Add sequence detection to security monitoring rules (#2666)

Co-authored-by: ci.datadog-api-spec <[email protected]>

Author: api-clients-generation-pipeline[bot]

.generator/schemas/v2/openapi.yaml

@@ -20470,6 +20470,8 @@ components:
           $ref: '#/components/schemas/SecurityMonitoringRuleMaxSignalDuration'
         newValueOptions:
           $ref: '#/components/schemas/SecurityMonitoringRuleNewValueOptions'
+        sequenceDetectionOptions:
+          $ref: '#/components/schemas/SecurityMonitoringRuleSequenceDetectionOptions'
         thirdPartyRuleOptions:
           $ref: '#/components/schemas/SecurityMonitoringRuleThirdPartyOptions'
       type: object
@@ -40786,6 +40788,7 @@ components:
       - hardcoded
       - third_party
       - anomaly_threshold
+      - sequence_detection
       type: string
       x-enum-varnames:
       - THRESHOLD
@@ -40795,6 +40798,7 @@ components:
       - HARDCODED
       - THIRD_PARTY
       - ANOMALY_THRESHOLD
+      - SEQUENCE_DETECTION
     SecurityMonitoringRuleEvaluationWindow:
       description: 'A time window is specified to match when at least one of the cases
         matches true. This is a sliding window
@@ -41008,6 +41012,8 @@ components:
           $ref: '#/components/schemas/SecurityMonitoringRuleMaxSignalDuration'
         newValueOptions:
           $ref: '#/components/schemas/SecurityMonitoringRuleNewValueOptions'
+        sequenceDetectionOptions:
+          $ref: '#/components/schemas/SecurityMonitoringRuleSequenceDetectionOptions'
         thirdPartyRuleOptions:
           $ref: '#/components/schemas/SecurityMonitoringRuleThirdPartyOptions'
       type: object
@@ -41083,6 +41089,47 @@ components:
       oneOf:
       - $ref: '#/components/schemas/SecurityMonitoringStandardRuleResponse'
       - $ref: '#/components/schemas/SecurityMonitoringSignalRuleResponse'
+    SecurityMonitoringRuleSequenceDetectionOptions:
+      description: Options on sequence detection method.
+      properties:
+        stepTransitions:
+          description: Transitions defining the allowed order of steps and their evaluation
+            windows.
+          items:
+            $ref: '#/components/schemas/SecurityMonitoringRuleSequenceDetectionStepTransition'
+          type: array
+        steps:
+          description: Steps that define the conditions to be matched in sequence.
+          items:
+            $ref: '#/components/schemas/SecurityMonitoringRuleSequenceDetectionStep'
+          type: array
+      type: object
+    SecurityMonitoringRuleSequenceDetectionStep:
+      description: Step definition for sequence detection containing the step name,
+        condition, and evaluation window.
+      properties:
+        condition:
+          description: Condition referencing rule queries (e.g., `a > 0`).
+          type: string
+        evaluationWindow:
+          $ref: '#/components/schemas/SecurityMonitoringRuleEvaluationWindow'
+        name:
+          description: Unique name identifying the step.
+          type: string
+      type: object
+    SecurityMonitoringRuleSequenceDetectionStepTransition:
+      description: Transition from a parent step to a child step within a sequence
+        detection rule.
+      properties:
+        child:
+          description: Name of the child step.
+          type: string
+        evaluationWindow:
+          $ref: '#/components/schemas/SecurityMonitoringRuleEvaluationWindow'
+        parent:
+          description: Name of the parent step.
+          type: string
+      type: object
     SecurityMonitoringRuleSeverity:
       description: Severity of the Security Signal.
       enum:

cassettes/features/v2/security_monitoring/Create-a-detection-rule-with-detection-method-sequence-detection-returns-OK-response.frozen

@@ -0,0 +1 @@
+2025-09-12T15:45:55.719Z

cassettes/features/v2/security_monitoring/Create-a-detection-rule-with-detection-method-sequence-detection-returns-OK-response.yml

@@ -0,0 +1 @@
+2025-09-12T15:43:48.016Z

cassettes/features/v2/security_monitoring/Validate-a-detection-rule-with-detection-method-sequence-detection-returns-OK-response.frozen

@@ -0,0 +1,68 @@
+# Create a detection rule with detection method 'sequence_detection' returns "OK" response
+
+require "datadog_api_client"
+api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
+
+body = DatadogAPIClient::V2::SecurityMonitoringStandardRuleCreatePayload.new({
+  name: "Example-Security-Monitoring",
+  type: DatadogAPIClient::V2::SecurityMonitoringRuleTypeCreate::LOG_DETECTION,
+  is_enabled: true,
+  queries: [
+    DatadogAPIClient::V2::SecurityMonitoringStandardRuleQuery.new({
+      aggregation: DatadogAPIClient::V2::SecurityMonitoringRuleQueryAggregation::COUNT,
+      data_source: DatadogAPIClient::V2::SecurityMonitoringStandardDataSource::LOGS,
+      distinct_fields: [],
+      group_by_fields: [],
+      has_optional_group_by_fields: false,
+      name: "",
+      query: "service:logs-rule-reducer source:paul test2",
+    }),
+    DatadogAPIClient::V2::SecurityMonitoringStandardRuleQuery.new({
+      aggregation: DatadogAPIClient::V2::SecurityMonitoringRuleQueryAggregation::COUNT,
+      data_source: DatadogAPIClient::V2::SecurityMonitoringStandardDataSource::LOGS,
+      distinct_fields: [],
+      group_by_fields: [],
+      has_optional_group_by_fields: false,
+      name: "",
+      query: "service:logs-rule-reducer source:paul test1",
+    }),
+  ],
+  cases: [
+    DatadogAPIClient::V2::SecurityMonitoringRuleCaseCreate.new({
+      name: "",
+      status: DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::INFO,
+      notifications: [],
+      condition: "step_b > 0",
+    }),
+  ],
+  message: "Logs and signals asdf",
+  options: DatadogAPIClient::V2::SecurityMonitoringRuleOptions.new({
+    detection_method: DatadogAPIClient::V2::SecurityMonitoringRuleDetectionMethod::SEQUENCE_DETECTION,
+    evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::ZERO_MINUTES,
+    keep_alive: DatadogAPIClient::V2::SecurityMonitoringRuleKeepAlive::FIVE_MINUTES,
+    max_signal_duration: DatadogAPIClient::V2::SecurityMonitoringRuleMaxSignalDuration::TEN_MINUTES,
+    sequence_detection_options: DatadogAPIClient::V2::SecurityMonitoringRuleSequenceDetectionOptions.new({
+      step_transitions: [
+        DatadogAPIClient::V2::SecurityMonitoringRuleSequenceDetectionStepTransition.new({
+          child: "step_b",
+          evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::FIFTEEN_MINUTES,
+          parent: "step_a",
+        }),
+      ],
+      steps: [
+        DatadogAPIClient::V2::SecurityMonitoringRuleSequenceDetectionStep.new({
+          condition: "a > 0",
+          evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::ONE_MINUTE,
+          name: "step_a",
+        }),
+        DatadogAPIClient::V2::SecurityMonitoringRuleSequenceDetectionStep.new({
+          condition: "b > 0",
+          evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::ONE_MINUTE,
+          name: "step_b",
+        }),
+      ],
+    }),
+  }),
+  tags: [],
+})
+p api_instance.create_security_monitoring_rule(body)

cassettes/features/v2/security_monitoring/Validate-a-detection-rule-with-detection-method-sequence-detection-returns-OK-response.yml

@@ -0,0 +1,70 @@
+# Validate a detection rule with detection method 'sequence_detection' returns "OK" response
+
+require "datadog_api_client"
+api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
+
+body = DatadogAPIClient::V2::SecurityMonitoringStandardRulePayload.new({
+  cases: [
+    DatadogAPIClient::V2::SecurityMonitoringRuleCaseCreate.new({
+      name: "",
+      status: DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::INFO,
+      notifications: [],
+      condition: "step_b > 0",
+    }),
+  ],
+  has_extended_title: true,
+  is_enabled: true,
+  message: "My security monitoring rule",
+  name: "My security monitoring rule",
+  options: DatadogAPIClient::V2::SecurityMonitoringRuleOptions.new({
+    evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::ZERO_MINUTES,
+    keep_alive: DatadogAPIClient::V2::SecurityMonitoringRuleKeepAlive::FIVE_MINUTES,
+    max_signal_duration: DatadogAPIClient::V2::SecurityMonitoringRuleMaxSignalDuration::TEN_MINUTES,
+    detection_method: DatadogAPIClient::V2::SecurityMonitoringRuleDetectionMethod::SEQUENCE_DETECTION,
+    sequence_detection_options: DatadogAPIClient::V2::SecurityMonitoringRuleSequenceDetectionOptions.new({
+      step_transitions: [
+        DatadogAPIClient::V2::SecurityMonitoringRuleSequenceDetectionStepTransition.new({
+          child: "step_b",
+          evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::FIFTEEN_MINUTES,
+          parent: "step_a",
+        }),
+      ],
+      steps: [
+        DatadogAPIClient::V2::SecurityMonitoringRuleSequenceDetectionStep.new({
+          condition: "a > 0",
+          evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::ONE_MINUTE,
+          name: "step_a",
+        }),
+        DatadogAPIClient::V2::SecurityMonitoringRuleSequenceDetectionStep.new({
+          condition: "b > 0",
+          evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::ONE_MINUTE,
+          name: "step_b",
+        }),
+      ],
+    }),
+  }),
+  queries: [
+    DatadogAPIClient::V2::SecurityMonitoringStandardRuleQuery.new({
+      query: "source:source_here",
+      group_by_fields: [
+        "@userIdentity.assumed_role",
+      ],
+      distinct_fields: [],
+      aggregation: DatadogAPIClient::V2::SecurityMonitoringRuleQueryAggregation::COUNT,
+      name: "",
+    }),
+    DatadogAPIClient::V2::SecurityMonitoringStandardRuleQuery.new({
+      query: "source:source_here2",
+      group_by_fields: [],
+      distinct_fields: [],
+      aggregation: DatadogAPIClient::V2::SecurityMonitoringRuleQueryAggregation::COUNT,
+      name: "",
+    }),
+  ],
+  tags: [
+    "env:prod",
+    "team:security",
+  ],
+  type: DatadogAPIClient::V2::SecurityMonitoringRuleTypeCreate::LOG_DETECTION,
+})
+api_instance.validate_security_monitoring_rule(body)

examples/v2/security-monitoring/CreateSecurityMonitoringRule_2899714190.rb

@@ -211,6 +211,16 @@ Feature: Security Monitoring
     And the response "message" is equal to "Test rule"
     And the response "referenceTables" is equal to [{"tableName": "synthetics_test_reference_table_dont_delete", "columnName": "value", "logFieldPath":"testtag", "checkPresence":true, "ruleQueryName":"a"}]
 
+  @team:DataDog/k9-cloud-security-platform
+  Scenario: Create a detection rule with detection method 'sequence_detection' returns "OK" response
+    Given new "CreateSecurityMonitoringRule" request
+    And body with value {"name":"{{ unique }}","type":"log_detection","isEnabled":true,"queries":[{"aggregation":"count","dataSource":"logs","distinctFields":[],"groupByFields":[],"hasOptionalGroupByFields":false,"name":"","query":"service:logs-rule-reducer source:paul test2"},{"aggregation":"count","dataSource":"logs","distinctFields":[],"groupByFields":[],"hasOptionalGroupByFields":false,"name":"","query":"service:logs-rule-reducer source:paul test1"}],"cases":[{"name":"","status":"info","notifications":[],"condition":"step_b > 0"}],"message":"Logs and signals asdf","options":{"detectionMethod":"sequence_detection","evaluationWindow":0,"keepAlive":300,"maxSignalDuration":600,"sequenceDetectionOptions":{"stepTransitions":[{"child":"step_b","evaluationWindow":900,"parent":"step_a"}],"steps":[{"condition":"a > 0","evaluationWindow":60,"name":"step_a"},{"condition":"b > 0","evaluationWindow":60,"name":"step_b"}]}},"tags":[]}
+    When the request is sent
+    Then the response status is 200 OK
+    And the response "name" is equal to "{{ unique }}"
+    And the response "type" is equal to "log_detection"
+    And the response "options.detectionMethod" is equal to "sequence_detection"
+
   @team:DataDog/k9-cloud-security-platform
   Scenario: Create a detection rule with detection method 'third_party' returns "OK" response
     Given new "CreateSecurityMonitoringRule" request
@@ -1483,6 +1493,13 @@ Feature: Security Monitoring
     When the request is sent
     Then the response status is 204 OK
 
+  @team:DataDog/k9-cloud-security-platform
+  Scenario: Validate a detection rule with detection method 'sequence_detection' returns "OK" response
+    Given new "ValidateSecurityMonitoringRule" request
+    And body with value {"cases":[{"name":"","status":"info","notifications":[],"condition":"step_b > 0"}],"hasExtendedTitle":true,"isEnabled":true,"message":"My security monitoring rule","name":"My security monitoring rule","options":{"evaluationWindow":0,"keepAlive":300,"maxSignalDuration":600,"detectionMethod":"sequence_detection","sequenceDetectionOptions":{"stepTransitions":[{"child":"step_b","evaluationWindow":900,"parent":"step_a"}],"steps":[{"condition":"a > 0","evaluationWindow":60,"name":"step_a"},{"condition":"b > 0","evaluationWindow":60,"name":"step_b"}]}},"queries":[{"query":"source:source_here","groupByFields":["@userIdentity.assumed_role"],"distinctFields":[],"aggregation":"count","name":""},{"query":"source:source_here2","groupByFields":[],"distinctFields":[],"aggregation":"count","name":""}],"tags":["env:prod","team:security"],"type":"log_detection"}
+    When the request is sent
+    Then the response status is 204 OK
+
   @team:DataDog/k9-cloud-security-platform
   Scenario: Validate a suppression rule returns "Bad Request" response
     Given new "ValidateSecurityMonitoringSuppression" request

examples/v2/security-monitoring/ValidateSecurityMonitoringRule_4152369508.rb

@@ -3521,6 +3521,9 @@ def overrides
           "v2.security_monitoring_rule_query_payload" => "SecurityMonitoringRuleQueryPayload",
           "v2.security_monitoring_rule_query_payload_data" => "SecurityMonitoringRuleQueryPayloadData",
           "v2.security_monitoring_rule_response" => "SecurityMonitoringRuleResponse",
+          "v2.security_monitoring_rule_sequence_detection_options" => "SecurityMonitoringRuleSequenceDetectionOptions",
+          "v2.security_monitoring_rule_sequence_detection_step" => "SecurityMonitoringRuleSequenceDetectionStep",
+          "v2.security_monitoring_rule_sequence_detection_step_transition" => "SecurityMonitoringRuleSequenceDetectionStepTransition",
           "v2.security_monitoring_rule_severity" => "SecurityMonitoringRuleSeverity",
           "v2.security_monitoring_rule_test_payload" => "SecurityMonitoringRuleTestPayload",
           "v2.security_monitoring_rule_test_request" => "SecurityMonitoringRuleTestRequest",