Security Monitoring Suppression - Add data_exclusion_query field (#1940)

api-clients-generation-pipeline[bot] · ci.datadog-api-spec · web-flow · commit a570a0874705 · 2024-04-10T17:15:42.000Z
Co-authored-by: ci.datadog-api-spec &lt;packages@datadoghq.com&gt;
Co-authored-by: api-clients-generation-pipeline[bot] &lt;54105614+api-clients-generation-pipeline[bot]@users.noreply.github.com&gt;
diff --git a/.apigentools-info b/.apigentools-info
@@ -4,13 +4,13 @@
     "spec_versions": {
         "v1": {
             "apigentools_version": "1.6.6",
-            "regenerated": "2024-04-09 18:05:43.533229",
-            "spec_repo_commit": "fc718bc2"
+            "regenerated": "2024-04-10 15:01:01.395898",
+            "spec_repo_commit": "7e61ac0f"
         },
         "v2": {
             "apigentools_version": "1.6.6",
-            "regenerated": "2024-04-09 18:05:43.550344",
-            "spec_repo_commit": "fc718bc2"
+            "regenerated": "2024-04-10 15:01:01.412691",
+            "spec_repo_commit": "7e61ac0f"
         }
     }
 }
diff --git a/.generator/schemas/v2/openapi.yaml b/.generator/schemas/v2/openapi.yaml
@@ -18282,6 +18282,13 @@ components:
           type: integer
         creator:
           $ref: '#/components/schemas/SecurityMonitoringUser'
+        data_exclusion_query:
+          description: An exclusion query on the input data of the security rules,
+            which could be logs, Agent events, or other types of data based on the
+            security rule. Events matching this query are ignored by any detection
+            rules referenced in the suppression rule.
+          example: source:cloudtrail account_id:12345
+          type: string
         description:
           description: A description for the suppression rule.
           example: This rule suppresses low-severity signals in staging environments.
@@ -18330,6 +18337,13 @@ components:
       description: Object containing the attributes of the suppression rule to be
         created.
       properties:
+        data_exclusion_query:
+          description: An exclusion query on the input data of the security rules,
+            which could be logs, Agent events, or other types of data based on the
+            security rule. Events matching this query are ignored by any detection
+            rules referenced in the suppression rule.
+          example: source:cloudtrail account_id:12345
+          type: string
         description:
           description: A description for the suppression rule.
           example: This rule suppresses low-severity signals in staging environments.
@@ -18355,15 +18369,14 @@ components:
           type: string
         suppression_query:
           description: The suppression query of the suppression rule. If a signal
-            matches this query, it is suppressed and is not triggered . Same syntax
-            as the queries to search signals in the signal explorer.
+            matches this query, it is suppressed and is not triggered. It uses the
+            same syntax as the queries to search signals in the Signals Explorer.
           example: env:staging status:low
           type: string
       required:
       - name
       - enabled
       - rule_query
-      - suppression_query
       type: object
     SecurityMonitoringSuppressionCreateData:
       description: Object for a single suppression rule.
@@ -18407,6 +18420,13 @@ components:
     SecurityMonitoringSuppressionUpdateAttributes:
       description: The suppression rule properties to be updated.
       properties:
+        data_exclusion_query:
+          description: An exclusion query on the input data of the security rules,
+            which could be logs, Agent events, or other types of data based on the
+            security rule. Events matching this query are ignored by any detection
+            rules referenced in the suppression rule.
+          example: source:cloudtrail account_id:12345
+          type: string
         description:
           description: A description for the suppression rule.
           example: This rule suppresses low-severity signals in staging environments.
diff --git a/examples/v2/security-monitoring/CreateSecurityMonitoringSuppression_3192265332.py b/examples/v2/security-monitoring/CreateSecurityMonitoringSuppression_3192265332.py
@@ -0,0 +1,37 @@
+"""
+Create a suppression rule with an exclusion query returns "OK" response
+"""
+
+from datadog_api_client import ApiClient, Configuration
+from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
+from datadog_api_client.v2.model.security_monitoring_suppression_create_attributes import (
+    SecurityMonitoringSuppressionCreateAttributes,
+)
+from datadog_api_client.v2.model.security_monitoring_suppression_create_data import (
+    SecurityMonitoringSuppressionCreateData,
+)
+from datadog_api_client.v2.model.security_monitoring_suppression_create_request import (
+    SecurityMonitoringSuppressionCreateRequest,
+)
+from datadog_api_client.v2.model.security_monitoring_suppression_type import SecurityMonitoringSuppressionType
+
+body = SecurityMonitoringSuppressionCreateRequest(
+    data=SecurityMonitoringSuppressionCreateData(
+        attributes=SecurityMonitoringSuppressionCreateAttributes(
+            description="This rule suppresses low-severity signals in staging environments.",
+            enabled=True,
+            expiration_date=1703187336000,
+            name="Example-Security-Monitoring",
+            rule_query="type:log_detection source:cloudtrail",
+            data_exclusion_query="account_id:12345",
+        ),
+        type=SecurityMonitoringSuppressionType.SUPPRESSIONS,
+    ),
+)
+
+configuration = Configuration()
+with ApiClient(configuration) as api_client:
+    api_instance = SecurityMonitoringApi(api_client)
+    response = api_instance.create_security_monitoring_suppression(body=body)
+
+    print(response)
diff --git a/src/datadog_api_client/v2/model/security_monitoring_suppression_attributes.py b/src/datadog_api_client/v2/model/security_monitoring_suppression_attributes.py
@@ -31,6 +31,7 @@ def openapi_types(_):
         return {
             "creation_date": (int,),
             "creator": (SecurityMonitoringUser,),
+            "data_exclusion_query": (str,),
             "description": (str,),
             "enabled": (bool,),
             "expiration_date": (int,),
@@ -45,6 +46,7 @@ def openapi_types(_):
     attribute_map = {
         "creation_date": "creation_date",
         "creator": "creator",
+        "data_exclusion_query": "data_exclusion_query",
         "description": "description",
         "enabled": "enabled",
         "expiration_date": "expiration_date",
@@ -60,6 +62,7 @@ def __init__(
         self_,
         creation_date: Union[int, UnsetType] = unset,
         creator: Union[SecurityMonitoringUser, UnsetType] = unset,
+        data_exclusion_query: Union[str, UnsetType] = unset,
         description: Union[str, UnsetType] = unset,
         enabled: Union[bool, UnsetType] = unset,
         expiration_date: Union[int, UnsetType] = unset,
@@ -80,6 +83,9 @@ def __init__(
         :param creator: A user.
         :type creator: SecurityMonitoringUser, optional
 
+        :param data_exclusion_query: An exclusion query on the input data of the security rules, which could be logs, Agent events, or other types of data based on the security rule. Events matching this query are ignored by any detection rules referenced in the suppression rule.
+        :type data_exclusion_query: str, optional
+
         :param description: A description for the suppression rule.
         :type description: str, optional
 
@@ -111,6 +117,8 @@ def __init__(
             kwargs["creation_date"] = creation_date
         if creator is not unset:
             kwargs["creator"] = creator
+        if data_exclusion_query is not unset:
+            kwargs["data_exclusion_query"] = data_exclusion_query
         if description is not unset:
             kwargs["description"] = description
         if enabled is not unset:
diff --git a/src/datadog_api_client/v2/model/security_monitoring_suppression_create_attributes.py b/src/datadog_api_client/v2/model/security_monitoring_suppression_create_attributes.py
@@ -17,6 +17,7 @@ class SecurityMonitoringSuppressionCreateAttributes(ModelNormal):
     @cached_property
     def openapi_types(_):
         return {
+            "data_exclusion_query": (str,),
             "description": (str,),
             "enabled": (bool,),
             "expiration_date": (int,),
@@ -26,6 +27,7 @@ def openapi_types(_):
         }
 
     attribute_map = {
+        "data_exclusion_query": "data_exclusion_query",
         "description": "description",
         "enabled": "enabled",
         "expiration_date": "expiration_date",
@@ -39,14 +41,18 @@ def __init__(
         enabled: bool,
         name: str,
         rule_query: str,
-        suppression_query: str,
+        data_exclusion_query: Union[str, UnsetType] = unset,
         description: Union[str, UnsetType] = unset,
         expiration_date: Union[int, UnsetType] = unset,
+        suppression_query: Union[str, UnsetType] = unset,
         **kwargs,
     ):
         """
         Object containing the attributes of the suppression rule to be created.
 
+        :param data_exclusion_query: An exclusion query on the input data of the security rules, which could be logs, Agent events, or other types of data based on the security rule. Events matching this query are ignored by any detection rules referenced in the suppression rule.
+        :type data_exclusion_query: str, optional
+
         :param description: A description for the suppression rule.
         :type description: str, optional
 
@@ -62,16 +68,19 @@ def __init__(
         :param rule_query: The rule query of the suppression rule, with the same syntax as the search bar for detection rules.
         :type rule_query: str
 
-        :param suppression_query: The suppression query of the suppression rule. If a signal matches this query, it is suppressed and is not triggered . Same syntax as the queries to search signals in the signal explorer.
-        :type suppression_query: str
+        :param suppression_query: The suppression query of the suppression rule. If a signal matches this query, it is suppressed and is not triggered. It uses the same syntax as the queries to search signals in the Signals Explorer.
+        :type suppression_query: str, optional
         """
+        if data_exclusion_query is not unset:
+            kwargs["data_exclusion_query"] = data_exclusion_query
         if description is not unset:
             kwargs["description"] = description
         if expiration_date is not unset:
             kwargs["expiration_date"] = expiration_date
+        if suppression_query is not unset:
+            kwargs["suppression_query"] = suppression_query
         super().__init__(kwargs)
 
         self_.enabled = enabled
         self_.name = name
         self_.rule_query = rule_query
-        self_.suppression_query = suppression_query
diff --git a/src/datadog_api_client/v2/model/security_monitoring_suppression_update_attributes.py b/src/datadog_api_client/v2/model/security_monitoring_suppression_update_attributes.py
@@ -24,6 +24,7 @@ class SecurityMonitoringSuppressionUpdateAttributes(ModelNormal):
     @cached_property
     def openapi_types(_):
         return {
+            "data_exclusion_query": (str,),
             "description": (str,),
             "enabled": (bool,),
             "expiration_date": (int, none_type),
@@ -34,6 +35,7 @@ def openapi_types(_):
         }
 
     attribute_map = {
+        "data_exclusion_query": "data_exclusion_query",
         "description": "description",
         "enabled": "enabled",
         "expiration_date": "expiration_date",
@@ -45,6 +47,7 @@ def openapi_types(_):
 
     def __init__(
         self_,
+        data_exclusion_query: Union[str, UnsetType] = unset,
         description: Union[str, UnsetType] = unset,
         enabled: Union[bool, UnsetType] = unset,
         expiration_date: Union[int, none_type, UnsetType] = unset,
@@ -57,6 +60,9 @@ def __init__(
         """
         The suppression rule properties to be updated.
 
+        :param data_exclusion_query: An exclusion query on the input data of the security rules, which could be logs, Agent events, or other types of data based on the security rule. Events matching this query are ignored by any detection rules referenced in the suppression rule.
+        :type data_exclusion_query: str, optional
+
         :param description: A description for the suppression rule.
         :type description: str, optional
 
@@ -78,6 +84,8 @@ def __init__(
         :param version: The current version of the suppression. This is optional, but it can help prevent concurrent modifications.
         :type version: int, optional
         """
+        if data_exclusion_query is not unset:
+            kwargs["data_exclusion_query"] = data_exclusion_query
         if description is not unset:
             kwargs["description"] = description
         if enabled is not unset:
diff --git a/tests/v2/cassettes/test_scenarios/test_create_a_suppression_rule_returns_ok_response.frozen b/tests/v2/cassettes/test_scenarios/test_create_a_suppression_rule_returns_ok_response.frozen
@@ -1 +1 @@
-2024-01-11T10:06:23.179Z
+2024-04-08T09:56:58.589Z
diff --git a/tests/v2/cassettes/test_scenarios/test_create_a_suppression_rule_returns_ok_response.yaml b/tests/v2/cassettes/test_scenarios/test_create_a_suppression_rule_returns_ok_response.yaml
@@ -1,7 +1,7 @@
 interactions:
 - request:
     body: '{"data":{"attributes":{"description":"This rule suppresses low-severity
-      signals in staging environments.","enabled":true,"expiration_date":1703187336000,"name":"Test-Create_a_suppression_rule_returns_OK_response-1704967583","rule_query":"type:log_detection
+      signals in staging environments.","enabled":true,"expiration_date":1703187336000,"name":"Test-Create_a_suppression_rule_returns_OK_response-1712570218","rule_query":"type:log_detection
       source:cloudtrail","suppression_query":"env:staging status:low"},"type":"suppressions"}}'
     headers:
       accept:
@@ -12,9 +12,9 @@ interactions:
     uri: https://api.datadoghq.com/api/v2/security_monitoring/configuration/suppressions
   response:
     body:
-      string: '{"data":{"id":"5sx-nhj-htc","attributes":{"name":"Test-Create_a_suppression_rule_returns_OK_response-1704967583","enabled":true,"description":"This
+      string: '{"data":{"id":"mu8-qje-pys","attributes":{"name":"Test-Create_a_suppression_rule_returns_OK_response-1712570218","enabled":true,"description":"This
         rule suppresses low-severity signals in staging environments.","rule_query":"type:log_detection
-        source:cloudtrail","suppression_query":"env:staging status:low","expiration_date":1703187336000,"version":1,"creation_date":1704967583506,"update_date":1704967583506,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"suppressions"}}
+        source:cloudtrail","suppression_query":"env:staging status:low","log_exclusion_query":"","data_exclusion_query":"","expiration_date":1703187336000,"version":1,"creation_date":1712570219298,"update_date":1712570219298,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"suppressions"}}
 
         '
     headers:
@@ -29,7 +29,7 @@ interactions:
       accept:
       - '*/*'
     method: DELETE
-    uri: https://api.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/5sx-nhj-htc
+    uri: https://api.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/mu8-qje-pys
   response:
     body:
       string: ''
diff --git a/tests/v2/cassettes/test_scenarios/test_create_a_suppression_rule_with_an_exclusion_query_returns_ok_response.frozen b/tests/v2/cassettes/test_scenarios/test_create_a_suppression_rule_with_an_exclusion_query_returns_ok_response.frozen
@@ -0,0 +1 @@
+2024-04-08T09:57:01.815Z
diff --git a/tests/v2/cassettes/test_scenarios/test_create_a_suppression_rule_with_an_exclusion_query_returns_ok_response.yaml b/tests/v2/cassettes/test_scenarios/test_create_a_suppression_rule_with_an_exclusion_query_returns_ok_response.yaml
@@ -0,0 +1,42 @@
+interactions:
+- request:
+    body: '{"data":{"attributes":{"data_exclusion_query":"account_id:12345","description":"This
+      rule suppresses low-severity signals in staging environments.","enabled":true,"expiration_date":1703187336000,"name":"Test-Create_a_suppression_rule_with_an_exclusion_query_returns_OK_response-1712570221","rule_query":"type:log_detection
+      source:cloudtrail"},"type":"suppressions"}}'
+    headers:
+      accept:
+      - application/json
+      content-type:
+      - application/json
+    method: POST
+    uri: https://api.datadoghq.com/api/v2/security_monitoring/configuration/suppressions
+  response:
+    body:
+      string: '{"data":{"id":"2dj-cxs-dg6","attributes":{"name":"Test-Create_a_suppression_rule_with_an_exclusion_query_returns_OK_response-1712570221","enabled":true,"description":"This
+        rule suppresses low-severity signals in staging environments.","rule_query":"type:log_detection
+        source:cloudtrail","suppression_query":"","log_exclusion_query":"account_id:12345","data_exclusion_query":"account_id:12345","expiration_date":1703187336000,"version":1,"creation_date":1712570222285,"update_date":1712570222285,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"suppressions"}}
+
+        '
+    headers:
+      content-type:
+      - application/json
+    status:
+      code: 200
+      message: OK
+- request:
+    body: null
+    headers:
+      accept:
+      - '*/*'
+    method: DELETE
+    uri: https://api.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/2dj-cxs-dg6
+  response:
+    body:
+      string: ''
+    headers:
+      content-type:
+      - text/html; charset=utf-8
+    status:
+      code: 204
+      message: No Content
+version: 1
diff --git a/tests/v2/cassettes/test_scenarios/test_get_a_suppression_rule_returns_ok_response.frozen b/tests/v2/cassettes/test_scenarios/test_get_a_suppression_rule_returns_ok_response.frozen
@@ -1 +1 @@
-2024-01-11T10:06:31.876Z
+2024-04-08T09:57:31.186Z
diff --git a/tests/v2/cassettes/test_scenarios/test_get_a_suppression_rule_returns_ok_response.yaml b/tests/v2/cassettes/test_scenarios/test_get_a_suppression_rule_returns_ok_response.yaml
@@ -1,6 +1,6 @@
 interactions:
 - request:
-    body: '{"data":{"attributes":{"description":"Test-Get_a_suppression_rule_returns_OK_response-1704967591","enabled":true,"name":"Test-Get_a_suppression_rule_returns_OK_response-1704967591","rule_query":"source:cloudtrail","suppression_query":"env:test"},"type":"suppressions"}}'
+    body: '{"data":{"attributes":{"description":"Test-Get_a_suppression_rule_returns_OK_response-1712570251","enabled":true,"name":"Test-Get_a_suppression_rule_returns_OK_response-1712570251","rule_query":"source:cloudtrail","suppression_query":"env:test"},"type":"suppressions"}}'
     headers:
       accept:
       - application/json
@@ -10,7 +10,7 @@ interactions:
     uri: https://api.datadoghq.com/api/v2/security_monitoring/configuration/suppressions
   response:
     body:
-      string: '{"data":{"id":"vac-d9u-mmr","attributes":{"name":"Test-Get_a_suppression_rule_returns_OK_response-1704967591","enabled":true,"description":"Test-Get_a_suppression_rule_returns_OK_response-1704967591","rule_query":"source:cloudtrail","suppression_query":"env:test","version":1,"creation_date":1704967592204,"update_date":1704967592204,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"suppressions"}}
+      string: '{"data":{"id":"zrh-zwa-bgu","attributes":{"name":"Test-Get_a_suppression_rule_returns_OK_response-1712570251","enabled":true,"description":"Test-Get_a_suppression_rule_returns_OK_response-1712570251","rule_query":"source:cloudtrail","suppression_query":"env:test","log_exclusion_query":"","data_exclusion_query":"","version":1,"creation_date":1712570252683,"update_date":1712570252683,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"suppressions"}}
 
         '
     headers:
@@ -25,10 +25,10 @@ interactions:
       accept:
       - application/json
     method: GET
-    uri: https://api.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/vac-d9u-mmr
+    uri: https://api.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/zrh-zwa-bgu
   response:
     body:
-      string: '{"data":{"id":"vac-d9u-mmr","attributes":{"name":"Test-Get_a_suppression_rule_returns_OK_response-1704967591","enabled":true,"description":"Test-Get_a_suppression_rule_returns_OK_response-1704967591","rule_query":"source:cloudtrail","suppression_query":"env:test","version":1,"creation_date":1704967592204,"update_date":1704967592204,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"suppressions"}}
+      string: '{"data":{"id":"zrh-zwa-bgu","attributes":{"name":"Test-Get_a_suppression_rule_returns_OK_response-1712570251","enabled":true,"description":"Test-Get_a_suppression_rule_returns_OK_response-1712570251","rule_query":"source:cloudtrail","suppression_query":"env:test","log_exclusion_query":"","data_exclusion_query":"","version":1,"creation_date":1712570252683,"update_date":1712570252683,"creator":{"name":null,"handle":"frog@datadoghq.com"},"updater":{"name":null,"handle":"frog@datadoghq.com"}},"type":"suppressions"}}
 
         '
     headers:
@@ -43,7 +43,7 @@ interactions:
       accept:
       - '*/*'
     method: DELETE
-    uri: https://api.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/vac-d9u-mmr
+    uri: https://api.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/zrh-zwa-bgu
   response:
     body:
       string: ''
diff --git a/tests/v2/cassettes/test_scenarios/test_update_a_suppression_rule_returns_ok_response.frozen b/tests/v2/cassettes/test_scenarios/test_update_a_suppression_rule_returns_ok_response.frozen
@@ -1 +1 @@
-2024-01-11T10:06:37.000Z
+2024-04-08T09:57:43.431Z
diff --git a/tests/v2/cassettes/test_scenarios/test_update_a_suppression_rule_returns_ok_response.yaml b/tests/v2/cassettes/test_scenarios/test_update_a_suppression_rule_returns_ok_response.yaml
diff --git a/tests/v2/features/security_monitoring.feature b/tests/v2/features/security_monitoring.feature

Original file line number	Diff line number	Diff line change
`@@ -4,13 +4,13 @@`
`4`	`4`	`"spec_versions": {`
`5`	`5`	`"v1": {`
`6`	`6`	`"apigentools_version": "1.6.6",`
`7`		`- "regenerated": "2024-04-09 18:05:43.533229",`
`8`		`- "spec_repo_commit": "fc718bc2"`
	`7`	`+ "regenerated": "2024-04-10 15:01:01.395898",`
	`8`	`+ "spec_repo_commit": "7e61ac0f"`
`9`	`9`	`},`
`10`	`10`	`"v2": {`
`11`	`11`	`"apigentools_version": "1.6.6",`
`12`		`- "regenerated": "2024-04-09 18:05:43.550344",`
`13`		`- "spec_repo_commit": "fc718bc2"`
	`12`	`+ "regenerated": "2024-04-10 15:01:01.412691",`
	`13`	`+ "spec_repo_commit": "7e61ac0f"`
`14`	`14`	`}`
`15`	`15`	`}`
`16`	`16`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-2024-01-11T10:06:23.179Z`
	`1`	`+2024-04-08T09:56:58.589Z`