Support Cloud SIEM scheduled rules in API client (#2725)

Co-authored-by: ci.datadog-api-spec <[email protected]>

Author: api-clients-generation-pipeline[bot]

.generated-info

@@ -1,4 +1,4 @@
 {
-  "spec_repo_commit": "c5cca50",
-  "generated": "2025-08-07 18:03:26.051"
+  "spec_repo_commit": "d02c8a3",
+  "generated": "2025-08-08 12:07:20.979"
 }

.generator/schemas/v2/openapi.yaml

@@ -36336,6 +36336,12 @@ components:
     SecurityMonitoringRuleUpdatePayload:
       description: Update an existing rule.
       properties:
+        calculatedFields:
+          description: Calculated fields. Only allowed for scheduled rules - in other
+            words, when schedulingOptions is also defined.
+          items:
+            $ref: '#/components/schemas/CalculatedField'
+          type: array
         cases:
           description: Cases for generating signals.
           items:
@@ -36392,6 +36398,8 @@ components:
           items:
             $ref: '#/components/schemas/SecurityMonitoringReferenceTable'
           type: array
+        schedulingOptions:
+          $ref: '#/components/schemas/SecurityMonitoringSchedulingOptions'
         tags:
           description: Tags for generated signals.
           items:
@@ -36418,6 +36426,27 @@ components:
       - $ref: '#/components/schemas/SecurityMonitoringStandardRulePayload'
       - $ref: '#/components/schemas/SecurityMonitoringSignalRulePayload'
       - $ref: '#/components/schemas/CloudConfigurationRulePayload'
+    SecurityMonitoringSchedulingOptions:
+      description: Options for scheduled rules. When this field is present, the rule
+        runs based on the schedule. When absent, it runs real-time on ingested logs.
+      nullable: true
+      properties:
+        rrule:
+          description: Schedule for the rule queries, written in RRULE syntax. See
+            [RFC](https://icalendar.org/iCalendar-RFC-5545/3-8-5-3-recurrence-rule.html)
+            for syntax reference.
+          example: FREQ=HOURLY;INTERVAL=1;
+          type: string
+        start:
+          description: Start date for the schedule, in ISO 8601 format without timezone.
+          example: '2025-07-14T12:00:00'
+          type: string
+        timezone:
+          description: Time zone of the start date, in the [tz database](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones)
+            format.
+          example: America/New_York
+          type: string
+      type: object
     SecurityMonitoringSignal:
       description: Object description of a security signal.
       properties:
@@ -37096,6 +37125,12 @@ components:
     SecurityMonitoringStandardRuleCreatePayload:
       description: Create a new rule.
       properties:
+        calculatedFields:
+          description: Calculated fields. Only allowed for scheduled rules - in other
+            words, when schedulingOptions is also defined.
+          items:
+            $ref: '#/components/schemas/CalculatedField'
+          type: array
         cases:
           description: Cases for generating signals.
           example: []
@@ -37148,6 +37183,8 @@ components:
           items:
             $ref: '#/components/schemas/SecurityMonitoringReferenceTable'
           type: array
+        schedulingOptions:
+          $ref: '#/components/schemas/SecurityMonitoringSchedulingOptions'
         tags:
           description: Tags for generated signals.
           example:
@@ -37177,6 +37214,12 @@ components:
     SecurityMonitoringStandardRulePayload:
       description: The payload of a rule.
       properties:
+        calculatedFields:
+          description: Calculated fields. Only allowed for scheduled rules - in other
+            words, when schedulingOptions is also defined.
+          items:
+            $ref: '#/components/schemas/CalculatedField'
+          type: array
         cases:
           description: Cases for generating signals.
           example: []
@@ -37237,6 +37280,8 @@ components:
           items:
             $ref: '#/components/schemas/SecurityMonitoringReferenceTable'
           type: array
+        schedulingOptions:
+          $ref: '#/components/schemas/SecurityMonitoringSchedulingOptions'
         tags:
           description: Tags for generated signals.
           example:
@@ -37293,6 +37338,14 @@ components:
           example: false
           readOnly: true
           type: boolean
+        index:
+          description: '**This field is currently unstable and might be removed in
+            a minor version upgrade.**
+
+            The index to run the query on, if the `dataSource` is `logs`. Only used
+            for scheduled rules - in other words, when the `schedulingOptions` field
+            is present in the rule payload.'
+          type: string
         metric:
           deprecated: true
           description: '(Deprecated) The target field to aggregate over when using
@@ -37320,6 +37373,12 @@ components:
     SecurityMonitoringStandardRuleResponse:
       description: Rule.
       properties:
+        calculatedFields:
+          description: Calculated fields. Only allowed for scheduled rules - in other
+            words, when schedulingOptions is also defined.
+          items:
+            $ref: '#/components/schemas/CalculatedField'
+          type: array
         cases:
           description: Cases for generating signals.
           items:
@@ -37405,6 +37464,8 @@ components:
           items:
             $ref: '#/components/schemas/SecurityMonitoringReferenceTable'
           type: array
+        schedulingOptions:
+          $ref: '#/components/schemas/SecurityMonitoringSchedulingOptions'
         tags:
           description: Tags for generated signals.
           items:
@@ -37436,6 +37497,12 @@ components:
     SecurityMonitoringStandardRuleTestPayload:
       description: The payload of a rule to test
       properties:
+        calculatedFields:
+          description: Calculated fields. Only allowed for scheduled rules - in other
+            words, when schedulingOptions is also defined.
+          items:
+            $ref: '#/components/schemas/CalculatedField'
+          type: array
         cases:
           description: Cases for generating signals.
           example: []
@@ -37488,6 +37555,8 @@ components:
           items:
             $ref: '#/components/schemas/SecurityMonitoringReferenceTable'
           type: array
+        schedulingOptions:
+          $ref: '#/components/schemas/SecurityMonitoringSchedulingOptions'
         tags:
           description: Tags for generated signals.
           example:

docs/datadog_api_client.v2.model.rst

@@ -16237,6 +16237,13 @@ datadog\_api\_client.v2.model.security\_monitoring\_rule\_validate\_payload modu
    :members:
    :show-inheritance:
 
+datadog\_api\_client.v2.model.security\_monitoring\_scheduling\_options module
+------------------------------------------------------------------------------
+
+.. automodule:: datadog_api_client.v2.model.security_monitoring_scheduling_options
+   :members:
+   :show-inheritance:
+
 datadog\_api\_client.v2.model.security\_monitoring\_signal module
 -----------------------------------------------------------------
 

examples/v2/security-monitoring/CreateSecurityMonitoringRule_868881438.py

@@ -0,0 +1,68 @@
+"""
+Create a scheduled detection rule returns "OK" response
+"""
+
+from datadog_api_client import ApiClient, Configuration
+from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
+from datadog_api_client.v2.model.security_monitoring_rule_case_create import SecurityMonitoringRuleCaseCreate
+from datadog_api_client.v2.model.security_monitoring_rule_evaluation_window import (
+    SecurityMonitoringRuleEvaluationWindow,
+)
+from datadog_api_client.v2.model.security_monitoring_rule_keep_alive import SecurityMonitoringRuleKeepAlive
+from datadog_api_client.v2.model.security_monitoring_rule_max_signal_duration import (
+    SecurityMonitoringRuleMaxSignalDuration,
+)
+from datadog_api_client.v2.model.security_monitoring_rule_options import SecurityMonitoringRuleOptions
+from datadog_api_client.v2.model.security_monitoring_rule_query_aggregation import (
+    SecurityMonitoringRuleQueryAggregation,
+)
+from datadog_api_client.v2.model.security_monitoring_rule_severity import SecurityMonitoringRuleSeverity
+from datadog_api_client.v2.model.security_monitoring_rule_type_create import SecurityMonitoringRuleTypeCreate
+from datadog_api_client.v2.model.security_monitoring_scheduling_options import SecurityMonitoringSchedulingOptions
+from datadog_api_client.v2.model.security_monitoring_standard_rule_create_payload import (
+    SecurityMonitoringStandardRuleCreatePayload,
+)
+from datadog_api_client.v2.model.security_monitoring_standard_rule_query import SecurityMonitoringStandardRuleQuery
+
+body = SecurityMonitoringStandardRuleCreatePayload(
+    name="Example-Security-Monitoring",
+    queries=[
+        SecurityMonitoringStandardRuleQuery(
+            query="@test:true",
+            aggregation=SecurityMonitoringRuleQueryAggregation.COUNT,
+            group_by_fields=[],
+            distinct_fields=[],
+            index="main",
+        ),
+    ],
+    filters=[],
+    cases=[
+        SecurityMonitoringRuleCaseCreate(
+            name="",
+            status=SecurityMonitoringRuleSeverity.INFO,
+            condition="a > 0",
+            notifications=[],
+        ),
+    ],
+    options=SecurityMonitoringRuleOptions(
+        evaluation_window=SecurityMonitoringRuleEvaluationWindow.FIFTEEN_MINUTES,
+        keep_alive=SecurityMonitoringRuleKeepAlive.ONE_HOUR,
+        max_signal_duration=SecurityMonitoringRuleMaxSignalDuration.ONE_DAY,
+    ),
+    message="Test rule",
+    tags=[],
+    is_enabled=True,
+    type=SecurityMonitoringRuleTypeCreate.LOG_DETECTION,
+    scheduling_options=SecurityMonitoringSchedulingOptions(
+        rrule="FREQ=HOURLY;INTERVAL=2;",
+        start="2025-06-18T12:00:00",
+        timezone="Europe/Paris",
+    ),
+)
+
+configuration = Configuration()
+with ApiClient(configuration) as api_client:
+    api_instance = SecurityMonitoringApi(api_client)
+    response = api_instance.create_security_monitoring_rule(body=body)
+
+    print(response)

src/datadog_api_client/v2/model/security_monitoring_rule_convert_payload.py

@@ -15,6 +15,9 @@ def __init__(self, **kwargs):
         """
         Convert a rule from JSON to Terraform.
 
+        :param calculated_fields: Calculated fields. Only allowed for scheduled rules - in other words, when schedulingOptions is also defined.
+        :type calculated_fields: [CalculatedField], optional
+
         :param cases: Cases for generating signals.
         :type cases: [SecurityMonitoringRuleCaseCreate]
 
@@ -51,6 +54,9 @@ def __init__(self, **kwargs):
         :param reference_tables: Reference tables for the rule.
         :type reference_tables: [SecurityMonitoringReferenceTable], optional
 
+        :param scheduling_options: Options for scheduled rules. When this field is present, the rule runs based on the schedule. When absent, it runs real-time on ingested logs.
+        :type scheduling_options: SecurityMonitoringSchedulingOptions, none_type, optional
+
         :param tags: Tags for generated signals.
         :type tags: [str], optional
 

src/datadog_api_client/v2/model/security_monitoring_rule_create_payload.py

@@ -15,6 +15,9 @@ def __init__(self, **kwargs):
         """
         Create a new rule.
 
+        :param calculated_fields: Calculated fields. Only allowed for scheduled rules - in other words, when schedulingOptions is also defined.
+        :type calculated_fields: [CalculatedField], optional
+
         :param cases: Cases for generating signals.
         :type cases: [SecurityMonitoringRuleCaseCreate]
 
@@ -45,6 +48,9 @@ def __init__(self, **kwargs):
         :param reference_tables: Reference tables for the rule.
         :type reference_tables: [SecurityMonitoringReferenceTable], optional
 
+        :param scheduling_options: Options for scheduled rules. When this field is present, the rule runs based on the schedule. When absent, it runs real-time on ingested logs.
+        :type scheduling_options: SecurityMonitoringSchedulingOptions, none_type, optional
+
         :param tags: Tags for generated signals.
         :type tags: [str], optional
 

src/datadog_api_client/v2/model/security_monitoring_rule_query.py

@@ -33,6 +33,10 @@ def __init__(self, **kwargs):
         :param has_optional_group_by_fields: When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with `N/A`, replacing the missing values.
         :type has_optional_group_by_fields: bool, optional
 
+        :param index: **This field is currently unstable and might be removed in a minor version upgrade.**
+            The index to run the query on, if the `dataSource` is `logs`. Only used for scheduled rules - in other words, when the `schedulingOptions` field is present in the rule payload.
+        :type index: str, optional
+
         :param metric: (Deprecated) The target field to aggregate over when using the sum or max
             aggregations. `metrics` field should be used instead.
         :type metric: str, optional

src/datadog_api_client/v2/model/security_monitoring_rule_response.py

@@ -15,6 +15,9 @@ def __init__(self, **kwargs):
         """
         Create a new rule.
 
+        :param calculated_fields: Calculated fields. Only allowed for scheduled rules - in other words, when schedulingOptions is also defined.
+        :type calculated_fields: [CalculatedField], optional
+
         :param cases: Cases for generating signals.
         :type cases: [SecurityMonitoringRuleCase], optional
 
@@ -75,6 +78,9 @@ def __init__(self, **kwargs):
         :param reference_tables: Reference tables for the rule.
         :type reference_tables: [SecurityMonitoringReferenceTable], optional
 
+        :param scheduling_options: Options for scheduled rules. When this field is present, the rule runs based on the schedule. When absent, it runs real-time on ingested logs.
+        :type scheduling_options: SecurityMonitoringSchedulingOptions, none_type, optional
+
         :param tags: Tags for generated signals.
         :type tags: [str], optional
 

src/datadog_api_client/v2/model/security_monitoring_rule_test_payload.py

@@ -15,6 +15,9 @@ def __init__(self, **kwargs):
         """
         Test a rule.
 
+        :param calculated_fields: Calculated fields. Only allowed for scheduled rules - in other words, when schedulingOptions is also defined.
+        :type calculated_fields: [CalculatedField], optional
+
         :param cases: Cases for generating signals.
         :type cases: [SecurityMonitoringRuleCaseCreate]
 
@@ -45,6 +48,9 @@ def __init__(self, **kwargs):
         :param reference_tables: Reference tables for the rule.
         :type reference_tables: [SecurityMonitoringReferenceTable], optional
 
+        :param scheduling_options: Options for scheduled rules. When this field is present, the rule runs based on the schedule. When absent, it runs real-time on ingested logs.
+        :type scheduling_options: SecurityMonitoringSchedulingOptions, none_type, optional
+
         :param tags: Tags for generated signals.
         :type tags: [str], optional