Flag IP case action (#2714)

Co-authored-by: ci.datadog-api-spec <[email protected]>

Author: api-clients-generation-pipeline[bot]

.generated-info

@@ -1,4 +1,4 @@
 {
-  "spec_repo_commit": "06ccc32",
-  "generated": "2025-07-21 13:55:33.672"
+  "spec_repo_commit": "8ca2883",
+  "generated": "2025-07-22 07:15:04.416"
 }

.generator/schemas/v2/openapi.yaml

@@ -34296,9 +34296,22 @@ components:
           format: int64
           minimum: 0
           type: integer
+        flaggedIPType:
+          $ref: '#/components/schemas/SecurityMonitoringRuleCaseActionOptionsFlaggedIPType'
         userBehaviorName:
           $ref: '#/components/schemas/SecurityMonitoringRuleCaseActionOptionsUserBehaviorName'
       type: object
+    SecurityMonitoringRuleCaseActionOptionsFlaggedIPType:
+      description: Used with the case action of type 'flag_ip'. The value specified
+        in this field is applied as a flag to the IP addresses.
+      enum:
+      - SUSPICIOUS
+      - FLAGGED
+      example: FLAGGED
+      type: string
+      x-enum-varnames:
+      - SUSPICIOUS
+      - FLAGGED
     SecurityMonitoringRuleCaseActionOptionsUserBehaviorName:
       description: Used with the case action of type 'user_behavior'. The value specified
         in this field is applied as a risk tag to all users affected by the rule.
@@ -34309,11 +34322,13 @@ components:
       - block_ip
       - block_user
       - user_behavior
+      - flag_ip
       type: string
       x-enum-varnames:
       - BLOCK_IP
       - BLOCK_USER
       - USER_BEHAVIOR
+      - FLAG_IP
     SecurityMonitoringRuleCaseCreate:
       description: Case when signal is generated.
       properties:

docs/datadog_api_client.v2.model.rst

@@ -14963,6 +14963,13 @@ datadog\_api\_client.v2.model.security\_monitoring\_rule\_case\_action\_options
    :members:
    :show-inheritance:
 
+datadog\_api\_client.v2.model.security\_monitoring\_rule\_case\_action\_options\_flagged\_ip\_type module
+---------------------------------------------------------------------------------------------------------
+
+.. automodule:: datadog_api_client.v2.model.security_monitoring_rule_case_action_options_flagged_ip_type
+   :members:
+   :show-inheritance:
+
 datadog\_api\_client.v2.model.security\_monitoring\_rule\_case\_action\_type module
 -----------------------------------------------------------------------------------
 

examples/v2/security-monitoring/CreateSecurityMonitoringRule_1965169892.py

@@ -8,6 +8,9 @@
 from datadog_api_client.v2.model.security_monitoring_rule_case_action_options import (
     SecurityMonitoringRuleCaseActionOptions,
 )
+from datadog_api_client.v2.model.security_monitoring_rule_case_action_options_flagged_ip_type import (
+    SecurityMonitoringRuleCaseActionOptionsFlaggedIPType,
+)
 from datadog_api_client.v2.model.security_monitoring_rule_case_action_type import SecurityMonitoringRuleCaseActionType
 from datadog_api_client.v2.model.security_monitoring_rule_case_create import SecurityMonitoringRuleCaseCreate
 from datadog_api_client.v2.model.security_monitoring_rule_detection_method import SecurityMonitoringRuleDetectionMethod
@@ -63,6 +66,12 @@
                         user_behavior_name="behavior",
                     ),
                 ),
+                SecurityMonitoringRuleCaseAction(
+                    type=SecurityMonitoringRuleCaseActionType.FLAG_IP,
+                    options=SecurityMonitoringRuleCaseActionOptions(
+                        flagged_ip_type=SecurityMonitoringRuleCaseActionOptionsFlaggedIPType.FLAGGED,
+                    ),
+                ),
             ],
         ),
     ],

src/datadog_api_client/v2/model/security_monitoring_rule_case_action_options.py

@@ -3,7 +3,7 @@
 # Copyright 2019-Present Datadog, Inc.
 from __future__ import annotations
 
-from typing import Union
+from typing import Union, TYPE_CHECKING
 
 from datadog_api_client.model_utils import (
     ModelNormal,
@@ -13,6 +13,12 @@
 )
 
 
+if TYPE_CHECKING:
+    from datadog_api_client.v2.model.security_monitoring_rule_case_action_options_flagged_ip_type import (
+        SecurityMonitoringRuleCaseActionOptionsFlaggedIPType,
+    )
+
+
 class SecurityMonitoringRuleCaseActionOptions(ModelNormal):
     validations = {
         "duration": {
@@ -22,30 +28,45 @@ class SecurityMonitoringRuleCaseActionOptions(ModelNormal):
 
     @cached_property
     def openapi_types(_):
+        from datadog_api_client.v2.model.security_monitoring_rule_case_action_options_flagged_ip_type import (
+            SecurityMonitoringRuleCaseActionOptionsFlaggedIPType,
+        )
+
         return {
             "duration": (int,),
+            "flagged_ip_type": (SecurityMonitoringRuleCaseActionOptionsFlaggedIPType,),
             "user_behavior_name": (str,),
         }
 
     attribute_map = {
         "duration": "duration",
+        "flagged_ip_type": "flaggedIPType",
         "user_behavior_name": "userBehaviorName",
     }
 
     def __init__(
-        self_, duration: Union[int, UnsetType] = unset, user_behavior_name: Union[str, UnsetType] = unset, **kwargs
+        self_,
+        duration: Union[int, UnsetType] = unset,
+        flagged_ip_type: Union[SecurityMonitoringRuleCaseActionOptionsFlaggedIPType, UnsetType] = unset,
+        user_behavior_name: Union[str, UnsetType] = unset,
+        **kwargs,
     ):
         """
         Options for the rule action
 
         :param duration: Duration of the action in seconds. 0 indicates no expiration.
         :type duration: int, optional
 
+        :param flagged_ip_type: Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses.
+        :type flagged_ip_type: SecurityMonitoringRuleCaseActionOptionsFlaggedIPType, optional
+
         :param user_behavior_name: Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.
         :type user_behavior_name: str, optional
         """
         if duration is not unset:
             kwargs["duration"] = duration
+        if flagged_ip_type is not unset:
+            kwargs["flagged_ip_type"] = flagged_ip_type
         if user_behavior_name is not unset:
             kwargs["user_behavior_name"] = user_behavior_name
         super().__init__(kwargs)

src/datadog_api_client/v2/model/security_monitoring_rule_case_action_options_flagged_ip_type.py

@@ -0,0 +1,42 @@
+# Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License.
+# This product includes software developed at Datadog (https://www.datadoghq.com/).
+# Copyright 2019-Present Datadog, Inc.
+from __future__ import annotations
+
+
+from datadog_api_client.model_utils import (
+    ModelSimple,
+    cached_property,
+)
+
+from typing import ClassVar
+
+
+class SecurityMonitoringRuleCaseActionOptionsFlaggedIPType(ModelSimple):
+    """
+    Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses.
+
+    :param value: Must be one of ["SUSPICIOUS", "FLAGGED"].
+    :type value: str
+    """
+
+    allowed_values = {
+        "SUSPICIOUS",
+        "FLAGGED",
+    }
+    SUSPICIOUS: ClassVar["SecurityMonitoringRuleCaseActionOptionsFlaggedIPType"]
+    FLAGGED: ClassVar["SecurityMonitoringRuleCaseActionOptionsFlaggedIPType"]
+
+    @cached_property
+    def openapi_types(_):
+        return {
+            "value": (str,),
+        }
+
+
+SecurityMonitoringRuleCaseActionOptionsFlaggedIPType.SUSPICIOUS = SecurityMonitoringRuleCaseActionOptionsFlaggedIPType(
+    "SUSPICIOUS"
+)
+SecurityMonitoringRuleCaseActionOptionsFlaggedIPType.FLAGGED = SecurityMonitoringRuleCaseActionOptionsFlaggedIPType(
+    "FLAGGED"
+)

src/datadog_api_client/v2/model/security_monitoring_rule_case_action_type.py

@@ -16,18 +16,20 @@ class SecurityMonitoringRuleCaseActionType(ModelSimple):
     """
     The action type.
 
-    :param value: Must be one of ["block_ip", "block_user", "user_behavior"].
+    :param value: Must be one of ["block_ip", "block_user", "user_behavior", "flag_ip"].
     :type value: str
     """
 
     allowed_values = {
         "block_ip",
         "block_user",
         "user_behavior",
+        "flag_ip",
     }
     BLOCK_IP: ClassVar["SecurityMonitoringRuleCaseActionType"]
     BLOCK_USER: ClassVar["SecurityMonitoringRuleCaseActionType"]
     USER_BEHAVIOR: ClassVar["SecurityMonitoringRuleCaseActionType"]
+    FLAG_IP: ClassVar["SecurityMonitoringRuleCaseActionType"]
 
     @cached_property
     def openapi_types(_):
@@ -39,3 +41,4 @@ def openapi_types(_):
 SecurityMonitoringRuleCaseActionType.BLOCK_IP = SecurityMonitoringRuleCaseActionType("block_ip")
 SecurityMonitoringRuleCaseActionType.BLOCK_USER = SecurityMonitoringRuleCaseActionType("block_user")
 SecurityMonitoringRuleCaseActionType.USER_BEHAVIOR = SecurityMonitoringRuleCaseActionType("user_behavior")
+SecurityMonitoringRuleCaseActionType.FLAG_IP = SecurityMonitoringRuleCaseActionType("flag_ip")

src/datadog_api_client/v2/models/__init__.py

@@ -2918,6 +2918,9 @@
 from datadog_api_client.v2.model.security_monitoring_rule_case_action_options import (
     SecurityMonitoringRuleCaseActionOptions,
 )
+from datadog_api_client.v2.model.security_monitoring_rule_case_action_options_flagged_ip_type import (
+    SecurityMonitoringRuleCaseActionOptionsFlaggedIPType,
+)
 from datadog_api_client.v2.model.security_monitoring_rule_case_action_type import SecurityMonitoringRuleCaseActionType
 from datadog_api_client.v2.model.security_monitoring_rule_case_create import SecurityMonitoringRuleCaseCreate
 from datadog_api_client.v2.model.security_monitoring_rule_convert_payload import SecurityMonitoringRuleConvertPayload
@@ -5768,6 +5771,7 @@
     "SecurityMonitoringRuleCase",
     "SecurityMonitoringRuleCaseAction",
     "SecurityMonitoringRuleCaseActionOptions",
+    "SecurityMonitoringRuleCaseActionOptionsFlaggedIPType",
     "SecurityMonitoringRuleCaseActionType",
     "SecurityMonitoringRuleCaseCreate",
     "SecurityMonitoringRuleConvertPayload",

tests/v2/cassettes/test_scenarios/test_create_a_detection_rule_with_type_application_security_returns_ok_response.frozen

@@ -1 +1 @@
-2025-04-09T15:02:05.047Z
+2025-07-17T10:35:24.061Z

tests/v2/cassettes/test_scenarios/test_create_a_detection_rule_with_type_application_security_returns_ok_response.yaml

@@ -1,8 +1,8 @@
 interactions:
 - request:
-    body: '{"cases":[{"actions":[{"options":{"duration":900},"type":"block_ip"},{"options":{"userBehaviorName":"behavior"},"type":"user_behavior"}],"condition":"a
+    body: '{"cases":[{"actions":[{"options":{"duration":900},"type":"block_ip"},{"options":{"userBehaviorName":"behavior"},"type":"user_behavior"},{"options":{"flaggedIPType":"FLAGGED"},"type":"flag_ip"}],"condition":"a
       > 100000","name":"","notifications":[],"status":"info"}],"filters":[],"groupSignalsBy":["service"],"isEnabled":true,"message":"Test
-      rule","name":"Test-Create_a_detection_rule_with_type_application_security_returns_OK_response-1744210925_appsec_rule","options":{"detectionMethod":"threshold","evaluationWindow":900,"keepAlive":3600,"maxSignalDuration":86400},"queries":[{"aggregation":"count","distinctFields":[],"groupByFields":["service","@http.client_ip"],"query":"@appsec.security_activity:business_logic.users.login.failure"}],"tags":[],"type":"application_security"}'
+      rule","name":"Test-Create_a_detection_rule_with_type_application_security_returns_OK_response-1752748524_appsec_rule","options":{"detectionMethod":"threshold","evaluationWindow":900,"keepAlive":3600,"maxSignalDuration":86400},"queries":[{"aggregation":"count","distinctFields":[],"groupByFields":["service","@http.client_ip"],"query":"@appsec.security_activity:business_logic.users.login.failure"}],"tags":[],"type":"application_security"}'
     headers:
       accept:
       - application/json
@@ -12,9 +12,9 @@ interactions:
     uri: https://api.datadoghq.com/api/v2/security_monitoring/rules
   response:
     body:
-      string: '{"name":"Test-Create_a_detection_rule_with_type_application_security_returns_OK_response-1744210925_appsec_rule","createdAt":1744210925675,"isDefault":false,"isPartner":false,"isEnabled":true,"isBeta":false,"isDeleted":false,"isDeprecated":false,"queries":[{"query":"@appsec.security_activity:business_logic.users.login.failure","groupByFields":["service","@http.client_ip"],"hasOptionalGroupByFields":false,"distinctFields":[],"aggregation":"count","name":"","dataSource":"app_sec_spans"}],"options":{"evaluationWindow":900,"detectionMethod":"threshold","maxSignalDuration":86400,"keepAlive":3600},"cases":[{"name":"","status":"info","notifications":[],"condition":"a
-        \u003e 100000","actions":[{"type":"block_ip","options":{"duration":900}},{"type":"user_behavior","options":{"userBehaviorName":"behavior"}}]}],"message":"Test
-        rule","tags":[],"hasExtendedTitle":false,"type":"application_security","filters":[],"version":1,"id":"lfr-zxg-fyc","blocking":true,"groupSignalsBy":["service"],"dependencies":["business_logic.users.login.failure"],"metadata":{"entities":null,"sources":null},"creationAuthorId":2320499,"creator":{"handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","name":"CI
+      string: '{"name":"Test-Create_a_detection_rule_with_type_application_security_returns_OK_response-1752748524_appsec_rule","createdAt":1752748524806,"isDefault":false,"isPartner":false,"isEnabled":true,"isBeta":false,"isDeleted":false,"isDeprecated":false,"queries":[{"query":"@appsec.security_activity:business_logic.users.login.failure","groupByFields":["service","@http.client_ip"],"hasOptionalGroupByFields":false,"distinctFields":[],"aggregation":"count","name":"","dataSource":"app_sec_spans"}],"options":{"evaluationWindow":900,"detectionMethod":"threshold","maxSignalDuration":86400,"keepAlive":3600},"cases":[{"name":"","status":"info","notifications":[],"condition":"a
+        \u003e 100000","actions":[{"type":"block_ip","options":{"duration":900}},{"type":"user_behavior","options":{"userBehaviorName":"behavior"}},{"type":"flag_ip","options":{"flaggedIPType":"FLAGGED"}}]}],"message":"Test
+        rule","tags":[],"hasExtendedTitle":false,"type":"application_security","filters":[],"version":1,"id":"wgo-lgy-ajy","blocking":true,"groupSignalsBy":["service"],"dependencies":["business_logic.users.login.failure"],"metadata":{"entities":null,"sources":null},"creationAuthorId":2320499,"creator":{"handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","name":"CI
         Account"},"updater":{"handle":"","name":""}}'
     headers:
       content-type:
@@ -28,7 +28,7 @@ interactions:
       accept:
       - '*/*'
     method: DELETE
-    uri: https://api.datadoghq.com/api/v2/security_monitoring/rules/lfr-zxg-fyc
+    uri: https://api.datadoghq.com/api/v2/security_monitoring/rules/wgo-lgy-ajy
   response:
     body:
       string: ''