for the signal title; if omitted, the title is generated based on the case name.
queries
[object]
Queries for selecting logs which are part of the rule.
aggregation
enum
The aggregation type.
Allowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
correlatedByFields
[string]
Fields to correlate by.
correlatedQueryIndex
int32
Index of the rule query used to retrieve the correlated field.
defaultRuleId
string
Default Rule ID to match on signals.
distinctFields
[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
[string]
Fields to group by.
metrics
[string]
Group of target fields to aggregate over.
name
string
Name of the query.
ruleId
string
Rule ID to match on signals.
tags
[string]
Tags for generated signals.
type
enum
The rule type.
Allowed enum values: signal_correlation
updateAuthorId
int64
User ID of the user who updated the rule.
version
int64
The version of the rule.
meta
object
Object describing meta attributes of response.
page
object
Pagination object.
total_count
int64
Total count.
total_filtered_count
int64
Total count of elements matched by the filter.
{
"data": [
{
"cases": [
{
"condition": "string",
"name": "string",
"notifications": [],
"status": "critical"
}
],
"complianceSignalOptions": {
"defaultActivationStatus": false,
"defaultGroupByFields": [],
"userActivationStatus": false,
"userGroupByFields": []
},
"createdAt": "integer",
"creationAuthorId": "integer",
"defaultTags": [
"security:attacks"
],
"deprecationDate": "integer",
"filters": [
{
"action": "string",
"query": "string"
}
],
"hasExtendedTitle": false,
"id": "string",
"isDefault": false,
"isDeleted": false,
"isEnabled": false,
"message": "string",
"name": "string",
"options": {
"complianceRuleOptions": {
"complexRule": false,
"regoRule": {
"policy": "package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(resource) = \"skip\" if {\n # Logic that evaluates to true if the resource should be skipped\n true\n} else = \"pass\" {\n # Logic that evaluates to true if the resource is compliant\n true\n} else = \"fail\" {\n # Logic that evaluates to true if the resource is not compliant\n true\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n some resource in input.resources[input.main_resource_type]\n result := dd_output.format(resource, eval(resource))\n}\n",
"resourceTypes": [
"gcp_iam_service_account",
"gcp_iam_policy"
]
},
"resourceType": "aws_acm"
},
"decreaseCriticalityBasedOnEnv": false,
"detectionMethod": "string",
"evaluationWindow": "integer",
"hardcodedEvaluatorType": "string",
"impossibleTravelOptions": {
"baselineUserLocations": true
},
"keepAlive": "integer",
"maxSignalDuration": "integer",
"newValueOptions": {
"forgetAfter": "integer",
"learningDuration": "integer",
"learningMethod": "string",
"learningThreshold": "integer"
},
"thirdPartyRuleOptions": {
"defaultNotifications": [],
"defaultStatus": "critical",
"rootQueries": [
{
"groupByFields": [],
"query": "source:cloudtrail"
}
],
"signalTitleTemplate": "string"
}
},
"queries": [
{
"aggregation": "string",
"distinctFields": [],
"groupByFields": [],
"hasOptionalGroupByFields": false,
"metric": "string",
"metrics": [],
"name": "string",
"query": "a > 3"
}
],
"referenceTables": [
{
"checkPresence": false,
"columnName": "string",
"logFieldPath": "string",
"ruleQueryName": "string",
"tableName": "string"
}
],
"tags": [],
"thirdPartyCases": [
{
"name": "string",
"notifications": [],
"query": "string",
"status": "critical"
}
],
"type": "string",
"updateAuthorId": "integer",
"version": "integer"
}
],
"meta": {
"page": {
"total_count": "integer",
"total_filtered_count": "integer"
}
}
}
Bad Request
API error response.
{
"errors": [
"Bad Request"
]
}
Too many requests
API error response.
{
"errors": [
"Bad Request"
]
}
# Curl command
curl -X GET "https://api.ap1.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/rules" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
"""
List rules returns "OK" response
"""
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
configuration = Configuration()
with ApiClient(configuration) as api_client:
api_instance = SecurityMonitoringApi(api_client)
response = api_instance.list_security_monitoring_rules()
print(response)
First install the library and its dependencies and then save the example to example.py
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
# List rules returns "OK" response
require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
p api_instance.list_security_monitoring_rules()
First install the library and its dependencies and then save the example to example.rb
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
// List rules returns "OK" response
package main
import (
"context"
"encoding/json"
"fmt"
"os"
"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)
func main() {
ctx := datadog.NewDefaultContext(context.Background())
configuration := datadog.NewConfiguration()
apiClient := datadog.NewAPIClient(configuration)
api := datadogV2.NewSecurityMonitoringApi(apiClient)
resp, r, err := api.ListSecurityMonitoringRules(ctx, *datadogV2.NewListSecurityMonitoringRulesOptionalParameters())
if err != nil {
fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.ListSecurityMonitoringRules`: %v\n", err)
fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
}
responseContent, _ := json.MarshalIndent(resp, "", " ")
fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.ListSecurityMonitoringRules`:\n%s\n", responseContent)
}
First install the library and its dependencies and then save the example to main.go
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
// List rules returns "OK" response
import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringListRulesResponse;
public class Example {
public static void main(String[] args) {
ApiClient defaultClient = ApiClient.getDefaultApiClient();
SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);
try {
SecurityMonitoringListRulesResponse result = apiInstance.listSecurityMonitoringRules();
System.out.println(result);
} catch (ApiException e) {
System.err.println(
"Exception when calling SecurityMonitoringApi#listSecurityMonitoringRules");
System.err.println("Status code: " + e.getCode());
System.err.println("Reason: " + e.getResponseBody());
System.err.println("Response headers: " + e.getResponseHeaders());
e.printStackTrace();
}
}
}
First install the library and its dependencies and then save the example to Example.java
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
// List rules returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::ListSecurityMonitoringRulesOptionalParams;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
#[tokio::main]
async fn main() {
let configuration = datadog::Configuration::new();
let api = SecurityMonitoringAPI::with_config(configuration);
let resp = api
.list_security_monitoring_rules(ListSecurityMonitoringRulesOptionalParams::default())
.await;
if let Ok(value) = resp {
println!("{:#?}", value);
} else {
println!("{:#?}", resp.unwrap_err());
}
}
First install the library and its dependencies and then save the example to src/main.rs
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
/**
* List rules returns "OK" response
*/
import { client, v2 } from "@datadog/datadog-api-client";
const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);
apiInstance
.listSecurityMonitoringRules()
.then((data: v2.SecurityMonitoringListRulesResponse) => {
console.log(
"API called successfully. Returned data: " + JSON.stringify(data)
);
})
.catch((error: any) => console.error(error));
First install the library and its dependencies and then save the example to example.ts
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
GET https://api.ap1.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}https://api.datadoghq.eu/api/v2/security_monitoring/rules/{rule_id}https://api.ddog-gov.com/api/v2/security_monitoring/rules/{rule_id}https://api.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}https://api.us3.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}https://api.us5.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}
Get a rule’s details.
This endpoint requires the security_monitoring_rules_read
permission.
OAuth apps require the security_monitoring_rules_read
authorization scope to access this endpoint.
이름
유형
설명
rule_id [required]
string
The ID of the rule.
OK
Create a new rule.
항목
유형
설명
Option 1
Rule.
cases
[object]
Cases for generating signals.
condition
string
A rule case contains logical operations (>
,>=
, &&
, ||
) to determine if a signal should be generated
based on the event counts in the previously defined queries.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
status
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
complianceSignalOptions
object
How to generate compliance signals. Useful for cloud_configuration rules only.
defaultActivationStatus
boolean
The default activation status.
defaultGroupByFields
[string]
The default group by fields.
userActivationStatus
boolean
Whether signals will be sent.
userGroupByFields
[string]
Fields to use to group findings by when sending signals.
createdAt
int64
When the rule was created, timestamp in milliseconds.
creationAuthorId
int64
User ID of the user who created the rule.
defaultTags
[string]
Default Tags for default rules (included in tags)
deprecationDate
int64
When the rule will be deprecated, timestamp in milliseconds.
filters
[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
enum
The type of filtering action.
Allowed enum values: require,suppress
query
string
Query for selecting logs to apply the filtering action.
hasExtendedTitle
boolean
Whether the notifications include the triggering group-by values in their title.
id
string
The ID of the rule.
isDefault
boolean
Whether the rule is included by default.
isDeleted
boolean
Whether the rule has been deleted.
isEnabled
boolean
Whether the rule is enabled.
message
string
Message for generated signals.
name
string
The name of the rule.
options
object
Options on rules.
complianceRuleOptions
object
Options for cloud_configuration rules.
Fields resourceType
and regoRule
are mandatory when managing custom cloud_configuration
rules.
complexRule
boolean
Whether the rule is a complex one.
Must be set to true if regoRule.resourceTypes
contains more than one item. Defaults to false.
regoRule
object
Rule details.
policy [required]
string
The policy written in rego
, see: https://www.openpolicyagent.org/docs/latest/policy-language/
resourceTypes [required]
[string]
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
string
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes
.
decreaseCriticalityBasedOnEnv
boolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.
The severity is decreased by one level: CRITICAL
in production becomes HIGH
in non-production, HIGH
becomes MEDIUM
and so on. INFO
remains INFO
.
The decrement is applied when the environment tag of the signal starts with staging
, test
or dev
.
detectionMethod
enum
The detection method.
Allowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold
evaluationWindow
enum
A time window is specified to match when at least one of the cases matches true. This is a sliding window
and evaluates in real time. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200
hardcodedEvaluatorType
enum
Hardcoded evaluator type.
Allowed enum values: log4shell
impossibleTravelOptions
object
Options on impossible travel rules.
baselineUserLocations
boolean
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
enum
Once a signal is generated, the signal will remain “open” if a case is matched at least once within
this keep alive window. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600
maxSignalDuration
enum
A signal will “close” regardless of the query being matched once the time exceeds the maximum duration.
This time is calculated from the first seen timestamp.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
object
Options on new value rules.
forgetAfter
enum
The duration in days after which a learned value is forgotten.
Allowed enum values: 1,2,7,14,21,28
learningDuration
enum
The duration in days during which values are learned, and after which signals will be generated for values that
weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned.
Allowed enum values: 0,1,7
learningMethod
enum
The learning method used to determine when signals should be generated for values that weren't learned.
Allowed enum values: duration,threshold
default: duration
learningThreshold
enum
A number of occurrences after which signals will be generated for values that weren't learned.
Allowed enum values: 0,1
thirdPartyRuleOptions
object
Options on third party rules.
defaultNotifications
[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
rootQueries
[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
[string]
Fields to group by.
query
string
Query to run on logs.
signalTitleTemplate
string
A template for the signal title; if omitted, the title is generated based on the case name.
queries
[object]
Queries for selecting logs which are part of the rule.
aggregation
enum
The aggregation type.
Allowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
distinctFields
[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
[string]
Fields to group by.
hasOptionalGroupByFields
boolean
When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with N/A
, replacing the missing values.
metric
string
DEPRECATED: (Deprecated) The target field to aggregate over when using the sum or max
aggregations. metrics
field should be used instead.
metrics
[string]
Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.
name
string
Name of the query.
query
string
Query to run on logs.
referenceTables
[object]
Reference tables for the rule.
checkPresence
boolean
Whether to include or exclude the matched values.
columnName
string
The name of the column in the reference table.
logFieldPath
string
The field in the log to match against the reference table.
ruleQueryName
string
The name of the rule query to apply the reference table to.
tableName
string
The name of the reference table.
tags
[string]
Tags for generated signals.
thirdPartyCases
[object]
Cases for generating signals from third-party rules. Only available for third-party rules.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
query
string
A query to map a third party event to this case.
status
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
type
enum
The rule type.
Allowed enum values: log_detection,infrastructure_configuration,workload_security,cloud_configuration,application_security
updateAuthorId
int64
User ID of the user who updated the rule.
version
int64
The version of the rule.
Option 2
Rule.
cases
[object]
Cases for generating signals.
condition
string
A rule case contains logical operations (>
,>=
, &&
, ||
) to determine if a signal should be generated
based on the event counts in the previously defined queries.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
status
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
createdAt
int64
When the rule was created, timestamp in milliseconds.
creationAuthorId
int64
User ID of the user who created the rule.
deprecationDate
int64
When the rule will be deprecated, timestamp in milliseconds.
filters
[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
enum
The type of filtering action.
Allowed enum values: require,suppress
query
string
Query for selecting logs to apply the filtering action.
hasExtendedTitle
boolean
Whether the notifications include the triggering group-by values in their title.
id
string
The ID of the rule.
isDefault
boolean
Whether the rule is included by default.
isDeleted
boolean
Whether the rule has been deleted.
isEnabled
boolean
Whether the rule is enabled.
message
string
Message for generated signals.
name
string
The name of the rule.
options
object
Options on rules.
complianceRuleOptions
object
Options for cloud_configuration rules.
Fields resourceType
and regoRule
are mandatory when managing custom cloud_configuration
rules.
complexRule
boolean
Whether the rule is a complex one.
Must be set to true if regoRule.resourceTypes
contains more than one item. Defaults to false.
regoRule
object
Rule details.
policy [required]
string
The policy written in rego
, see: https://www.openpolicyagent.org/docs/latest/policy-language/
resourceTypes [required]
[string]
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
string
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes
.
decreaseCriticalityBasedOnEnv
boolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.
The severity is decreased by one level: CRITICAL
in production becomes HIGH
in non-production, HIGH
becomes MEDIUM
and so on. INFO
remains INFO
.
The decrement is applied when the environment tag of the signal starts with staging
, test
or dev
.
detectionMethod
enum
The detection method.
Allowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold
evaluationWindow
enum
A time window is specified to match when at least one of the cases matches true. This is a sliding window
and evaluates in real time. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200
hardcodedEvaluatorType
enum
Hardcoded evaluator type.
Allowed enum values: log4shell
impossibleTravelOptions
object
Options on impossible travel rules.
baselineUserLocations
boolean
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
enum
Once a signal is generated, the signal will remain “open” if a case is matched at least once within
this keep alive window. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600
maxSignalDuration
enum
A signal will “close” regardless of the query being matched once the time exceeds the maximum duration.
This time is calculated from the first seen timestamp.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
object
Options on new value rules.
forgetAfter
enum
The duration in days after which a learned value is forgotten.
Allowed enum values: 1,2,7,14,21,28
learningDuration
enum
The duration in days during which values are learned, and after which signals will be generated for values that
weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned.
Allowed enum values: 0,1,7
learningMethod
enum
The learning method used to determine when signals should be generated for values that weren't learned.
Allowed enum values: duration,threshold
default: duration
learningThreshold
enum
A number of occurrences after which signals will be generated for values that weren't learned.
Allowed enum values: 0,1
thirdPartyRuleOptions
object
Options on third party rules.
defaultNotifications
[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
rootQueries
[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
[string]
Fields to group by.
query
string
Query to run on logs.
signalTitleTemplate
string
A template for the signal title; if omitted, the title is generated based on the case name.
queries
[object]
Queries for selecting logs which are part of the rule.
aggregation
enum
The aggregation type.
Allowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
correlatedByFields
[string]
Fields to correlate by.
correlatedQueryIndex
int32
Index of the rule query used to retrieve the correlated field.
defaultRuleId
string
Default Rule ID to match on signals.
distinctFields
[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
[string]
Fields to group by.
metrics
[string]
Group of target fields to aggregate over.
name
string
Name of the query.
ruleId
string
Rule ID to match on signals.
tags
[string]
Tags for generated signals.
type
enum
The rule type.
Allowed enum values: signal_correlation
updateAuthorId
int64
User ID of the user who updated the rule.
version
int64
The version of the rule.
{
"cases": [
{
"condition": "string",
"name": "string",
"notifications": [],
"status": "critical"
}
],
"complianceSignalOptions": {
"defaultActivationStatus": false,
"defaultGroupByFields": [],
"userActivationStatus": false,
"userGroupByFields": []
},
"createdAt": "integer",
"creationAuthorId": "integer",
"defaultTags": [
"security:attacks"
],
"deprecationDate": "integer",
"filters": [
{
"action": "string",
"query": "string"
}
],
"hasExtendedTitle": false,
"id": "string",
"isDefault": false,
"isDeleted": false,
"isEnabled": false,
"message": "string",
"name": "string",
"options": {
"complianceRuleOptions": {
"complexRule": false,
"regoRule": {
"policy": "package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(resource) = \"skip\" if {\n # Logic that evaluates to true if the resource should be skipped\n true\n} else = \"pass\" {\n # Logic that evaluates to true if the resource is compliant\n true\n} else = \"fail\" {\n # Logic that evaluates to true if the resource is not compliant\n true\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n some resource in input.resources[input.main_resource_type]\n result := dd_output.format(resource, eval(resource))\n}\n",
"resourceTypes": [
"gcp_iam_service_account",
"gcp_iam_policy"
]
},
"resourceType": "aws_acm"
},
"decreaseCriticalityBasedOnEnv": false,
"detectionMethod": "string",
"evaluationWindow": "integer",
"hardcodedEvaluatorType": "string",
"impossibleTravelOptions": {
"baselineUserLocations": true
},
"keepAlive": "integer",
"maxSignalDuration": "integer",
"newValueOptions": {
"forgetAfter": "integer",
"learningDuration": "integer",
"learningMethod": "string",
"learningThreshold": "integer"
},
"thirdPartyRuleOptions": {
"defaultNotifications": [],
"defaultStatus": "critical",
"rootQueries": [
{
"groupByFields": [],
"query": "source:cloudtrail"
}
],
"signalTitleTemplate": "string"
}
},
"queries": [
{
"aggregation": "string",
"distinctFields": [],
"groupByFields": [],
"hasOptionalGroupByFields": false,
"metric": "string",
"metrics": [],
"name": "string",
"query": "a > 3"
}
],
"referenceTables": [
{
"checkPresence": false,
"columnName": "string",
"logFieldPath": "string",
"ruleQueryName": "string",
"tableName": "string"
}
],
"tags": [],
"thirdPartyCases": [
{
"name": "string",
"notifications": [],
"query": "string",
"status": "critical"
}
],
"type": "string",
"updateAuthorId": "integer",
"version": "integer"
}
Not Found
API error response.
{
"errors": [
"Bad Request"
]
}
Too many requests
API error response.
{
"errors": [
"Bad Request"
]
}
# Path parameters
export rule_id="CHANGE_ME"
# Curl command
curl -X GET "https://api.ap1.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/rules/${rule_id}" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
"""
Get a rule's details returns "OK" response
"""
from os import environ
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
# there is a valid "security_rule" in the system
SECURITY_RULE_ID = environ["SECURITY_RULE_ID"]
configuration = Configuration()
with ApiClient(configuration) as api_client:
api_instance = SecurityMonitoringApi(api_client)
response = api_instance.get_security_monitoring_rule(
rule_id=SECURITY_RULE_ID,
)
print(response)
First install the library and its dependencies and then save the example to example.py
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
# Get a rule's details returns "OK" response
require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
# there is a valid "security_rule" in the system
SECURITY_RULE_ID = ENV["SECURITY_RULE_ID"]
p api_instance.get_security_monitoring_rule(SECURITY_RULE_ID)
First install the library and its dependencies and then save the example to example.rb
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
// Get a rule's details returns "OK" response
package main
import (
"context"
"encoding/json"
"fmt"
"os"
"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)
func main() {
// there is a valid "security_rule" in the system
SecurityRuleID := os.Getenv("SECURITY_RULE_ID")
ctx := datadog.NewDefaultContext(context.Background())
configuration := datadog.NewConfiguration()
apiClient := datadog.NewAPIClient(configuration)
api := datadogV2.NewSecurityMonitoringApi(apiClient)
resp, r, err := api.GetSecurityMonitoringRule(ctx, SecurityRuleID)
if err != nil {
fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.GetSecurityMonitoringRule`: %v\n", err)
fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
}
responseContent, _ := json.MarshalIndent(resp, "", " ")
fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.GetSecurityMonitoringRule`:\n%s\n", responseContent)
}
First install the library and its dependencies and then save the example to main.go
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
// Get a rule's details returns "OK" response
import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleResponse;
public class Example {
public static void main(String[] args) {
ApiClient defaultClient = ApiClient.getDefaultApiClient();
SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);
// there is a valid "security_rule" in the system
String SECURITY_RULE_ID = System.getenv("SECURITY_RULE_ID");
try {
SecurityMonitoringRuleResponse result =
apiInstance.getSecurityMonitoringRule(SECURITY_RULE_ID);
System.out.println(result);
} catch (ApiException e) {
System.err.println("Exception when calling SecurityMonitoringApi#getSecurityMonitoringRule");
System.err.println("Status code: " + e.getCode());
System.err.println("Reason: " + e.getResponseBody());
System.err.println("Response headers: " + e.getResponseHeaders());
e.printStackTrace();
}
}
}
First install the library and its dependencies and then save the example to Example.java
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
// Get a rule's details returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
#[tokio::main]
async fn main() {
// there is a valid "security_rule" in the system
let security_rule_id = std::env::var("SECURITY_RULE_ID").unwrap();
let configuration = datadog::Configuration::new();
let api = SecurityMonitoringAPI::with_config(configuration);
let resp = api
.get_security_monitoring_rule(security_rule_id.clone())
.await;
if let Ok(value) = resp {
println!("{:#?}", value);
} else {
println!("{:#?}", resp.unwrap_err());
}
}
First install the library and its dependencies and then save the example to src/main.rs
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
/**
* Get a rule's details returns "OK" response
*/
import { client, v2 } from "@datadog/datadog-api-client";
const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);
// there is a valid "security_rule" in the system
const SECURITY_RULE_ID = process.env.SECURITY_RULE_ID as string;
const params: v2.SecurityMonitoringApiGetSecurityMonitoringRuleRequest = {
ruleId: SECURITY_RULE_ID,
};
apiInstance
.getSecurityMonitoringRule(params)
.then((data: v2.SecurityMonitoringRuleResponse) => {
console.log(
"API called successfully. Returned data: " + JSON.stringify(data)
);
})
.catch((error: any) => console.error(error));
First install the library and its dependencies and then save the example to example.ts
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
PATCH https://api.ap1.datadoghq.com/api/v1/security_analytics/signals/{signal_id}/assigneehttps://api.datadoghq.eu/api/v1/security_analytics/signals/{signal_id}/assigneehttps://api.ddog-gov.com/api/v1/security_analytics/signals/{signal_id}/assigneehttps://api.datadoghq.com/api/v1/security_analytics/signals/{signal_id}/assigneehttps://api.us3.datadoghq.com/api/v1/security_analytics/signals/{signal_id}/assigneehttps://api.us5.datadoghq.com/api/v1/security_analytics/signals/{signal_id}/assignee
Modify the triage assignee of a security signal.
This endpoint requires the security_monitoring_signals_write
permission.
이름
유형
설명
signal_id [required]
string
The ID of the signal.
Attributes describing the signal update.
{
"assignee": "773b045d-ccf8-4808-bd3b-955ef6a8c940"
}
OK
Updated signal data following a successfully performed update.
{
"status": "string"
}
Bad Request
Error response object.
{
"errors": [
"Bad Request"
]
}
Forbidden
Error response object.
{
"errors": [
"Bad Request"
]
}
Not Found
Error response object.
{
"errors": [
"Bad Request"
]
}
Too many requests
Error response object.
{
"errors": [
"Bad Request"
]
}
# Path parameters
export signal_id="CHANGE_ME"
# Curl command
curl -X PATCH "https://api.ap1.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v1/security_analytics/signals/${signal_id}/assignee" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
"assignee": "773b045d-ccf8-4808-bd3b-955ef6a8c940"
}
EOF
// Modify the triage assignee of a security signal returns "OK" response
package main
import (
"context"
"encoding/json"
"fmt"
"os"
"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
"github.com/DataDog/datadog-api-client-go/v2/api/datadogV1"
)
func main() {
body := datadogV1.SignalAssigneeUpdateRequest{
Assignee: "773b045d-ccf8-4808-bd3b-955ef6a8c940",
}
ctx := datadog.NewDefaultContext(context.Background())
configuration := datadog.NewConfiguration()
apiClient := datadog.NewAPIClient(configuration)
api := datadogV1.NewSecurityMonitoringApi(apiClient)
resp, r, err := api.EditSecurityMonitoringSignalAssignee(ctx, "AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE", body)
if err != nil {
fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.EditSecurityMonitoringSignalAssignee`: %v\n", err)
fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
}
responseContent, _ := json.MarshalIndent(resp, "", " ")
fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.EditSecurityMonitoringSignalAssignee`:\n%s\n", responseContent)
}
First install the library and its dependencies and then save the example to main.go
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" go run "main.go"
// Modify the triage assignee of a security signal returns "OK" response
import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v1.api.SecurityMonitoringApi;
import com.datadog.api.client.v1.model.SignalAssigneeUpdateRequest;
import com.datadog.api.client.v1.model.SuccessfulSignalUpdateResponse;
public class Example {
public static void main(String[] args) {
ApiClient defaultClient = ApiClient.getDefaultApiClient();
SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);
SignalAssigneeUpdateRequest body =
new SignalAssigneeUpdateRequest().assignee("773b045d-ccf8-4808-bd3b-955ef6a8c940");
try {
SuccessfulSignalUpdateResponse result =
apiInstance.editSecurityMonitoringSignalAssignee(
"AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE", body);
System.out.println(result);
} catch (ApiException e) {
System.err.println(
"Exception when calling SecurityMonitoringApi#editSecurityMonitoringSignalAssignee");
System.err.println("Status code: " + e.getCode());
System.err.println("Reason: " + e.getResponseBody());
System.err.println("Response headers: " + e.getResponseHeaders());
e.printStackTrace();
}
}
}
First install the library and its dependencies and then save the example to Example.java
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" java "Example.java"
"""
Modify the triage assignee of a security signal returns "OK" response
"""
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v1.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v1.model.signal_assignee_update_request import SignalAssigneeUpdateRequest
body = SignalAssigneeUpdateRequest(
assignee="773b045d-ccf8-4808-bd3b-955ef6a8c940",
)
configuration = Configuration()
with ApiClient(configuration) as api_client:
api_instance = SecurityMonitoringApi(api_client)
response = api_instance.edit_security_monitoring_signal_assignee(
signal_id="AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE", body=body
)
print(response)
First install the library and its dependencies and then save the example to example.py
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" python3 "example.py"
# Modify the triage assignee of a security signal returns "OK" response
require "datadog_api_client"
api_instance = DatadogAPIClient::V1::SecurityMonitoringAPI.new
body = DatadogAPIClient::V1::SignalAssigneeUpdateRequest.new({
assignee: "773b045d-ccf8-4808-bd3b-955ef6a8c940",
})
p api_instance.edit_security_monitoring_signal_assignee("AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE", body)
First install the library and its dependencies and then save the example to example.rb
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" rb "example.rb"
// Modify the triage assignee of a security signal returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV1::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV1::model::SignalAssigneeUpdateRequest;
#[tokio::main]
async fn main() {
let body = SignalAssigneeUpdateRequest::new("773b045d-ccf8-4808-bd3b-955ef6a8c940".to_string());
let configuration = datadog::Configuration::new();
let api = SecurityMonitoringAPI::with_config(configuration);
let resp = api
.edit_security_monitoring_signal_assignee(
"AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE".to_string(),
body,
)
.await;
if let Ok(value) = resp {
println!("{:#?}", value);
} else {
println!("{:#?}", resp.unwrap_err());
}
}
First install the library and its dependencies and then save the example to src/main.rs
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" cargo run
/**
* Modify the triage assignee of a security signal returns "OK" response
*/
import { client, v1 } from "@datadog/datadog-api-client";
const configuration = client.createConfiguration();
const apiInstance = new v1.SecurityMonitoringApi(configuration);
const params: v1.SecurityMonitoringApiEditSecurityMonitoringSignalAssigneeRequest =
{
body: {
assignee: "773b045d-ccf8-4808-bd3b-955ef6a8c940",
},
signalId: "AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE",
};
apiInstance
.editSecurityMonitoringSignalAssignee(params)
.then((data: v1.SuccessfulSignalUpdateResponse) => {
console.log(
"API called successfully. Returned data: " + JSON.stringify(data)
);
})
.catch((error: any) => console.error(error));
First install the library and its dependencies and then save the example to example.ts
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" tsc "example.ts"
PATCH https://api.ap1.datadoghq.com/api/v2/security_monitoring/signals/{signal_id}/assigneehttps://api.datadoghq.eu/api/v2/security_monitoring/signals/{signal_id}/assigneehttps://api.ddog-gov.com/api/v2/security_monitoring/signals/{signal_id}/assigneehttps://api.datadoghq.com/api/v2/security_monitoring/signals/{signal_id}/assigneehttps://api.us3.datadoghq.com/api/v2/security_monitoring/signals/{signal_id}/assigneehttps://api.us5.datadoghq.com/api/v2/security_monitoring/signals/{signal_id}/assignee
Modify the triage assignee of a security signal.
This endpoint requires the security_monitoring_signals_write
permission.
이름
유형
설명
signal_id [required]
string
The ID of the signal.
Attributes describing the signal update.
항목
유형
설명
data [required]
object
Data containing the patch for changing the assignee of a signal.
attributes [required]
object
Attributes describing the new assignee of a security signal.
assignee [required]
object
Object representing a given user entity.
handle
string
The handle for this user account.
icon
string
Gravatar icon associated to the user.
id
int64
Numerical ID assigned by Datadog to this user account.
name
string
The name for this user account.
uuid [required]
string
UUID assigned by Datadog to this user account.
version
int64
Version of the updated signal. If server side version is higher, update will be rejected.
{
"data": {
"attributes": {
"assignee": {
"uuid": ""
}
}
}
}
OK
The response returned after all triage operations, containing the updated signal triage data.
항목
유형
설명
data [required]
object
Data containing the updated triage attributes of the signal.
attributes
object
Attributes describing a triage state update operation over a security signal.
archive_comment
string
Optional comment to display on archived signals.
archive_comment_timestamp
int64
Timestamp of the last edit to the comment.
archive_comment_user
object
Object representing a given user entity.
handle
string
The handle for this user account.
icon
string
Gravatar icon associated to the user.
id
int64
Numerical ID assigned by Datadog to this user account.
name
string
The name for this user account.
uuid [required]
string
UUID assigned by Datadog to this user account.
archive_reason
enum
Reason a signal is archived.
Allowed enum values: none,false_positive,testing_or_maintenance,investigated_case_opened,other
assignee [required]
object
Object representing a given user entity.
handle
string
The handle for this user account.
icon
string
Gravatar icon associated to the user.
id
int64
Numerical ID assigned by Datadog to this user account.
name
string
The name for this user account.
uuid [required]
string
UUID assigned by Datadog to this user account.
incident_ids [required]
[integer]
Array of incidents that are associated with this signal.
state [required]
enum
The new triage state of the signal.
Allowed enum values: open,archived,under_review
state_update_timestamp
int64
Timestamp of the last update to the signal state.
state_update_user
object
Object representing a given user entity.
handle
string
The handle for this user account.
icon
string
Gravatar icon associated to the user.
id
int64
Numerical ID assigned by Datadog to this user account.
name
string
The name for this user account.
uuid [required]
string
UUID assigned by Datadog to this user account.
id
string
The unique ID of the security signal.
type
enum
The type of event.
Allowed enum values: signal_metadata
default: signal_metadata
{
"data": {
"attributes": {
"archive_comment": "string",
"archive_comment_timestamp": "integer",
"archive_comment_user": {
"handle": "string",
"icon": "/path/to/matching/gravatar/icon",
"id": "integer",
"name": "string",
"uuid": "773b045d-ccf8-4808-bd3b-955ef6a8c940"
},
"archive_reason": "string",
"assignee": {
"handle": "string",
"icon": "/path/to/matching/gravatar/icon",
"id": "integer",
"name": "string",
"uuid": "773b045d-ccf8-4808-bd3b-955ef6a8c940"
},
"incident_ids": [
2066
],
"state": "open",
"state_update_timestamp": "integer",
"state_update_user": {
"handle": "string",
"icon": "/path/to/matching/gravatar/icon",
"id": "integer",
"name": "string",
"uuid": "773b045d-ccf8-4808-bd3b-955ef6a8c940"
}
},
"id": "string",
"type": "signal_metadata"
}
}
Bad Request
API error response.
{
"errors": [
"Bad Request"
]
}
Forbidden
API error response.
{
"errors": [
"Bad Request"
]
}
Not Found
API error response.
{
"errors": [
"Bad Request"
]
}
Too many requests
API error response.
{
"errors": [
"Bad Request"
]
}
# Path parameters
export signal_id="CHANGE_ME"
# Curl command
curl -X PATCH "https://api.ap1.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/signals/${signal_id}/assignee" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
"data": {
"attributes": {
"assignee": {
"uuid": ""
}
}
}
}
EOF
// Modify the triage assignee of a security signal returns "OK" response
package main
import (
"context"
"encoding/json"
"fmt"
"os"
"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)
func main() {
body := datadogV2.SecurityMonitoringSignalAssigneeUpdateRequest{
Data: datadogV2.SecurityMonitoringSignalAssigneeUpdateData{
Attributes: datadogV2.SecurityMonitoringSignalAssigneeUpdateAttributes{
Assignee: datadogV2.SecurityMonitoringTriageUser{
Uuid: "",
},
},
},
}
ctx := datadog.NewDefaultContext(context.Background())
configuration := datadog.NewConfiguration()
apiClient := datadog.NewAPIClient(configuration)
api := datadogV2.NewSecurityMonitoringApi(apiClient)
resp, r, err := api.EditSecurityMonitoringSignalAssignee(ctx, "AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE", body)
if err != nil {
fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.EditSecurityMonitoringSignalAssignee`: %v\n", err)
fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
}
responseContent, _ := json.MarshalIndent(resp, "", " ")
fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.EditSecurityMonitoringSignalAssignee`:\n%s\n", responseContent)
}
First install the library and its dependencies and then save the example to main.go
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" go run "main.go"
// Modify the triage assignee of a security signal returns "OK" response
import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalAssigneeUpdateAttributes;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalAssigneeUpdateData;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalAssigneeUpdateRequest;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalTriageUpdateResponse;
import com.datadog.api.client.v2.model.SecurityMonitoringTriageUser;
public class Example {
public static void main(String[] args) {
ApiClient defaultClient = ApiClient.getDefaultApiClient();
SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);
SecurityMonitoringSignalAssigneeUpdateRequest body =
new SecurityMonitoringSignalAssigneeUpdateRequest()
.data(
new SecurityMonitoringSignalAssigneeUpdateData()
.attributes(
new SecurityMonitoringSignalAssigneeUpdateAttributes()
.assignee(new SecurityMonitoringTriageUser().uuid(""))));
try {
SecurityMonitoringSignalTriageUpdateResponse result =
apiInstance.editSecurityMonitoringSignalAssignee(
"AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE", body);
System.out.println(result);
} catch (ApiException e) {
System.err.println(
"Exception when calling SecurityMonitoringApi#editSecurityMonitoringSignalAssignee");
System.err.println("Status code: " + e.getCode());
System.err.println("Reason: " + e.getResponseBody());
System.err.println("Response headers: " + e.getResponseHeaders());
e.printStackTrace();
}
}
}
First install the library and its dependencies and then save the example to Example.java
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" java "Example.java"
"""
Modify the triage assignee of a security signal returns "OK" response
"""
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_signal_assignee_update_attributes import (
SecurityMonitoringSignalAssigneeUpdateAttributes,
)
from datadog_api_client.v2.model.security_monitoring_signal_assignee_update_data import (
SecurityMonitoringSignalAssigneeUpdateData,
)
from datadog_api_client.v2.model.security_monitoring_signal_assignee_update_request import (
SecurityMonitoringSignalAssigneeUpdateRequest,
)
from datadog_api_client.v2.model.security_monitoring_triage_user import SecurityMonitoringTriageUser
body = SecurityMonitoringSignalAssigneeUpdateRequest(
data=SecurityMonitoringSignalAssigneeUpdateData(
attributes=SecurityMonitoringSignalAssigneeUpdateAttributes(
assignee=SecurityMonitoringTriageUser(
uuid="",
),
),
),
)
configuration = Configuration()
with ApiClient(configuration) as api_client:
api_instance = SecurityMonitoringApi(api_client)
response = api_instance.edit_security_monitoring_signal_assignee(
signal_id="AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE", body=body
)
print(response)
First install the library and its dependencies and then save the example to example.py
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" python3 "example.py"
# Modify the triage assignee of a security signal returns "OK" response
require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
body = DatadogAPIClient::V2::SecurityMonitoringSignalAssigneeUpdateRequest.new({
data: DatadogAPIClient::V2::SecurityMonitoringSignalAssigneeUpdateData.new({
attributes: DatadogAPIClient::V2::SecurityMonitoringSignalAssigneeUpdateAttributes.new({
assignee: DatadogAPIClient::V2::SecurityMonitoringTriageUser.new({
uuid: "",
}),
}),
}),
})
p api_instance.edit_security_monitoring_signal_assignee("AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE", body)
First install the library and its dependencies and then save the example to example.rb
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" rb "example.rb"
// Modify the triage assignee of a security signal returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringSignalAssigneeUpdateAttributes;
use datadog_api_client::datadogV2::model::SecurityMonitoringSignalAssigneeUpdateData;
use datadog_api_client::datadogV2::model::SecurityMonitoringSignalAssigneeUpdateRequest;
use datadog_api_client::datadogV2::model::SecurityMonitoringTriageUser;
#[tokio::main]
async fn main() {
let body = SecurityMonitoringSignalAssigneeUpdateRequest::new(
SecurityMonitoringSignalAssigneeUpdateData::new(
SecurityMonitoringSignalAssigneeUpdateAttributes::new(
SecurityMonitoringTriageUser::new("".to_string()),
),
),
);
let configuration = datadog::Configuration::new();
let api = SecurityMonitoringAPI::with_config(configuration);
let resp = api
.edit_security_monitoring_signal_assignee(
"AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE".to_string(),
body,
)
.await;
if let Ok(value) = resp {
println!("{:#?}", value);
} else {
println!("{:#?}", resp.unwrap_err());
}
}
First install the library and its dependencies and then save the example to src/main.rs
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" cargo run
/**
* Modify the triage assignee of a security signal returns "OK" response
*/
import { client, v2 } from "@datadog/datadog-api-client";
const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);
const params: v2.SecurityMonitoringApiEditSecurityMonitoringSignalAssigneeRequest =
{
body: {
data: {
attributes: {
assignee: {
uuid: "",
},
},
},
},
signalId: "AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE",
};
apiInstance
.editSecurityMonitoringSignalAssignee(params)
.then((data: v2.SecurityMonitoringSignalTriageUpdateResponse) => {
console.log(
"API called successfully. Returned data: " + JSON.stringify(data)
);
})
.catch((error: any) => console.error(error));
First install the library and its dependencies and then save the example to example.ts
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" tsc "example.ts"
PUT https://api.ap1.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}https://api.datadoghq.eu/api/v2/security_monitoring/rules/{rule_id}https://api.ddog-gov.com/api/v2/security_monitoring/rules/{rule_id}https://api.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}https://api.us3.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}https://api.us5.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}
Update an existing rule. When updating cases
, queries
or options
, the whole field
must be included. For example, when modifying a query all queries must be included.
Default rules can only be updated to be enabled, to change notifications, or to update
the tags (default tags cannot be removed).
This endpoint requires the security_monitoring_rules_write
permission.
OAuth apps require the security_monitoring_rules_write
authorization scope to access this endpoint.
이름
유형
설명
rule_id [required]
string
The ID of the rule.
항목
유형
설명
cases
[object]
Cases for generating signals.
condition
string
A rule case contains logical operations (>
,>=
, &&
, ||
) to determine if a signal should be generated
based on the event counts in the previously defined queries.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
status
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
complianceSignalOptions
object
How to generate compliance signals. Useful for cloud_configuration rules only.
defaultActivationStatus
boolean
The default activation status.
defaultGroupByFields
[string]
The default group by fields.
userActivationStatus
boolean
Whether signals will be sent.
userGroupByFields
[string]
Fields to use to group findings by when sending signals.
filters
[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
enum
The type of filtering action.
Allowed enum values: require,suppress
query
string
Query for selecting logs to apply the filtering action.
hasExtendedTitle
boolean
Whether the notifications include the triggering group-by values in their title.
isEnabled
boolean
Whether the rule is enabled.
message
string
Message for generated signals.
name
string
Name of the rule.
options
object
Options on rules.
complianceRuleOptions
object
Options for cloud_configuration rules.
Fields resourceType
and regoRule
are mandatory when managing custom cloud_configuration
rules.
complexRule
boolean
Whether the rule is a complex one.
Must be set to true if regoRule.resourceTypes
contains more than one item. Defaults to false.
regoRule
object
Rule details.
policy [required]
string
The policy written in rego
, see: https://www.openpolicyagent.org/docs/latest/policy-language/
resourceTypes [required]
[string]
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
string
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes
.
decreaseCriticalityBasedOnEnv
boolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.
The severity is decreased by one level: CRITICAL
in production becomes HIGH
in non-production, HIGH
becomes MEDIUM
and so on. INFO
remains INFO
.
The decrement is applied when the environment tag of the signal starts with staging
, test
or dev
.
detectionMethod
enum
The detection method.
Allowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold
evaluationWindow
enum
A time window is specified to match when at least one of the cases matches true. This is a sliding window
and evaluates in real time. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200
hardcodedEvaluatorType
enum
Hardcoded evaluator type.
Allowed enum values: log4shell
impossibleTravelOptions
object
Options on impossible travel rules.
baselineUserLocations
boolean
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
enum
Once a signal is generated, the signal will remain “open” if a case is matched at least once within
this keep alive window. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600
maxSignalDuration
enum
A signal will “close” regardless of the query being matched once the time exceeds the maximum duration.
This time is calculated from the first seen timestamp.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
object
Options on new value rules.
forgetAfter
enum
The duration in days after which a learned value is forgotten.
Allowed enum values: 1,2,7,14,21,28
learningDuration
enum
The duration in days during which values are learned, and after which signals will be generated for values that
weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned.
Allowed enum values: 0,1,7
learningMethod
enum
The learning method used to determine when signals should be generated for values that weren't learned.
Allowed enum values: duration,threshold
default: duration
learningThreshold
enum
A number of occurrences after which signals will be generated for values that weren't learned.
Allowed enum values: 0,1
thirdPartyRuleOptions
object
Options on third party rules.
defaultNotifications
[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
rootQueries
[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
[string]
Fields to group by.
query
string
Query to run on logs.
signalTitleTemplate
string
A template for the signal title; if omitted, the title is generated based on the case name.
queries
[ <oneOf>]
Queries for selecting logs which are part of the rule.
Option 1
object
Query for matching rule.
aggregation
enum
The aggregation type.
Allowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
distinctFields
[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
[string]
Fields to group by.
hasOptionalGroupByFields
boolean
When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with N/A
, replacing the missing values.
metric
string
DEPRECATED: (Deprecated) The target field to aggregate over when using the sum or max
aggregations. metrics
field should be used instead.
metrics
[string]
Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.
name
string
Name of the query.
query
string
Query to run on logs.
Option 2
object
Query for matching rule on signals.
aggregation
enum
The aggregation type.
Allowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
correlatedByFields
[string]
Fields to group by.
correlatedQueryIndex
int32
Index of the rule query used to retrieve the correlated field.
metrics
[string]
Group of target fields to aggregate over.
name
string
Name of the query.
ruleId [required]
string
Rule ID to match on signals.
referenceTables
[object]
Reference tables for the rule.
checkPresence
boolean
Whether to include or exclude the matched values.
columnName
string
The name of the column in the reference table.
logFieldPath
string
The field in the log to match against the reference table.
ruleQueryName
string
The name of the rule query to apply the reference table to.
tableName
string
The name of the reference table.
tags
[string]
Tags for generated signals.
thirdPartyCases
[object]
Cases for generating signals from third-party rules. Only available for third-party rules.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
query
string
A query to map a third party event to this case.
status
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
version
int32
The version of the rule being updated.
{
"name": "Example-Security-Monitoring_cloud_updated",
"isEnabled": false,
"cases": [
{
"status": "info",
"notifications": []
}
],
"options": {
"complianceRuleOptions": {
"resourceType": "gcp_compute_disk",
"regoRule": {
"policy": "package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nmilliseconds_in_a_day := ((1000 * 60) * 60) * 24\n\neval(iam_service_account_key) = \"skip\" if {\n\tiam_service_account_key.disabled\n} else = \"pass\" if {\n\t(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n",
"resourceTypes": [
"gcp_compute_disk"
]
}
}
},
"message": "ddd",
"tags": [],
"complianceSignalOptions": {
"userActivationStatus": false,
"userGroupByFields": []
}
}
{
"name": "Example-Security-Monitoring-Updated",
"queries": [
{
"query": "@test:true",
"aggregation": "count",
"groupByFields": [],
"distinctFields": [],
"metrics": []
}
],
"filters": [],
"cases": [
{
"name": "",
"status": "info",
"condition": "a > 0",
"notifications": []
}
],
"options": {
"evaluationWindow": 900,
"keepAlive": 3600,
"maxSignalDuration": 86400
},
"message": "Test rule",
"tags": [],
"isEnabled": true
}
OK
Create a new rule.
항목
유형
설명
Option 1
Rule.
cases
[object]
Cases for generating signals.
condition
string
A rule case contains logical operations (>
,>=
, &&
, ||
) to determine if a signal should be generated
based on the event counts in the previously defined queries.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
status
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
complianceSignalOptions
object
How to generate compliance signals. Useful for cloud_configuration rules only.
defaultActivationStatus
boolean
The default activation status.
defaultGroupByFields
[string]
The default group by fields.
userActivationStatus
boolean
Whether signals will be sent.
userGroupByFields
[string]
Fields to use to group findings by when sending signals.
createdAt
int64
When the rule was created, timestamp in milliseconds.
creationAuthorId
int64
User ID of the user who created the rule.
defaultTags
[string]
Default Tags for default rules (included in tags)
deprecationDate
int64
When the rule will be deprecated, timestamp in milliseconds.
filters
[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
enum
The type of filtering action.
Allowed enum values: require,suppress
query
string
Query for selecting logs to apply the filtering action.
hasExtendedTitle
boolean
Whether the notifications include the triggering group-by values in their title.
id
string
The ID of the rule.
isDefault
boolean
Whether the rule is included by default.
isDeleted
boolean
Whether the rule has been deleted.
isEnabled
boolean
Whether the rule is enabled.
message
string
Message for generated signals.
name
string
The name of the rule.
options
object
Options on rules.
complianceRuleOptions
object
Options for cloud_configuration rules.
Fields resourceType
and regoRule
are mandatory when managing custom cloud_configuration
rules.
complexRule
boolean
Whether the rule is a complex one.
Must be set to true if regoRule.resourceTypes
contains more than one item. Defaults to false.
regoRule
object
Rule details.
policy [required]
string
The policy written in rego
, see: https://www.openpolicyagent.org/docs/latest/policy-language/
resourceTypes [required]
[string]
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
string
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes
.
decreaseCriticalityBasedOnEnv
boolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.
The severity is decreased by one level: CRITICAL
in production becomes HIGH
in non-production, HIGH
becomes MEDIUM
and so on. INFO
remains INFO
.
The decrement is applied when the environment tag of the signal starts with staging
, test
or dev
.
detectionMethod
enum
The detection method.
Allowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold
evaluationWindow
enum
A time window is specified to match when at least one of the cases matches true. This is a sliding window
and evaluates in real time. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200
hardcodedEvaluatorType
enum
Hardcoded evaluator type.
Allowed enum values: log4shell
impossibleTravelOptions
object
Options on impossible travel rules.
baselineUserLocations
boolean
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
enum
Once a signal is generated, the signal will remain “open” if a case is matched at least once within
this keep alive window. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600
maxSignalDuration
enum
A signal will “close” regardless of the query being matched once the time exceeds the maximum duration.
This time is calculated from the first seen timestamp.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
object
Options on new value rules.
forgetAfter
enum
The duration in days after which a learned value is forgotten.
Allowed enum values: 1,2,7,14,21,28
learningDuration
enum
The duration in days during which values are learned, and after which signals will be generated for values that
weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned.
Allowed enum values: 0,1,7
learningMethod
enum
The learning method used to determine when signals should be generated for values that weren't learned.
Allowed enum values: duration,threshold
default: duration
learningThreshold
enum
A number of occurrences after which signals will be generated for values that weren't learned.
Allowed enum values: 0,1
thirdPartyRuleOptions
object
Options on third party rules.
defaultNotifications
[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
rootQueries
[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
[string]
Fields to group by.
query
string
Query to run on logs.
signalTitleTemplate
string
A template for the signal title; if omitted, the title is generated based on the case name.
queries
[object]
Queries for selecting logs which are part of the rule.
aggregation
enum
The aggregation type.
Allowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
distinctFields
[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
[string]
Fields to group by.
hasOptionalGroupByFields
boolean
When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with N/A
, replacing the missing values.
metric
string
DEPRECATED: (Deprecated) The target field to aggregate over when using the sum or max
aggregations. metrics
field should be used instead.
metrics
[string]
Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.
name
string
Name of the query.
query
string
Query to run on logs.
referenceTables
[object]
Reference tables for the rule.
checkPresence
boolean
Whether to include or exclude the matched values.
columnName
string
The name of the column in the reference table.
logFieldPath
string
The field in the log to match against the reference table.
ruleQueryName
string
The name of the rule query to apply the reference table to.
tableName
string
The name of the reference table.
tags
[string]
Tags for generated signals.
thirdPartyCases
[object]
Cases for generating signals from third-party rules. Only available for third-party rules.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
query
string
A query to map a third party event to this case.
status
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
type
enum
The rule type.
Allowed enum values: log_detection,infrastructure_configuration,workload_security,cloud_configuration,application_security
updateAuthorId
int64
User ID of the user who updated the rule.
version
int64
The version of the rule.
Option 2
Rule.
cases
[object]
Cases for generating signals.
condition
string
A rule case contains logical operations (>
,>=
, &&
, ||
) to determine if a signal should be generated
based on the event counts in the previously defined queries.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
status
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
createdAt
int64
When the rule was created, timestamp in milliseconds.
creationAuthorId
int64
User ID of the user who created the rule.
deprecationDate
int64
When the rule will be deprecated, timestamp in milliseconds.
filters
[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
enum
The type of filtering action.
Allowed enum values: require,suppress
query
string
Query for selecting logs to apply the filtering action.
hasExtendedTitle
boolean
Whether the notifications include the triggering group-by values in their title.
id
string
The ID of the rule.
isDefault
boolean
Whether the rule is included by default.
isDeleted
boolean
Whether the rule has been deleted.
isEnabled
boolean
Whether the rule is enabled.
message
string
Message for generated signals.
name
string
The name of the rule.
options
object
Options on rules.
complianceRuleOptions
object
Options for cloud_configuration rules.
Fields resourceType
and regoRule
are mandatory when managing custom cloud_configuration
rules.
complexRule
boolean
Whether the rule is a complex one.
Must be set to true if regoRule.resourceTypes
contains more than one item. Defaults to false.
regoRule
object
Rule details.
policy [required]
string
The policy written in rego
, see: https://www.openpolicyagent.org/docs/latest/policy-language/
resourceTypes [required]
[string]
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
string
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes
.
decreaseCriticalityBasedOnEnv
boolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.
The severity is decreased by one level: CRITICAL
in production becomes HIGH
in non-production, HIGH
becomes MEDIUM
and so on. INFO
remains INFO
.
The decrement is applied when the environment tag of the signal starts with staging
, test
or dev
.
detectionMethod
enum
The detection method.
Allowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold
evaluationWindow
enum
A time window is specified to match when at least one of the cases matches true. This is a sliding window
and evaluates in real time. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200
hardcodedEvaluatorType
enum
Hardcoded evaluator type.
Allowed enum values: log4shell
impossibleTravelOptions
object
Options on impossible travel rules.
baselineUserLocations
boolean
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
enum
Once a signal is generated, the signal will remain “open” if a case is matched at least once within
this keep alive window. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600
maxSignalDuration
enum
A signal will “close” regardless of the query being matched once the time exceeds the maximum duration.
This time is calculated from the first seen timestamp.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
object
Options on new value rules.
forgetAfter
enum
The duration in days after which a learned value is forgotten.
Allowed enum values: 1,2,7,14,21,28
learningDuration
enum
The duration in days during which values are learned, and after which signals will be generated for values that
weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned.
Allowed enum values: 0,1,7
learningMethod
enum
The learning method used to determine when signals should be generated for values that weren't learned.
Allowed enum values: duration,threshold
default: duration
learningThreshold
enum
A number of occurrences after which signals will be generated for values that weren't learned.
Allowed enum values: 0,1
thirdPartyRuleOptions
object
Options on third party rules.
defaultNotifications
[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
rootQueries
[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
[string]
Fields to group by.
query
string
Query to run on logs.
signalTitleTemplate
string
A template for the signal title; if omitted, the title is generated based on the case name.
queries
[object]
Queries for selecting logs which are part of the rule.
aggregation
enum
The aggregation type.
Allowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
correlatedByFields
[string]
Fields to correlate by.
correlatedQueryIndex
int32
Index of the rule query used to retrieve the correlated field.
defaultRuleId
string
Default Rule ID to match on signals.
distinctFields
[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
[string]
Fields to group by.
metrics
[string]
Group of target fields to aggregate over.
name
string
Name of the query.
ruleId
string
Rule ID to match on signals.
tags
[string]
Tags for generated signals.
type
enum
The rule type.
Allowed enum values: signal_correlation
updateAuthorId
int64
User ID of the user who updated the rule.
version
int64
The version of the rule.
{
"cases": [
{
"condition": "string",
"name": "string",
"notifications": [],
"status": "critical"
}
],
"complianceSignalOptions": {
"defaultActivationStatus": false,
"defaultGroupByFields": [],
"userActivationStatus": false,
"userGroupByFields": []
},
"createdAt": "integer",
"creationAuthorId": "integer",
"defaultTags": [
"security:attacks"
],
"deprecationDate": "integer",
"filters": [
{
"action": "string",
"query": "string"
}
],
"hasExtendedTitle": false,
"id": "string",
"isDefault": false,
"isDeleted": false,
"isEnabled": false,
"message": "string",
"name": "string",
"options": {
"complianceRuleOptions": {
"complexRule": false,
"regoRule": {
"policy": "package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(resource) = \"skip\" if {\n # Logic that evaluates to true if the resource should be skipped\n true\n} else = \"pass\" {\n # Logic that evaluates to true if the resource is compliant\n true\n} else = \"fail\" {\n # Logic that evaluates to true if the resource is not compliant\n true\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n some resource in input.resources[input.main_resource_type]\n result := dd_output.format(resource, eval(resource))\n}\n",
"resourceTypes": [
"gcp_iam_service_account",
"gcp_iam_policy"
]
},
"resourceType": "aws_acm"
},
"decreaseCriticalityBasedOnEnv": false,
"detectionMethod": "string",
"evaluationWindow": "integer",
"hardcodedEvaluatorType": "string",
"impossibleTravelOptions": {
"baselineUserLocations": true
},
"keepAlive": "integer",
"maxSignalDuration": "integer",
"newValueOptions": {
"forgetAfter": "integer",
"learningDuration": "integer",
"learningMethod": "string",
"learningThreshold": "integer"
},
"thirdPartyRuleOptions": {
"defaultNotifications": [],
"defaultStatus": "critical",
"rootQueries": [
{
"groupByFields": [],
"query": "source:cloudtrail"
}
],
"signalTitleTemplate": "string"
}
},
"queries": [
{
"aggregation": "string",
"distinctFields": [],
"groupByFields": [],
"hasOptionalGroupByFields": false,
"metric": "string",
"metrics": [],
"name": "string",
"query": "a > 3"
}
],
"referenceTables": [
{
"checkPresence": false,
"columnName": "string",
"logFieldPath": "string",
"ruleQueryName": "string",
"tableName": "string"
}
],
"tags": [],
"thirdPartyCases": [
{
"name": "string",
"notifications": [],
"query": "string",
"status": "critical"
}
],
"type": "string",
"updateAuthorId": "integer",
"version": "integer"
}
Bad Request
API error response.
{
"errors": [
"Bad Request"
]
}
Concurrent Modification
API error response.
{
"errors": [
"Bad Request"
]
}
Not Authorized
API error response.
{
"errors": [
"Bad Request"
]
}
Not Found
API error response.
{
"errors": [
"Bad Request"
]
}
Too many requests
API error response.
{
"errors": [
"Bad Request"
]
}
# Path parameters
export rule_id="CHANGE_ME"
# Curl command
curl -X PUT "https://api.ap1.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/rules/${rule_id}" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
"name": "Example-Security-Monitoring_cloud_updated",
"isEnabled": false,
"cases": [
{
"status": "info",
"notifications": []
}
],
"options": {
"complianceRuleOptions": {
"resourceType": "gcp_compute_disk",
"regoRule": {
"policy": "package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nmilliseconds_in_a_day := ((1000 * 60) * 60) * 24\n\neval(iam_service_account_key) = \"skip\" if {\n\tiam_service_account_key.disabled\n} else = \"pass\" if {\n\t(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n",
"resourceTypes": [
"gcp_compute_disk"
]
}
}
},
"message": "ddd",
"tags": [],
"complianceSignalOptions": {
"userActivationStatus": false,
"userGroupByFields": []
}
}
EOF
# Path parameters
export rule_id="CHANGE_ME"
# Curl command
curl -X PUT "https://api.ap1.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/rules/${rule_id}" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
"name": "Example-Security-Monitoring-Updated",
"queries": [
{
"query": "@test:true",
"aggregation": "count",
"groupByFields": [],
"distinctFields": [],
"metrics": []
}
],
"filters": [],
"cases": [
{
"name": "",
"status": "info",
"condition": "a > 0",
"notifications": []
}
],
"options": {
"evaluationWindow": 900,
"keepAlive": 3600,
"maxSignalDuration": 86400
},
"message": "Test rule",
"tags": [],
"isEnabled": true
}
EOF
// Update a cloud configuration rule's details returns "OK" response
package main
import (
"context"
"encoding/json"
"fmt"
"os"
"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)
func main() {
// there is a valid "cloud_configuration_rule" in the system
CloudConfigurationRuleID := os.Getenv("CLOUD_CONFIGURATION_RULE_ID")
body := datadogV2.SecurityMonitoringRuleUpdatePayload{
Name: datadog.PtrString("Example-Security-Monitoring_cloud_updated"),
IsEnabled: datadog.PtrBool(false),
Cases: []datadogV2.SecurityMonitoringRuleCase{
{
Status: datadogV2.SECURITYMONITORINGRULESEVERITY_INFO.Ptr(),
Notifications: []string{},
},
},
Options: &datadogV2.SecurityMonitoringRuleOptions{
ComplianceRuleOptions: &datadogV2.CloudConfigurationComplianceRuleOptions{
ResourceType: datadog.PtrString("gcp_compute_disk"),
RegoRule: &datadogV2.CloudConfigurationRegoRule{
Policy: `package datadog
import data.datadog.output as dd_output
import future.keywords.contains
import future.keywords.if
import future.keywords.in
milliseconds_in_a_day := ((1000 * 60) * 60) * 24
eval(iam_service_account_key) = "skip" if {
iam_service_account_key.disabled
} else = "pass" if {
(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90
} else = "fail"
# This part remains unchanged for all rules
results contains result if {
some resource in input.resources[input.main_resource_type]
result := dd_output.format(resource, eval(resource))
}
`,
ResourceTypes: []string{
"gcp_compute_disk",
},
},
},
},
Message: datadog.PtrString("ddd"),
Tags: []string{},
ComplianceSignalOptions: &datadogV2.CloudConfigurationRuleComplianceSignalOptions{
UserActivationStatus: *datadog.NewNullableBool(datadog.PtrBool(false)),
UserGroupByFields: *datadog.NewNullableList(&[]string{}),
},
}
ctx := datadog.NewDefaultContext(context.Background())
configuration := datadog.NewConfiguration()
apiClient := datadog.NewAPIClient(configuration)
api := datadogV2.NewSecurityMonitoringApi(apiClient)
resp, r, err := api.UpdateSecurityMonitoringRule(ctx, CloudConfigurationRuleID, body)
if err != nil {
fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.UpdateSecurityMonitoringRule`: %v\n", err)
fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
}
responseContent, _ := json.MarshalIndent(resp, "", " ")
fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.UpdateSecurityMonitoringRule`:\n%s\n", responseContent)
}
// Update an existing rule returns "OK" response
package main
import (
"context"
"encoding/json"
"fmt"
"os"
"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)
func main() {
// there is a valid "security_rule" in the system
SecurityRuleID := os.Getenv("SECURITY_RULE_ID")
body := datadogV2.SecurityMonitoringRuleUpdatePayload{
Name: datadog.PtrString("Example-Security-Monitoring-Updated"),
Queries: []datadogV2.SecurityMonitoringRuleQuery{
datadogV2.SecurityMonitoringRuleQuery{
SecurityMonitoringStandardRuleQuery: &datadogV2.SecurityMonitoringStandardRuleQuery{
Query: datadog.PtrString("@test:true"),
Aggregation: datadogV2.SECURITYMONITORINGRULEQUERYAGGREGATION_COUNT.Ptr(),
GroupByFields: []string{},
DistinctFields: []string{},
Metrics: []string{},
}},
},
Filters: []datadogV2.SecurityMonitoringFilter{},
Cases: []datadogV2.SecurityMonitoringRuleCase{
{
Name: datadog.PtrString(""),
Status: datadogV2.SECURITYMONITORINGRULESEVERITY_INFO.Ptr(),
Condition: datadog.PtrString("a > 0"),
Notifications: []string{},
},
},
Options: &datadogV2.SecurityMonitoringRuleOptions{
EvaluationWindow: datadogV2.SECURITYMONITORINGRULEEVALUATIONWINDOW_FIFTEEN_MINUTES.Ptr(),
KeepAlive: datadogV2.SECURITYMONITORINGRULEKEEPALIVE_ONE_HOUR.Ptr(),
MaxSignalDuration: datadogV2.SECURITYMONITORINGRULEMAXSIGNALDURATION_ONE_DAY.Ptr(),
},
Message: datadog.PtrString("Test rule"),
Tags: []string{},
IsEnabled: datadog.PtrBool(true),
}
ctx := datadog.NewDefaultContext(context.Background())
configuration := datadog.NewConfiguration()
apiClient := datadog.NewAPIClient(configuration)
api := datadogV2.NewSecurityMonitoringApi(apiClient)
resp, r, err := api.UpdateSecurityMonitoringRule(ctx, SecurityRuleID, body)
if err != nil {
fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.UpdateSecurityMonitoringRule`: %v\n", err)
fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
}
responseContent, _ := json.MarshalIndent(resp, "", " ")
fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.UpdateSecurityMonitoringRule`:\n%s\n", responseContent)
}
First install the library and its dependencies and then save the example to main.go
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
// Update a cloud configuration rule's details returns "OK" response
import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.CloudConfigurationComplianceRuleOptions;
import com.datadog.api.client.v2.model.CloudConfigurationRegoRule;
import com.datadog.api.client.v2.model.CloudConfigurationRuleComplianceSignalOptions;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCase;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleOptions;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleResponse;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSeverity;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleUpdatePayload;
import java.util.Collections;
public class Example {
public static void main(String[] args) {
ApiClient defaultClient = ApiClient.getDefaultApiClient();
SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);
// there is a valid "cloud_configuration_rule" in the system
String CLOUD_CONFIGURATION_RULE_ID = System.getenv("CLOUD_CONFIGURATION_RULE_ID");
SecurityMonitoringRuleUpdatePayload body =
new SecurityMonitoringRuleUpdatePayload()
.name("Example-Security-Monitoring_cloud_updated")
.isEnabled(false)
.cases(
Collections.singletonList(
new SecurityMonitoringRuleCase().status(SecurityMonitoringRuleSeverity.INFO)))
.options(
new SecurityMonitoringRuleOptions()
.complianceRuleOptions(
new CloudConfigurationComplianceRuleOptions()
.resourceType("gcp_compute_disk")
.regoRule(
new CloudConfigurationRegoRule()
.policy(
"""
package datadog
import data.datadog.output as dd_output
import future.keywords.contains
import future.keywords.if
import future.keywords.in
milliseconds_in_a_day := ((1000 * 60) * 60) * 24
eval(iam_service_account_key) = "skip" if {
iam_service_account_key.disabled
} else = "pass" if {
(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90
} else = "fail"
# This part remains unchanged for all rules
results contains result if {
some resource in input.resources[input.main_resource_type]
result := dd_output.format(resource, eval(resource))
}
""")
.resourceTypes(Collections.singletonList("gcp_compute_disk")))))
.message("ddd")
.complianceSignalOptions(
new CloudConfigurationRuleComplianceSignalOptions().userActivationStatus(false));
try {
SecurityMonitoringRuleResponse result =
apiInstance.updateSecurityMonitoringRule(CLOUD_CONFIGURATION_RULE_ID, body);
System.out.println(result);
} catch (ApiException e) {
System.err.println(
"Exception when calling SecurityMonitoringApi#updateSecurityMonitoringRule");
System.err.println("Status code: " + e.getCode());
System.err.println("Reason: " + e.getResponseBody());
System.err.println("Response headers: " + e.getResponseHeaders());
e.printStackTrace();
}
}
}
// Update an existing rule returns "OK" response
import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCase;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleEvaluationWindow;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleKeepAlive;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleMaxSignalDuration;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleOptions;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleQuery;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleQueryAggregation;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleResponse;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSeverity;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleUpdatePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRuleQuery;
import java.util.Collections;
public class Example {
public static void main(String[] args) {
ApiClient defaultClient = ApiClient.getDefaultApiClient();
SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);
// there is a valid "security_rule" in the system
String SECURITY_RULE_ID = System.getenv("SECURITY_RULE_ID");
SecurityMonitoringRuleUpdatePayload body =
new SecurityMonitoringRuleUpdatePayload()
.name("Example-Security-Monitoring-Updated")
.queries(
Collections.singletonList(
new SecurityMonitoringRuleQuery(
new SecurityMonitoringStandardRuleQuery()
.query("@test:true")
.aggregation(SecurityMonitoringRuleQueryAggregation.COUNT))))
.cases(
Collections.singletonList(
new SecurityMonitoringRuleCase()
.name("")
.status(SecurityMonitoringRuleSeverity.INFO)
.condition("a > 0")))
.options(
new SecurityMonitoringRuleOptions()
.evaluationWindow(SecurityMonitoringRuleEvaluationWindow.FIFTEEN_MINUTES)
.keepAlive(SecurityMonitoringRuleKeepAlive.ONE_HOUR)
.maxSignalDuration(SecurityMonitoringRuleMaxSignalDuration.ONE_DAY))
.message("Test rule")
.isEnabled(true);
try {
SecurityMonitoringRuleResponse result =
apiInstance.updateSecurityMonitoringRule(SECURITY_RULE_ID, body);
System.out.println(result);
} catch (ApiException e) {
System.err.println(
"Exception when calling SecurityMonitoringApi#updateSecurityMonitoringRule");
System.err.println("Status code: " + e.getCode());
System.err.println("Reason: " + e.getResponseBody());
System.err.println("Response headers: " + e.getResponseHeaders());
e.printStackTrace();
}
}
}
First install the library and its dependencies and then save the example to Example.java
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
"""
Update a cloud configuration rule's details returns "OK" response
"""
from os import environ
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.cloud_configuration_compliance_rule_options import (
CloudConfigurationComplianceRuleOptions,
)
from datadog_api_client.v2.model.cloud_configuration_rego_rule import CloudConfigurationRegoRule
from datadog_api_client.v2.model.cloud_configuration_rule_compliance_signal_options import (
CloudConfigurationRuleComplianceSignalOptions,
)
from datadog_api_client.v2.model.security_monitoring_rule_case import SecurityMonitoringRuleCase
from datadog_api_client.v2.model.security_monitoring_rule_options import SecurityMonitoringRuleOptions
from datadog_api_client.v2.model.security_monitoring_rule_severity import SecurityMonitoringRuleSeverity
from datadog_api_client.v2.model.security_monitoring_rule_update_payload import SecurityMonitoringRuleUpdatePayload
# there is a valid "cloud_configuration_rule" in the system
CLOUD_CONFIGURATION_RULE_ID = environ["CLOUD_CONFIGURATION_RULE_ID"]
body = SecurityMonitoringRuleUpdatePayload(
name="Example-Security-Monitoring_cloud_updated",
is_enabled=False,
cases=[
SecurityMonitoringRuleCase(
status=SecurityMonitoringRuleSeverity.INFO,
notifications=[],
),
],
options=SecurityMonitoringRuleOptions(
compliance_rule_options=CloudConfigurationComplianceRuleOptions(
resource_type="gcp_compute_disk",
rego_rule=CloudConfigurationRegoRule(
policy='package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nmilliseconds_in_a_day := ((1000 * 60) * 60) * 24\n\neval(iam_service_account_key) = "skip" if {\n\tiam_service_account_key.disabled\n} else = "pass" if {\n\t(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90\n} else = "fail"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n',
resource_types=[
"gcp_compute_disk",
],
),
),
),
message="ddd",
tags=[],
compliance_signal_options=CloudConfigurationRuleComplianceSignalOptions(
user_activation_status=False,
user_group_by_fields=[],
),
)
configuration = Configuration()
with ApiClient(configuration) as api_client:
api_instance = SecurityMonitoringApi(api_client)
response = api_instance.update_security_monitoring_rule(rule_id=CLOUD_CONFIGURATION_RULE_ID, body=body)
print(response)
"""
Update an existing rule returns "OK" response
"""
from os import environ
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_rule_case import SecurityMonitoringRuleCase
from datadog_api_client.v2.model.security_monitoring_rule_evaluation_window import (
SecurityMonitoringRuleEvaluationWindow,
)
from datadog_api_client.v2.model.security_monitoring_rule_keep_alive import SecurityMonitoringRuleKeepAlive
from datadog_api_client.v2.model.security_monitoring_rule_max_signal_duration import (
SecurityMonitoringRuleMaxSignalDuration,
)
from datadog_api_client.v2.model.security_monitoring_rule_options import SecurityMonitoringRuleOptions
from datadog_api_client.v2.model.security_monitoring_rule_query_aggregation import (
SecurityMonitoringRuleQueryAggregation,
)
from datadog_api_client.v2.model.security_monitoring_rule_severity import SecurityMonitoringRuleSeverity
from datadog_api_client.v2.model.security_monitoring_rule_update_payload import SecurityMonitoringRuleUpdatePayload
from datadog_api_client.v2.model.security_monitoring_standard_rule_query import SecurityMonitoringStandardRuleQuery
# there is a valid "security_rule" in the system
SECURITY_RULE_ID = environ["SECURITY_RULE_ID"]
body = SecurityMonitoringRuleUpdatePayload(
name="Example-Security-Monitoring-Updated",
queries=[
SecurityMonitoringStandardRuleQuery(
query="@test:true",
aggregation=SecurityMonitoringRuleQueryAggregation.COUNT,
group_by_fields=[],
distinct_fields=[],
metrics=[],
),
],
filters=[],
cases=[
SecurityMonitoringRuleCase(
name="",
status=SecurityMonitoringRuleSeverity.INFO,
condition="a > 0",
notifications=[],
),
],
options=SecurityMonitoringRuleOptions(
evaluation_window=SecurityMonitoringRuleEvaluationWindow.FIFTEEN_MINUTES,
keep_alive=SecurityMonitoringRuleKeepAlive.ONE_HOUR,
max_signal_duration=SecurityMonitoringRuleMaxSignalDuration.ONE_DAY,
),
message="Test rule",
tags=[],
is_enabled=True,
)
configuration = Configuration()
with ApiClient(configuration) as api_client:
api_instance = SecurityMonitoringApi(api_client)
response = api_instance.update_security_monitoring_rule(rule_id=SECURITY_RULE_ID, body=body)
print(response)
First install the library and its dependencies and then save the example to example.py
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
# Update a cloud configuration rule's details returns "OK" response
require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
# there is a valid "cloud_configuration_rule" in the system
CLOUD_CONFIGURATION_RULE_ID = ENV["CLOUD_CONFIGURATION_RULE_ID"]
body = DatadogAPIClient::V2::SecurityMonitoringRuleUpdatePayload.new({
name: "Example-Security-Monitoring_cloud_updated",
is_enabled: false,
cases: [
DatadogAPIClient::V2::SecurityMonitoringRuleCase.new({
status: DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::INFO,
notifications: [],
}),
],
options: DatadogAPIClient::V2::SecurityMonitoringRuleOptions.new({
compliance_rule_options: DatadogAPIClient::V2::CloudConfigurationComplianceRuleOptions.new({
resource_type: "gcp_compute_disk",
rego_rule: DatadogAPIClient::V2::CloudConfigurationRegoRule.new({
policy: 'package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nmilliseconds_in_a_day := ((1000 * 60) * 60) * 24\n\neval(iam_service_account_key) = "skip" if {\n\tiam_service_account_key.disabled\n} else = "pass" if {\n\t(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90\n} else = "fail"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n',
resource_types: [
"gcp_compute_disk",
],
}),
}),
}),
message: "ddd",
tags: [],
compliance_signal_options: DatadogAPIClient::V2::CloudConfigurationRuleComplianceSignalOptions.new({
user_activation_status: false,
user_group_by_fields: [],
}),
})
p api_instance.update_security_monitoring_rule(CLOUD_CONFIGURATION_RULE_ID, body)
# Update an existing rule returns "OK" response
require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
# there is a valid "security_rule" in the system
SECURITY_RULE_ID = ENV["SECURITY_RULE_ID"]
body = DatadogAPIClient::V2::SecurityMonitoringRuleUpdatePayload.new({
name: "Example-Security-Monitoring-Updated",
queries: [
DatadogAPIClient::V2::SecurityMonitoringStandardRuleQuery.new({
query: "@test:true",
aggregation: DatadogAPIClient::V2::SecurityMonitoringRuleQueryAggregation::COUNT,
group_by_fields: [],
distinct_fields: [],
metrics: [],
}),
],
filters: [],
cases: [
DatadogAPIClient::V2::SecurityMonitoringRuleCase.new({
name: "",
status: DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::INFO,
condition: "a > 0",
notifications: [],
}),
],
options: DatadogAPIClient::V2::SecurityMonitoringRuleOptions.new({
evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::FIFTEEN_MINUTES,
keep_alive: DatadogAPIClient::V2::SecurityMonitoringRuleKeepAlive::ONE_HOUR,
max_signal_duration: DatadogAPIClient::V2::SecurityMonitoringRuleMaxSignalDuration::ONE_DAY,
}),
message: "Test rule",
tags: [],
is_enabled: true,
})
p api_instance.update_security_monitoring_rule(SECURITY_RULE_ID, body)
First install the library and its dependencies and then save the example to example.rb
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
// Update a cloud configuration rule's details returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::CloudConfigurationComplianceRuleOptions;
use datadog_api_client::datadogV2::model::CloudConfigurationRegoRule;
use datadog_api_client::datadogV2::model::CloudConfigurationRuleComplianceSignalOptions;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleCase;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleOptions;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSeverity;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleUpdatePayload;
#[tokio::main]
async fn main() {
// there is a valid "cloud_configuration_rule" in the system
let cloud_configuration_rule_id = std::env::var("CLOUD_CONFIGURATION_RULE_ID").unwrap();
let body =
SecurityMonitoringRuleUpdatePayload::new()
.cases(
vec![
SecurityMonitoringRuleCase::new()
.notifications(vec![])
.status(SecurityMonitoringRuleSeverity::INFO)
],
)
.compliance_signal_options(
CloudConfigurationRuleComplianceSignalOptions::new()
.user_activation_status(Some(false))
.user_group_by_fields(Some(vec![])),
)
.is_enabled(false)
.message("ddd".to_string())
.name("Example-Security-Monitoring_cloud_updated".to_string())
.options(
SecurityMonitoringRuleOptions
::new().compliance_rule_options(
CloudConfigurationComplianceRuleOptions::new()
.rego_rule(
CloudConfigurationRegoRule::new(
r#"package datadog
import data.datadog.output as dd_output
import future.keywords.contains
import future.keywords.if
import future.keywords.in
milliseconds_in_a_day := ((1000 * 60) * 60) * 24
eval(iam_service_account_key) = "skip" if {
iam_service_account_key.disabled
} else = "pass" if {
(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90
} else = "fail"
# This part remains unchanged for all rules
results contains result if {
some resource in input.resources[input.main_resource_type]
result := dd_output.format(resource, eval(resource))
}
"#.to_string(),
vec!["gcp_compute_disk".to_string()],
),
)
.resource_type("gcp_compute_disk".to_string()),
),
)
.tags(vec![]);
let configuration = datadog::Configuration::new();
let api = SecurityMonitoringAPI::with_config(configuration);
let resp = api
.update_security_monitoring_rule(cloud_configuration_rule_id.clone(), body)
.await;
if let Ok(value) = resp {
println!("{:#?}", value);
} else {
println!("{:#?}", resp.unwrap_err());
}
}
// Update an existing rule returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleCase;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleEvaluationWindow;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleKeepAlive;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleMaxSignalDuration;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleOptions;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleQuery;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleQueryAggregation;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSeverity;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleUpdatePayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRuleQuery;
#[tokio::main]
async fn main() {
// there is a valid "security_rule" in the system
let security_rule_id = std::env::var("SECURITY_RULE_ID").unwrap();
let body = SecurityMonitoringRuleUpdatePayload::new()
.cases(vec![SecurityMonitoringRuleCase::new()
.condition("a > 0".to_string())
.name("".to_string())
.notifications(vec![])
.status(SecurityMonitoringRuleSeverity::INFO)])
.filters(vec![])
.is_enabled(true)
.message("Test rule".to_string())
.name("Example-Security-Monitoring-Updated".to_string())
.options(
SecurityMonitoringRuleOptions::new()
.evaluation_window(SecurityMonitoringRuleEvaluationWindow::FIFTEEN_MINUTES)
.keep_alive(SecurityMonitoringRuleKeepAlive::ONE_HOUR)
.max_signal_duration(SecurityMonitoringRuleMaxSignalDuration::ONE_DAY),
)
.queries(vec![
SecurityMonitoringRuleQuery::SecurityMonitoringStandardRuleQuery(Box::new(
SecurityMonitoringStandardRuleQuery::new()
.aggregation(SecurityMonitoringRuleQueryAggregation::COUNT)
.distinct_fields(vec![])
.group_by_fields(vec![])
.metrics(vec![])
.query("@test:true".to_string()),
)),
])
.tags(vec![]);
let configuration = datadog::Configuration::new();
let api = SecurityMonitoringAPI::with_config(configuration);
let resp = api
.update_security_monitoring_rule(security_rule_id.clone(), body)
.await;
if let Ok(value) = resp {
println!("{:#?}", value);
} else {
println!("{:#?}", resp.unwrap_err());
}
}
First install the library and its dependencies and then save the example to src/main.rs
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
/**
* Update a cloud configuration rule's details returns "OK" response
*/
import { client, v2 } from "@datadog/datadog-api-client";
const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);
// there is a valid "cloud_configuration_rule" in the system
const CLOUD_CONFIGURATION_RULE_ID = process.env
.CLOUD_CONFIGURATION_RULE_ID as string;
const params: v2.SecurityMonitoringApiUpdateSecurityMonitoringRuleRequest = {
body: {
name: "Example-Security-Monitoring_cloud_updated",
isEnabled: false,
cases: [
{
status: "info",
notifications: [],
},
],
options: {
complianceRuleOptions: {
resourceType: "gcp_compute_disk",
regoRule: {
policy: `package datadog
import data.datadog.output as dd_output
import future.keywords.contains
import future.keywords.if
import future.keywords.in
milliseconds_in_a_day := ((1000 * 60) * 60) * 24
eval(iam_service_account_key) = "skip" if {
iam_service_account_key.disabled
} else = "pass" if {
(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90
} else = "fail"
# This part remains unchanged for all rules
results contains result if {
some resource in input.resources[input.main_resource_type]
result := dd_output.format(resource, eval(resource))
}
`,
resourceTypes: ["gcp_compute_disk"],
},
},
},
message: "ddd",
tags: [],
complianceSignalOptions: {
userActivationStatus: false,
userGroupByFields: [],
},
},
ruleId: CLOUD_CONFIGURATION_RULE_ID,
};
apiInstance
.updateSecurityMonitoringRule(params)
.then((data: v2.SecurityMonitoringRuleResponse) => {
console.log(
"API called successfully. Returned data: " + JSON.stringify(data)
);
})
.catch((error: any) => console.error(error));
/**
* Update an existing rule returns "OK" response
*/
import { client, v2 } from "@datadog/datadog-api-client";
const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);
// there is a valid "security_rule" in the system
const SECURITY_RULE_ID = process.env.SECURITY_RULE_ID as string;
const params: v2.SecurityMonitoringApiUpdateSecurityMonitoringRuleRequest = {
body: {
name: "Example-Security-Monitoring-Updated",
queries: [
{
query: "@test:true",
aggregation: "count",
groupByFields: [],
distinctFields: [],
metrics: [],
},
],
filters: [],
cases: [
{
name: "",
status: "info",
condition: "a > 0",
notifications: [],
},
],
options: {
evaluationWindow: 900,
keepAlive: 3600,
maxSignalDuration: 86400,
},
message: "Test rule",
tags: [],
isEnabled: true,
},
ruleId: SECURITY_RULE_ID,
};
apiInstance
.updateSecurityMonitoringRule(params)
.then((data: v2.SecurityMonitoringRuleResponse) => {
console.log(
"API called successfully. Returned data: " + JSON.stringify(data)
);
})
.catch((error: any) => console.error(error));
First install the library and its dependencies and then save the example to example.ts
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
DELETE https://api.ap1.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}https://api.datadoghq.eu/api/v2/security_monitoring/rules/{rule_id}https://api.ddog-gov.com/api/v2/security_monitoring/rules/{rule_id}https://api.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}https://api.us3.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}https://api.us5.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}
Delete an existing rule. Default rules cannot be deleted.
This endpoint requires the security_monitoring_rules_write
permission.
OAuth apps require the security_monitoring_rules_write
authorization scope to access this endpoint.
이름
유형
설명
rule_id [required]
string
The ID of the rule.
OK
Not Authorized
API error response.
{
"errors": [
"Bad Request"
]
}
Not Found
API error response.
{
"errors": [
"Bad Request"
]
}
Too many requests
API error response.
{
"errors": [
"Bad Request"
]
}
# Path parameters
export rule_id="CHANGE_ME"
# Curl command
curl -X DELETE "https://api.ap1.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/rules/${rule_id}" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
"""
Delete an existing rule returns "OK" response
"""
from os import environ
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
# there is a valid "security_rule" in the system
SECURITY_RULE_ID = environ["SECURITY_RULE_ID"]
configuration = Configuration()
with ApiClient(configuration) as api_client:
api_instance = SecurityMonitoringApi(api_client)
api_instance.delete_security_monitoring_rule(
rule_id=SECURITY_RULE_ID,
)
First install the library and its dependencies and then save the example to example.py
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
# Delete an existing rule returns "OK" response
require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
# there is a valid "security_rule" in the system
SECURITY_RULE_ID = ENV["SECURITY_RULE_ID"]
api_instance.delete_security_monitoring_rule(SECURITY_RULE_ID)
First install the library and its dependencies and then save the example to example.rb
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
// Delete an existing rule returns "OK" response
package main
import (
"context"
"fmt"
"os"
"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)
func main() {
// there is a valid "security_rule" in the system
SecurityRuleID := os.Getenv("SECURITY_RULE_ID")
ctx := datadog.NewDefaultContext(context.Background())
configuration := datadog.NewConfiguration()
apiClient := datadog.NewAPIClient(configuration)
api := datadogV2.NewSecurityMonitoringApi(apiClient)
r, err := api.DeleteSecurityMonitoringRule(ctx, SecurityRuleID)
if err != nil {
fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.DeleteSecurityMonitoringRule`: %v\n", err)
fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
}
}
First install the library and its dependencies and then save the example to main.go
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
// Delete an existing rule returns "OK" response
import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
public class Example {
public static void main(String[] args) {
ApiClient defaultClient = ApiClient.getDefaultApiClient();
SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);
// there is a valid "security_rule" in the system
String SECURITY_RULE_ID = System.getenv("SECURITY_RULE_ID");
try {
apiInstance.deleteSecurityMonitoringRule(SECURITY_RULE_ID);
} catch (ApiException e) {
System.err.println(
"Exception when calling SecurityMonitoringApi#deleteSecurityMonitoringRule");
System.err.println("Status code: " + e.getCode());
System.err.println("Reason: " + e.getResponseBody());
System.err.println("Response headers: " + e.getResponseHeaders());
e.printStackTrace();
}
}
}
First install the library and its dependencies and then save the example to Example.java
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
// Delete an existing rule returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
#[tokio::main]
async fn main() {
// there is a valid "security_rule" in the system
let security_rule_id = std::env::var("SECURITY_RULE_ID").unwrap();
let configuration = datadog::Configuration::new();
let api = SecurityMonitoringAPI::with_config(configuration);
let resp = api
.delete_security_monitoring_rule(security_rule_id.clone())
.await;
if let Ok(value) = resp {
println!("{:#?}", value);
} else {
println!("{:#?}", resp.unwrap_err());
}
}
First install the library and its dependencies and then save the example to src/main.rs
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
/**
* Delete an existing rule returns "OK" response
*/
import { client, v2 } from "@datadog/datadog-api-client";
const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);
// there is a valid "security_rule" in the system
const SECURITY_RULE_ID = process.env.SECURITY_RULE_ID as string;
const params: v2.SecurityMonitoringApiDeleteSecurityMonitoringRuleRequest = {
ruleId: SECURITY_RULE_ID,
};
apiInstance
.deleteSecurityMonitoringRule(params)
.then((data: any) => {
console.log(
"API called successfully. Returned data: " + JSON.stringify(data)
);
})
.catch((error: any) => console.error(error));
First install the library and its dependencies and then save the example to example.ts
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
POST https://api.ap1.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}/testhttps://api.datadoghq.eu/api/v2/security_monitoring/rules/{rule_id}/testhttps://api.ddog-gov.com/api/v2/security_monitoring/rules/{rule_id}/testhttps://api.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}/testhttps://api.us3.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}/testhttps://api.us5.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}/test
Test an existing rule.
This endpoint requires the security_monitoring_rules_write
permission.
OAuth apps require the security_monitoring_rules_write
authorization scope to access this endpoint.
이름
유형
설명
rule_id [required]
string
The ID of the rule.
항목
유형
설명
rule
<oneOf>
Test a rule.
Option 1
object
The payload of a rule to test
cases [required]
[object]
Cases for generating signals.
condition
string
A rule case contains logical operations (>
,>=
, &&
, ||
) to determine if a signal should be generated
based on the event counts in the previously defined queries.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
status [required]
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
filters
[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
enum
The type of filtering action.
Allowed enum values: require,suppress
query
string
Query for selecting logs to apply the filtering action.
hasExtendedTitle
boolean
Whether the notifications include the triggering group-by values in their title.
isEnabled [required]
boolean
Whether the rule is enabled.
message [required]
string
Message for generated signals.
name [required]
string
The name of the rule.
options [required]
object
Options on rules.
complianceRuleOptions
object
Options for cloud_configuration rules.
Fields resourceType
and regoRule
are mandatory when managing custom cloud_configuration
rules.
complexRule
boolean
Whether the rule is a complex one.
Must be set to true if regoRule.resourceTypes
contains more than one item. Defaults to false.
regoRule
object
Rule details.
policy [required]
string
The policy written in rego
, see: https://www.openpolicyagent.org/docs/latest/policy-language/
resourceTypes [required]
[string]
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
string
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes
.
decreaseCriticalityBasedOnEnv
boolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.
The severity is decreased by one level: CRITICAL
in production becomes HIGH
in non-production, HIGH
becomes MEDIUM
and so on. INFO
remains INFO
.
The decrement is applied when the environment tag of the signal starts with staging
, test
or dev
.
detectionMethod
enum
The detection method.
Allowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold
evaluationWindow
enum
A time window is specified to match when at least one of the cases matches true. This is a sliding window
and evaluates in real time. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200
hardcodedEvaluatorType
enum
Hardcoded evaluator type.
Allowed enum values: log4shell
impossibleTravelOptions
object
Options on impossible travel rules.
baselineUserLocations
boolean
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
enum
Once a signal is generated, the signal will remain “open” if a case is matched at least once within
this keep alive window. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600
maxSignalDuration
enum
A signal will “close” regardless of the query being matched once the time exceeds the maximum duration.
This time is calculated from the first seen timestamp.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
object
Options on new value rules.
forgetAfter
enum
The duration in days after which a learned value is forgotten.
Allowed enum values: 1,2,7,14,21,28
learningDuration
enum
The duration in days during which values are learned, and after which signals will be generated for values that
weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned.
Allowed enum values: 0,1,7
learningMethod
enum
The learning method used to determine when signals should be generated for values that weren't learned.
Allowed enum values: duration,threshold
default: duration
learningThreshold
enum
A number of occurrences after which signals will be generated for values that weren't learned.
Allowed enum values: 0,1
thirdPartyRuleOptions
object
Options on third party rules.
defaultNotifications
[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
rootQueries
[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
[string]
Fields to group by.
query
string
Query to run on logs.
signalTitleTemplate
string
A template for the signal title; if omitted, the title is generated based on the case name.
queries [required]
[object]
Queries for selecting logs which are part of the rule.
aggregation
enum
The aggregation type.
Allowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
distinctFields
[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
[string]
Fields to group by.
hasOptionalGroupByFields
boolean
When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with N/A
, replacing the missing values.
metric
string
DEPRECATED: (Deprecated) The target field to aggregate over when using the sum or max
aggregations. metrics
field should be used instead.
metrics
[string]
Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.
name
string
Name of the query.
query
string
Query to run on logs.
referenceTables
[object]
Reference tables for the rule.
checkPresence
boolean
Whether to include or exclude the matched values.
columnName
string
The name of the column in the reference table.
logFieldPath
string
The field in the log to match against the reference table.
ruleQueryName
string
The name of the rule query to apply the reference table to.
tableName
string
The name of the reference table.
tags
[string]
Tags for generated signals.
thirdPartyCases
[object]
Cases for generating signals from third-party rules. Only available for third-party rules.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
query
string
A query to map a third party event to this case.
status [required]
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
type
enum
The rule type.
Allowed enum values: log_detection
ruleQueryPayloads
[object]
Data payloads used to test rules query with the expected result.
expectedResult
boolean
Expected result of the test.
index
int64
Index of the query under test.
payload
object
Payload used to test the rule query.
ddsource
string
Source of the payload.
ddtags
string
Tags associated with your data.
hostname
string
The name of the originating host of the log.
message
string
The message of the payload.
service
string
The name of the application or service generating the data.
{
"rule": {
"cases": [
{
"condition": "string",
"name": "string",
"notifications": [],
"status": "critical"
}
],
"filters": [
{
"action": "string",
"query": "string"
}
],
"hasExtendedTitle": true,
"isEnabled": true,
"message": "",
"name": "My security monitoring rule.",
"options": {
"complianceRuleOptions": {
"complexRule": false,
"regoRule": {
"policy": "package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(resource) = \"skip\" if {\n # Logic that evaluates to true if the resource should be skipped\n true\n} else = \"pass\" {\n # Logic that evaluates to true if the resource is compliant\n true\n} else = \"fail\" {\n # Logic that evaluates to true if the resource is not compliant\n true\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n some resource in input.resources[input.main_resource_type]\n result := dd_output.format(resource, eval(resource))\n}\n",
"resourceTypes": [
"gcp_iam_service_account",
"gcp_iam_policy"
]
},
"resourceType": "aws_acm"
},
"decreaseCriticalityBasedOnEnv": false,
"detectionMethod": "string",
"evaluationWindow": "integer",
"hardcodedEvaluatorType": "string",
"impossibleTravelOptions": {
"baselineUserLocations": true
},
"keepAlive": "integer",
"maxSignalDuration": "integer",
"newValueOptions": {
"forgetAfter": "integer",
"learningDuration": "integer",
"learningMethod": "string",
"learningThreshold": "integer"
},
"thirdPartyRuleOptions": {
"defaultNotifications": [],
"defaultStatus": "critical",
"rootQueries": [
{
"groupByFields": [],
"query": "source:cloudtrail"
}
],
"signalTitleTemplate": "string"
}
},
"queries": [
{
"aggregation": "string",
"distinctFields": [],
"groupByFields": [],
"metric": "string",
"metrics": [],
"name": "string",
"query": "a > 3"
}
],
"referenceTables": [
{
"checkPresence": false,
"columnName": "string",
"logFieldPath": "string",
"ruleQueryName": "string",
"tableName": "string"
}
],
"tags": [
"env:prod",
"team:security"
],
"thirdPartyCases": [
{
"name": "string",
"notifications": [],
"query": "string",
"status": "critical"
}
],
"type": "string"
},
"ruleQueryPayloads": [
{
"expectedResult": true,
"index": 0,
"payload": {
"ddsource": "nginx",
"ddtags": "env:staging,version:5.1",
"hostname": "i-012345678",
"message": "2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World",
"service": "payment"
}
}
]
}
OK
Result of the test of the rule queries.
{
"results": []
}
Bad Request
API error response.
{
"errors": [
"Bad Request"
]
}
Concurrent Modification
API error response.
{
"errors": [
"Bad Request"
]
}
Not Authorized
API error response.
{
"errors": [
"Bad Request"
]
}
Not Found
API error response.
{
"errors": [
"Bad Request"
]
}
Too many requests
API error response.
{
"errors": [
"Bad Request"
]
}
# Path parameters
export rule_id="CHANGE_ME"
# Curl command
curl -X POST "https://api.ap1.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/rules/${rule_id}/test" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
"rule": {
"cases": [
{
"status": "critical"
}
],
"options": {
"complianceRuleOptions": {
"regoRule": {
"policy": "package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(resource) = \"skip\" if {\n # Logic that evaluates to true if the resource should be skipped\n true\n} else = \"pass\" {\n # Logic that evaluates to true if the resource is compliant\n true\n} else = \"fail\" {\n # Logic that evaluates to true if the resource is not compliant\n true\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n some resource in input.resources[input.main_resource_type]\n result := dd_output.format(resource, eval(resource))\n}\n",
"resourceTypes": [
"gcp_iam_service_account",
"gcp_iam_policy"
]
}
}
},
"thirdPartyCases": [
{
"status": "critical"
}
]
}
}
EOF
"""
Test an existing rule returns "OK" response
"""
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_rule_query_payload import SecurityMonitoringRuleQueryPayload
from datadog_api_client.v2.model.security_monitoring_rule_query_payload_data import (
SecurityMonitoringRuleQueryPayloadData,
)
from datadog_api_client.v2.model.security_monitoring_rule_test_request import SecurityMonitoringRuleTestRequest
body = SecurityMonitoringRuleTestRequest(
rule_query_payloads=[
SecurityMonitoringRuleQueryPayload(
expected_result=True,
index=0,
payload=SecurityMonitoringRuleQueryPayloadData(
ddsource="nginx",
ddtags="env:staging,version:5.1",
hostname="i-012345678",
message="2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World",
service="payment",
),
),
],
)
configuration = Configuration()
with ApiClient(configuration) as api_client:
api_instance = SecurityMonitoringApi(api_client)
response = api_instance.test_existing_security_monitoring_rule(rule_id="rule_id", body=body)
print(response)
First install the library and its dependencies and then save the example to example.py
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
# Test an existing rule returns "OK" response
require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
body = DatadogAPIClient::V2::SecurityMonitoringRuleTestRequest.new({
rule_query_payloads: [
DatadogAPIClient::V2::SecurityMonitoringRuleQueryPayload.new({
expected_result: true,
index: 0,
payload: DatadogAPIClient::V2::SecurityMonitoringRuleQueryPayloadData.new({
ddsource: "nginx",
ddtags: "env:staging,version:5.1",
hostname: "i-012345678",
message: "2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World",
service: "payment",
}),
}),
],
})
p api_instance.test_existing_security_monitoring_rule("rule_id", body)
First install the library and its dependencies and then save the example to example.rb
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
// Test an existing rule returns "OK" response
package main
import (
"context"
"encoding/json"
"fmt"
"os"
"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)
func main() {
body := datadogV2.SecurityMonitoringRuleTestRequest{
RuleQueryPayloads: []datadogV2.SecurityMonitoringRuleQueryPayload{
{
ExpectedResult: datadog.PtrBool(true),
Index: datadog.PtrInt64(0),
Payload: &datadogV2.SecurityMonitoringRuleQueryPayloadData{
Ddsource: datadog.PtrString("nginx"),
Ddtags: datadog.PtrString("env:staging,version:5.1"),
Hostname: datadog.PtrString("i-012345678"),
Message: datadog.PtrString("2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World"),
Service: datadog.PtrString("payment"),
},
},
},
}
ctx := datadog.NewDefaultContext(context.Background())
configuration := datadog.NewConfiguration()
apiClient := datadog.NewAPIClient(configuration)
api := datadogV2.NewSecurityMonitoringApi(apiClient)
resp, r, err := api.TestExistingSecurityMonitoringRule(ctx, "rule_id", body)
if err != nil {
fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.TestExistingSecurityMonitoringRule`: %v\n", err)
fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
}
responseContent, _ := json.MarshalIndent(resp, "", " ")
fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.TestExistingSecurityMonitoringRule`:\n%s\n", responseContent)
}
First install the library and its dependencies and then save the example to main.go
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
// Test an existing rule returns "OK" response
import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleQueryPayload;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleQueryPayloadData;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleTestRequest;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleTestResponse;
import java.util.Collections;
public class Example {
public static void main(String[] args) {
ApiClient defaultClient = ApiClient.getDefaultApiClient();
SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);
SecurityMonitoringRuleTestRequest body =
new SecurityMonitoringRuleTestRequest()
.ruleQueryPayloads(
Collections.singletonList(
new SecurityMonitoringRuleQueryPayload()
.expectedResult(true)
.index(0L)
.payload(
new SecurityMonitoringRuleQueryPayloadData()
.ddsource("nginx")
.ddtags("env:staging,version:5.1")
.hostname("i-012345678")
.message(
"2019-11-19T14:37:58,995 INFO [process.name][20081] Hello"
+ " World")
.service("payment"))));
try {
SecurityMonitoringRuleTestResponse result =
apiInstance.testExistingSecurityMonitoringRule("rule_id", body);
System.out.println(result);
} catch (ApiException e) {
System.err.println(
"Exception when calling SecurityMonitoringApi#testExistingSecurityMonitoringRule");
System.err.println("Status code: " + e.getCode());
System.err.println("Reason: " + e.getResponseBody());
System.err.println("Response headers: " + e.getResponseHeaders());
e.printStackTrace();
}
}
}
First install the library and its dependencies and then save the example to Example.java
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
// Test an existing rule returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleQueryPayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleQueryPayloadData;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleTestRequest;
#[tokio::main]
async fn main() {
let body = SecurityMonitoringRuleTestRequest::new().rule_query_payloads(vec![
SecurityMonitoringRuleQueryPayload::new()
.expected_result(true)
.index(0)
.payload(
SecurityMonitoringRuleQueryPayloadData::new()
.ddsource("nginx".to_string())
.ddtags("env:staging,version:5.1".to_string())
.hostname("i-012345678".to_string())
.message(
"2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World"
.to_string(),
)
.service("payment".to_string()),
),
]);
let configuration = datadog::Configuration::new();
let api = SecurityMonitoringAPI::with_config(configuration);
let resp = api
.test_existing_security_monitoring_rule("rule_id".to_string(), body)
.await;
if let Ok(value) = resp {
println!("{:#?}", value);
} else {
println!("{:#?}", resp.unwrap_err());
}
}
First install the library and its dependencies and then save the example to src/main.rs
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
/**
* Test an existing rule returns "OK" response
*/
import { client, v2 } from "@datadog/datadog-api-client";
const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);
const params: v2.SecurityMonitoringApiTestExistingSecurityMonitoringRuleRequest =
{
body: {
ruleQueryPayloads: [
{
expectedResult: true,
index: 0,
payload: {
ddsource: "nginx",
ddtags: "env:staging,version:5.1",
hostname: "i-012345678",
message:
"2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World",
service: "payment",
},
},
],
},
ruleId: "rule_id",
};
apiInstance
.testExistingSecurityMonitoringRule(params)
.then((data: v2.SecurityMonitoringRuleTestResponse) => {
console.log(
"API called successfully. Returned data: " + JSON.stringify(data)
);
})
.catch((error: any) => console.error(error));
First install the library and its dependencies and then save the example to example.ts
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
POST https://api.ap1.datadoghq.com/api/v2/security_monitoring/rules/testhttps://api.datadoghq.eu/api/v2/security_monitoring/rules/testhttps://api.ddog-gov.com/api/v2/security_monitoring/rules/testhttps://api.datadoghq.com/api/v2/security_monitoring/rules/testhttps://api.us3.datadoghq.com/api/v2/security_monitoring/rules/testhttps://api.us5.datadoghq.com/api/v2/security_monitoring/rules/test
Test a rule.
This endpoint requires the security_monitoring_rules_write
permission.
OAuth apps require the security_monitoring_rules_write
authorization scope to access this endpoint.
항목
유형
설명
rule
<oneOf>
Test a rule.
Option 1
object
The payload of a rule to test
cases [required]
[object]
Cases for generating signals.
condition
string
A rule case contains logical operations (>
,>=
, &&
, ||
) to determine if a signal should be generated
based on the event counts in the previously defined queries.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
status [required]
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
filters
[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
enum
The type of filtering action.
Allowed enum values: require,suppress
query
string
Query for selecting logs to apply the filtering action.
hasExtendedTitle
boolean
Whether the notifications include the triggering group-by values in their title.
isEnabled [required]
boolean
Whether the rule is enabled.
message [required]
string
Message for generated signals.
name [required]
string
The name of the rule.
options [required]
object
Options on rules.
complianceRuleOptions
object
Options for cloud_configuration rules.
Fields resourceType
and regoRule
are mandatory when managing custom cloud_configuration
rules.
complexRule
boolean
Whether the rule is a complex one.
Must be set to true if regoRule.resourceTypes
contains more than one item. Defaults to false.
regoRule
object
Rule details.
policy [required]
string
The policy written in rego
, see: https://www.openpolicyagent.org/docs/latest/policy-language/
resourceTypes [required]
[string]
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
string
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes
.
decreaseCriticalityBasedOnEnv
boolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.
The severity is decreased by one level: CRITICAL
in production becomes HIGH
in non-production, HIGH
becomes MEDIUM
and so on. INFO
remains INFO
.
The decrement is applied when the environment tag of the signal starts with staging
, test
or dev
.
detectionMethod
enum
The detection method.
Allowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold
evaluationWindow
enum
A time window is specified to match when at least one of the cases matches true. This is a sliding window
and evaluates in real time. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200
hardcodedEvaluatorType
enum
Hardcoded evaluator type.
Allowed enum values: log4shell
impossibleTravelOptions
object
Options on impossible travel rules.
baselineUserLocations
boolean
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
enum
Once a signal is generated, the signal will remain “open” if a case is matched at least once within
this keep alive window. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600
maxSignalDuration
enum
A signal will “close” regardless of the query being matched once the time exceeds the maximum duration.
This time is calculated from the first seen timestamp.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
object
Options on new value rules.
forgetAfter
enum
The duration in days after which a learned value is forgotten.
Allowed enum values: 1,2,7,14,21,28
learningDuration
enum
The duration in days during which values are learned, and after which signals will be generated for values that
weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned.
Allowed enum values: 0,1,7
learningMethod
enum
The learning method used to determine when signals should be generated for values that weren't learned.
Allowed enum values: duration,threshold
default: duration
learningThreshold
enum
A number of occurrences after which signals will be generated for values that weren't learned.
Allowed enum values: 0,1
thirdPartyRuleOptions
object
Options on third party rules.
defaultNotifications
[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
rootQueries
[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
[string]
Fields to group by.
query
string
Query to run on logs.
signalTitleTemplate
string
A template for the signal title; if omitted, the title is generated based on the case name.
queries [required]
[object]
Queries for selecting logs which are part of the rule.
aggregation
enum
The aggregation type.
Allowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
distinctFields
[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
[string]
Fields to group by.
hasOptionalGroupByFields
boolean
When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with N/A
, replacing the missing values.
metric
string
DEPRECATED: (Deprecated) The target field to aggregate over when using the sum or max
aggregations. metrics
field should be used instead.
metrics
[string]
Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.
name
string
Name of the query.
query
string
Query to run on logs.
referenceTables
[object]
Reference tables for the rule.
checkPresence
boolean
Whether to include or exclude the matched values.
columnName
string
The name of the column in the reference table.
logFieldPath
string
The field in the log to match against the reference table.
ruleQueryName
string
The name of the rule query to apply the reference table to.
tableName
string
The name of the reference table.
tags
[string]
Tags for generated signals.
thirdPartyCases
[object]
Cases for generating signals from third-party rules. Only available for third-party rules.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
query
string
A query to map a third party event to this case.
status [required]
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
type
enum
The rule type.
Allowed enum values: log_detection
ruleQueryPayloads
[object]
Data payloads used to test rules query with the expected result.
expectedResult
boolean
Expected result of the test.
index
int64
Index of the query under test.
payload
object
Payload used to test the rule query.
ddsource
string
Source of the payload.
ddtags
string
Tags associated with your data.
hostname
string
The name of the originating host of the log.
message
string
The message of the payload.
service
string
The name of the application or service generating the data.
{
"rule": {
"cases": [
{
"name": "",
"status": "info",
"notifications": [],
"condition": "a > 0"
}
],
"hasExtendedTitle": true,
"isEnabled": true,
"message": "My security monitoring rule message.",
"name": "My security monitoring rule.",
"options": {
"decreaseCriticalityBasedOnEnv": false,
"detectionMethod": "threshold",
"evaluationWindow": 0,
"keepAlive": 0,
"maxSignalDuration": 0
},
"queries": [
{
"query": "source:source_here",
"groupByFields": [
"@userIdentity.assumed_role"
],
"distinctFields": [],
"aggregation": "count",
"name": ""
}
],
"tags": [
"env:prod",
"team:security"
],
"type": "log_detection"
},
"ruleQueryPayloads": [
{
"expectedResult": true,
"index": 0,
"payload": {
"ddsource": "source_here",
"ddtags": "env:staging,version:5.1",
"hostname": "i-012345678",
"message": "2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World",
"service": "payment",
"userIdentity": {
"assumed_role": "fake assumed_role"
}
}
}
]
}
OK
Result of the test of the rule queries.
{
"results": []
}
Bad Request
API error response.
{
"errors": [
"Bad Request"
]
}
Concurrent Modification
API error response.
{
"errors": [
"Bad Request"
]
}
Not Authorized
API error response.
{
"errors": [
"Bad Request"
]
}
Not Found
API error response.
{
"errors": [
"Bad Request"
]
}
Too many requests
API error response.
{
"errors": [
"Bad Request"
]
}
# Curl command
curl -X POST "https://api.ap1.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/rules/test" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
"rule": {
"cases": [
{
"name": "",
"status": "info",
"notifications": [],
"condition": "a > 0"
}
],
"hasExtendedTitle": true,
"isEnabled": true,
"message": "My security monitoring rule message.",
"name": "My security monitoring rule.",
"options": {
"decreaseCriticalityBasedOnEnv": false,
"detectionMethod": "threshold",
"evaluationWindow": 0,
"keepAlive": 0,
"maxSignalDuration": 0
},
"queries": [
{
"query": "source:source_here",
"groupByFields": [
"@userIdentity.assumed_role"
],
"distinctFields": [],
"aggregation": "count",
"name": ""
}
],
"tags": [
"env:prod",
"team:security"
],
"type": "log_detection"
},
"ruleQueryPayloads": [
{
"expectedResult": true,
"index": 0,
"payload": {
"ddsource": "source_here",
"ddtags": "env:staging,version:5.1",
"hostname": "i-012345678",
"message": "2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World",
"service": "payment",
"userIdentity": {
"assumed_role": "fake assumed_role"
}
}
}
]
}
EOF
// Test a rule returns "OK" response
package main
import (
"context"
"encoding/json"
"fmt"
"os"
"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)
func main() {
body := datadogV2.SecurityMonitoringRuleTestRequest{
Rule: &datadogV2.SecurityMonitoringRuleTestPayload{
SecurityMonitoringStandardRuleTestPayload: &datadogV2.SecurityMonitoringStandardRuleTestPayload{
Cases: []datadogV2.SecurityMonitoringRuleCaseCreate{
{
Name: datadog.PtrString(""),
Status: datadogV2.SECURITYMONITORINGRULESEVERITY_INFO,
Notifications: []string{},
Condition: datadog.PtrString("a > 0"),
},
},
HasExtendedTitle: datadog.PtrBool(true),
IsEnabled: true,
Message: "My security monitoring rule message.",
Name: "My security monitoring rule.",
Options: datadogV2.SecurityMonitoringRuleOptions{
DecreaseCriticalityBasedOnEnv: datadog.PtrBool(false),
DetectionMethod: datadogV2.SECURITYMONITORINGRULEDETECTIONMETHOD_THRESHOLD.Ptr(),
EvaluationWindow: datadogV2.SECURITYMONITORINGRULEEVALUATIONWINDOW_ZERO_MINUTES.Ptr(),
KeepAlive: datadogV2.SECURITYMONITORINGRULEKEEPALIVE_ZERO_MINUTES.Ptr(),
MaxSignalDuration: datadogV2.SECURITYMONITORINGRULEMAXSIGNALDURATION_ZERO_MINUTES.Ptr(),
},
Queries: []datadogV2.SecurityMonitoringStandardRuleQuery{
{
Query: datadog.PtrString("source:source_here"),
GroupByFields: []string{
"@userIdentity.assumed_role",
},
DistinctFields: []string{},
Aggregation: datadogV2.SECURITYMONITORINGRULEQUERYAGGREGATION_COUNT.Ptr(),
Name: datadog.PtrString(""),
},
},
Tags: []string{
"env:prod",
"team:security",
},
Type: datadogV2.SECURITYMONITORINGRULETYPETEST_LOG_DETECTION.Ptr(),
}},
RuleQueryPayloads: []datadogV2.SecurityMonitoringRuleQueryPayload{
{
ExpectedResult: datadog.PtrBool(true),
Index: datadog.PtrInt64(0),
Payload: &datadogV2.SecurityMonitoringRuleQueryPayloadData{
Ddsource: datadog.PtrString("source_here"),
Ddtags: datadog.PtrString("env:staging,version:5.1"),
Hostname: datadog.PtrString("i-012345678"),
Message: datadog.PtrString("2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World"),
Service: datadog.PtrString("payment"),
},
},
},
}
ctx := datadog.NewDefaultContext(context.Background())
configuration := datadog.NewConfiguration()
apiClient := datadog.NewAPIClient(configuration)
api := datadogV2.NewSecurityMonitoringApi(apiClient)
resp, r, err := api.TestSecurityMonitoringRule(ctx, body)
if err != nil {
fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.TestSecurityMonitoringRule`: %v\n", err)
fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
}
responseContent, _ := json.MarshalIndent(resp, "", " ")
fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.TestSecurityMonitoringRule`:\n%s\n", responseContent)
}
First install the library and its dependencies and then save the example to main.go
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
// Test a rule returns "OK" response
import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCaseCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleDetectionMethod;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleEvaluationWindow;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleKeepAlive;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleMaxSignalDuration;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleOptions;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleQueryAggregation;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleQueryPayload;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleQueryPayloadData;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSeverity;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleTestPayload;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleTestRequest;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleTestResponse;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleTypeTest;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRuleQuery;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRuleTestPayload;
import java.util.Arrays;
import java.util.Collections;
public class Example {
public static void main(String[] args) {
ApiClient defaultClient = ApiClient.getDefaultApiClient();
SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);
SecurityMonitoringRuleTestRequest body =
new SecurityMonitoringRuleTestRequest()
.rule(
new SecurityMonitoringRuleTestPayload(
new SecurityMonitoringStandardRuleTestPayload()
.cases(
Collections.singletonList(
new SecurityMonitoringRuleCaseCreate()
.name("")
.status(SecurityMonitoringRuleSeverity.INFO)
.condition("a > 0")))
.hasExtendedTitle(true)
.isEnabled(true)
.message("My security monitoring rule message.")
.name("My security monitoring rule.")
.options(
new SecurityMonitoringRuleOptions()
.decreaseCriticalityBasedOnEnv(false)
.detectionMethod(SecurityMonitoringRuleDetectionMethod.THRESHOLD)
.evaluationWindow(
SecurityMonitoringRuleEvaluationWindow.ZERO_MINUTES)
.keepAlive(SecurityMonitoringRuleKeepAlive.ZERO_MINUTES)
.maxSignalDuration(
SecurityMonitoringRuleMaxSignalDuration.ZERO_MINUTES))
.queries(
Collections.singletonList(
new SecurityMonitoringStandardRuleQuery()
.query("source:source_here")
.groupByFields(
Collections.singletonList("@userIdentity.assumed_role"))
.aggregation(SecurityMonitoringRuleQueryAggregation.COUNT)
.name("")))
.tags(Arrays.asList("env:prod", "team:security"))
.type(SecurityMonitoringRuleTypeTest.LOG_DETECTION)))
.ruleQueryPayloads(
Collections.singletonList(
new SecurityMonitoringRuleQueryPayload()
.expectedResult(true)
.index(0L)
.payload(
new SecurityMonitoringRuleQueryPayloadData()
.ddsource("source_here")
.ddtags("env:staging,version:5.1")
.hostname("i-012345678")
.message(
"2019-11-19T14:37:58,995 INFO [process.name][20081] Hello"
+ " World")
.service("payment"))));
try {
SecurityMonitoringRuleTestResponse result = apiInstance.testSecurityMonitoringRule(body);
System.out.println(result);
} catch (ApiException e) {
System.err.println("Exception when calling SecurityMonitoringApi#testSecurityMonitoringRule");
System.err.println("Status code: " + e.getCode());
System.err.println("Reason: " + e.getResponseBody());
System.err.println("Response headers: " + e.getResponseHeaders());
e.printStackTrace();
}
}
}
First install the library and its dependencies and then save the example to Example.java
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
"""
Test a rule returns "OK" response
"""
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_rule_case_create import SecurityMonitoringRuleCaseCreate
from datadog_api_client.v2.model.security_monitoring_rule_detection_method import SecurityMonitoringRuleDetectionMethod
from datadog_api_client.v2.model.security_monitoring_rule_evaluation_window import (
SecurityMonitoringRuleEvaluationWindow,
)
from datadog_api_client.v2.model.security_monitoring_rule_keep_alive import SecurityMonitoringRuleKeepAlive
from datadog_api_client.v2.model.security_monitoring_rule_max_signal_duration import (
SecurityMonitoringRuleMaxSignalDuration,
)
from datadog_api_client.v2.model.security_monitoring_rule_options import SecurityMonitoringRuleOptions
from datadog_api_client.v2.model.security_monitoring_rule_query_aggregation import (
SecurityMonitoringRuleQueryAggregation,
)
from datadog_api_client.v2.model.security_monitoring_rule_query_payload import SecurityMonitoringRuleQueryPayload
from datadog_api_client.v2.model.security_monitoring_rule_query_payload_data import (
SecurityMonitoringRuleQueryPayloadData,
)
from datadog_api_client.v2.model.security_monitoring_rule_severity import SecurityMonitoringRuleSeverity
from datadog_api_client.v2.model.security_monitoring_rule_test_request import SecurityMonitoringRuleTestRequest
from datadog_api_client.v2.model.security_monitoring_rule_type_test import SecurityMonitoringRuleTypeTest
from datadog_api_client.v2.model.security_monitoring_standard_rule_query import SecurityMonitoringStandardRuleQuery
from datadog_api_client.v2.model.security_monitoring_standard_rule_test_payload import (
SecurityMonitoringStandardRuleTestPayload,
)
body = SecurityMonitoringRuleTestRequest(
rule=SecurityMonitoringStandardRuleTestPayload(
cases=[
SecurityMonitoringRuleCaseCreate(
name="",
status=SecurityMonitoringRuleSeverity.INFO,
notifications=[],
condition="a > 0",
),
],
has_extended_title=True,
is_enabled=True,
message="My security monitoring rule message.",
name="My security monitoring rule.",
options=SecurityMonitoringRuleOptions(
decrease_criticality_based_on_env=False,
detection_method=SecurityMonitoringRuleDetectionMethod.THRESHOLD,
evaluation_window=SecurityMonitoringRuleEvaluationWindow.ZERO_MINUTES,
keep_alive=SecurityMonitoringRuleKeepAlive.ZERO_MINUTES,
max_signal_duration=SecurityMonitoringRuleMaxSignalDuration.ZERO_MINUTES,
),
queries=[
SecurityMonitoringStandardRuleQuery(
query="source:source_here",
group_by_fields=[
"@userIdentity.assumed_role",
],
distinct_fields=[],
aggregation=SecurityMonitoringRuleQueryAggregation.COUNT,
name="",
),
],
tags=[
"env:prod",
"team:security",
],
type=SecurityMonitoringRuleTypeTest.LOG_DETECTION,
),
rule_query_payloads=[
SecurityMonitoringRuleQueryPayload(
expected_result=True,
index=0,
payload=SecurityMonitoringRuleQueryPayloadData(
ddsource="source_here",
ddtags="env:staging,version:5.1",
hostname="i-012345678",
message="2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World",
service="payment",
user_identity=dict([("assumed_role", "fake assumed_role")]),
),
),
],
)
configuration = Configuration()
with ApiClient(configuration) as api_client:
api_instance = SecurityMonitoringApi(api_client)
response = api_instance.test_security_monitoring_rule(body=body)
print(response)
First install the library and its dependencies and then save the example to example.py
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
# Test a rule returns "OK" response
require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
body = DatadogAPIClient::V2::SecurityMonitoringRuleTestRequest.new({
rule: DatadogAPIClient::V2::SecurityMonitoringStandardRuleTestPayload.new({
cases: [
DatadogAPIClient::V2::SecurityMonitoringRuleCaseCreate.new({
name: "",
status: DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::INFO,
notifications: [],
condition: "a > 0",
}),
],
has_extended_title: true,
is_enabled: true,
message: "My security monitoring rule message.",
name: "My security monitoring rule.",
options: DatadogAPIClient::V2::SecurityMonitoringRuleOptions.new({
decrease_criticality_based_on_env: false,
detection_method: DatadogAPIClient::V2::SecurityMonitoringRuleDetectionMethod::THRESHOLD,
evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::ZERO_MINUTES,
keep_alive: DatadogAPIClient::V2::SecurityMonitoringRuleKeepAlive::ZERO_MINUTES,
max_signal_duration: DatadogAPIClient::V2::SecurityMonitoringRuleMaxSignalDuration::ZERO_MINUTES,
}),
queries: [
DatadogAPIClient::V2::SecurityMonitoringStandardRuleQuery.new({
query: "source:source_here",
group_by_fields: [
"@userIdentity.assumed_role",
],
distinct_fields: [],
aggregation: DatadogAPIClient::V2::SecurityMonitoringRuleQueryAggregation::COUNT,
name: "",
}),
],
tags: [
"env:prod",
"team:security",
],
type: DatadogAPIClient::V2::SecurityMonitoringRuleTypeTest::LOG_DETECTION,
}),
rule_query_payloads: [
DatadogAPIClient::V2::SecurityMonitoringRuleQueryPayload.new({
expected_result: true,
index: 0,
payload: DatadogAPIClient::V2::SecurityMonitoringRuleQueryPayloadData.new({
ddsource: "source_here",
ddtags: "env:staging,version:5.1",
hostname: "i-012345678",
message: "2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World",
service: "payment",
}),
}),
],
})
p api_instance.test_security_monitoring_rule(body)
First install the library and its dependencies and then save the example to example.rb
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
// Test a rule returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleCaseCreate;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleDetectionMethod;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleEvaluationWindow;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleKeepAlive;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleMaxSignalDuration;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleOptions;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleQueryAggregation;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleQueryPayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleQueryPayloadData;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSeverity;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleTestPayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleTestRequest;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleTypeTest;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRuleQuery;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRuleTestPayload;
#[tokio::main]
async fn main() {
let body = SecurityMonitoringRuleTestRequest::new()
.rule(
SecurityMonitoringRuleTestPayload::SecurityMonitoringStandardRuleTestPayload(Box::new(
SecurityMonitoringStandardRuleTestPayload::new(
vec![SecurityMonitoringRuleCaseCreate::new(
SecurityMonitoringRuleSeverity::INFO,
)
.condition("a > 0".to_string())
.name("".to_string())
.notifications(vec![])],
true,
"My security monitoring rule message.".to_string(),
"My security monitoring rule.".to_string(),
SecurityMonitoringRuleOptions::new()
.decrease_criticality_based_on_env(false)
.detection_method(SecurityMonitoringRuleDetectionMethod::THRESHOLD)
.evaluation_window(SecurityMonitoringRuleEvaluationWindow::ZERO_MINUTES)
.keep_alive(SecurityMonitoringRuleKeepAlive::ZERO_MINUTES)
.max_signal_duration(SecurityMonitoringRuleMaxSignalDuration::ZERO_MINUTES),
vec![SecurityMonitoringStandardRuleQuery::new()
.aggregation(SecurityMonitoringRuleQueryAggregation::COUNT)
.distinct_fields(vec![])
.group_by_fields(vec!["@userIdentity.assumed_role".to_string()])
.name("".to_string())
.query("source:source_here".to_string())],
)
.has_extended_title(true)
.tags(vec!["env:prod".to_string(), "team:security".to_string()])
.type_(SecurityMonitoringRuleTypeTest::LOG_DETECTION),
)),
)
.rule_query_payloads(vec![SecurityMonitoringRuleQueryPayload::new()
.expected_result(true)
.index(0)
.payload(
SecurityMonitoringRuleQueryPayloadData::new()
.ddsource("source_here".to_string())
.ddtags("env:staging,version:5.1".to_string())
.hostname("i-012345678".to_string())
.message(
"2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World"
.to_string(),
)
.service("payment".to_string()),
)]);
let configuration = datadog::Configuration::new();
let api = SecurityMonitoringAPI::with_config(configuration);
let resp = api.test_security_monitoring_rule(body).await;
if let Ok(value) = resp {
println!("{:#?}", value);
} else {
println!("{:#?}", resp.unwrap_err());
}
}
First install the library and its dependencies and then save the example to src/main.rs
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
/**
* Test a rule returns "OK" response
*/
import { client, v2 } from "@datadog/datadog-api-client";
const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);
const params: v2.SecurityMonitoringApiTestSecurityMonitoringRuleRequest = {
body: {
rule: {
cases: [
{
name: "",
status: "info",
notifications: [],
condition: "a > 0",
},
],
hasExtendedTitle: true,
isEnabled: true,
message: "My security monitoring rule message.",
name: "My security monitoring rule.",
options: {
decreaseCriticalityBasedOnEnv: false,
detectionMethod: "threshold",
evaluationWindow: 0,
keepAlive: 0,
maxSignalDuration: 0,
},
queries: [
{
query: "source:source_here",
groupByFields: ["@userIdentity.assumed_role"],
distinctFields: [],
aggregation: "count",
name: "",
},
],
tags: ["env:prod", "team:security"],
type: "log_detection",
},
ruleQueryPayloads: [
{
expectedResult: true,
index: 0,
payload: {
ddsource: "source_here",
ddtags: "env:staging,version:5.1",
hostname: "i-012345678",
message:
"2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World",
service: "payment",
},
},
],
},
};
apiInstance
.testSecurityMonitoringRule(params)
.then((data: v2.SecurityMonitoringRuleTestResponse) => {
console.log(
"API called successfully. Returned data: " + JSON.stringify(data)
);
})
.catch((error: any) => console.error(error));
First install the library and its dependencies and then save the example to example.ts
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
POST https://api.ap1.datadoghq.com/api/v2/security_monitoring/rules/validationhttps://api.datadoghq.eu/api/v2/security_monitoring/rules/validationhttps://api.ddog-gov.com/api/v2/security_monitoring/rules/validationhttps://api.datadoghq.com/api/v2/security_monitoring/rules/validationhttps://api.us3.datadoghq.com/api/v2/security_monitoring/rules/validationhttps://api.us5.datadoghq.com/api/v2/security_monitoring/rules/validation
Validate a detection rule.
This endpoint requires the security_monitoring_rules_write
permission.
OAuth apps require the security_monitoring_rules_write
authorization scope to access this endpoint.
항목
유형
설명
Option 1
object
The payload of a rule.
cases [required]
[object]
Cases for generating signals.
condition
string
A rule case contains logical operations (>
,>=
, &&
, ||
) to determine if a signal should be generated
based on the event counts in the previously defined queries.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
status [required]
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
filters
[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
enum
The type of filtering action.
Allowed enum values: require,suppress
query
string
Query for selecting logs to apply the filtering action.
hasExtendedTitle
boolean
Whether the notifications include the triggering group-by values in their title.
isEnabled [required]
boolean
Whether the rule is enabled.
message [required]
string
Message for generated signals.
name [required]
string
The name of the rule.
options [required]
object
Options on rules.
complianceRuleOptions
object
Options for cloud_configuration rules.
Fields resourceType
and regoRule
are mandatory when managing custom cloud_configuration
rules.
complexRule
boolean
Whether the rule is a complex one.
Must be set to true if regoRule.resourceTypes
contains more than one item. Defaults to false.
regoRule
object
Rule details.
policy [required]
string
The policy written in rego
, see: https://www.openpolicyagent.org/docs/latest/policy-language/
resourceTypes [required]
[string]
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
string
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes
.
decreaseCriticalityBasedOnEnv
boolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.
The severity is decreased by one level: CRITICAL
in production becomes HIGH
in non-production, HIGH
becomes MEDIUM
and so on. INFO
remains INFO
.
The decrement is applied when the environment tag of the signal starts with staging
, test
or dev
.
detectionMethod
enum
The detection method.
Allowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold
evaluationWindow
enum
A time window is specified to match when at least one of the cases matches true. This is a sliding window
and evaluates in real time. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200
hardcodedEvaluatorType
enum
Hardcoded evaluator type.
Allowed enum values: log4shell
impossibleTravelOptions
object
Options on impossible travel rules.
baselineUserLocations
boolean
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
enum
Once a signal is generated, the signal will remain “open” if a case is matched at least once within
this keep alive window. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600
maxSignalDuration
enum
A signal will “close” regardless of the query being matched once the time exceeds the maximum duration.
This time is calculated from the first seen timestamp.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
object
Options on new value rules.
forgetAfter
enum
The duration in days after which a learned value is forgotten.
Allowed enum values: 1,2,7,14,21,28
learningDuration
enum
The duration in days during which values are learned, and after which signals will be generated for values that
weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned.
Allowed enum values: 0,1,7
learningMethod
enum
The learning method used to determine when signals should be generated for values that weren't learned.
Allowed enum values: duration,threshold
default: duration
learningThreshold
enum
A number of occurrences after which signals will be generated for values that weren't learned.
Allowed enum values: 0,1
thirdPartyRuleOptions
object
Options on third party rules.
defaultNotifications
[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
rootQueries
[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
[string]
Fields to group by.
query
string
Query to run on logs.
signalTitleTemplate
string
A template for the signal title; if omitted, the title is generated based on the case name.
queries [required]
[object]
Queries for selecting logs which are part of the rule.
aggregation
enum
The aggregation type.
Allowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
distinctFields
[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
[string]
Fields to group by.
hasOptionalGroupByFields
boolean
When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with N/A
, replacing the missing values.
metric
string
DEPRECATED: (Deprecated) The target field to aggregate over when using the sum or max
aggregations. metrics
field should be used instead.
metrics
[string]
Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.
name
string
Name of the query.
query
string
Query to run on logs.
referenceTables
[object]
Reference tables for the rule.
checkPresence
boolean
Whether to include or exclude the matched values.
columnName
string
The name of the column in the reference table.
logFieldPath
string
The field in the log to match against the reference table.
ruleQueryName
string
The name of the rule query to apply the reference table to.
tableName
string
The name of the reference table.
tags
[string]
Tags for generated signals.
thirdPartyCases
[object]
Cases for generating signals from third-party rules. Only available for third-party rules.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
query
string
A query to map a third party event to this case.
status [required]
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
type
enum
The rule type.
Allowed enum values: application_security,log_detection,workload_security
Option 2
object
The payload of a signal correlation rule.
cases [required]
[object]
Cases for generating signals.
condition
string
A rule case contains logical operations (>
,>=
, &&
, ||
) to determine if a signal should be generated
based on the event counts in the previously defined queries.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
status [required]
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
filters
[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
enum
The type of filtering action.
Allowed enum values: require,suppress
query
string
Query for selecting logs to apply the filtering action.
hasExtendedTitle
boolean
Whether the notifications include the triggering group-by values in their title.
isEnabled [required]
boolean
Whether the rule is enabled.
message [required]
string
Message for generated signals.
name [required]
string
The name of the rule.
options [required]
object
Options on rules.
complianceRuleOptions
object
Options for cloud_configuration rules.
Fields resourceType
and regoRule
are mandatory when managing custom cloud_configuration
rules.
complexRule
boolean
Whether the rule is a complex one.
Must be set to true if regoRule.resourceTypes
contains more than one item. Defaults to false.
regoRule
object
Rule details.
policy [required]
string
The policy written in rego
, see: https://www.openpolicyagent.org/docs/latest/policy-language/
resourceTypes [required]
[string]
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
string
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes
.
decreaseCriticalityBasedOnEnv
boolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.
The severity is decreased by one level: CRITICAL
in production becomes HIGH
in non-production, HIGH
becomes MEDIUM
and so on. INFO
remains INFO
.
The decrement is applied when the environment tag of the signal starts with staging
, test
or dev
.
detectionMethod
enum
The detection method.
Allowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold
evaluationWindow
enum
A time window is specified to match when at least one of the cases matches true. This is a sliding window
and evaluates in real time. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200
hardcodedEvaluatorType
enum
Hardcoded evaluator type.
Allowed enum values: log4shell
impossibleTravelOptions
object
Options on impossible travel rules.
baselineUserLocations
boolean
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
enum
Once a signal is generated, the signal will remain “open” if a case is matched at least once within
this keep alive window. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600
maxSignalDuration
enum
A signal will “close” regardless of the query being matched once the time exceeds the maximum duration.
This time is calculated from the first seen timestamp.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
object
Options on new value rules.
forgetAfter
enum
The duration in days after which a learned value is forgotten.
Allowed enum values: 1,2,7,14,21,28
learningDuration
enum
The duration in days during which values are learned, and after which signals will be generated for values that
weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned.
Allowed enum values: 0,1,7
learningMethod
enum
The learning method used to determine when signals should be generated for values that weren't learned.
Allowed enum values: duration,threshold
default: duration
learningThreshold
enum
A number of occurrences after which signals will be generated for values that weren't learned.
Allowed enum values: 0,1
thirdPartyRuleOptions
object
Options on third party rules.
defaultNotifications
[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
rootQueries
[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
[string]
Fields to group by.
query
string
Query to run on logs.
signalTitleTemplate
string
A template for the signal title; if omitted, the title is generated based on the case name.
queries [required]
[object]
Queries for selecting signals which are part of the rule.
aggregation
enum
The aggregation type.
Allowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
correlatedByFields
[string]
Fields to group by.
correlatedQueryIndex
int32
Index of the rule query used to retrieve the correlated field.
metrics
[string]
Group of target fields to aggregate over.
name
string
Name of the query.
ruleId [required]
string
Rule ID to match on signals.
tags
[string]
Tags for generated signals.
type
enum
The rule type.
Allowed enum values: signal_correlation
Option 3
object
The payload of a cloud configuration rule.
cases [required]
[object]
Description of generated findings and signals (severity and channels to be notified in case of a signal). Must contain exactly one item.
notifications
[string]
Notification targets for each rule case.
status [required]
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
complianceSignalOptions [required]
object
How to generate compliance signals. Useful for cloud_configuration rules only.
defaultActivationStatus
boolean
The default activation status.
defaultGroupByFields
[string]
The default group by fields.
userActivationStatus
boolean
Whether signals will be sent.
userGroupByFields
[string]
Fields to use to group findings by when sending signals.
filters
[object]
Additional queries to filter matched events before they are processed.
action
enum
The type of filtering action.
Allowed enum values: require,suppress
query
string
Query for selecting logs to apply the filtering action.
isEnabled [required]
boolean
Whether the rule is enabled.
message [required]
string
Message in markdown format for generated findings and signals.
name [required]
string
The name of the rule.
options [required]
object
Options on cloud configuration rules.
complianceRuleOptions [required]
object
Options for cloud_configuration rules.
Fields resourceType
and regoRule
are mandatory when managing custom cloud_configuration
rules.
complexRule
boolean
Whether the rule is a complex one.
Must be set to true if regoRule.resourceTypes
contains more than one item. Defaults to false.
regoRule
object
Rule details.
policy [required]
string
The policy written in rego
, see: https://www.openpolicyagent.org/docs/latest/policy-language/
resourceTypes [required]
[string]
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
string
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes
.
tags
[string]
Tags for generated findings and signals.
type
enum
The rule type.
Allowed enum values: cloud_configuration
{
"cases": [
{
"name": "",
"status": "info",
"notifications": [],
"condition": "a > 0"
}
],
"hasExtendedTitle": true,
"isEnabled": true,
"message": "My security monitoring rule",
"name": "My security monitoring rule",
"options": {
"evaluationWindow": 1800,
"keepAlive": 1800,
"maxSignalDuration": 1800,
"detectionMethod": "threshold"
},
"queries": [
{
"query": "source:source_here",
"groupByFields": [
"@userIdentity.assumed_role"
],
"distinctFields": [],
"aggregation": "count",
"name": ""
}
],
"tags": [
"env:prod",
"team:security"
],
"type": "log_detection"
}
OK
Bad Request
API error response.
{
"errors": [
"Bad Request"
]
}
Not Authorized
API error response.
{
"errors": [
"Bad Request"
]
}
Too many requests
API error response.
{
"errors": [
"Bad Request"
]
}
# Curl command
curl -X POST "https://api.ap1.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/rules/validation" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
"cases": [
{
"name": "",
"status": "info",
"notifications": [],
"condition": "a > 0"
}
],
"hasExtendedTitle": true,
"isEnabled": true,
"message": "My security monitoring rule",
"name": "My security monitoring rule",
"options": {
"evaluationWindow": 1800,
"keepAlive": 1800,
"maxSignalDuration": 1800,
"detectionMethod": "threshold"
},
"queries": [
{
"query": "source:source_here",
"groupByFields": [
"@userIdentity.assumed_role"
],
"distinctFields": [],
"aggregation": "count",
"name": ""
}
],
"tags": [
"env:prod",
"team:security"
],
"type": "log_detection"
}
EOF
// Validate a detection rule returns "OK" response
package main
import (
"context"
"fmt"
"os"
"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)
func main() {
body := datadogV2.SecurityMonitoringRuleValidatePayload{
SecurityMonitoringStandardRulePayload: &datadogV2.SecurityMonitoringStandardRulePayload{
Cases: []datadogV2.SecurityMonitoringRuleCaseCreate{
{
Name: datadog.PtrString(""),
Status: datadogV2.SECURITYMONITORINGRULESEVERITY_INFO,
Notifications: []string{},
Condition: datadog.PtrString("a > 0"),
},
},
HasExtendedTitle: datadog.PtrBool(true),
IsEnabled: true,
Message: "My security monitoring rule",
Name: "My security monitoring rule",
Options: datadogV2.SecurityMonitoringRuleOptions{
EvaluationWindow: datadogV2.SECURITYMONITORINGRULEEVALUATIONWINDOW_THIRTY_MINUTES.Ptr(),
KeepAlive: datadogV2.SECURITYMONITORINGRULEKEEPALIVE_THIRTY_MINUTES.Ptr(),
MaxSignalDuration: datadogV2.SECURITYMONITORINGRULEMAXSIGNALDURATION_THIRTY_MINUTES.Ptr(),
DetectionMethod: datadogV2.SECURITYMONITORINGRULEDETECTIONMETHOD_THRESHOLD.Ptr(),
},
Queries: []datadogV2.SecurityMonitoringStandardRuleQuery{
{
Query: datadog.PtrString("source:source_here"),
GroupByFields: []string{
"@userIdentity.assumed_role",
},
DistinctFields: []string{},
Aggregation: datadogV2.SECURITYMONITORINGRULEQUERYAGGREGATION_COUNT.Ptr(),
Name: datadog.PtrString(""),
},
},
Tags: []string{
"env:prod",
"team:security",
},
Type: datadogV2.SECURITYMONITORINGRULETYPECREATE_LOG_DETECTION.Ptr(),
}}
ctx := datadog.NewDefaultContext(context.Background())
configuration := datadog.NewConfiguration()
apiClient := datadog.NewAPIClient(configuration)
api := datadogV2.NewSecurityMonitoringApi(apiClient)
r, err := api.ValidateSecurityMonitoringRule(ctx, body)
if err != nil {
fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.ValidateSecurityMonitoringRule`: %v\n", err)
fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
}
}
First install the library and its dependencies and then save the example to main.go
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
// Validate a detection rule returns "OK" response
import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCaseCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleDetectionMethod;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleEvaluationWindow;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleKeepAlive;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleMaxSignalDuration;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleOptions;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleQueryAggregation;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSeverity;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleTypeCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleValidatePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRulePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRuleQuery;
import java.util.Arrays;
import java.util.Collections;
public class Example {
public static void main(String[] args) {
ApiClient defaultClient = ApiClient.getDefaultApiClient();
SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);
SecurityMonitoringRuleValidatePayload body =
new SecurityMonitoringRuleValidatePayload(
new SecurityMonitoringStandardRulePayload()
.cases(
Collections.singletonList(
new SecurityMonitoringRuleCaseCreate()
.name("")
.status(SecurityMonitoringRuleSeverity.INFO)
.condition("a > 0")))
.hasExtendedTitle(true)
.isEnabled(true)
.message("My security monitoring rule")
.name("My security monitoring rule")
.options(
new SecurityMonitoringRuleOptions()
.evaluationWindow(SecurityMonitoringRuleEvaluationWindow.THIRTY_MINUTES)
.keepAlive(SecurityMonitoringRuleKeepAlive.THIRTY_MINUTES)
.maxSignalDuration(SecurityMonitoringRuleMaxSignalDuration.THIRTY_MINUTES)
.detectionMethod(SecurityMonitoringRuleDetectionMethod.THRESHOLD))
.queries(
Collections.singletonList(
new SecurityMonitoringStandardRuleQuery()
.query("source:source_here")
.groupByFields(Collections.singletonList("@userIdentity.assumed_role"))
.aggregation(SecurityMonitoringRuleQueryAggregation.COUNT)
.name("")))
.tags(Arrays.asList("env:prod", "team:security"))
.type(SecurityMonitoringRuleTypeCreate.LOG_DETECTION));
try {
apiInstance.validateSecurityMonitoringRule(body);
} catch (ApiException e) {
System.err.println(
"Exception when calling SecurityMonitoringApi#validateSecurityMonitoringRule");
System.err.println("Status code: " + e.getCode());
System.err.println("Reason: " + e.getResponseBody());
System.err.println("Response headers: " + e.getResponseHeaders());
e.printStackTrace();
}
}
}
First install the library and its dependencies and then save the example to Example.java
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
"""
Validate a detection rule returns "OK" response
"""
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_rule_case_create import SecurityMonitoringRuleCaseCreate
from datadog_api_client.v2.model.security_monitoring_rule_detection_method import SecurityMonitoringRuleDetectionMethod
from datadog_api_client.v2.model.security_monitoring_rule_evaluation_window import (
SecurityMonitoringRuleEvaluationWindow,
)
from datadog_api_client.v2.model.security_monitoring_rule_keep_alive import SecurityMonitoringRuleKeepAlive
from datadog_api_client.v2.model.security_monitoring_rule_max_signal_duration import (
SecurityMonitoringRuleMaxSignalDuration,
)
from datadog_api_client.v2.model.security_monitoring_rule_options import SecurityMonitoringRuleOptions
from datadog_api_client.v2.model.security_monitoring_rule_query_aggregation import (
SecurityMonitoringRuleQueryAggregation,
)
from datadog_api_client.v2.model.security_monitoring_rule_severity import SecurityMonitoringRuleSeverity
from datadog_api_client.v2.model.security_monitoring_rule_type_create import SecurityMonitoringRuleTypeCreate
from datadog_api_client.v2.model.security_monitoring_standard_rule_payload import SecurityMonitoringStandardRulePayload
from datadog_api_client.v2.model.security_monitoring_standard_rule_query import SecurityMonitoringStandardRuleQuery
body = SecurityMonitoringStandardRulePayload(
cases=[
SecurityMonitoringRuleCaseCreate(
name="",
status=SecurityMonitoringRuleSeverity.INFO,
notifications=[],
condition="a > 0",
),
],
has_extended_title=True,
is_enabled=True,
message="My security monitoring rule",
name="My security monitoring rule",
options=SecurityMonitoringRuleOptions(
evaluation_window=SecurityMonitoringRuleEvaluationWindow.THIRTY_MINUTES,
keep_alive=SecurityMonitoringRuleKeepAlive.THIRTY_MINUTES,
max_signal_duration=SecurityMonitoringRuleMaxSignalDuration.THIRTY_MINUTES,
detection_method=SecurityMonitoringRuleDetectionMethod.THRESHOLD,
),
queries=[
SecurityMonitoringStandardRuleQuery(
query="source:source_here",
group_by_fields=[
"@userIdentity.assumed_role",
],
distinct_fields=[],
aggregation=SecurityMonitoringRuleQueryAggregation.COUNT,
name="",
),
],
tags=[
"env:prod",
"team:security",
],
type=SecurityMonitoringRuleTypeCreate.LOG_DETECTION,
)
configuration = Configuration()
with ApiClient(configuration) as api_client:
api_instance = SecurityMonitoringApi(api_client)
api_instance.validate_security_monitoring_rule(body=body)
First install the library and its dependencies and then save the example to example.py
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
# Validate a detection rule returns "OK" response
require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
body = DatadogAPIClient::V2::SecurityMonitoringStandardRulePayload.new({
cases: [
DatadogAPIClient::V2::SecurityMonitoringRuleCaseCreate.new({
name: "",
status: DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::INFO,
notifications: [],
condition: "a > 0",
}),
],
has_extended_title: true,
is_enabled: true,
message: "My security monitoring rule",
name: "My security monitoring rule",
options: DatadogAPIClient::V2::SecurityMonitoringRuleOptions.new({
evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::THIRTY_MINUTES,
keep_alive: DatadogAPIClient::V2::SecurityMonitoringRuleKeepAlive::THIRTY_MINUTES,
max_signal_duration: DatadogAPIClient::V2::SecurityMonitoringRuleMaxSignalDuration::THIRTY_MINUTES,
detection_method: DatadogAPIClient::V2::SecurityMonitoringRuleDetectionMethod::THRESHOLD,
}),
queries: [
DatadogAPIClient::V2::SecurityMonitoringStandardRuleQuery.new({
query: "source:source_here",
group_by_fields: [
"@userIdentity.assumed_role",
],
distinct_fields: [],
aggregation: DatadogAPIClient::V2::SecurityMonitoringRuleQueryAggregation::COUNT,
name: "",
}),
],
tags: [
"env:prod",
"team:security",
],
type: DatadogAPIClient::V2::SecurityMonitoringRuleTypeCreate::LOG_DETECTION,
})
api_instance.validate_security_monitoring_rule(body)
First install the library and its dependencies and then save the example to example.rb
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
// Validate a detection rule returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleCaseCreate;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleDetectionMethod;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleEvaluationWindow;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleKeepAlive;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleMaxSignalDuration;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleOptions;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleQueryAggregation;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSeverity;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleTypeCreate;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleValidatePayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRulePayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRuleQuery;
#[tokio::main]
async fn main() {
let body =
SecurityMonitoringRuleValidatePayload::SecurityMonitoringStandardRulePayload(Box::new(
SecurityMonitoringStandardRulePayload::new(
vec![
SecurityMonitoringRuleCaseCreate::new(SecurityMonitoringRuleSeverity::INFO)
.condition("a > 0".to_string())
.name("".to_string())
.notifications(vec![]),
],
true,
"My security monitoring rule".to_string(),
"My security monitoring rule".to_string(),
SecurityMonitoringRuleOptions::new()
.detection_method(SecurityMonitoringRuleDetectionMethod::THRESHOLD)
.evaluation_window(SecurityMonitoringRuleEvaluationWindow::THIRTY_MINUTES)
.keep_alive(SecurityMonitoringRuleKeepAlive::THIRTY_MINUTES)
.max_signal_duration(SecurityMonitoringRuleMaxSignalDuration::THIRTY_MINUTES),
vec![SecurityMonitoringStandardRuleQuery::new()
.aggregation(SecurityMonitoringRuleQueryAggregation::COUNT)
.distinct_fields(vec![])
.group_by_fields(vec!["@userIdentity.assumed_role".to_string()])
.name("".to_string())
.query("source:source_here".to_string())],
)
.has_extended_title(true)
.tags(vec!["env:prod".to_string(), "team:security".to_string()])
.type_(SecurityMonitoringRuleTypeCreate::LOG_DETECTION),
));
let configuration = datadog::Configuration::new();
let api = SecurityMonitoringAPI::with_config(configuration);
let resp = api.validate_security_monitoring_rule(body).await;
if let Ok(value) = resp {
println!("{:#?}", value);
} else {
println!("{:#?}", resp.unwrap_err());
}
}
First install the library and its dependencies and then save the example to src/main.rs
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
/**
* Validate a detection rule returns "OK" response
*/
import { client, v2 } from "@datadog/datadog-api-client";
const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);
const params: v2.SecurityMonitoringApiValidateSecurityMonitoringRuleRequest = {
body: {
cases: [
{
name: "",
status: "info",
notifications: [],
condition: "a > 0",
},
],
hasExtendedTitle: true,
isEnabled: true,
message: "My security monitoring rule",
name: "My security monitoring rule",
options: {
evaluationWindow: 1800,
keepAlive: 1800,
maxSignalDuration: 1800,
detectionMethod: "threshold",
},
queries: [
{
query: "source:source_here",
groupByFields: ["@userIdentity.assumed_role"],
distinctFields: [],
aggregation: "count",
name: "",
},
],
tags: ["env:prod", "team:security"],
type: "log_detection",
},
};
apiInstance
.validateSecurityMonitoringRule(params)
.then((data: any) => {
console.log(
"API called successfully. Returned data: " + JSON.stringify(data)
);
})
.catch((error: any) => console.error(error));
First install the library and its dependencies and then save the example to example.ts
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
GET https://api.ap1.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}/converthttps://api.datadoghq.eu/api/v2/security_monitoring/rules/{rule_id}/converthttps://api.ddog-gov.com/api/v2/security_monitoring/rules/{rule_id}/converthttps://api.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}/converthttps://api.us3.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}/converthttps://api.us5.datadoghq.com/api/v2/security_monitoring/rules/{rule_id}/convert
Convert an existing rule from JSON to Terraform for datadog provider
resource datadog_security_monitoring_rule.
This endpoint requires the security_monitoring_rules_read
permission.
OAuth apps require the security_monitoring_rules_read
authorization scope to access this endpoint.
이름
유형
설명
rule_id [required]
string
The ID of the rule.
OK
Result of the convert rule request containing Terraform content.
{
"terraformContent": "string"
}
Bad Request
API error response.
{
"errors": [
"Bad Request"
]
}
Not Authorized
API error response.
{
"errors": [
"Bad Request"
]
}
Not Found
API error response.
{
"errors": [
"Bad Request"
]
}
Too many requests
API error response.
{
"errors": [
"Bad Request"
]
}
# Path parameters
export rule_id="CHANGE_ME"
# Curl command
curl -X GET "https://api.ap1.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/rules/${rule_id}/convert" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
"""
Convert an existing rule from JSON to Terraform returns "OK" response
"""
from os import environ
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
# there is a valid "security_rule" in the system
SECURITY_RULE_ID = environ["SECURITY_RULE_ID"]
configuration = Configuration()
with ApiClient(configuration) as api_client:
api_instance = SecurityMonitoringApi(api_client)
response = api_instance.convert_existing_security_monitoring_rule(
rule_id=SECURITY_RULE_ID,
)
print(response)
First install the library and its dependencies and then save the example to example.py
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
# Convert an existing rule from JSON to Terraform returns "OK" response
require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
# there is a valid "security_rule" in the system
SECURITY_RULE_ID = ENV["SECURITY_RULE_ID"]
p api_instance.convert_existing_security_monitoring_rule(SECURITY_RULE_ID)
First install the library and its dependencies and then save the example to example.rb
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
// Convert an existing rule from JSON to Terraform returns "OK" response
package main
import (
"context"
"encoding/json"
"fmt"
"os"
"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)
func main() {
// there is a valid "security_rule" in the system
SecurityRuleID := os.Getenv("SECURITY_RULE_ID")
ctx := datadog.NewDefaultContext(context.Background())
configuration := datadog.NewConfiguration()
apiClient := datadog.NewAPIClient(configuration)
api := datadogV2.NewSecurityMonitoringApi(apiClient)
resp, r, err := api.ConvertExistingSecurityMonitoringRule(ctx, SecurityRuleID)
if err != nil {
fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.ConvertExistingSecurityMonitoringRule`: %v\n", err)
fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
}
responseContent, _ := json.MarshalIndent(resp, "", " ")
fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.ConvertExistingSecurityMonitoringRule`:\n%s\n", responseContent)
}
First install the library and its dependencies and then save the example to main.go
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
// Convert an existing rule from JSON to Terraform returns "OK" response
import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleConvertResponse;
public class Example {
public static void main(String[] args) {
ApiClient defaultClient = ApiClient.getDefaultApiClient();
SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);
// there is a valid "security_rule" in the system
String SECURITY_RULE_ID = System.getenv("SECURITY_RULE_ID");
try {
SecurityMonitoringRuleConvertResponse result =
apiInstance.convertExistingSecurityMonitoringRule(SECURITY_RULE_ID);
System.out.println(result);
} catch (ApiException e) {
System.err.println(
"Exception when calling SecurityMonitoringApi#convertExistingSecurityMonitoringRule");
System.err.println("Status code: " + e.getCode());
System.err.println("Reason: " + e.getResponseBody());
System.err.println("Response headers: " + e.getResponseHeaders());
e.printStackTrace();
}
}
}
First install the library and its dependencies and then save the example to Example.java
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
// Convert an existing rule from JSON to Terraform returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
#[tokio::main]
async fn main() {
// there is a valid "security_rule" in the system
let security_rule_id = std::env::var("SECURITY_RULE_ID").unwrap();
let configuration = datadog::Configuration::new();
let api = SecurityMonitoringAPI::with_config(configuration);
let resp = api
.convert_existing_security_monitoring_rule(security_rule_id.clone())
.await;
if let Ok(value) = resp {
println!("{:#?}", value);
} else {
println!("{:#?}", resp.unwrap_err());
}
}
First install the library and its dependencies and then save the example to src/main.rs
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
/**
* Convert an existing rule from JSON to Terraform returns "OK" response
*/
import { client, v2 } from "@datadog/datadog-api-client";
const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);
// there is a valid "security_rule" in the system
const SECURITY_RULE_ID = process.env.SECURITY_RULE_ID as string;
const params: v2.SecurityMonitoringApiConvertExistingSecurityMonitoringRuleRequest =
{
ruleId: SECURITY_RULE_ID,
};
apiInstance
.convertExistingSecurityMonitoringRule(params)
.then((data: v2.SecurityMonitoringRuleConvertResponse) => {
console.log(
"API called successfully. Returned data: " + JSON.stringify(data)
);
})
.catch((error: any) => console.error(error));
First install the library and its dependencies and then save the example to example.ts
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
POST https://api.ap1.datadoghq.com/api/v2/security_monitoring/rules/converthttps://api.datadoghq.eu/api/v2/security_monitoring/rules/converthttps://api.ddog-gov.com/api/v2/security_monitoring/rules/converthttps://api.datadoghq.com/api/v2/security_monitoring/rules/converthttps://api.us3.datadoghq.com/api/v2/security_monitoring/rules/converthttps://api.us5.datadoghq.com/api/v2/security_monitoring/rules/convert
Convert a rule that doesn’t (yet) exist from JSON to Terraform for datadog provider
resource datadog_security_monitoring_rule.
This endpoint requires the security_monitoring_rules_write
permission.
OAuth apps require the security_monitoring_rules_write
authorization scope to access this endpoint.
항목
유형
설명
Option 1
object
The payload of a rule.
cases [required]
[object]
Cases for generating signals.
condition
string
A rule case contains logical operations (>
,>=
, &&
, ||
) to determine if a signal should be generated
based on the event counts in the previously defined queries.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
status [required]
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
filters
[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
enum
The type of filtering action.
Allowed enum values: require,suppress
query
string
Query for selecting logs to apply the filtering action.
hasExtendedTitle
boolean
Whether the notifications include the triggering group-by values in their title.
isEnabled [required]
boolean
Whether the rule is enabled.
message [required]
string
Message for generated signals.
name [required]
string
The name of the rule.
options [required]
object
Options on rules.
complianceRuleOptions
object
Options for cloud_configuration rules.
Fields resourceType
and regoRule
are mandatory when managing custom cloud_configuration
rules.
complexRule
boolean
Whether the rule is a complex one.
Must be set to true if regoRule.resourceTypes
contains more than one item. Defaults to false.
regoRule
object
Rule details.
policy [required]
string
The policy written in rego
, see: https://www.openpolicyagent.org/docs/latest/policy-language/
resourceTypes [required]
[string]
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
string
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes
.
decreaseCriticalityBasedOnEnv
boolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.
The severity is decreased by one level: CRITICAL
in production becomes HIGH
in non-production, HIGH
becomes MEDIUM
and so on. INFO
remains INFO
.
The decrement is applied when the environment tag of the signal starts with staging
, test
or dev
.
detectionMethod
enum
The detection method.
Allowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold
evaluationWindow
enum
A time window is specified to match when at least one of the cases matches true. This is a sliding window
and evaluates in real time. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200
hardcodedEvaluatorType
enum
Hardcoded evaluator type.
Allowed enum values: log4shell
impossibleTravelOptions
object
Options on impossible travel rules.
baselineUserLocations
boolean
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
enum
Once a signal is generated, the signal will remain “open” if a case is matched at least once within
this keep alive window. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600
maxSignalDuration
enum
A signal will “close” regardless of the query being matched once the time exceeds the maximum duration.
This time is calculated from the first seen timestamp.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
object
Options on new value rules.
forgetAfter
enum
The duration in days after which a learned value is forgotten.
Allowed enum values: 1,2,7,14,21,28
learningDuration
enum
The duration in days during which values are learned, and after which signals will be generated for values that
weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned.
Allowed enum values: 0,1,7
learningMethod
enum
The learning method used to determine when signals should be generated for values that weren't learned.
Allowed enum values: duration,threshold
default: duration
learningThreshold
enum
A number of occurrences after which signals will be generated for values that weren't learned.
Allowed enum values: 0,1
thirdPartyRuleOptions
object
Options on third party rules.
defaultNotifications
[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
rootQueries
[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
[string]
Fields to group by.
query
string
Query to run on logs.
signalTitleTemplate
string
A template for the signal title; if omitted, the title is generated based on the case name.
queries [required]
[object]
Queries for selecting logs which are part of the rule.
aggregation
enum
The aggregation type.
Allowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
distinctFields
[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
[string]
Fields to group by.
hasOptionalGroupByFields
boolean
When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with N/A
, replacing the missing values.
metric
string
DEPRECATED: (Deprecated) The target field to aggregate over when using the sum or max
aggregations. metrics
field should be used instead.
metrics
[string]
Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.
name
string
Name of the query.
query
string
Query to run on logs.
referenceTables
[object]
Reference tables for the rule.
checkPresence
boolean
Whether to include or exclude the matched values.
columnName
string
The name of the column in the reference table.
logFieldPath
string
The field in the log to match against the reference table.
ruleQueryName
string
The name of the rule query to apply the reference table to.
tableName
string
The name of the reference table.
tags
[string]
Tags for generated signals.
thirdPartyCases
[object]
Cases for generating signals from third-party rules. Only available for third-party rules.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
query
string
A query to map a third party event to this case.
status [required]
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
type
enum
The rule type.
Allowed enum values: application_security,log_detection,workload_security
Option 2
object
The payload of a signal correlation rule.
cases [required]
[object]
Cases for generating signals.
condition
string
A rule case contains logical operations (>
,>=
, &&
, ||
) to determine if a signal should be generated
based on the event counts in the previously defined queries.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
status [required]
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
filters
[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
enum
The type of filtering action.
Allowed enum values: require,suppress
query
string
Query for selecting logs to apply the filtering action.
hasExtendedTitle
boolean
Whether the notifications include the triggering group-by values in their title.
isEnabled [required]
boolean
Whether the rule is enabled.
message [required]
string
Message for generated signals.
name [required]
string
The name of the rule.
options [required]
object
Options on rules.
complianceRuleOptions
object
Options for cloud_configuration rules.
Fields resourceType
and regoRule
are mandatory when managing custom cloud_configuration
rules.
complexRule
boolean
Whether the rule is a complex one.
Must be set to true if regoRule.resourceTypes
contains more than one item. Defaults to false.
regoRule
object
Rule details.
policy [required]
string
The policy written in rego
, see: https://www.openpolicyagent.org/docs/latest/policy-language/
resourceTypes [required]
[string]
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
string
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes
.
decreaseCriticalityBasedOnEnv
boolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.
The severity is decreased by one level: CRITICAL
in production becomes HIGH
in non-production, HIGH
becomes MEDIUM
and so on. INFO
remains INFO
.
The decrement is applied when the environment tag of the signal starts with staging
, test
or dev
.
detectionMethod
enum
The detection method.
Allowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold
evaluationWindow
enum
A time window is specified to match when at least one of the cases matches true. This is a sliding window
and evaluates in real time. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200
hardcodedEvaluatorType
enum
Hardcoded evaluator type.
Allowed enum values: log4shell
impossibleTravelOptions
object
Options on impossible travel rules.
baselineUserLocations
boolean
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
enum
Once a signal is generated, the signal will remain “open” if a case is matched at least once within
this keep alive window. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600
maxSignalDuration
enum
A signal will “close” regardless of the query being matched once the time exceeds the maximum duration.
This time is calculated from the first seen timestamp.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
object
Options on new value rules.
forgetAfter
enum
The duration in days after which a learned value is forgotten.
Allowed enum values: 1,2,7,14,21,28
learningDuration
enum
The duration in days during which values are learned, and after which signals will be generated for values that
weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned.
Allowed enum values: 0,1,7
learningMethod
enum
The learning method used to determine when signals should be generated for values that weren't learned.
Allowed enum values: duration,threshold
default: duration
learningThreshold
enum
A number of occurrences after which signals will be generated for values that weren't learned.
Allowed enum values: 0,1
thirdPartyRuleOptions
object
Options on third party rules.
defaultNotifications
[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
rootQueries
[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
[string]
Fields to group by.
query
string
Query to run on logs.
signalTitleTemplate
string
A template for the signal title; if omitted, the title is generated based on the case name.
queries [required]
[object]
Queries for selecting signals which are part of the rule.
aggregation
enum
The aggregation type.
Allowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
correlatedByFields
[string]
Fields to group by.
correlatedQueryIndex
int32
Index of the rule query used to retrieve the correlated field.
metrics
[string]
Group of target fields to aggregate over.
name
string
Name of the query.
ruleId [required]
string
Rule ID to match on signals.
tags
[string]
Tags for generated signals.
type
enum
The rule type.
Allowed enum values: signal_correlation
{
"name": "Example-Security-Monitoring",
"queries": [
{
"query": "@test:true",
"aggregation": "count",
"groupByFields": [],
"distinctFields": [],
"metric": ""
}
],
"filters": [],
"cases": [
{
"name": "",
"status": "info",
"condition": "a > 0",
"notifications": []
}
],
"options": {
"evaluationWindow": 900,
"keepAlive": 3600,
"maxSignalDuration": 86400
},
"message": "Test rule",
"tags": [],
"isEnabled": true,
"type": "log_detection"
}
OK
Result of the convert rule request containing Terraform content.
{
"terraformContent": "string"
}
Bad Request
API error response.
{
"errors": [
"Bad Request"
]
}
Concurrent Modification
API error response.
{
"errors": [
"Bad Request"
]
}
Not Authorized
API error response.
{
"errors": [
"Bad Request"
]
}
Not Found
API error response.
{
"errors": [
"Bad Request"
]
}
Too many requests
API error response.
{
"errors": [
"Bad Request"
]
}
# Curl command
curl -X POST "https://api.ap1.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/rules/convert" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
"name": "Example-Security-Monitoring",
"queries": [
{
"query": "@test:true",
"aggregation": "count",
"groupByFields": [],
"distinctFields": [],
"metric": ""
}
],
"filters": [],
"cases": [
{
"name": "",
"status": "info",
"condition": "a > 0",
"notifications": []
}
],
"options": {
"evaluationWindow": 900,
"keepAlive": 3600,
"maxSignalDuration": 86400
},
"message": "Test rule",
"tags": [],
"isEnabled": true,
"type": "log_detection"
}
EOF
// Convert a rule from JSON to Terraform returns "OK" response
package main
import (
"context"
"encoding/json"
"fmt"
"os"
"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)
func main() {
body := datadogV2.SecurityMonitoringRuleConvertPayload{
SecurityMonitoringStandardRulePayload: &datadogV2.SecurityMonitoringStandardRulePayload{
Name: "Example-Security-Monitoring",
Queries: []datadogV2.SecurityMonitoringStandardRuleQuery{
{
Query: datadog.PtrString("@test:true"),
Aggregation: datadogV2.SECURITYMONITORINGRULEQUERYAGGREGATION_COUNT.Ptr(),
GroupByFields: []string{},
DistinctFields: []string{},
Metric: datadog.PtrString(""),
},
},
Filters: []datadogV2.SecurityMonitoringFilter{},
Cases: []datadogV2.SecurityMonitoringRuleCaseCreate{
{
Name: datadog.PtrString(""),
Status: datadogV2.SECURITYMONITORINGRULESEVERITY_INFO,
Condition: datadog.PtrString("a > 0"),
Notifications: []string{},
},
},
Options: datadogV2.SecurityMonitoringRuleOptions{
EvaluationWindow: datadogV2.SECURITYMONITORINGRULEEVALUATIONWINDOW_FIFTEEN_MINUTES.Ptr(),
KeepAlive: datadogV2.SECURITYMONITORINGRULEKEEPALIVE_ONE_HOUR.Ptr(),
MaxSignalDuration: datadogV2.SECURITYMONITORINGRULEMAXSIGNALDURATION_ONE_DAY.Ptr(),
},
Message: "Test rule",
Tags: []string{},
IsEnabled: true,
Type: datadogV2.SECURITYMONITORINGRULETYPECREATE_LOG_DETECTION.Ptr(),
}}
ctx := datadog.NewDefaultContext(context.Background())
configuration := datadog.NewConfiguration()
apiClient := datadog.NewAPIClient(configuration)
api := datadogV2.NewSecurityMonitoringApi(apiClient)
resp, r, err := api.ConvertSecurityMonitoringRuleFromJSONToTerraform(ctx, body)
if err != nil {
fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.ConvertSecurityMonitoringRuleFromJSONToTerraform`: %v\n", err)
fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
}
responseContent, _ := json.MarshalIndent(resp, "", " ")
fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.ConvertSecurityMonitoringRuleFromJSONToTerraform`:\n%s\n", responseContent)
}
First install the library and its dependencies and then save the example to main.go
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
// Convert a rule from JSON to Terraform returns "OK" response
import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCaseCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleConvertPayload;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleConvertResponse;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleEvaluationWindow;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleKeepAlive;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleMaxSignalDuration;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleOptions;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleQueryAggregation;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSeverity;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleTypeCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRulePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRuleQuery;
import java.util.Collections;
public class Example {
public static void main(String[] args) {
ApiClient defaultClient = ApiClient.getDefaultApiClient();
SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);
SecurityMonitoringRuleConvertPayload body =
new SecurityMonitoringRuleConvertPayload(
new SecurityMonitoringStandardRulePayload()
.name("Example-Security-Monitoring")
.queries(
Collections.singletonList(
new SecurityMonitoringStandardRuleQuery()
.query("@test:true")
.aggregation(SecurityMonitoringRuleQueryAggregation.COUNT)
.metric("")))
.cases(
Collections.singletonList(
new SecurityMonitoringRuleCaseCreate()
.name("")
.status(SecurityMonitoringRuleSeverity.INFO)
.condition("a > 0")))
.options(
new SecurityMonitoringRuleOptions()
.evaluationWindow(SecurityMonitoringRuleEvaluationWindow.FIFTEEN_MINUTES)
.keepAlive(SecurityMonitoringRuleKeepAlive.ONE_HOUR)
.maxSignalDuration(SecurityMonitoringRuleMaxSignalDuration.ONE_DAY))
.message("Test rule")
.isEnabled(true)
.type(SecurityMonitoringRuleTypeCreate.LOG_DETECTION));
try {
SecurityMonitoringRuleConvertResponse result =
apiInstance.convertSecurityMonitoringRuleFromJSONToTerraform(body);
System.out.println(result);
} catch (ApiException e) {
System.err.println(
"Exception when calling"
+ " SecurityMonitoringApi#convertSecurityMonitoringRuleFromJSONToTerraform");
System.err.println("Status code: " + e.getCode());
System.err.println("Reason: " + e.getResponseBody());
System.err.println("Response headers: " + e.getResponseHeaders());
e.printStackTrace();
}
}
}
First install the library and its dependencies and then save the example to Example.java
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
"""
Convert a rule from JSON to Terraform returns "OK" response
"""
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_rule_case_create import SecurityMonitoringRuleCaseCreate
from datadog_api_client.v2.model.security_monitoring_rule_evaluation_window import (
SecurityMonitoringRuleEvaluationWindow,
)
from datadog_api_client.v2.model.security_monitoring_rule_keep_alive import SecurityMonitoringRuleKeepAlive
from datadog_api_client.v2.model.security_monitoring_rule_max_signal_duration import (
SecurityMonitoringRuleMaxSignalDuration,
)
from datadog_api_client.v2.model.security_monitoring_rule_options import SecurityMonitoringRuleOptions
from datadog_api_client.v2.model.security_monitoring_rule_query_aggregation import (
SecurityMonitoringRuleQueryAggregation,
)
from datadog_api_client.v2.model.security_monitoring_rule_severity import SecurityMonitoringRuleSeverity
from datadog_api_client.v2.model.security_monitoring_rule_type_create import SecurityMonitoringRuleTypeCreate
from datadog_api_client.v2.model.security_monitoring_standard_rule_payload import SecurityMonitoringStandardRulePayload
from datadog_api_client.v2.model.security_monitoring_standard_rule_query import SecurityMonitoringStandardRuleQuery
body = SecurityMonitoringStandardRulePayload(
name="Example-Security-Monitoring",
queries=[
SecurityMonitoringStandardRuleQuery(
query="@test:true",
aggregation=SecurityMonitoringRuleQueryAggregation.COUNT,
group_by_fields=[],
distinct_fields=[],
metric="",
),
],
filters=[],
cases=[
SecurityMonitoringRuleCaseCreate(
name="",
status=SecurityMonitoringRuleSeverity.INFO,
condition="a > 0",
notifications=[],
),
],
options=SecurityMonitoringRuleOptions(
evaluation_window=SecurityMonitoringRuleEvaluationWindow.FIFTEEN_MINUTES,
keep_alive=SecurityMonitoringRuleKeepAlive.ONE_HOUR,
max_signal_duration=SecurityMonitoringRuleMaxSignalDuration.ONE_DAY,
),
message="Test rule",
tags=[],
is_enabled=True,
type=SecurityMonitoringRuleTypeCreate.LOG_DETECTION,
)
configuration = Configuration()
with ApiClient(configuration) as api_client:
api_instance = SecurityMonitoringApi(api_client)
response = api_instance.convert_security_monitoring_rule_from_json_to_terraform(body=body)
print(response)
First install the library and its dependencies and then save the example to example.py
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
# Convert a rule from JSON to Terraform returns "OK" response
require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
body = DatadogAPIClient::V2::SecurityMonitoringStandardRulePayload.new({
name: "Example-Security-Monitoring",
queries: [
DatadogAPIClient::V2::SecurityMonitoringStandardRuleQuery.new({
query: "@test:true",
aggregation: DatadogAPIClient::V2::SecurityMonitoringRuleQueryAggregation::COUNT,
group_by_fields: [],
distinct_fields: [],
metric: "",
}),
],
filters: [],
cases: [
DatadogAPIClient::V2::SecurityMonitoringRuleCaseCreate.new({
name: "",
status: DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::INFO,
condition: "a > 0",
notifications: [],
}),
],
options: DatadogAPIClient::V2::SecurityMonitoringRuleOptions.new({
evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::FIFTEEN_MINUTES,
keep_alive: DatadogAPIClient::V2::SecurityMonitoringRuleKeepAlive::ONE_HOUR,
max_signal_duration: DatadogAPIClient::V2::SecurityMonitoringRuleMaxSignalDuration::ONE_DAY,
}),
message: "Test rule",
tags: [],
is_enabled: true,
type: DatadogAPIClient::V2::SecurityMonitoringRuleTypeCreate::LOG_DETECTION,
})
p api_instance.convert_security_monitoring_rule_from_json_to_terraform(body)
First install the library and its dependencies and then save the example to example.rb
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
// Convert a rule from JSON to Terraform returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleCaseCreate;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleConvertPayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleEvaluationWindow;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleKeepAlive;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleMaxSignalDuration;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleOptions;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleQueryAggregation;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSeverity;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleTypeCreate;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRulePayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRuleQuery;
#[tokio::main]
async fn main() {
let body =
SecurityMonitoringRuleConvertPayload::SecurityMonitoringStandardRulePayload(Box::new(
SecurityMonitoringStandardRulePayload::new(
vec![
SecurityMonitoringRuleCaseCreate::new(SecurityMonitoringRuleSeverity::INFO)
.condition("a > 0".to_string())
.name("".to_string())
.notifications(vec![]),
],
true,
"Test rule".to_string(),
"Example-Security-Monitoring".to_string(),
SecurityMonitoringRuleOptions::new()
.evaluation_window(SecurityMonitoringRuleEvaluationWindow::FIFTEEN_MINUTES)
.keep_alive(SecurityMonitoringRuleKeepAlive::ONE_HOUR)
.max_signal_duration(SecurityMonitoringRuleMaxSignalDuration::ONE_DAY),
vec![SecurityMonitoringStandardRuleQuery::new()
.aggregation(SecurityMonitoringRuleQueryAggregation::COUNT)
.distinct_fields(vec![])
.group_by_fields(vec![])
.metric("".to_string())
.query("@test:true".to_string())],
)
.filters(vec![])
.tags(vec![])
.type_(SecurityMonitoringRuleTypeCreate::LOG_DETECTION),
));
let configuration = datadog::Configuration::new();
let api = SecurityMonitoringAPI::with_config(configuration);
let resp = api
.convert_security_monitoring_rule_from_json_to_terraform(body)
.await;
if let Ok(value) = resp {
println!("{:#?}", value);
} else {
println!("{:#?}", resp.unwrap_err());
}
}
First install the library and its dependencies and then save the example to src/main.rs
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
/**
* Convert a rule from JSON to Terraform returns "OK" response
*/
import { client, v2 } from "@datadog/datadog-api-client";
const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);
const params: v2.SecurityMonitoringApiConvertSecurityMonitoringRuleFromJSONToTerraformRequest =
{
body: {
name: "Example-Security-Monitoring",
queries: [
{
query: "@test:true",
aggregation: "count",
groupByFields: [],
distinctFields: [],
metric: "",
},
],
filters: [],
cases: [
{
name: "",
status: "info",
condition: "a > 0",
notifications: [],
},
],
options: {
evaluationWindow: 900,
keepAlive: 3600,
maxSignalDuration: 86400,
},
message: "Test rule",
tags: [],
isEnabled: true,
type: "log_detection",
},
};
apiInstance
.convertSecurityMonitoringRuleFromJSONToTerraform(params)
.then((data: v2.SecurityMonitoringRuleConvertResponse) => {
console.log(
"API called successfully. Returned data: " + JSON.stringify(data)
);
})
.catch((error: any) => console.error(error));
First install the library and its dependencies and then save the example to example.ts
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
POST https://api.ap1.datadoghq.com/api/v2/security_monitoring/signals/searchhttps://api.datadoghq.eu/api/v2/security_monitoring/signals/searchhttps://api.ddog-gov.com/api/v2/security_monitoring/signals/searchhttps://api.datadoghq.com/api/v2/security_monitoring/signals/searchhttps://api.us3.datadoghq.com/api/v2/security_monitoring/signals/searchhttps://api.us5.datadoghq.com/api/v2/security_monitoring/signals/search
Returns security signals that match a search query.
Both this endpoint and the GET endpoint can be used interchangeably for listing
security signals.
This endpoint requires the security_monitoring_signals_read
permission.
OAuth apps require the security_monitoring_signals_read
authorization scope to access this endpoint.
항목
유형
설명
filter
object
Search filters for listing security signals.
from
date-time
The minimum timestamp for requested security signals.
query
string
Search query for listing security signals.
to
date-time
The maximum timestamp for requested security signals.
page
object
The paging attributes for listing security signals.
cursor
string
A list of results using the cursor provided in the previous query.
limit
int32
The maximum number of security signals in the response.
default: 10
sort
enum
The sort parameters used for querying security signals.
Allowed enum values: timestamp,-timestamp
{
"filter": {
"from": "2021-11-11T10:56:11+00:00",
"query": "security:attack status:high",
"to": "2021-11-11T11:11:11+00:00"
},
"page": {
"limit": 2
},
"sort": "timestamp"
}
OK
The response object with all security signals matching the request and pagination information.
항목
유형
설명
data
[object]
An array of security signals matching the request.
attributes
object
The object containing all signal attributes and their associated values.
custom
object
A JSON object of attributes in the security signal.
message
string
The message in the security signal defined by the rule that generated the signal.
tags
[string]
An array of tags associated with the security signal.
timestamp
date-time
The timestamp of the security signal.
id
string
The unique ID of the security signal.
type
enum
The type of event.
Allowed enum values: signal
default: signal
links
object
Links attributes.
next
string
The link for the next set of results. Note: The request can also be made using the POST endpoint.
meta
object
Meta attributes.
page
object
Paging attributes.
after
string
The cursor used to get the next results, if any. To make the next request, use the same
parameters with the addition of the page[cursor]
.
{
"data": [
{
"attributes": {
"custom": {
"workflow": {
"first_seen": "2020-06-23T14:46:01.000Z",
"last_seen": "2020-06-23T14:46:49.000Z",
"rule": {
"id": "0f5-e0c-805",
"name": "Brute Force Attack Grouped By User ",
"version": 12
}
}
},
"message": "Detect Account Take Over (ATO) through brute force attempts",
"tags": [
"security:attack",
"technique:T1110-brute-force"
],
"timestamp": "2019-01-02T09:42:36.320Z"
},
"id": "AAAAAWgN8Xwgr1vKDQAAAABBV2dOOFh3ZzZobm1mWXJFYTR0OA",
"type": "signal"
}
],
"links": {
"next": "https://app.datadoghq.com/api/v2/security_monitoring/signals?filter[query]=foo\u0026page[cursor]=eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ=="
},
"meta": {
"page": {
"after": "eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ=="
}
}
}
Bad Request
API error response.
{
"errors": [
"Bad Request"
]
}
Not Authorized
API error response.
{
"errors": [
"Bad Request"
]
}
Too many requests
API error response.
{
"errors": [
"Bad Request"
]
}
# Curl command
curl -X POST "https://api.ap1.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/signals/search" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
"filter": {
"from": "2021-11-11T10:56:11+00:00",
"query": "security:attack status:high",
"to": "2021-11-11T11:11:11+00:00"
},
"page": {
"limit": 2
},
"sort": "timestamp"
}
EOF
// Get a list of security signals returns "OK" response with pagination
package main
import (
"context"
"encoding/json"
"fmt"
"os"
"time"
"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)
func main() {
body := datadogV2.SecurityMonitoringSignalListRequest{
Filter: &datadogV2.SecurityMonitoringSignalListRequestFilter{
From: datadog.PtrTime(time.Now().Add(time.Minute * -15)),
Query: datadog.PtrString("security:attack status:high"),
To: datadog.PtrTime(time.Now()),
},
Page: &datadogV2.SecurityMonitoringSignalListRequestPage{
Limit: datadog.PtrInt32(2),
},
Sort: datadogV2.SECURITYMONITORINGSIGNALSSORT_TIMESTAMP_ASCENDING.Ptr(),
}
ctx := datadog.NewDefaultContext(context.Background())
configuration := datadog.NewConfiguration()
apiClient := datadog.NewAPIClient(configuration)
api := datadogV2.NewSecurityMonitoringApi(apiClient)
resp, _ := api.SearchSecurityMonitoringSignalsWithPagination(ctx, *datadogV2.NewSearchSecurityMonitoringSignalsOptionalParameters().WithBody(body))
for paginationResult := range resp {
if paginationResult.Error != nil {
fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.SearchSecurityMonitoringSignals`: %v\n", paginationResult.Error)
}
responseContent, _ := json.MarshalIndent(paginationResult.Item, "", " ")
fmt.Fprintf(os.Stdout, "%s\n", responseContent)
}
}
First install the library and its dependencies and then save the example to main.go
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
// Get a list of security signals returns "OK" response with pagination
import com.datadog.api.client.ApiClient;
import com.datadog.api.client.PaginationIterable;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.api.SecurityMonitoringApi.SearchSecurityMonitoringSignalsOptionalParameters;
import com.datadog.api.client.v2.model.SecurityMonitoringSignal;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalListRequest;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalListRequestFilter;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalListRequestPage;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalsSort;
import java.time.OffsetDateTime;
public class Example {
public static void main(String[] args) {
ApiClient defaultClient = ApiClient.getDefaultApiClient();
SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);
SecurityMonitoringSignalListRequest body =
new SecurityMonitoringSignalListRequest()
.filter(
new SecurityMonitoringSignalListRequestFilter()
.from(OffsetDateTime.now().plusMinutes(-15))
.query("security:attack status:high")
.to(OffsetDateTime.now()))
.page(new SecurityMonitoringSignalListRequestPage().limit(2))
.sort(SecurityMonitoringSignalsSort.TIMESTAMP_ASCENDING);
try {
PaginationIterable<SecurityMonitoringSignal> iterable =
apiInstance.searchSecurityMonitoringSignalsWithPagination(
new SearchSecurityMonitoringSignalsOptionalParameters().body(body));
for (SecurityMonitoringSignal item : iterable) {
System.out.println(item);
}
} catch (RuntimeException e) {
System.err.println(
"Exception when calling"
+ " SecurityMonitoringApi#searchSecurityMonitoringSignalsWithPagination");
System.err.println("Reason: " + e.getMessage());
e.printStackTrace();
}
}
}
First install the library and its dependencies and then save the example to Example.java
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
"""
Get a list of security signals returns "OK" response with pagination
"""
from datetime import datetime
from dateutil.relativedelta import relativedelta
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_signal_list_request import SecurityMonitoringSignalListRequest
from datadog_api_client.v2.model.security_monitoring_signal_list_request_filter import (
SecurityMonitoringSignalListRequestFilter,
)
from datadog_api_client.v2.model.security_monitoring_signal_list_request_page import (
SecurityMonitoringSignalListRequestPage,
)
from datadog_api_client.v2.model.security_monitoring_signals_sort import SecurityMonitoringSignalsSort
body = SecurityMonitoringSignalListRequest(
filter=SecurityMonitoringSignalListRequestFilter(
_from=(datetime.now() + relativedelta(minutes=-15)),
query="security:attack status:high",
to=datetime.now(),
),
page=SecurityMonitoringSignalListRequestPage(
limit=2,
),
sort=SecurityMonitoringSignalsSort.TIMESTAMP_ASCENDING,
)
configuration = Configuration()
with ApiClient(configuration) as api_client:
api_instance = SecurityMonitoringApi(api_client)
items = api_instance.search_security_monitoring_signals_with_pagination(body=body)
for item in items:
print(item)
First install the library and its dependencies and then save the example to example.py
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
# Get a list of security signals returns "OK" response with pagination
require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
body = DatadogAPIClient::V2::SecurityMonitoringSignalListRequest.new({
filter: DatadogAPIClient::V2::SecurityMonitoringSignalListRequestFilter.new({
from: (Time.now + -15 * 60),
query: "security:attack status:high",
to: Time.now,
}),
page: DatadogAPIClient::V2::SecurityMonitoringSignalListRequestPage.new({
limit: 2,
}),
sort: DatadogAPIClient::V2::SecurityMonitoringSignalsSort::TIMESTAMP_ASCENDING,
})
opts = {
body: body,
}
api_instance.search_security_monitoring_signals_with_pagination(opts) { |item| puts item }
First install the library and its dependencies and then save the example to example.rb
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
// Get a list of security signals returns "OK" response with pagination
use chrono::{DateTime, Utc};
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SearchSecurityMonitoringSignalsOptionalParams;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringSignalListRequest;
use datadog_api_client::datadogV2::model::SecurityMonitoringSignalListRequestFilter;
use datadog_api_client::datadogV2::model::SecurityMonitoringSignalListRequestPage;
use datadog_api_client::datadogV2::model::SecurityMonitoringSignalsSort;
use futures_util::pin_mut;
use futures_util::stream::StreamExt;
#[tokio::main]
async fn main() {
let body = SecurityMonitoringSignalListRequest::new()
.filter(
SecurityMonitoringSignalListRequestFilter::new()
.from(
DateTime::parse_from_rfc3339("2021-11-11T10:56:11+00:00")
.expect("Failed to parse datetime")
.with_timezone(&Utc),
)
.query("security:attack status:high".to_string())
.to(DateTime::parse_from_rfc3339("2021-11-11T11:11:11+00:00")
.expect("Failed to parse datetime")
.with_timezone(&Utc)),
)
.page(SecurityMonitoringSignalListRequestPage::new().limit(2))
.sort(SecurityMonitoringSignalsSort::TIMESTAMP_ASCENDING);
let configuration = datadog::Configuration::new();
let api = SecurityMonitoringAPI::with_config(configuration);
let response = api.search_security_monitoring_signals_with_pagination(
SearchSecurityMonitoringSignalsOptionalParams::default().body(body),
);
pin_mut!(response);
while let Some(resp) = response.next().await {
if let Ok(value) = resp {
println!("{:#?}", value);
} else {
println!("{:#?}", resp.unwrap_err());
}
}
}
First install the library and its dependencies and then save the example to src/main.rs
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
/**
* Get a list of security signals returns "OK" response with pagination
*/
import { client, v2 } from "@datadog/datadog-api-client";
const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);
const params: v2.SecurityMonitoringApiSearchSecurityMonitoringSignalsRequest = {
body: {
filter: {
from: new Date(new Date().getTime() + -15 * 60 * 1000),
query: "security:attack status:high",
to: new Date(),
},
page: {
limit: 2,
},
sort: "timestamp",
},
};
(async () => {
try {
for await (const item of apiInstance.searchSecurityMonitoringSignalsWithPagination(
params
)) {
console.log(item);
}
} catch (error) {
console.error(error);
}
})();
First install the library and its dependencies and then save the example to example.ts
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
GET https://api.ap1.datadoghq.com/api/v2/security_monitoring/signals/{signal_id}https://api.datadoghq.eu/api/v2/security_monitoring/signals/{signal_id}https://api.ddog-gov.com/api/v2/security_monitoring/signals/{signal_id}https://api.datadoghq.com/api/v2/security_monitoring/signals/{signal_id}https://api.us3.datadoghq.com/api/v2/security_monitoring/signals/{signal_id}https://api.us5.datadoghq.com/api/v2/security_monitoring/signals/{signal_id}
Get a signal’s details.
This endpoint requires the security_monitoring_signals_read
permission.
OAuth apps require the security_monitoring_signals_read
authorization scope to access this endpoint.
이름
유형
설명
signal_id [required]
string
The ID of the signal.
OK
Security Signal response data object.
항목
유형
설명
data
object
Object description of a security signal.
attributes
object
The object containing all signal attributes and their associated values.
custom
object
A JSON object of attributes in the security signal.
message
string
The message in the security signal defined by the rule that generated the signal.
tags
[string]
An array of tags associated with the security signal.
timestamp
date-time
The timestamp of the security signal.
id
string
The unique ID of the security signal.
type
enum
The type of event.
Allowed enum values: signal
default: signal
{
"data": {
"attributes": {
"custom": {
"workflow": {
"first_seen": "2020-06-23T14:46:01.000Z",
"last_seen": "2020-06-23T14:46:49.000Z",
"rule": {
"id": "0f5-e0c-805",
"name": "Brute Force Attack Grouped By User ",
"version": 12
}
}
},
"message": "Detect Account Take Over (ATO) through brute force attempts",
"tags": [
"security:attack",
"technique:T1110-brute-force"
],
"timestamp": "2019-01-02T09:42:36.320Z"
},
"id": "AAAAAWgN8Xwgr1vKDQAAAABBV2dOOFh3ZzZobm1mWXJFYTR0OA",
"type": "signal"
}
}
Not Found
API error response.
{
"errors": [
"Bad Request"
]
}
Too many requests
API error response.
{
"errors": [
"Bad Request"
]
}
# Path parameters
export signal_id="CHANGE_ME"
# Curl command
curl -X GET "https://api.ap1.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/signals/${signal_id}" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
"""
Get a signal's details returns "OK" response
"""
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
configuration = Configuration()
with ApiClient(configuration) as api_client:
api_instance = SecurityMonitoringApi(api_client)
response = api_instance.get_security_monitoring_signal(
signal_id="AQAAAYNqUBVU4-rffwAAAABBWU5xVUJWVUFBQjJBd3ptMDdQUnF3QUE",
)
print(response)
First install the library and its dependencies and then save the example to example.py
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
# Get a signal's details returns "OK" response
require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
p api_instance.get_security_monitoring_signal("AQAAAYNqUBVU4-rffwAAAABBWU5xVUJWVUFBQjJBd3ptMDdQUnF3QUE")
First install the library and its dependencies and then save the example to example.rb
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
// Get a signal's details returns "OK" response
package main
import (
"context"
"encoding/json"
"fmt"
"os"
"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)
func main() {
ctx := datadog.NewDefaultContext(context.Background())
configuration := datadog.NewConfiguration()
apiClient := datadog.NewAPIClient(configuration)
api := datadogV2.NewSecurityMonitoringApi(apiClient)
resp, r, err := api.GetSecurityMonitoringSignal(ctx, "AQAAAYNqUBVU4-rffwAAAABBWU5xVUJWVUFBQjJBd3ptMDdQUnF3QUE")
if err != nil {
fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.GetSecurityMonitoringSignal`: %v\n", err)
fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
}
responseContent, _ := json.MarshalIndent(resp, "", " ")
fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.GetSecurityMonitoringSignal`:\n%s\n", responseContent)
}
First install the library and its dependencies and then save the example to main.go
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
// Get a signal's details returns "OK" response
import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalResponse;
public class Example {
public static void main(String[] args) {
ApiClient defaultClient = ApiClient.getDefaultApiClient();
SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);
try {
SecurityMonitoringSignalResponse result =
apiInstance.getSecurityMonitoringSignal(
"AQAAAYNqUBVU4-rffwAAAABBWU5xVUJWVUFBQjJBd3ptMDdQUnF3QUE");
System.out.println(result);
} catch (ApiException e) {
System.err.println(
"Exception when calling SecurityMonitoringApi#getSecurityMonitoringSignal");
System.err.println("Status code: " + e.getCode());
System.err.println("Reason: " + e.getResponseBody());
System.err.println("Response headers: " + e.getResponseHeaders());
e.printStackTrace();
}
}
}
First install the library and its dependencies and then save the example to Example.java
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
// Get a signal's details returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
#[tokio::main]
async fn main() {
let configuration = datadog::Configuration::new();
let api = SecurityMonitoringAPI::with_config(configuration);
let resp = api
.get_security_monitoring_signal(
"AQAAAYNqUBVU4-rffwAAAABBWU5xVUJWVUFBQjJBd3ptMDdQUnF3QUE".to_string(),
)
.await;
if let Ok(value) = resp {
println!("{:#?}", value);
} else {
println!("{:#?}", resp.unwrap_err());
}
}
First install the library and its dependencies and then save the example to src/main.rs
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
/**
* Get a signal's details returns "OK" response
*/
import { client, v2 } from "@datadog/datadog-api-client";
const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);
const params: v2.SecurityMonitoringApiGetSecurityMonitoringSignalRequest = {
signalId: "AQAAAYNqUBVU4-rffwAAAABBWU5xVUJWVUFBQjJBd3ptMDdQUnF3QUE",
};
apiInstance
.getSecurityMonitoringSignal(params)
.then((data: v2.SecurityMonitoringSignalResponse) => {
console.log(
"API called successfully. Returned data: " + JSON.stringify(data)
);
})
.catch((error: any) => console.error(error));
First install the library and its dependencies and then save the example to example.ts
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
DELETE https://api.ap1.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}https://api.datadoghq.eu/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}https://api.ddog-gov.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}https://api.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}https://api.us3.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}
Delete a specific security filter.
This endpoint requires the security_monitoring_filters_write
permission.
OAuth apps require the security_monitoring_filters_write
authorization scope to access this endpoint.
이름
유형
설명
security_filter_id [required]
string
The ID of the security filter.
OK
Not Authorized
API error response.
{
"errors": [
"Bad Request"
]
}
Not Found
API error response.
{
"errors": [
"Bad Request"
]
}
Too many requests
API error response.
{
"errors": [
"Bad Request"
]
}
# Path parameters
export security_filter_id="CHANGE_ME"
# Curl command
curl -X DELETE "https://api.ap1.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/${security_filter_id}" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
"""
Delete a security filter returns "OK" response
"""
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
configuration = Configuration()
with ApiClient(configuration) as api_client:
api_instance = SecurityMonitoringApi(api_client)
api_instance.delete_security_filter(
security_filter_id="security_filter_id",
)
First install the library and its dependencies and then save the example to example.py
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
# Delete a security filter returns "OK" response
require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
api_instance.delete_security_filter("security_filter_id")
First install the library and its dependencies and then save the example to example.rb
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
// Delete a security filter returns "OK" response
package main
import (
"context"
"fmt"
"os"
"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)
func main() {
ctx := datadog.NewDefaultContext(context.Background())
configuration := datadog.NewConfiguration()
apiClient := datadog.NewAPIClient(configuration)
api := datadogV2.NewSecurityMonitoringApi(apiClient)
r, err := api.DeleteSecurityFilter(ctx, "security_filter_id")
if err != nil {
fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.DeleteSecurityFilter`: %v\n", err)
fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
}
}
First install the library and its dependencies and then save the example to main.go
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
// Delete a security filter returns "OK" response
import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
public class Example {
public static void main(String[] args) {
ApiClient defaultClient = ApiClient.getDefaultApiClient();
SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);
try {
apiInstance.deleteSecurityFilter("security_filter_id");
} catch (ApiException e) {
System.err.println("Exception when calling SecurityMonitoringApi#deleteSecurityFilter");
System.err.println("Status code: " + e.getCode());
System.err.println("Reason: " + e.getResponseBody());
System.err.println("Response headers: " + e.getResponseHeaders());
e.printStackTrace();
}
}
}
First install the library and its dependencies and then save the example to Example.java
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
// Delete a security filter returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
#[tokio::main]
async fn main() {
let configuration = datadog::Configuration::new();
let api = SecurityMonitoringAPI::with_config(configuration);
let resp = api
.delete_security_filter("security_filter_id".to_string())
.await;
if let Ok(value) = resp {
println!("{:#?}", value);
} else {
println!("{:#?}", resp.unwrap_err());
}
}
First install the library and its dependencies and then save the example to src/main.rs
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
/**
* Delete a security filter returns "OK" response
*/
import { client, v2 } from "@datadog/datadog-api-client";
const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);
const params: v2.SecurityMonitoringApiDeleteSecurityFilterRequest = {
securityFilterId: "security_filter_id",
};
apiInstance
.deleteSecurityFilter(params)
.then((data: any) => {
console.log(
"API called successfully. Returned data: " + JSON.stringify(data)
);
})
.catch((error: any) => console.error(error));
First install the library and its dependencies and then save the example to example.ts
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
GET https://api.ap1.datadoghq.com/api/v2/security_monitoring/signalshttps://api.datadoghq.eu/api/v2/security_monitoring/signalshttps://api.ddog-gov.com/api/v2/security_monitoring/signalshttps://api.datadoghq.com/api/v2/security_monitoring/signalshttps://api.us3.datadoghq.com/api/v2/security_monitoring/signalshttps://api.us5.datadoghq.com/api/v2/security_monitoring/signals
The list endpoint returns security signals that match a search query.
Both this endpoint and the POST endpoint can be used interchangeably when listing
security signals.
This endpoint requires the security_monitoring_signals_read
permission.
OAuth apps require the security_monitoring_signals_read
authorization scope to access this endpoint.
이름
유형
설명
filter[query]
string
The search query for security signals.
filter[from]
string
The minimum timestamp for requested security signals.
filter[to]
string
The maximum timestamp for requested security signals.
sort
enum
The order of the security signals in results.
Allowed enum values: timestamp, -timestamp
page[cursor]
string
A list of results using the cursor provided in the previous query.
page[limit]
integer
The maximum number of security signals in the response.
OK
The response object with all security signals matching the request and pagination information.
항목
유형
설명
data
[object]
An array of security signals matching the request.
attributes
object
The object containing all signal attributes and their associated values.
custom
object
A JSON object of attributes in the security signal.
message
string
The message in the security signal defined by the rule that generated the signal.
tags
[string]
An array of tags associated with the security signal.
timestamp
date-time
The timestamp of the security signal.
id
string
The unique ID of the security signal.
type
enum
The type of event.
Allowed enum values: signal
default: signal
links
object
Links attributes.
next
string
The link for the next set of results. Note: The request can also be made using the POST endpoint.
meta
object
Meta attributes.
page
object
Paging attributes.
after
string
The cursor used to get the next results, if any. To make the next request, use the same
parameters with the addition of the page[cursor]
.
{
"data": [
{
"attributes": {
"custom": {
"workflow": {
"first_seen": "2020-06-23T14:46:01.000Z",
"last_seen": "2020-06-23T14:46:49.000Z",
"rule": {
"id": "0f5-e0c-805",
"name": "Brute Force Attack Grouped By User ",
"version": 12
}
}
},
"message": "Detect Account Take Over (ATO) through brute force attempts",
"tags": [
"security:attack",
"technique:T1110-brute-force"
],
"timestamp": "2019-01-02T09:42:36.320Z"
},
"id": "AAAAAWgN8Xwgr1vKDQAAAABBV2dOOFh3ZzZobm1mWXJFYTR0OA",
"type": "signal"
}
],
"links": {
"next": "https://app.datadoghq.com/api/v2/security_monitoring/signals?filter[query]=foo\u0026page[cursor]=eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ=="
},
"meta": {
"page": {
"after": "eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ=="
}
}
}
Bad Request
API error response.
{
"errors": [
"Bad Request"
]
}
Not Authorized
API error response.
{
"errors": [
"Bad Request"
]
}
Too many requests
API error response.
{
"errors": [
"Bad Request"
]
}
# Curl command
curl -X GET "https://api.ap1.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/signals" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
"""
Get a quick list of security signals returns "OK" response
"""
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
configuration = Configuration()
with ApiClient(configuration) as api_client:
api_instance = SecurityMonitoringApi(api_client)
response = api_instance.list_security_monitoring_signals()
print(response)
First install the library and its dependencies and then save the example to example.py
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
# Get a quick list of security signals returns "OK" response
require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
p api_instance.list_security_monitoring_signals()
First install the library and its dependencies and then save the example to example.rb
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
// Get a quick list of security signals returns "OK" response
package main
import (
"context"
"encoding/json"
"fmt"
"os"
"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)
func main() {
ctx := datadog.NewDefaultContext(context.Background())
configuration := datadog.NewConfiguration()
apiClient := datadog.NewAPIClient(configuration)
api := datadogV2.NewSecurityMonitoringApi(apiClient)
resp, r, err := api.ListSecurityMonitoringSignals(ctx, *datadogV2.NewListSecurityMonitoringSignalsOptionalParameters())
if err != nil {
fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.ListSecurityMonitoringSignals`: %v\n", err)
fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
}
responseContent, _ := json.MarshalIndent(resp, "", " ")
fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.ListSecurityMonitoringSignals`:\n%s\n", responseContent)
}
First install the library and its dependencies and then save the example to main.go
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
// Get a quick list of security signals returns "OK" response
import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringSignalsListResponse;
public class Example {
public static void main(String[] args) {
ApiClient defaultClient = ApiClient.getDefaultApiClient();
SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);
try {
SecurityMonitoringSignalsListResponse result = apiInstance.listSecurityMonitoringSignals();
System.out.println(result);
} catch (ApiException e) {
System.err.println(
"Exception when calling SecurityMonitoringApi#listSecurityMonitoringSignals");
System.err.println("Status code: " + e.getCode());
System.err.println("Reason: " + e.getResponseBody());
System.err.println("Response headers: " + e.getResponseHeaders());
e.printStackTrace();
}
}
}
First install the library and its dependencies and then save the example to Example.java
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
// Get a quick list of security signals returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::ListSecurityMonitoringSignalsOptionalParams;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
#[tokio::main]
async fn main() {
let configuration = datadog::Configuration::new();
let api = SecurityMonitoringAPI::with_config(configuration);
let resp = api
.list_security_monitoring_signals(ListSecurityMonitoringSignalsOptionalParams::default())
.await;
if let Ok(value) = resp {
println!("{:#?}", value);
} else {
println!("{:#?}", resp.unwrap_err());
}
}
First install the library and its dependencies and then save the example to src/main.rs
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
/**
* Get a quick list of security signals returns "OK" response
*/
import { client, v2 } from "@datadog/datadog-api-client";
const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);
apiInstance
.listSecurityMonitoringSignals()
.then((data: v2.SecurityMonitoringSignalsListResponse) => {
console.log(
"API called successfully. Returned data: " + JSON.stringify(data)
);
})
.catch((error: any) => console.error(error));
First install the library and its dependencies and then save the example to example.ts
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
PATCH https://api.ap1.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}https://api.datadoghq.eu/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}https://api.ddog-gov.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}https://api.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}https://api.us3.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}
Update a specific security filter.
Returns the security filter object when the request is successful.
This endpoint requires the security_monitoring_filters_write
permission.
OAuth apps require the security_monitoring_filters_write
authorization scope to access this endpoint.
이름
유형
설명
security_filter_id [required]
string
The ID of the security filter.
New definition of the security filter.
항목
유형
설명
data [required]
object
The new security filter properties.
attributes [required]
object
The security filters properties to be updated.
exclusion_filters
[object]
Exclusion filters to exclude some logs from the security filter.
name [required]
string
Exclusion filter name.
query [required]
string
Exclusion filter query. Logs that match this query are excluded from the security filter.
filtered_data_type
enum
The filtered data type.
Allowed enum values: logs
is_enabled
boolean
Whether the security filter is enabled.
name
string
The name of the security filter.
query
string
The query of the security filter.
version
int32
The version of the security filter to update.
type [required]
enum
The type of the resource. The value should always be security_filters
.
Allowed enum values: security_filters
default: security_filters
{
"data": {
"attributes": {
"exclusion_filters": [],
"filtered_data_type": "logs",
"is_enabled": true,
"name": "Example-Security-Monitoring",
"query": "service:ExampleSecurityMonitoring",
"version": 1
},
"type": "security_filters"
}
}
OK
Response object which includes a single security filter.
항목
유형
설명
data
object
The security filter's properties.
attributes
object
The object describing a security filter.
exclusion_filters
[object]
The list of exclusion filters applied in this security filter.
name
string
The exclusion filter name.
query
string
The exclusion filter query.
filtered_data_type
enum
The filtered data type.
Allowed enum values: logs
is_builtin
boolean
Whether the security filter is the built-in filter.
is_enabled
boolean
Whether the security filter is enabled.
name
string
The security filter name.
query
string
The security filter query. Logs accepted by this query will be accepted by this filter.
version
int32
The version of the security filter.
id
string
The ID of the security filter.
type
enum
The type of the resource. The value should always be security_filters
.
Allowed enum values: security_filters
default: security_filters
meta
object
Optional metadata associated to the response.
warning
string
A warning message.
{
"data": {
"attributes": {
"exclusion_filters": [
{
"name": "Exclude staging",
"query": "source:staging"
}
],
"filtered_data_type": "logs",
"is_builtin": false,
"is_enabled": false,
"name": "Custom security filter",
"query": "service:api",
"version": 1
},
"id": "3dd-0uc-h1s",
"type": "security_filters"
},
"meta": {
"warning": "All the security filters are disabled. As a result, no logs are being analyzed."
}
}
Bad Request
API error response.
{
"errors": [
"Bad Request"
]
}
Not Authorized
API error response.
{
"errors": [
"Bad Request"
]
}
Not Found
API error response.
{
"errors": [
"Bad Request"
]
}
Concurrent Modification
API error response.
{
"errors": [
"Bad Request"
]
}
Too many requests
API error response.
{
"errors": [
"Bad Request"
]
}
# Path parameters
export security_filter_id="CHANGE_ME"
# Curl command
curl -X PATCH "https://api.ap1.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/${security_filter_id}" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
"data": {
"attributes": {
"exclusion_filters": [],
"filtered_data_type": "logs",
"is_enabled": true,
"name": "Example-Security-Monitoring",
"query": "service:ExampleSecurityMonitoring",
"version": 1
},
"type": "security_filters"
}
}
EOF
// Update a security filter returns "OK" response
package main
import (
"context"
"encoding/json"
"fmt"
"os"
"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)
func main() {
// there is a valid "security_filter" in the system
SecurityFilterDataID := os.Getenv("SECURITY_FILTER_DATA_ID")
body := datadogV2.SecurityFilterUpdateRequest{
Data: datadogV2.SecurityFilterUpdateData{
Attributes: datadogV2.SecurityFilterUpdateAttributes{
ExclusionFilters: []datadogV2.SecurityFilterExclusionFilter{},
FilteredDataType: datadogV2.SECURITYFILTERFILTEREDDATATYPE_LOGS.Ptr(),
IsEnabled: datadog.PtrBool(true),
Name: datadog.PtrString("Example-Security-Monitoring"),
Query: datadog.PtrString("service:ExampleSecurityMonitoring"),
Version: datadog.PtrInt32(1),
},
Type: datadogV2.SECURITYFILTERTYPE_SECURITY_FILTERS,
},
}
ctx := datadog.NewDefaultContext(context.Background())
configuration := datadog.NewConfiguration()
apiClient := datadog.NewAPIClient(configuration)
api := datadogV2.NewSecurityMonitoringApi(apiClient)
resp, r, err := api.UpdateSecurityFilter(ctx, SecurityFilterDataID, body)
if err != nil {
fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.UpdateSecurityFilter`: %v\n", err)
fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
}
responseContent, _ := json.MarshalIndent(resp, "", " ")
fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.UpdateSecurityFilter`:\n%s\n", responseContent)
}
First install the library and its dependencies and then save the example to main.go
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
// Update a security filter returns "OK" response
import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityFilterFilteredDataType;
import com.datadog.api.client.v2.model.SecurityFilterResponse;
import com.datadog.api.client.v2.model.SecurityFilterType;
import com.datadog.api.client.v2.model.SecurityFilterUpdateAttributes;
import com.datadog.api.client.v2.model.SecurityFilterUpdateData;
import com.datadog.api.client.v2.model.SecurityFilterUpdateRequest;
public class Example {
public static void main(String[] args) {
ApiClient defaultClient = ApiClient.getDefaultApiClient();
SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);
// there is a valid "security_filter" in the system
String SECURITY_FILTER_DATA_ID = System.getenv("SECURITY_FILTER_DATA_ID");
SecurityFilterUpdateRequest body =
new SecurityFilterUpdateRequest()
.data(
new SecurityFilterUpdateData()
.attributes(
new SecurityFilterUpdateAttributes()
.filteredDataType(SecurityFilterFilteredDataType.LOGS)
.isEnabled(true)
.name("Example-Security-Monitoring")
.query("service:ExampleSecurityMonitoring")
.version(1))
.type(SecurityFilterType.SECURITY_FILTERS));
try {
SecurityFilterResponse result =
apiInstance.updateSecurityFilter(SECURITY_FILTER_DATA_ID, body);
System.out.println(result);
} catch (ApiException e) {
System.err.println("Exception when calling SecurityMonitoringApi#updateSecurityFilter");
System.err.println("Status code: " + e.getCode());
System.err.println("Reason: " + e.getResponseBody());
System.err.println("Response headers: " + e.getResponseHeaders());
e.printStackTrace();
}
}
}
First install the library and its dependencies and then save the example to Example.java
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
"""
Update a security filter returns "OK" response
"""
from os import environ
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_filter_filtered_data_type import SecurityFilterFilteredDataType
from datadog_api_client.v2.model.security_filter_type import SecurityFilterType
from datadog_api_client.v2.model.security_filter_update_attributes import SecurityFilterUpdateAttributes
from datadog_api_client.v2.model.security_filter_update_data import SecurityFilterUpdateData
from datadog_api_client.v2.model.security_filter_update_request import SecurityFilterUpdateRequest
# there is a valid "security_filter" in the system
SECURITY_FILTER_DATA_ID = environ["SECURITY_FILTER_DATA_ID"]
body = SecurityFilterUpdateRequest(
data=SecurityFilterUpdateData(
attributes=SecurityFilterUpdateAttributes(
exclusion_filters=[],
filtered_data_type=SecurityFilterFilteredDataType.LOGS,
is_enabled=True,
name="Example-Security-Monitoring",
query="service:ExampleSecurityMonitoring",
version=1,
),
type=SecurityFilterType.SECURITY_FILTERS,
),
)
configuration = Configuration()
with ApiClient(configuration) as api_client:
api_instance = SecurityMonitoringApi(api_client)
response = api_instance.update_security_filter(security_filter_id=SECURITY_FILTER_DATA_ID, body=body)
print(response)
First install the library and its dependencies and then save the example to example.py
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
# Update a security filter returns "OK" response
require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
# there is a valid "security_filter" in the system
SECURITY_FILTER_DATA_ID = ENV["SECURITY_FILTER_DATA_ID"]
body = DatadogAPIClient::V2::SecurityFilterUpdateRequest.new({
data: DatadogAPIClient::V2::SecurityFilterUpdateData.new({
attributes: DatadogAPIClient::V2::SecurityFilterUpdateAttributes.new({
exclusion_filters: [],
filtered_data_type: DatadogAPIClient::V2::SecurityFilterFilteredDataType::LOGS,
is_enabled: true,
name: "Example-Security-Monitoring",
query: "service:ExampleSecurityMonitoring",
version: 1,
}),
type: DatadogAPIClient::V2::SecurityFilterType::SECURITY_FILTERS,
}),
})
p api_instance.update_security_filter(SECURITY_FILTER_DATA_ID, body)
First install the library and its dependencies and then save the example to example.rb
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
// Update a security filter returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityFilterFilteredDataType;
use datadog_api_client::datadogV2::model::SecurityFilterType;
use datadog_api_client::datadogV2::model::SecurityFilterUpdateAttributes;
use datadog_api_client::datadogV2::model::SecurityFilterUpdateData;
use datadog_api_client::datadogV2::model::SecurityFilterUpdateRequest;
#[tokio::main]
async fn main() {
// there is a valid "security_filter" in the system
let security_filter_data_id = std::env::var("SECURITY_FILTER_DATA_ID").unwrap();
let body = SecurityFilterUpdateRequest::new(SecurityFilterUpdateData::new(
SecurityFilterUpdateAttributes::new()
.exclusion_filters(vec![])
.filtered_data_type(SecurityFilterFilteredDataType::LOGS)
.is_enabled(true)
.name("Example-Security-Monitoring".to_string())
.query("service:ExampleSecurityMonitoring".to_string())
.version(1),
SecurityFilterType::SECURITY_FILTERS,
));
let configuration = datadog::Configuration::new();
let api = SecurityMonitoringAPI::with_config(configuration);
let resp = api
.update_security_filter(security_filter_data_id.clone(), body)
.await;
if let Ok(value) = resp {
println!("{:#?}", value);
} else {
println!("{:#?}", resp.unwrap_err());
}
}
First install the library and its dependencies and then save the example to src/main.rs
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
/**
* Update a security filter returns "OK" response
*/
import { client, v2 } from "@datadog/datadog-api-client";
const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);
// there is a valid "security_filter" in the system
const SECURITY_FILTER_DATA_ID = process.env.SECURITY_FILTER_DATA_ID as string;
const params: v2.SecurityMonitoringApiUpdateSecurityFilterRequest = {
body: {
data: {
attributes: {
exclusionFilters: [],
filteredDataType: "logs",
isEnabled: true,
name: "Example-Security-Monitoring",
query: "service:ExampleSecurityMonitoring",
version: 1,
},
type: "security_filters",
},
},
securityFilterId: SECURITY_FILTER_DATA_ID,
};
apiInstance
.updateSecurityFilter(params)
.then((data: v2.SecurityFilterResponse) => {
console.log(
"API called successfully. Returned data: " + JSON.stringify(data)
);
})
.catch((error: any) => console.error(error));
First install the library and its dependencies and then save the example to example.ts
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
GET https://api.ap1.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}https://api.datadoghq.eu/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}https://api.ddog-gov.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}https://api.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}https://api.us3.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/{security_filter_id}
Get the details of a specific security filter.
See the security filter guide for more examples.
This endpoint requires thesecurity_monitoring_filters_read
permission.OAuth apps require the security_monitoring_filters_read
authorization scope to access this endpoint.
이름
유형
설명
security_filter_id [required]
string
The ID of the security filter.
OK
Response object which includes a single security filter.
항목
유형
설명
data
object
The security filter's properties.
attributes
object
The object describing a security filter.
exclusion_filters
[object]
The list of exclusion filters applied in this security filter.
name
string
The exclusion filter name.
query
string
The exclusion filter query.
filtered_data_type
enum
The filtered data type.
Allowed enum values: logs
is_builtin
boolean
Whether the security filter is the built-in filter.
is_enabled
boolean
Whether the security filter is enabled.
name
string
The security filter name.
query
string
The security filter query. Logs accepted by this query will be accepted by this filter.
version
int32
The version of the security filter.
id
string
The ID of the security filter.
type
enum
The type of the resource. The value should always be security_filters
.
Allowed enum values: security_filters
default: security_filters
meta
object
Optional metadata associated to the response.
warning
string
A warning message.
{
"data": {
"attributes": {
"exclusion_filters": [
{
"name": "Exclude staging",
"query": "source:staging"
}
],
"filtered_data_type": "logs",
"is_builtin": false,
"is_enabled": false,
"name": "Custom security filter",
"query": "service:api",
"version": 1
},
"id": "3dd-0uc-h1s",
"type": "security_filters"
},
"meta": {
"warning": "All the security filters are disabled. As a result, no logs are being analyzed."
}
}
Not Authorized
API error response.
{
"errors": [
"Bad Request"
]
}
Not Found
API error response.
{
"errors": [
"Bad Request"
]
}
Too many requests
API error response.
{
"errors": [
"Bad Request"
]
}
# Path parameters
export security_filter_id="CHANGE_ME"
# Curl command
curl -X GET "https://api.ap1.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/security_filters/${security_filter_id}" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
"""
Get a security filter returns "OK" response
"""
from os import environ
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
# there is a valid "security_filter" in the system
SECURITY_FILTER_DATA_ID = environ["SECURITY_FILTER_DATA_ID"]
configuration = Configuration()
with ApiClient(configuration) as api_client:
api_instance = SecurityMonitoringApi(api_client)
response = api_instance.get_security_filter(
security_filter_id=SECURITY_FILTER_DATA_ID,
)
print(response)
First install the library and its dependencies and then save the example to example.py
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
# Get a security filter returns "OK" response
require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
# there is a valid "security_filter" in the system
SECURITY_FILTER_DATA_ID = ENV["SECURITY_FILTER_DATA_ID"]
p api_instance.get_security_filter(SECURITY_FILTER_DATA_ID)
First install the library and its dependencies and then save the example to example.rb
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
// Get a security filter returns "OK" response
package main
import (
"context"
"encoding/json"
"fmt"
"os"
"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)
func main() {
// there is a valid "security_filter" in the system
SecurityFilterDataID := os.Getenv("SECURITY_FILTER_DATA_ID")
ctx := datadog.NewDefaultContext(context.Background())
configuration := datadog.NewConfiguration()
apiClient := datadog.NewAPIClient(configuration)
api := datadogV2.NewSecurityMonitoringApi(apiClient)
resp, r, err := api.GetSecurityFilter(ctx, SecurityFilterDataID)
if err != nil {
fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.GetSecurityFilter`: %v\n", err)
fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
}
responseContent, _ := json.MarshalIndent(resp, "", " ")
fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.GetSecurityFilter`:\n%s\n", responseContent)
}
First install the library and its dependencies and then save the example to main.go
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
// Get a security filter returns "OK" response
import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityFilterResponse;
public class Example {
public static void main(String[] args) {
ApiClient defaultClient = ApiClient.getDefaultApiClient();
SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);
// there is a valid "security_filter" in the system
String SECURITY_FILTER_DATA_ID = System.getenv("SECURITY_FILTER_DATA_ID");
try {
SecurityFilterResponse result = apiInstance.getSecurityFilter(SECURITY_FILTER_DATA_ID);
System.out.println(result);
} catch (ApiException e) {
System.err.println("Exception when calling SecurityMonitoringApi#getSecurityFilter");
System.err.println("Status code: " + e.getCode());
System.err.println("Reason: " + e.getResponseBody());
System.err.println("Response headers: " + e.getResponseHeaders());
e.printStackTrace();
}
}
}
First install the library and its dependencies and then save the example to Example.java
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
// Get a security filter returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
#[tokio::main]
async fn main() {
// there is a valid "security_filter" in the system
let security_filter_data_id = std::env::var("SECURITY_FILTER_DATA_ID").unwrap();
let configuration = datadog::Configuration::new();
let api = SecurityMonitoringAPI::with_config(configuration);
let resp = api
.get_security_filter(security_filter_data_id.clone())
.await;
if let Ok(value) = resp {
println!("{:#?}", value);
} else {
println!("{:#?}", resp.unwrap_err());
}
}
First install the library and its dependencies and then save the example to src/main.rs
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
/**
* Get a security filter returns "OK" response
*/
import { client, v2 } from "@datadog/datadog-api-client";
const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);
// there is a valid "security_filter" in the system
const SECURITY_FILTER_DATA_ID = process.env.SECURITY_FILTER_DATA_ID as string;
const params: v2.SecurityMonitoringApiGetSecurityFilterRequest = {
securityFilterId: SECURITY_FILTER_DATA_ID,
};
apiInstance
.getSecurityFilter(params)
.then((data: v2.SecurityFilterResponse) => {
console.log(
"API called successfully. Returned data: " + JSON.stringify(data)
);
})
.catch((error: any) => console.error(error));
First install the library and its dependencies and then save the example to example.ts
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
POST https://api.ap1.datadoghq.com/api/v2/security_monitoring/configuration/security_filtershttps://api.datadoghq.eu/api/v2/security_monitoring/configuration/security_filtershttps://api.ddog-gov.com/api/v2/security_monitoring/configuration/security_filtershttps://api.datadoghq.com/api/v2/security_monitoring/configuration/security_filtershttps://api.us3.datadoghq.com/api/v2/security_monitoring/configuration/security_filtershttps://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/security_filters
Create a security filter.
See the security filter guide for more examples.
This endpoint requires thesecurity_monitoring_filters_write
permission.OAuth apps require the security_monitoring_filters_write
authorization scope to access this endpoint.
The definition of the new security filter.
항목
유형
설명
data [required]
object
Object for a single security filter.
attributes [required]
object
Object containing the attributes of the security filter to be created.
exclusion_filters [required]
[object]
Exclusion filters to exclude some logs from the security filter.
name [required]
string
Exclusion filter name.
query [required]
string
Exclusion filter query. Logs that match this query are excluded from the security filter.
filtered_data_type [required]
enum
The filtered data type.
Allowed enum values: logs
is_enabled [required]
boolean
Whether the security filter is enabled.
name [required]
string
The name of the security filter.
query [required]
string
The query of the security filter.
type [required]
enum
The type of the resource. The value should always be security_filters
.
Allowed enum values: security_filters
default: security_filters
{
"data": {
"attributes": {
"exclusion_filters": [
{
"name": "Exclude staging",
"query": "source:staging"
}
],
"filtered_data_type": "logs",
"is_enabled": true,
"name": "Example-Security-Monitoring",
"query": "service:ExampleSecurityMonitoring"
},
"type": "security_filters"
}
}
OK
Response object which includes a single security filter.
항목
유형
설명
data
object
The security filter's properties.
attributes
object
The object describing a security filter.
exclusion_filters
[object]
The list of exclusion filters applied in this security filter.
name
string
The exclusion filter name.
query
string
The exclusion filter query.
filtered_data_type
enum
The filtered data type.
Allowed enum values: logs
is_builtin
boolean
Whether the security filter is the built-in filter.
is_enabled
boolean
Whether the security filter is enabled.
name
string
The security filter name.
query
string
The security filter query. Logs accepted by this query will be accepted by this filter.
version
int32
The version of the security filter.
id
string
The ID of the security filter.
type
enum
The type of the resource. The value should always be security_filters
.
Allowed enum values: security_filters
default: security_filters
meta
object
Optional metadata associated to the response.
warning
string
A warning message.
{
"data": {
"attributes": {
"exclusion_filters": [
{
"name": "Exclude staging",
"query": "source:staging"
}
],
"filtered_data_type": "logs",
"is_builtin": false,
"is_enabled": false,
"name": "Custom security filter",
"query": "service:api",
"version": 1
},
"id": "3dd-0uc-h1s",
"type": "security_filters"
},
"meta": {
"warning": "All the security filters are disabled. As a result, no logs are being analyzed."
}
}
Bad Request
API error response.
{
"errors": [
"Bad Request"
]
}
Not Authorized
API error response.
{
"errors": [
"Bad Request"
]
}
Conflict
API error response.
{
"errors": [
"Bad Request"
]
}
Too many requests
API error response.
{
"errors": [
"Bad Request"
]
}
# Curl command
curl -X POST "https://api.ap1.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/security_filters" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
"data": {
"attributes": {
"exclusion_filters": [
{
"name": "Exclude staging",
"query": "source:staging"
}
],
"filtered_data_type": "logs",
"is_enabled": true,
"name": "Example-Security-Monitoring",
"query": "service:ExampleSecurityMonitoring"
},
"type": "security_filters"
}
}
EOF
// Create a security filter returns "OK" response
package main
import (
"context"
"encoding/json"
"fmt"
"os"
"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)
func main() {
body := datadogV2.SecurityFilterCreateRequest{
Data: datadogV2.SecurityFilterCreateData{
Attributes: datadogV2.SecurityFilterCreateAttributes{
ExclusionFilters: []datadogV2.SecurityFilterExclusionFilter{
{
Name: "Exclude staging",
Query: "source:staging",
},
},
FilteredDataType: datadogV2.SECURITYFILTERFILTEREDDATATYPE_LOGS,
IsEnabled: true,
Name: "Example-Security-Monitoring",
Query: "service:ExampleSecurityMonitoring",
},
Type: datadogV2.SECURITYFILTERTYPE_SECURITY_FILTERS,
},
}
ctx := datadog.NewDefaultContext(context.Background())
configuration := datadog.NewConfiguration()
apiClient := datadog.NewAPIClient(configuration)
api := datadogV2.NewSecurityMonitoringApi(apiClient)
resp, r, err := api.CreateSecurityFilter(ctx, body)
if err != nil {
fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.CreateSecurityFilter`: %v\n", err)
fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
}
responseContent, _ := json.MarshalIndent(resp, "", " ")
fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.CreateSecurityFilter`:\n%s\n", responseContent)
}
First install the library and its dependencies and then save the example to main.go
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
// Create a security filter returns "OK" response
import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityFilterCreateAttributes;
import com.datadog.api.client.v2.model.SecurityFilterCreateData;
import com.datadog.api.client.v2.model.SecurityFilterCreateRequest;
import com.datadog.api.client.v2.model.SecurityFilterExclusionFilter;
import com.datadog.api.client.v2.model.SecurityFilterFilteredDataType;
import com.datadog.api.client.v2.model.SecurityFilterResponse;
import com.datadog.api.client.v2.model.SecurityFilterType;
import java.util.Collections;
public class Example {
public static void main(String[] args) {
ApiClient defaultClient = ApiClient.getDefaultApiClient();
SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);
SecurityFilterCreateRequest body =
new SecurityFilterCreateRequest()
.data(
new SecurityFilterCreateData()
.attributes(
new SecurityFilterCreateAttributes()
.exclusionFilters(
Collections.singletonList(
new SecurityFilterExclusionFilter()
.name("Exclude staging")
.query("source:staging")))
.filteredDataType(SecurityFilterFilteredDataType.LOGS)
.isEnabled(true)
.name("Example-Security-Monitoring")
.query("service:ExampleSecurityMonitoring"))
.type(SecurityFilterType.SECURITY_FILTERS));
try {
SecurityFilterResponse result = apiInstance.createSecurityFilter(body);
System.out.println(result);
} catch (ApiException e) {
System.err.println("Exception when calling SecurityMonitoringApi#createSecurityFilter");
System.err.println("Status code: " + e.getCode());
System.err.println("Reason: " + e.getResponseBody());
System.err.println("Response headers: " + e.getResponseHeaders());
e.printStackTrace();
}
}
}
First install the library and its dependencies and then save the example to Example.java
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
"""
Create a security filter returns "OK" response
"""
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_filter_create_attributes import SecurityFilterCreateAttributes
from datadog_api_client.v2.model.security_filter_create_data import SecurityFilterCreateData
from datadog_api_client.v2.model.security_filter_create_request import SecurityFilterCreateRequest
from datadog_api_client.v2.model.security_filter_exclusion_filter import SecurityFilterExclusionFilter
from datadog_api_client.v2.model.security_filter_filtered_data_type import SecurityFilterFilteredDataType
from datadog_api_client.v2.model.security_filter_type import SecurityFilterType
body = SecurityFilterCreateRequest(
data=SecurityFilterCreateData(
attributes=SecurityFilterCreateAttributes(
exclusion_filters=[
SecurityFilterExclusionFilter(
name="Exclude staging",
query="source:staging",
),
],
filtered_data_type=SecurityFilterFilteredDataType.LOGS,
is_enabled=True,
name="Example-Security-Monitoring",
query="service:ExampleSecurityMonitoring",
),
type=SecurityFilterType.SECURITY_FILTERS,
),
)
configuration = Configuration()
with ApiClient(configuration) as api_client:
api_instance = SecurityMonitoringApi(api_client)
response = api_instance.create_security_filter(body=body)
print(response)
First install the library and its dependencies and then save the example to example.py
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
# Create a security filter returns "OK" response
require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
body = DatadogAPIClient::V2::SecurityFilterCreateRequest.new({
data: DatadogAPIClient::V2::SecurityFilterCreateData.new({
attributes: DatadogAPIClient::V2::SecurityFilterCreateAttributes.new({
exclusion_filters: [
DatadogAPIClient::V2::SecurityFilterExclusionFilter.new({
name: "Exclude staging",
query: "source:staging",
}),
],
filtered_data_type: DatadogAPIClient::V2::SecurityFilterFilteredDataType::LOGS,
is_enabled: true,
name: "Example-Security-Monitoring",
query: "service:ExampleSecurityMonitoring",
}),
type: DatadogAPIClient::V2::SecurityFilterType::SECURITY_FILTERS,
}),
})
p api_instance.create_security_filter(body)
First install the library and its dependencies and then save the example to example.rb
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
// Create a security filter returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityFilterCreateAttributes;
use datadog_api_client::datadogV2::model::SecurityFilterCreateData;
use datadog_api_client::datadogV2::model::SecurityFilterCreateRequest;
use datadog_api_client::datadogV2::model::SecurityFilterExclusionFilter;
use datadog_api_client::datadogV2::model::SecurityFilterFilteredDataType;
use datadog_api_client::datadogV2::model::SecurityFilterType;
#[tokio::main]
async fn main() {
let body = SecurityFilterCreateRequest::new(SecurityFilterCreateData::new(
SecurityFilterCreateAttributes::new(
vec![SecurityFilterExclusionFilter::new(
"Exclude staging".to_string(),
"source:staging".to_string(),
)],
SecurityFilterFilteredDataType::LOGS,
true,
"Example-Security-Monitoring".to_string(),
"service:ExampleSecurityMonitoring".to_string(),
),
SecurityFilterType::SECURITY_FILTERS,
));
let configuration = datadog::Configuration::new();
let api = SecurityMonitoringAPI::with_config(configuration);
let resp = api.create_security_filter(body).await;
if let Ok(value) = resp {
println!("{:#?}", value);
} else {
println!("{:#?}", resp.unwrap_err());
}
}
First install the library and its dependencies and then save the example to src/main.rs
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
/**
* Create a security filter returns "OK" response
*/
import { client, v2 } from "@datadog/datadog-api-client";
const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);
const params: v2.SecurityMonitoringApiCreateSecurityFilterRequest = {
body: {
data: {
attributes: {
exclusionFilters: [
{
name: "Exclude staging",
query: "source:staging",
},
],
filteredDataType: "logs",
isEnabled: true,
name: "Example-Security-Monitoring",
query: "service:ExampleSecurityMonitoring",
},
type: "security_filters",
},
},
};
apiInstance
.createSecurityFilter(params)
.then((data: v2.SecurityFilterResponse) => {
console.log(
"API called successfully. Returned data: " + JSON.stringify(data)
);
})
.catch((error: any) => console.error(error));
First install the library and its dependencies and then save the example to example.ts
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
GET https://api.ap1.datadoghq.com/api/v2/security_monitoring/configuration/security_filtershttps://api.datadoghq.eu/api/v2/security_monitoring/configuration/security_filtershttps://api.ddog-gov.com/api/v2/security_monitoring/configuration/security_filtershttps://api.datadoghq.com/api/v2/security_monitoring/configuration/security_filtershttps://api.us3.datadoghq.com/api/v2/security_monitoring/configuration/security_filtershttps://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/security_filters
Get the list of configured security filters with their definitions.
This endpoint requires the security_monitoring_filters_read
permission.
OAuth apps require the security_monitoring_filters_read
authorization scope to access this endpoint.
OK
All the available security filters objects.
항목
유형
설명
data
[object]
A list of security filters objects.
attributes
object
The object describing a security filter.
exclusion_filters
[object]
The list of exclusion filters applied in this security filter.
name
string
The exclusion filter name.
query
string
The exclusion filter query.
filtered_data_type
enum
The filtered data type.
Allowed enum values: logs
is_builtin
boolean
Whether the security filter is the built-in filter.
is_enabled
boolean
Whether the security filter is enabled.
name
string
The security filter name.
query
string
The security filter query. Logs accepted by this query will be accepted by this filter.
version
int32
The version of the security filter.
id
string
The ID of the security filter.
type
enum
The type of the resource. The value should always be security_filters
.
Allowed enum values: security_filters
default: security_filters
meta
object
Optional metadata associated to the response.
warning
string
A warning message.
{
"data": [
{
"attributes": {
"exclusion_filters": [
{
"name": "Exclude staging",
"query": "source:staging"
}
],
"filtered_data_type": "logs",
"is_builtin": false,
"is_enabled": false,
"name": "Custom security filter",
"query": "service:api",
"version": 1
},
"id": "3dd-0uc-h1s",
"type": "security_filters"
}
],
"meta": {
"warning": "All the security filters are disabled. As a result, no logs are being analyzed."
}
}
Not Authorized
API error response.
{
"errors": [
"Bad Request"
]
}
Too many requests
API error response.
{
"errors": [
"Bad Request"
]
}
# Curl command
curl -X GET "https://api.ap1.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/security_monitoring/configuration/security_filters" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
"""
Get all security filters returns "OK" response
"""
from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
configuration = Configuration()
with ApiClient(configuration) as api_client:
api_instance = SecurityMonitoringApi(api_client)
response = api_instance.list_security_filters()
print(response)
First install the library and its dependencies and then save the example to example.py
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" python3 "example.py"
# Get all security filters returns "OK" response
require "datadog_api_client"
api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
p api_instance.list_security_filters()
First install the library and its dependencies and then save the example to example.rb
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" rb "example.rb"
// Get all security filters returns "OK" response
package main
import (
"context"
"encoding/json"
"fmt"
"os"
"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)
func main() {
ctx := datadog.NewDefaultContext(context.Background())
configuration := datadog.NewConfiguration()
apiClient := datadog.NewAPIClient(configuration)
api := datadogV2.NewSecurityMonitoringApi(apiClient)
resp, r, err := api.ListSecurityFilters(ctx)
if err != nil {
fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.ListSecurityFilters`: %v\n", err)
fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
}
responseContent, _ := json.MarshalIndent(resp, "", " ")
fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.ListSecurityFilters`:\n%s\n", responseContent)
}
First install the library and its dependencies and then save the example to main.go
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" go run "main.go"
// Get all security filters returns "OK" response
import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityFiltersResponse;
public class Example {
public static void main(String[] args) {
ApiClient defaultClient = ApiClient.getDefaultApiClient();
SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);
try {
SecurityFiltersResponse result = apiInstance.listSecurityFilters();
System.out.println(result);
} catch (ApiException e) {
System.err.println("Exception when calling SecurityMonitoringApi#listSecurityFilters");
System.err.println("Status code: " + e.getCode());
System.err.println("Reason: " + e.getResponseBody());
System.err.println("Response headers: " + e.getResponseHeaders());
e.printStackTrace();
}
}
}
First install the library and its dependencies and then save the example to Example.java
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" java "Example.java"
// Get all security filters returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
#[tokio::main]
async fn main() {
let configuration = datadog::Configuration::new();
let api = SecurityMonitoringAPI::with_config(configuration);
let resp = api.list_security_filters().await;
if let Ok(value) = resp {
println!("{:#?}", value);
} else {
println!("{:#?}", resp.unwrap_err());
}
}
First install the library and its dependencies and then save the example to src/main.rs
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" cargo run
/**
* Get all security filters returns "OK" response
*/
import { client, v2 } from "@datadog/datadog-api-client";
const configuration = client.createConfiguration();
const apiInstance = new v2.SecurityMonitoringApi(configuration);
apiInstance
.listSecurityFilters()
.then((data: v2.SecurityFiltersResponse) => {
console.log(
"API called successfully. Returned data: " + JSON.stringify(data)
);
})
.catch((error: any) => console.error(error));
First install the library and its dependencies and then save the example to example.ts
and run following commands:
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comddog-gov.com" DD_API_KEY="<DD_API_KEY>" DD_APP_KEY="<DD_APP_KEY>" tsc "example.ts"
Note: This endpoint is in beta and may be subject to changes. Please check the documentation regularly for updates.
POST https://api.ap1.datadoghq.com/api/v2/siem-historical-detections/jobshttps://api.datadoghq.eu/api/v2/siem-historical-detections/jobshttps://api.ddog-gov.com/api/v2/siem-historical-detections/jobshttps://api.datadoghq.com/api/v2/siem-historical-detections/jobshttps://api.us3.datadoghq.com/api/v2/siem-historical-detections/jobshttps://api.us5.datadoghq.com/api/v2/siem-historical-detections/jobs
Run a historical job.
항목
유형
설명
data
object
Data for running a historical job request.
attributes
object
Run a historical job request.
fromRule
object
Definition of a historical job based on a security monitoring rule.
caseIndex [required]
int32
Index of the rule case applied by the job.
from [required]
int64
Starting time of data analyzed by the job.
id [required]
string
ID of the detection rule used to create the job.
index [required]
string
Index used to load the data.
notifications
[string]
Notifications sent when the job is completed.
to [required]
int64
Ending time of data analyzed by the job.
id
string
Request ID.
jobDefinition
object
Definition of a historical job.
calculatedFields
[object]
Calculated fields.
expression [required]
string
Expression.
name [required]
string
Field name.
cases [required]
[object]
Cases used for generating job results.
condition
string
A rule case contains logical operations (>
,>=
, &&
, ||
) to determine if a signal should be generated
based on the event counts in the previously defined queries.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
status [required]
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
filters
[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
enum
The type of filtering action.
Allowed enum values: require,suppress
query
string
Query for selecting logs to apply the filtering action.
from [required]
int64
Starting time of data analyzed by the job.
index [required]
string
Index used to load the data.
message [required]
string
Message for generated results.
name [required]
string
Job name.
options
object
Options on rules.
complianceRuleOptions
object
Options for cloud_configuration rules.
Fields resourceType
and regoRule
are mandatory when managing custom cloud_configuration
rules.
complexRule
boolean
Whether the rule is a complex one.
Must be set to true if regoRule.resourceTypes
contains more than one item. Defaults to false.
regoRule
object
Rule details.
policy [required]
string
The policy written in rego
, see: https://www.openpolicyagent.org/docs/latest/policy-language/
resourceTypes [required]
[string]
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
string
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes
.
decreaseCriticalityBasedOnEnv
boolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.
The severity is decreased by one level: CRITICAL
in production becomes HIGH
in non-production, HIGH
becomes MEDIUM
and so on. INFO
remains INFO
.
The decrement is applied when the environment tag of the signal starts with staging
, test
or dev
.
detectionMethod
enum
The detection method.
Allowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold
evaluationWindow
enum
A time window is specified to match when at least one of the cases matches true. This is a sliding window
and evaluates in real time. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200
hardcodedEvaluatorType
enum
Hardcoded evaluator type.
Allowed enum values: log4shell
impossibleTravelOptions
object
Options on impossible travel rules.
baselineUserLocations
boolean
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
enum
Once a signal is generated, the signal will remain “open” if a case is matched at least once within
this keep alive window. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600
maxSignalDuration
enum
A signal will “close” regardless of the query being matched once the time exceeds the maximum duration.
This time is calculated from the first seen timestamp.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
object
Options on new value rules.
forgetAfter
enum
The duration in days after which a learned value is forgotten.
Allowed enum values: 1,2,7,14,21,28
learningDuration
enum
The duration in days during which values are learned, and after which signals will be generated for values that
weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned.
Allowed enum values: 0,1,7
learningMethod
enum
The learning method used to determine when signals should be generated for values that weren't learned.
Allowed enum values: duration,threshold
default: duration
learningThreshold
enum
A number of occurrences after which signals will be generated for values that weren't learned.
Allowed enum values: 0,1
thirdPartyRuleOptions
object
Options on third party rules.
defaultNotifications
[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
rootQueries
[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
[string]
Fields to group by.
query
string
Query to run on logs.
signalTitleTemplate
string
A template for the signal title; if omitted, the title is generated based on the case name.
queries [required]
[object]
Queries for selecting logs analyzed by the job.
aggregation
enum
The aggregation type.
Allowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
distinctFields
[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
[string]
Fields to group by.
hasOptionalGroupByFields
boolean
When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with N/A
, replacing the missing values.
metric
string
DEPRECATED: (Deprecated) The target field to aggregate over when using the sum or max
aggregations. metrics
field should be used instead.
metrics
[string]
Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.
name
string
Name of the query.
query
string
Query to run on logs.
referenceTables
[object]
Reference tables for the rule.
checkPresence
boolean
Whether to include or exclude the matched values.
columnName
string
The name of the column in the reference table.
logFieldPath
string
The field in the log to match against the reference table.
ruleQueryName
string
The name of the rule query to apply the reference table to.
tableName
string
The name of the reference table.
tags
[string]
Tags for generated signals.
thirdPartyCases
[object]
Cases for generating results from third-party rules. Only available for third-party rules.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
query
string
A query to map a third party event to this case.
status [required]
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
to [required]
int64
Ending time of data analyzed by the job.
type
string
Job type.
type
enum
Type of data.
Allowed enum values: historicalDetectionsJobCreate
{
"data": {
"type": "historicalDetectionsJobCreate",
"attributes": {
"jobDefinition": {
"type": "log_detection",
"name": "Excessive number of failed attempts.",
"queries": [
{
"query": "source:non_existing_src_weekend",
"aggregation": "count",
"groupByFields": [],
"distinctFields": []
}
],
"cases": [
{
"name": "Condition 1",
"status": "info",
"notifications": [],
"condition": "a > 1"
}
],
"options": {
"keepAlive": 3600,
"maxSignalDuration": 86400,
"evaluationWindow": 900
},
"message": "A large number of failed login attempts.",
"tags": [],
"from": 1730387522611,
"to": 1730387532611,
"index": "main"
}
}
}
}
Status created
Run a historical job response.
항목
유형
설명
data
object
The definition of JobCreateResponseData
object.
id
string
ID of the created job.
type
enum
Type of payload.
Allowed enum values: historicalDetectionsJob
{
"data": {
"id": "string",
"type": "string"
}
}
Bad Request
API error response.
{
"errors": [
"Bad Request"
]
}
Concurrent Modification
API error response.
{
"errors": [
"Bad Request"
]
}
Not Authorized
API error response.
{
"errors": [
"Bad Request"
]
}
Not Found
API error response.
{
"errors": [
"Bad Request"
]
}
Too many requests
API error response.
{
"errors": [
"Bad Request"
]
}
# Curl command
curl -X POST "https://api.ap1.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/siem-historical-detections/jobs" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
"data": {
"type": "historicalDetectionsJobCreate",
"attributes": {
"jobDefinition": {
"type": "log_detection",
"name": "Excessive number of failed attempts.",
"queries": [
{
"query": "source:non_existing_src_weekend",
"aggregation": "count",
"groupByFields": [],
"distinctFields": []
}
],
"cases": [
{
"name": "Condition 1",
"status": "info",
"notifications": [],
"condition": "a > 1"
}
],
"options": {
"keepAlive": 3600,
"maxSignalDuration": 86400,
"evaluationWindow": 900
},
"message": "A large number of failed login attempts.",
"tags": [],
"from": 1730387522611,
"to": 1730387532611,
"index": "main"
}
}
}
}
EOF
Note: This endpoint is in beta and may be subject to changes. Please check the documentation regularly for updates.
GET https://api.ap1.datadoghq.com/api/v2/siem-historical-detections/jobshttps://api.datadoghq.eu/api/v2/siem-historical-detections/jobshttps://api.ddog-gov.com/api/v2/siem-historical-detections/jobshttps://api.datadoghq.com/api/v2/siem-historical-detections/jobshttps://api.us3.datadoghq.com/api/v2/siem-historical-detections/jobshttps://api.us5.datadoghq.com/api/v2/siem-historical-detections/jobs
List historical jobs.
이름
유형
설명
page[size]
integer
Size for a given page. The maximum allowed value is 100.
page[number]
integer
Specific page number to return.
sort
string
The order of the jobs in results.
filter[query]
string
Query used to filter items from the fetched list.
OK
List of historical jobs.
항목
유형
설명
data
[object]
Array containing the list of historical jobs.
attributes
object
Historical job attributes.
createdAt
string
Time when the job was created.
createdByHandle
string
The handle of the user who created the job.
createdByName
string
The name of the user who created the job.
createdFromRuleId
string
ID of the rule used to create the job (if it is created from a rule).
jobDefinition
object
Definition of a historical job.
calculatedFields
[object]
Calculated fields.
expression [required]
string
Expression.
name [required]
string
Field name.
cases [required]
[object]
Cases used for generating job results.
condition
string
A rule case contains logical operations (>
,>=
, &&
, ||
) to determine if a signal should be generated
based on the event counts in the previously defined queries.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
status [required]
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
filters
[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
enum
The type of filtering action.
Allowed enum values: require,suppress
query
string
Query for selecting logs to apply the filtering action.
from [required]
int64
Starting time of data analyzed by the job.
index [required]
string
Index used to load the data.
message [required]
string
Message for generated results.
name [required]
string
Job name.
options
object
Options on rules.
complianceRuleOptions
object
Options for cloud_configuration rules.
Fields resourceType
and regoRule
are mandatory when managing custom cloud_configuration
rules.
complexRule
boolean
Whether the rule is a complex one.
Must be set to true if regoRule.resourceTypes
contains more than one item. Defaults to false.
regoRule
object
Rule details.
policy [required]
string
The policy written in rego
, see: https://www.openpolicyagent.org/docs/latest/policy-language/
resourceTypes [required]
[string]
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
string
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes
.
decreaseCriticalityBasedOnEnv
boolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.
The severity is decreased by one level: CRITICAL
in production becomes HIGH
in non-production, HIGH
becomes MEDIUM
and so on. INFO
remains INFO
.
The decrement is applied when the environment tag of the signal starts with staging
, test
or dev
.
detectionMethod
enum
The detection method.
Allowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold
evaluationWindow
enum
A time window is specified to match when at least one of the cases matches true. This is a sliding window
and evaluates in real time. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200
hardcodedEvaluatorType
enum
Hardcoded evaluator type.
Allowed enum values: log4shell
impossibleTravelOptions
object
Options on impossible travel rules.
baselineUserLocations
boolean
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
enum
Once a signal is generated, the signal will remain “open” if a case is matched at least once within
this keep alive window. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600
maxSignalDuration
enum
A signal will “close” regardless of the query being matched once the time exceeds the maximum duration.
This time is calculated from the first seen timestamp.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
object
Options on new value rules.
forgetAfter
enum
The duration in days after which a learned value is forgotten.
Allowed enum values: 1,2,7,14,21,28
learningDuration
enum
The duration in days during which values are learned, and after which signals will be generated for values that
weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned.
Allowed enum values: 0,1,7
learningMethod
enum
The learning method used to determine when signals should be generated for values that weren't learned.
Allowed enum values: duration,threshold
default: duration
learningThreshold
enum
A number of occurrences after which signals will be generated for values that weren't learned.
Allowed enum values: 0,1
thirdPartyRuleOptions
object
Options on third party rules.
defaultNotifications
[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
rootQueries
[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
[string]
Fields to group by.
query
string
Query to run on logs.
signalTitleTemplate
string
A template for the signal title; if omitted, the title is generated based on the case name.
queries [required]
[object]
Queries for selecting logs analyzed by the job.
aggregation
enum
The aggregation type.
Allowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
distinctFields
[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
[string]
Fields to group by.
hasOptionalGroupByFields
boolean
When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with N/A
, replacing the missing values.
metric
string
DEPRECATED: (Deprecated) The target field to aggregate over when using the sum or max
aggregations. metrics
field should be used instead.
metrics
[string]
Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.
name
string
Name of the query.
query
string
Query to run on logs.
referenceTables
[object]
Reference tables for the rule.
checkPresence
boolean
Whether to include or exclude the matched values.
columnName
string
The name of the column in the reference table.
logFieldPath
string
The field in the log to match against the reference table.
ruleQueryName
string
The name of the rule query to apply the reference table to.
tableName
string
The name of the reference table.
tags
[string]
Tags for generated signals.
thirdPartyCases
[object]
Cases for generating results from third-party rules. Only available for third-party rules.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
query
string
A query to map a third party event to this case.
status [required]
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
to [required]
int64
Ending time of data analyzed by the job.
type
string
Job type.
jobName
string
Job name.
jobStatus
string
Job status.
modifiedAt
string
Last modification time of the job.
id
string
ID of the job.
type
enum
Type of payload.
Allowed enum values: historicalDetectionsJob
meta
object
Metadata about the list of jobs.
totalCount
int32
Number of jobs in the list.
{
"data": [
{
"attributes": {
"createdAt": "string",
"createdByHandle": "string",
"createdByName": "string",
"createdFromRuleId": "string",
"jobDefinition": {
"calculatedFields": [
{
"expression": "@request_end_timestamp - @request_start_timestamp",
"name": "response_time"
}
],
"cases": [
{
"condition": "string",
"name": "string",
"notifications": [],
"status": "critical"
}
],
"filters": [
{
"action": "string",
"query": "string"
}
],
"from": 1729843470000,
"index": "cloud_siem",
"message": "A large number of failed login attempts.",
"name": "Excessive number of failed attempts.",
"options": {
"complianceRuleOptions": {
"complexRule": false,
"regoRule": {
"policy": "package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(resource) = \"skip\" if {\n # Logic that evaluates to true if the resource should be skipped\n true\n} else = \"pass\" {\n # Logic that evaluates to true if the resource is compliant\n true\n} else = \"fail\" {\n # Logic that evaluates to true if the resource is not compliant\n true\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n some resource in input.resources[input.main_resource_type]\n result := dd_output.format(resource, eval(resource))\n}\n",
"resourceTypes": [
"gcp_iam_service_account",
"gcp_iam_policy"
]
},
"resourceType": "aws_acm"
},
"decreaseCriticalityBasedOnEnv": false,
"detectionMethod": "string",
"evaluationWindow": "integer",
"hardcodedEvaluatorType": "string",
"impossibleTravelOptions": {
"baselineUserLocations": true
},
"keepAlive": "integer",
"maxSignalDuration": "integer",
"newValueOptions": {
"forgetAfter": "integer",
"learningDuration": "integer",
"learningMethod": "string",
"learningThreshold": "integer"
},
"thirdPartyRuleOptions": {
"defaultNotifications": [],
"defaultStatus": "critical",
"rootQueries": [
{
"groupByFields": [],
"query": "source:cloudtrail"
}
],
"signalTitleTemplate": "string"
}
},
"queries": [
{
"aggregation": "string",
"distinctFields": [],
"groupByFields": [],
"hasOptionalGroupByFields": false,
"metric": "string",
"metrics": [],
"name": "string",
"query": "a > 3"
}
],
"referenceTables": [
{
"checkPresence": false,
"columnName": "string",
"logFieldPath": "string",
"ruleQueryName": "string",
"tableName": "string"
}
],
"tags": [],
"thirdPartyCases": [
{
"name": "string",
"notifications": [],
"query": "string",
"status": "critical"
}
],
"to": 1729847070000,
"type": "string"
},
"jobName": "string",
"jobStatus": "string",
"modifiedAt": "string"
},
"id": "string",
"type": "string"
}
],
"meta": {
"totalCount": "integer"
}
}
Bad Request
API error response.
{
"errors": [
"Bad Request"
]
}
Not Authorized
API error response.
{
"errors": [
"Bad Request"
]
}
Too many requests
API error response.
{
"errors": [
"Bad Request"
]
}
# Curl command
curl -X GET "https://api.ap1.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/siem-historical-detections/jobs" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
Note: This endpoint is in beta and may be subject to changes. Please check the documentation regularly for updates.
GET https://api.ap1.datadoghq.com/api/v2/siem-historical-detections/jobs/{job_id}https://api.datadoghq.eu/api/v2/siem-historical-detections/jobs/{job_id}https://api.ddog-gov.com/api/v2/siem-historical-detections/jobs/{job_id}https://api.datadoghq.com/api/v2/siem-historical-detections/jobs/{job_id}https://api.us3.datadoghq.com/api/v2/siem-historical-detections/jobs/{job_id}https://api.us5.datadoghq.com/api/v2/siem-historical-detections/jobs/{job_id}
Get a job’s details.
이름
유형
설명
job_id [required]
string
The ID of the job.
OK
Historical job response.
항목
유형
설명
data
object
Historical job response data.
attributes
object
Historical job attributes.
createdAt
string
Time when the job was created.
createdByHandle
string
The handle of the user who created the job.
createdByName
string
The name of the user who created the job.
createdFromRuleId
string
ID of the rule used to create the job (if it is created from a rule).
jobDefinition
object
Definition of a historical job.
calculatedFields
[object]
Calculated fields.
expression [required]
string
Expression.
name [required]
string
Field name.
cases [required]
[object]
Cases used for generating job results.
condition
string
A rule case contains logical operations (>
,>=
, &&
, ||
) to determine if a signal should be generated
based on the event counts in the previously defined queries.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
status [required]
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
filters
[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
enum
The type of filtering action.
Allowed enum values: require,suppress
query
string
Query for selecting logs to apply the filtering action.
from [required]
int64
Starting time of data analyzed by the job.
index [required]
string
Index used to load the data.
message [required]
string
Message for generated results.
name [required]
string
Job name.
options
object
Options on rules.
complianceRuleOptions
object
Options for cloud_configuration rules.
Fields resourceType
and regoRule
are mandatory when managing custom cloud_configuration
rules.
complexRule
boolean
Whether the rule is a complex one.
Must be set to true if regoRule.resourceTypes
contains more than one item. Defaults to false.
regoRule
object
Rule details.
policy [required]
string
The policy written in rego
, see: https://www.openpolicyagent.org/docs/latest/policy-language/
resourceTypes [required]
[string]
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
string
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes
.
decreaseCriticalityBasedOnEnv
boolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.
The severity is decreased by one level: CRITICAL
in production becomes HIGH
in non-production, HIGH
becomes MEDIUM
and so on. INFO
remains INFO
.
The decrement is applied when the environment tag of the signal starts with staging
, test
or dev
.
detectionMethod
enum
The detection method.
Allowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold
evaluationWindow
enum
A time window is specified to match when at least one of the cases matches true. This is a sliding window
and evaluates in real time. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200
hardcodedEvaluatorType
enum
Hardcoded evaluator type.
Allowed enum values: log4shell
impossibleTravelOptions
object
Options on impossible travel rules.
baselineUserLocations
boolean
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
enum
Once a signal is generated, the signal will remain “open” if a case is matched at least once within
this keep alive window. For third party rules, this field is not used.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600
maxSignalDuration
enum
A signal will “close” regardless of the query being matched once the time exceeds the maximum duration.
This time is calculated from the first seen timestamp.
Allowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
object
Options on new value rules.
forgetAfter
enum
The duration in days after which a learned value is forgotten.
Allowed enum values: 1,2,7,14,21,28
learningDuration
enum
The duration in days during which values are learned, and after which signals will be generated for values that
weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned.
Allowed enum values: 0,1,7
learningMethod
enum
The learning method used to determine when signals should be generated for values that weren't learned.
Allowed enum values: duration,threshold
default: duration
learningThreshold
enum
A number of occurrences after which signals will be generated for values that weren't learned.
Allowed enum values: 0,1
thirdPartyRuleOptions
object
Options on third party rules.
defaultNotifications
[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
rootQueries
[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
[string]
Fields to group by.
query
string
Query to run on logs.
signalTitleTemplate
string
A template for the signal title; if omitted, the title is generated based on the case name.
queries [required]
[object]
Queries for selecting logs analyzed by the job.
aggregation
enum
The aggregation type.
Allowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
distinctFields
[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
[string]
Fields to group by.
hasOptionalGroupByFields
boolean
When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with N/A
, replacing the missing values.
metric
string
DEPRECATED: (Deprecated) The target field to aggregate over when using the sum or max
aggregations. metrics
field should be used instead.
metrics
[string]
Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.
name
string
Name of the query.
query
string
Query to run on logs.
referenceTables
[object]
Reference tables for the rule.
checkPresence
boolean
Whether to include or exclude the matched values.
columnName
string
The name of the column in the reference table.
logFieldPath
string
The field in the log to match against the reference table.
ruleQueryName
string
The name of the rule query to apply the reference table to.
tableName
string
The name of the reference table.
tags
[string]
Tags for generated signals.
thirdPartyCases
[object]
Cases for generating results from third-party rules. Only available for third-party rules.
name
string
Name of the case.
notifications
[string]
Notification targets for each rule case.
query
string
A query to map a third party event to this case.
status [required]
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
to [required]
int64
Ending time of data analyzed by the job.
type
string
Job type.
jobName
string
Job name.
jobStatus
string
Job status.
modifiedAt
string
Last modification time of the job.
id
string
ID of the job.
type
enum
Type of payload.
Allowed enum values: historicalDetectionsJob
{
"data": {
"attributes": {
"createdAt": "string",
"createdByHandle": "string",
"createdByName": "string",
"createdFromRuleId": "string",
"jobDefinition": {
"calculatedFields": [
{
"expression": "@request_end_timestamp - @request_start_timestamp",
"name": "response_time"
}
],
"cases": [
{
"condition": "string",
"name": "string",
"notifications": [],
"status": "critical"
}
],
"filters": [
{
"action": "string",
"query": "string"
}
],
"from": 1729843470000,
"index": "cloud_siem",
"message": "A large number of failed login attempts.",
"name": "Excessive number of failed attempts.",
"options": {
"complianceRuleOptions": {
"complexRule": false,
"regoRule": {
"policy": "package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(resource) = \"skip\" if {\n # Logic that evaluates to true if the resource should be skipped\n true\n} else = \"pass\" {\n # Logic that evaluates to true if the resource is compliant\n true\n} else = \"fail\" {\n # Logic that evaluates to true if the resource is not compliant\n true\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n some resource in input.resources[input.main_resource_type]\n result := dd_output.format(resource, eval(resource))\n}\n",
"resourceTypes": [
"gcp_iam_service_account",
"gcp_iam_policy"
]
},
"resourceType": "aws_acm"
},
"decreaseCriticalityBasedOnEnv": false,
"detectionMethod": "string",
"evaluationWindow": "integer",
"hardcodedEvaluatorType": "string",
"impossibleTravelOptions": {
"baselineUserLocations": true
},
"keepAlive": "integer",
"maxSignalDuration": "integer",
"newValueOptions": {
"forgetAfter": "integer",
"learningDuration": "integer",
"learningMethod": "string",
"learningThreshold": "integer"
},
"thirdPartyRuleOptions": {
"defaultNotifications": [],
"defaultStatus": "critical",
"rootQueries": [
{
"groupByFields": [],
"query": "source:cloudtrail"
}
],
"signalTitleTemplate": "string"
}
},
"queries": [
{
"aggregation": "string",
"distinctFields": [],
"groupByFields": [],
"hasOptionalGroupByFields": false,
"metric": "string",
"metrics": [],
"name": "string",
"query": "a > 3"
}
],
"referenceTables": [
{
"checkPresence": false,
"columnName": "string",
"logFieldPath": "string",
"ruleQueryName": "string",
"tableName": "string"
}
],
"tags": [],
"thirdPartyCases": [
{
"name": "string",
"notifications": [],
"query": "string",
"status": "critical"
}
],
"to": 1729847070000,
"type": "string"
},
"jobName": "string",
"jobStatus": "string",
"modifiedAt": "string"
},
"id": "string",
"type": "string"
}
}
Bad Request
API error response.
{
"errors": [
"Bad Request"
]
}
Not Authorized
API error response.
{
"errors": [
"Bad Request"
]
}
Not Found
API error response.
{
"errors": [
"Bad Request"
]
}
Too many requests
API error response.
{
"errors": [
"Bad Request"
]
}
# Path parameters
export job_id="CHANGE_ME"
# Curl command
curl -X GET "https://api.ap1.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/siem-historical-detections/jobs/${job_id}" \
-H "Accept: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
Note: This endpoint is in beta and may be subject to changes. Please check the documentation regularly for updates.
PATCH https://api.ap1.datadoghq.com/api/v2/siem-historical-detections/jobs/{job_id}/cancelhttps://api.datadoghq.eu/api/v2/siem-historical-detections/jobs/{job_id}/cancelhttps://api.ddog-gov.com/api/v2/siem-historical-detections/jobs/{job_id}/cancelhttps://api.datadoghq.com/api/v2/siem-historical-detections/jobs/{job_id}/cancelhttps://api.us3.datadoghq.com/api/v2/siem-historical-detections/jobs/{job_id}/cancelhttps://api.us5.datadoghq.com/api/v2/siem-historical-detections/jobs/{job_id}/cancel
Cancel a historical job.
이름
유형
설명
job_id [required]
string
The ID of the job.
OK
Bad Request
API error response.
{
"errors": [
"Bad Request"
]
}
Concurrent Modification
API error response.
{
"errors": [
"Bad Request"
]
}
Not Authorized
API error response.
{
"errors": [
"Bad Request"
]
}
Not Found
API error response.
{
"errors": [
"Bad Request"
]
}
Conflict
API error response.
{
"errors": [
"Bad Request"
]
}
Too many requests
API error response.
{
"errors": [
"Bad Request"
]
}
# Path parameters
export job_id="CHANGE_ME"
# Curl command
curl -X PATCH "https://api.ap1.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/siem-historical-detections/jobs/${job_id}/cancel" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
Note: This endpoint is in beta and may be subject to changes. Please check the documentation regularly for updates.
DELETE https://api.ap1.datadoghq.com/api/v2/siem-historical-detections/jobs/{job_id}https://api.datadoghq.eu/api/v2/siem-historical-detections/jobs/{job_id}https://api.ddog-gov.com/api/v2/siem-historical-detections/jobs/{job_id}https://api.datadoghq.com/api/v2/siem-historical-detections/jobs/{job_id}https://api.us3.datadoghq.com/api/v2/siem-historical-detections/jobs/{job_id}https://api.us5.datadoghq.com/api/v2/siem-historical-detections/jobs/{job_id}
Delete an existing job.
이름
유형
설명
job_id [required]
string
The ID of the job.
OK
Bad Request
API error response.
{
"errors": [
"Bad Request"
]
}
Concurrent Modification
API error response.
{
"errors": [
"Bad Request"
]
}
Not Authorized
API error response.
{
"errors": [
"Bad Request"
]
}
Not Found
API error response.
{
"errors": [
"Bad Request"
]
}
Conflict
API error response.
{
"errors": [
"Bad Request"
]
}
Too many requests
API error response.
{
"errors": [
"Bad Request"
]
}
# Path parameters
export job_id="CHANGE_ME"
# Curl command
curl -X DELETE "https://api.ap1.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/siem-historical-detections/jobs/${job_id}" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
Note: This endpoint is in beta and may be subject to changes. Please check the documentation regularly for updates.
POST https://api.ap1.datadoghq.com/api/v2/siem-historical-detections/jobs/signal_converthttps://api.datadoghq.eu/api/v2/siem-historical-detections/jobs/signal_converthttps://api.ddog-gov.com/api/v2/siem-historical-detections/jobs/signal_converthttps://api.datadoghq.com/api/v2/siem-historical-detections/jobs/signal_converthttps://api.us3.datadoghq.com/api/v2/siem-historical-detections/jobs/signal_converthttps://api.us5.datadoghq.com/api/v2/siem-historical-detections/jobs/signal_convert
Convert a job result to a signal.
항목
유형
설명
data
object
Data for converting historical job results to signals.
attributes
object
Attributes for converting historical job results to signals.
id
string
Request ID.
jobResultIds [required]
[string]
Job result IDs.
notifications [required]
[string]
Notifications sent.
signalMessage [required]
string
Message of generated signals.
signalSeverity [required]
enum
Severity of the Security Signal.
Allowed enum values: info,low,medium,high,critical
type
enum
Type of payload.
Allowed enum values: historicalDetectionsJobResultSignalConversion
{
"data": {
"attributes": {
"id": "string",
"jobResultIds": [
""
],
"notifications": [
""
],
"signalMessage": "A large number of failed login attempts.",
"signalSeverity": "critical"
},
"type": "string"
}
}
OK
Bad Request
API error response.
{
"errors": [
"Bad Request"
]
}
Concurrent Modification
API error response.
{
"errors": [
"Bad Request"
]
}
Not Authorized
API error response.
{
"errors": [
"Bad Request"
]
}
Not Found
API error response.
{
"errors": [
"Bad Request"
]
}
Too many requests
API error response.
{
"errors": [
"Bad Request"
]
}
# Curl command
curl -X POST "https://api.ap1.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/siem-historical-detections/jobs/signal_convert" \
-H "Content-Type: application/json" \
-H "DD-API-KEY: ${DD_API_KEY}" \
-H "DD-APPLICATION-KEY: ${DD_APP_KEY}" \
-d @- << EOF
{
"data": {
"attributes": {
"jobResultIds": [
""
],
"notifications": [
""
],
"signalMessage": "A large number of failed login attempts.",
"signalSeverity": "critical"
}
}
}
EOF