Flag IP case action (DataDog#2549)

api-clients-generation-pipeline[bot] · ci.datadog-api-spec · web-flow · commit 2b4e9c2a192c · 2025-07-22T08:25:35.000Z
Co-authored-by: ci.datadog-api-spec &lt;packages@datadoghq.com&gt;
diff --git a/.generated-info b/.generated-info
@@ -1,4 +1,4 @@
 {
-  "spec_repo_commit": "06ccc32",
-  "generated": "2025-07-21 13:55:17.296"
+  "spec_repo_commit": "8ca2883",
+  "generated": "2025-07-22 07:14:48.428"
 }
diff --git a/.generator/schemas/v2/openapi.yaml b/.generator/schemas/v2/openapi.yaml
@@ -34296,9 +34296,22 @@ components:
           format: int64
           minimum: 0
           type: integer
+        flaggedIPType:
+          $ref: '#/components/schemas/SecurityMonitoringRuleCaseActionOptionsFlaggedIPType'
         userBehaviorName:
           $ref: '#/components/schemas/SecurityMonitoringRuleCaseActionOptionsUserBehaviorName'
       type: object
+    SecurityMonitoringRuleCaseActionOptionsFlaggedIPType:
+      description: Used with the case action of type 'flag_ip'. The value specified
+        in this field is applied as a flag to the IP addresses.
+      enum:
+      - SUSPICIOUS
+      - FLAGGED
+      example: FLAGGED
+      type: string
+      x-enum-varnames:
+      - SUSPICIOUS
+      - FLAGGED
     SecurityMonitoringRuleCaseActionOptionsUserBehaviorName:
       description: Used with the case action of type 'user_behavior'. The value specified
         in this field is applied as a risk tag to all users affected by the rule.
@@ -34309,11 +34322,13 @@ components:
       - block_ip
       - block_user
       - user_behavior
+      - flag_ip
       type: string
       x-enum-varnames:
       - BLOCK_IP
       - BLOCK_USER
       - USER_BEHAVIOR
+      - FLAG_IP
     SecurityMonitoringRuleCaseCreate:
       description: Case when signal is generated.
       properties:
diff --git a/cassettes/features/v2/security_monitoring/Create-a-detection-rule-with-type-application-security-returns-OK-response.frozen b/cassettes/features/v2/security_monitoring/Create-a-detection-rule-with-type-application-security-returns-OK-response.frozen
@@ -1 +1 @@
-2025-04-09T15:02:05.047Z
+2025-07-17T10:35:24.061Z
diff --git a/cassettes/features/v2/security_monitoring/Create-a-detection-rule-with-type-application-security-returns-OK-response.yml b/cassettes/features/v2/security_monitoring/Create-a-detection-rule-with-type-application-security-returns-OK-response.yml
diff --git a/examples/v2/security-monitoring/CreateSecurityMonitoringRule_1965169892.rb b/examples/v2/security-monitoring/CreateSecurityMonitoringRule_1965169892.rb
@@ -37,6 +37,12 @@
             user_behavior_name: "behavior",
           }),
         }),
+        DatadogAPIClient::V2::SecurityMonitoringRuleCaseAction.new({
+          type: DatadogAPIClient::V2::SecurityMonitoringRuleCaseActionType::FLAG_IP,
+          options: DatadogAPIClient::V2::SecurityMonitoringRuleCaseActionOptions.new({
+            flagged_ip_type: DatadogAPIClient::V2::SecurityMonitoringRuleCaseActionOptionsFlaggedIPType::FLAGGED,
+          }),
+        }),
       ],
     }),
   ],
diff --git a/features/v2/security_monitoring.feature b/features/v2/security_monitoring.feature
@@ -225,7 +225,7 @@ Feature: Security Monitoring
   @skip-validation @team:DataDog/k9-cloud-security-platform
   Scenario: Create a detection rule with type 'application_security 'returns "OK" response
     Given new "CreateSecurityMonitoringRule" request
-    And body with value {"type":"application_security","name":"{{unique}}_appsec_rule","queries":[{"query":"@appsec.security_activity:business_logic.users.login.failure","aggregation":"count","groupByFields":["service","@http.client_ip"],"distinctFields":[]}],"filters":[],"cases":[{"name":"","status":"info","notifications":[],"condition":"a > 100000","actions":[{"type":"block_ip","options":{"duration":900}}, {"type":"user_behavior","options":{"userBehaviorName":"behavior"}}]}],"options":{"keepAlive":3600,"maxSignalDuration":86400,"evaluationWindow":900,"detectionMethod":"threshold"},"isEnabled":true,"message":"Test rule","tags":[],"groupSignalsBy":["service"]}
+    And body with value {"type":"application_security","name":"{{unique}}_appsec_rule","queries":[{"query":"@appsec.security_activity:business_logic.users.login.failure","aggregation":"count","groupByFields":["service","@http.client_ip"],"distinctFields":[]}],"filters":[],"cases":[{"name":"","status":"info","notifications":[],"condition":"a > 100000","actions":[{"type":"block_ip","options":{"duration":900}}, {"type":"user_behavior","options":{"userBehaviorName":"behavior"}}, {"type":"flag_ip","options":{"flaggedIPType":"FLAGGED"}}]}],"options":{"keepAlive":3600,"maxSignalDuration":86400,"evaluationWindow":900,"detectionMethod":"threshold"},"isEnabled":true,"message":"Test rule","tags":[],"groupSignalsBy":["service"]}
     When the request is sent
     Then the response status is 200 OK
     And the response "name" is equal to "{{ unique }}_appsec_rule"
diff --git a/lib/datadog_api_client/inflector.rb b/lib/datadog_api_client/inflector.rb
@@ -3058,6 +3058,7 @@ def overrides
           "v2.security_monitoring_rule_case" => "SecurityMonitoringRuleCase",
           "v2.security_monitoring_rule_case_action" => "SecurityMonitoringRuleCaseAction",
           "v2.security_monitoring_rule_case_action_options" => "SecurityMonitoringRuleCaseActionOptions",
+          "v2.security_monitoring_rule_case_action_options_flagged_ip_type" => "SecurityMonitoringRuleCaseActionOptionsFlaggedIPType",
           "v2.security_monitoring_rule_case_action_type" => "SecurityMonitoringRuleCaseActionType",
           "v2.security_monitoring_rule_case_create" => "SecurityMonitoringRuleCaseCreate",
           "v2.security_monitoring_rule_convert_payload" => "SecurityMonitoringRuleConvertPayload",
diff --git a/lib/datadog_api_client/v2/models/security_monitoring_rule_case_action_options.rb b/lib/datadog_api_client/v2/models/security_monitoring_rule_case_action_options.rb
@@ -24,6 +24,9 @@ class SecurityMonitoringRuleCaseActionOptions
     # Duration of the action in seconds. 0 indicates no expiration.
     attr_reader :duration
 
+    # Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses.
+    attr_accessor :flagged_ip_type
+
     # Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.
     attr_accessor :user_behavior_name
 
@@ -34,6 +37,7 @@ class SecurityMonitoringRuleCaseActionOptions
     def self.attribute_map
       {
         :'duration' => :'duration',
+        :'flagged_ip_type' => :'flaggedIPType',
         :'user_behavior_name' => :'userBehaviorName'
       }
     end
@@ -43,6 +47,7 @@ def self.attribute_map
     def self.openapi_types
       {
         :'duration' => :'Integer',
+        :'flagged_ip_type' => :'SecurityMonitoringRuleCaseActionOptionsFlaggedIPType',
         :'user_behavior_name' => :'String'
       }
     end
@@ -69,6 +74,10 @@ def initialize(attributes = {})
         self.duration = attributes[:'duration']
       end
 
+      if attributes.key?(:'flagged_ip_type')
+        self.flagged_ip_type = attributes[:'flagged_ip_type']
+      end
+
       if attributes.key?(:'user_behavior_name')
         self.user_behavior_name = attributes[:'user_behavior_name']
       end
@@ -119,6 +128,7 @@ def ==(o)
       return true if self.equal?(o)
       self.class == o.class &&
           duration == o.duration &&
+          flagged_ip_type == o.flagged_ip_type &&
           user_behavior_name == o.user_behavior_name &&
           additional_properties == o.additional_properties
     end
@@ -127,7 +137,7 @@ def ==(o)
     # @return [Integer] Hash code
     # @!visibility private
     def hash
-      [duration, user_behavior_name, additional_properties].hash
+      [duration, flagged_ip_type, user_behavior_name, additional_properties].hash
     end
   end
 end
diff --git a/lib/datadog_api_client/v2/models/security_monitoring_rule_case_action_options_flagged_ip_type.rb b/lib/datadog_api_client/v2/models/security_monitoring_rule_case_action_options_flagged_ip_type.rb
@@ -0,0 +1,27 @@
+=begin
+#Datadog API V2 Collection
+
+#Collection of all Datadog Public endpoints.
+
+The version of the OpenAPI document: 1.0
+Contact: support@datadoghq.com
+Generated by: https://github.com/DataDog/datadog-api-client-ruby/tree/master/.generator
+
+ Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License.
+ This product includes software developed at Datadog (https://www.datadoghq.com/).
+ Copyright 2020-Present Datadog, Inc.
+
+=end
+
+require 'date'
+require 'time'
+
+module DatadogAPIClient::V2
+  # Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses.
+  class SecurityMonitoringRuleCaseActionOptionsFlaggedIPType
+    include BaseEnumModel
+
+    SUSPICIOUS = "SUSPICIOUS".freeze
+    FLAGGED = "FLAGGED".freeze
+  end
+end
diff --git a/lib/datadog_api_client/v2/models/security_monitoring_rule_case_action_type.rb b/lib/datadog_api_client/v2/models/security_monitoring_rule_case_action_type.rb
@@ -24,5 +24,6 @@ class SecurityMonitoringRuleCaseActionType
     BLOCK_IP = "block_ip".freeze
     BLOCK_USER = "block_user".freeze
     USER_BEHAVIOR = "user_behavior".freeze
+    FLAG_IP = "flag_ip".freeze
   end
 end

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`	`1`	`{`
`2`		`- "spec_repo_commit": "06ccc32",`
`3`		`- "generated": "2025-07-21 13:55:17.296"`
	`2`	`+ "spec_repo_commit": "8ca2883",`
	`3`	`+ "generated": "2025-07-22 07:14:48.428"`
`4`	`4`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-2025-04-09T15:02:05.047Z`
	`1`	`+2025-07-17T10:35:24.061Z`