47 changes: 47 additions & 0 deletions .generator/schemas/v2/openapi.yaml
Expand Up @@ -20470,6 +20470,8 @@ components:
$ref: '#/components/schemas/SecurityMonitoringRuleMaxSignalDuration'
newValueOptions:
$ref: '#/components/schemas/SecurityMonitoringRuleNewValueOptions'
sequenceDetectionOptions:
$ref: '#/components/schemas/SecurityMonitoringRuleSequenceDetectionOptions'
thirdPartyRuleOptions:
$ref: '#/components/schemas/SecurityMonitoringRuleThirdPartyOptions'
type: object
Expand Down Expand Up @@ -40786,6 +40788,7 @@ components:
- hardcoded
- third_party
- anomaly_threshold
- sequence_detection
type: string
x-enum-varnames:
- THRESHOLD
Expand All @@ -40795,6 +40798,7 @@ components:
- HARDCODED
- THIRD_PARTY
- ANOMALY_THRESHOLD
- SEQUENCE_DETECTION
SecurityMonitoringRuleEvaluationWindow:
description: 'A time window is specified to match when at least one of the cases
matches true. This is a sliding window
Expand Down Expand Up @@ -41008,6 +41012,8 @@ components:
$ref: '#/components/schemas/SecurityMonitoringRuleMaxSignalDuration'
newValueOptions:
$ref: '#/components/schemas/SecurityMonitoringRuleNewValueOptions'
sequenceDetectionOptions:
$ref: '#/components/schemas/SecurityMonitoringRuleSequenceDetectionOptions'
thirdPartyRuleOptions:
$ref: '#/components/schemas/SecurityMonitoringRuleThirdPartyOptions'
type: object
Expand Down Expand Up @@ -41083,6 +41089,47 @@ components:
oneOf:
- $ref: '#/components/schemas/SecurityMonitoringStandardRuleResponse'
- $ref: '#/components/schemas/SecurityMonitoringSignalRuleResponse'
SecurityMonitoringRuleSequenceDetectionOptions:
description: Options on sequence detection method.
properties:
stepTransitions:
description: Transitions defining the allowed order of steps and their evaluation
windows.
items:
$ref: '#/components/schemas/SecurityMonitoringRuleSequenceDetectionStepTransition'
type: array
steps:
description: Steps that define the conditions to be matched in sequence.
items:
$ref: '#/components/schemas/SecurityMonitoringRuleSequenceDetectionStep'
type: array
type: object
SecurityMonitoringRuleSequenceDetectionStep:
description: Step definition for sequence detection containing the step name,
condition, and evaluation window.
properties:
condition:
description: Condition referencing rule queries (e.g., `a > 0`).
type: string
evaluationWindow:
$ref: '#/components/schemas/SecurityMonitoringRuleEvaluationWindow'
name:
description: Unique name identifying the step.
type: string
type: object
SecurityMonitoringRuleSequenceDetectionStepTransition:
description: Transition from a parent step to a child step within a sequence
detection rule.
properties:
child:
description: Name of the child step.
type: string
evaluationWindow:
$ref: '#/components/schemas/SecurityMonitoringRuleEvaluationWindow'
parent:
description: Name of the parent step.
type: string
type: object
SecurityMonitoringRuleSeverity:
description: Severity of the Security Signal.
enum:
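Review bot: `SecurityMonitoringRuleSequenceDetectionStepTransition.evaluationWindow` is a bare `$ref` to `SecurityMonitoringRuleEvaluationWindow`, whose own description speaks of "at least one of the cases" matching, so a reader cannot tell what the window bounds for a transition (presumably the time allowed between the parent step matching and the child step matching); the step's `evaluationWindow` has the same gap. Since a `description` sibling of `$ref` is ignored in OpenAPI 3.0, I would state it in the object's `description`, e.g. `Transition from a parent step to a child step within a sequence detection rule. The evaluation window bounds the time between the parent step and the child step matching.`, if that is the intended meaning. `parent` and `child` are free-form strings with nothing saying they must equal a step `name`, and none of `steps`, `stepTransitions`, `name`, `parent` or `child` is listed under `required`, so a rule with dangling or cyclic transitions is representable in the schema and server-side validation is presumably the only guard. A sentence such as `Must match the name of a step in steps.` on `parent` and `child`, and a `required` list where the API actually rejects omissions, would make that contract explicit to client authors.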
@@ -0,0 +1,96 @@
// Create a detection rule with detection method 'sequence_detection' returns "OK"
// response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleCaseCreate;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleCreatePayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleDetectionMethod;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleEvaluationWindow;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleKeepAlive;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleMaxSignalDuration;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleOptions;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleQueryAggregation;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSequenceDetectionOptions;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSequenceDetectionStep;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSequenceDetectionStepTransition;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSeverity;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleTypeCreate;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardDataSource;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRuleCreatePayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRuleQuery;

#[tokio::main]
async fn main() {
let body =
SecurityMonitoringRuleCreatePayload::SecurityMonitoringStandardRuleCreatePayload(Box::new(
SecurityMonitoringStandardRuleCreatePayload::new(
vec![
SecurityMonitoringRuleCaseCreate::new(SecurityMonitoringRuleSeverity::INFO)
.condition("step_b > 0".to_string())
.name("".to_string())
.notifications(vec![]),
],
true,
"Logs and signals asdf".to_string(),
"Example-Security-Monitoring".to_string(),
SecurityMonitoringRuleOptions::new()
.detection_method(SecurityMonitoringRuleDetectionMethod::SEQUENCE_DETECTION)
.evaluation_window(SecurityMonitoringRuleEvaluationWindow::ZERO_MINUTES)
.keep_alive(SecurityMonitoringRuleKeepAlive::FIVE_MINUTES)
.max_signal_duration(SecurityMonitoringRuleMaxSignalDuration::TEN_MINUTES)
.sequence_detection_options(
SecurityMonitoringRuleSequenceDetectionOptions::new()
.step_transitions(vec![
SecurityMonitoringRuleSequenceDetectionStepTransition::new()
.child("step_b".to_string())
.evaluation_window(
SecurityMonitoringRuleEvaluationWindow::FIFTEEN_MINUTES,
)
.parent("step_a".to_string()),
])
.steps(vec![
SecurityMonitoringRuleSequenceDetectionStep::new()
.condition("a > 0".to_string())
.evaluation_window(
SecurityMonitoringRuleEvaluationWindow::ONE_MINUTE,
)
.name("step_a".to_string()),
SecurityMonitoringRuleSequenceDetectionStep::new()
.condition("b > 0".to_string())
.evaluation_window(
SecurityMonitoringRuleEvaluationWindow::ONE_MINUTE,
)
.name("step_b".to_string()),
]),
),
vec![
SecurityMonitoringStandardRuleQuery::new()
.aggregation(SecurityMonitoringRuleQueryAggregation::COUNT)
.data_source(SecurityMonitoringStandardDataSource::LOGS)
.distinct_fields(vec![])
.group_by_fields(vec![])
.has_optional_group_by_fields(false)
.name("".to_string())
.query("service:logs-rule-reducer source:paul test2".to_string()),
SecurityMonitoringStandardRuleQuery::new()
.aggregation(SecurityMonitoringRuleQueryAggregation::COUNT)
.data_source(SecurityMonitoringStandardDataSource::LOGS)
.distinct_fields(vec![])
.group_by_fields(vec![])
.has_optional_group_by_fields(false)
.name("".to_string())
.query("service:logs-rule-reducer source:paul test1".to_string()),
],
)
.tags(vec![])
.type_(SecurityMonitoringRuleTypeCreate::LOG_DETECTION),
));
let configuration = datadog::Configuration::new();
let api = SecurityMonitoringAPI::with_config(configuration);
let resp = api.create_security_monitoring_rule(body).await;
if let Ok(value) = resp {
println!("{:#?}", value);
} else {
println!("{:#?}", resp.unwrap_err());
}
}
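Review bot: The `"Logs and signals asdf"` argument and the queries `"service:logs-rule-reducer source:paul test2"` / `"... test1"` read as leftover values from a recorded fixture rather than illustrative example input, and they differ from the validate example in this PR, which uses `"My security monitoring rule"` and `"source:source_here"`. I would align them, e.g. `"My security monitoring rule".to_string()` for the message-like argument and `"source:source_here".to_string()` / `"source:source_here2".to_string()` for the two queries; if this example is generated from a feature scenario, the change belongs in that scenario. Separately, the `if let Ok(value) = resp { … } else { println!("{:#?}", resp.unwrap_err()); }` tail reads more naturally as `match resp { Ok(value) => println!("{:#?}", value), Err(err) => println!("{:#?}", err) }`, though this follows the existing example template and the same tail appears in the validate example.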
@@ -0,0 +1,92 @@
// Validate a detection rule with detection method 'sequence_detection' returns
// "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleCaseCreate;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleDetectionMethod;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleEvaluationWindow;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleKeepAlive;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleMaxSignalDuration;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleOptions;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleQueryAggregation;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSequenceDetectionOptions;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSequenceDetectionStep;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSequenceDetectionStepTransition;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSeverity;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleTypeCreate;
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleValidatePayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRulePayload;
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRuleQuery;

#[tokio::main]
async fn main() {
let body =
SecurityMonitoringRuleValidatePayload::SecurityMonitoringStandardRulePayload(Box::new(
SecurityMonitoringStandardRulePayload::new(
vec![
SecurityMonitoringRuleCaseCreate::new(SecurityMonitoringRuleSeverity::INFO)
.condition("step_b > 0".to_string())
.name("".to_string())
.notifications(vec![]),
],
true,
"My security monitoring rule".to_string(),
"My security monitoring rule".to_string(),
SecurityMonitoringRuleOptions::new()
.detection_method(SecurityMonitoringRuleDetectionMethod::SEQUENCE_DETECTION)
.evaluation_window(SecurityMonitoringRuleEvaluationWindow::ZERO_MINUTES)
.keep_alive(SecurityMonitoringRuleKeepAlive::FIVE_MINUTES)
.max_signal_duration(SecurityMonitoringRuleMaxSignalDuration::TEN_MINUTES)
.sequence_detection_options(
SecurityMonitoringRuleSequenceDetectionOptions::new()
.step_transitions(vec![
SecurityMonitoringRuleSequenceDetectionStepTransition::new()
.child("step_b".to_string())
.evaluation_window(
SecurityMonitoringRuleEvaluationWindow::FIFTEEN_MINUTES,
)
.parent("step_a".to_string()),
])
.steps(vec![
SecurityMonitoringRuleSequenceDetectionStep::new()
.condition("a > 0".to_string())
.evaluation_window(
SecurityMonitoringRuleEvaluationWindow::ONE_MINUTE,
)
.name("step_a".to_string()),
SecurityMonitoringRuleSequenceDetectionStep::new()
.condition("b > 0".to_string())
.evaluation_window(
SecurityMonitoringRuleEvaluationWindow::ONE_MINUTE,
)
.name("step_b".to_string()),
]),
),
vec![
SecurityMonitoringStandardRuleQuery::new()
.aggregation(SecurityMonitoringRuleQueryAggregation::COUNT)
.distinct_fields(vec![])
.group_by_fields(vec!["@userIdentity.assumed_role".to_string()])
.name("".to_string())
.query("source:source_here".to_string()),
SecurityMonitoringStandardRuleQuery::new()
.aggregation(SecurityMonitoringRuleQueryAggregation::COUNT)
.distinct_fields(vec![])
.group_by_fields(vec![])
.name("".to_string())
.query("source:source_here2".to_string()),
],
)
.has_extended_title(true)
.tags(vec!["env:prod".to_string(), "team:security".to_string()])
.type_(SecurityMonitoringRuleTypeCreate::LOG_DETECTION),
));
let configuration = datadog::Configuration::new();
let api = SecurityMonitoringAPI::with_config(configuration);
let resp = api.validate_security_monitoring_rule(body).await;
if let Ok(value) = resp {
println!("{:#?}", value);
} else {
println!("{:#?}", resp.unwrap_err());
}
}
6 changes: 6 additions & 0 deletions src/datadogV2/model/mod.rs
Expand Up @@ -5222,6 +5222,12 @@ pub mod model_security_monitoring_rule_new_value_options_learning_method;
pub use self::model_security_monitoring_rule_new_value_options_learning_method::SecurityMonitoringRuleNewValueOptionsLearningMethod;
pub mod model_security_monitoring_rule_new_value_options_learning_threshold;
pub use self::model_security_monitoring_rule_new_value_options_learning_threshold::SecurityMonitoringRuleNewValueOptionsLearningThreshold;
pub mod model_security_monitoring_rule_sequence_detection_options;
pub use self::model_security_monitoring_rule_sequence_detection_options::SecurityMonitoringRuleSequenceDetectionOptions;
pub mod model_security_monitoring_rule_sequence_detection_step_transition;
pub use self::model_security_monitoring_rule_sequence_detection_step_transition::SecurityMonitoringRuleSequenceDetectionStepTransition;
pub mod model_security_monitoring_rule_sequence_detection_step;
pub use self::model_security_monitoring_rule_sequence_detection_step::SecurityMonitoringRuleSequenceDetectionStep;
pub mod model_security_monitoring_rule_third_party_options;
pub use self::model_security_monitoring_rule_third_party_options::SecurityMonitoringRuleThirdPartyOptions;
pub mod model_security_monitoring_third_party_root_query;
24 changes: 24 additions & 0 deletions src/datadogV2/model/model_historical_job_options.rs
Expand Up @@ -34,6 +34,10 @@ pub struct HistoricalJobOptions {
/// Options on new value detection method.
#[serde(rename = "newValueOptions")]
pub new_value_options: Option<crate::datadogV2::model::SecurityMonitoringRuleNewValueOptions>,
/// Options on sequence detection method.
#[serde(rename = "sequenceDetectionOptions")]
pub sequence_detection_options:
Option<crate::datadogV2::model::SecurityMonitoringRuleSequenceDetectionOptions>,
/// Options on third party detection method.
#[serde(rename = "thirdPartyRuleOptions")]
pub third_party_rule_options:
Expand All @@ -54,6 +58,7 @@ impl HistoricalJobOptions {
keep_alive: None,
max_signal_duration: None,
new_value_options: None,
sequence_detection_options: None,
third_party_rule_options: None,
additional_properties: std::collections::BTreeMap::new(),
_unparsed: false,
Expand Down Expand Up @@ -108,6 +113,14 @@ impl HistoricalJobOptions {
self
}

pub fn sequence_detection_options(
mut self,
value: crate::datadogV2::model::SecurityMonitoringRuleSequenceDetectionOptions,
) -> Self {
self.sequence_detection_options = Some(value);
self
}

pub fn third_party_rule_options(
mut self,
value: crate::datadogV2::model::SecurityMonitoringRuleThirdPartyOptions,
Expand Down Expand Up @@ -166,6 +179,9 @@ impl<'de> Deserialize<'de> for HistoricalJobOptions {
let mut new_value_options: Option<
crate::datadogV2::model::SecurityMonitoringRuleNewValueOptions,
> = None;
let mut sequence_detection_options: Option<
crate::datadogV2::model::SecurityMonitoringRuleSequenceDetectionOptions,
> = None;
let mut third_party_rule_options: Option<
crate::datadogV2::model::SecurityMonitoringRuleThirdPartyOptions,
> = None;
Expand Down Expand Up @@ -250,6 +266,13 @@ impl<'de> Deserialize<'de> for HistoricalJobOptions {
new_value_options =
Some(serde_json::from_value(v).map_err(M::Error::custom)?);
}
"sequenceDetectionOptions" => {
if v.is_null() {
continue;
}
sequence_detection_options =
Some(serde_json::from_value(v).map_err(M::Error::custom)?);
}
"thirdPartyRuleOptions" => {
if v.is_null() {
continue;
Expand All @@ -272,6 +295,7 @@ impl<'de> Deserialize<'de> for HistoricalJobOptions {
keep_alive,
max_signal_duration,
new_value_options,
sequence_detection_options,
third_party_rule_options,
additional_properties,
_unparsed,
Expand Up @@ -14,6 +14,7 @@ pub enum SecurityMonitoringRuleDetectionMethod {
HARDCODED,
THIRD_PARTY,
ANOMALY_THRESHOLD,
SEQUENCE_DETECTION,
UnparsedObject(crate::datadog::UnparsedObject),
}

Expand All @@ -27,6 +28,7 @@ impl ToString for SecurityMonitoringRuleDetectionMethod {
Self::HARDCODED => String::from("hardcoded"),
Self::THIRD_PARTY => String::from("third_party"),
Self::ANOMALY_THRESHOLD => String::from("anomaly_threshold"),
Self::SEQUENCE_DETECTION => String::from("sequence_detection"),
Self::UnparsedObject(v) => v.value.to_string(),
}
}
Expand Down Expand Up @@ -58,6 +60,7 @@ impl<'de> Deserialize<'de> for SecurityMonitoringRuleDetectionMethod {
"hardcoded" => Self::HARDCODED,
"third_party" => Self::THIRD_PARTY,
"anomaly_threshold" => Self::ANOMALY_THRESHOLD,
"sequence_detection" => Self::SEQUENCE_DETECTION,
_ => Self::UnparsedObject(crate::datadog::UnparsedObject {
value: serde_json::Value::String(s.into()),
}),