Flag IP case action (#2539)

Co-authored-by: ci.datadog-api-spec <[email protected]>

Author: api-clients-generation-pipeline[bot]

.generated-info

@@ -1,4 +1,4 @@
 {
-  "spec_repo_commit": "06ccc32",
-  "generated": "2025-07-21 13:56:34.429"
+  "spec_repo_commit": "8ca2883",
+  "generated": "2025-07-22 07:16:03.042"
 }

.generator/schemas/v2/openapi.yaml

@@ -34296,9 +34296,22 @@ components:
           format: int64
           minimum: 0
           type: integer
+        flaggedIPType:
+          $ref: '#/components/schemas/SecurityMonitoringRuleCaseActionOptionsFlaggedIPType'
         userBehaviorName:
           $ref: '#/components/schemas/SecurityMonitoringRuleCaseActionOptionsUserBehaviorName'
       type: object
+    SecurityMonitoringRuleCaseActionOptionsFlaggedIPType:
+      description: Used with the case action of type 'flag_ip'. The value specified
+        in this field is applied as a flag to the IP addresses.
+      enum:
+      - SUSPICIOUS
+      - FLAGGED
+      example: FLAGGED
+      type: string
+      x-enum-varnames:
+      - SUSPICIOUS
+      - FLAGGED
     SecurityMonitoringRuleCaseActionOptionsUserBehaviorName:
       description: Used with the case action of type 'user_behavior'. The value specified
         in this field is applied as a risk tag to all users affected by the rule.
@@ -34309,11 +34322,13 @@ components:
       - block_ip
       - block_user
       - user_behavior
+      - flag_ip
       type: string
       x-enum-varnames:
       - BLOCK_IP
       - BLOCK_USER
       - USER_BEHAVIOR
+      - FLAG_IP
     SecurityMonitoringRuleCaseCreate:
       description: Case when signal is generated.
       properties:

cassettes/v2/Security-Monitoring_1187227211/Create-a-detection-rule-with-type-application_security-returns-OK-response_4179263030/frozen.json

@@ -1 +1 @@
-"2025-04-09T15:02:05.047Z"
+"2025-07-17T10:35:24.061Z"

cassettes/v2/Security-Monitoring_1187227211/Create-a-detection-rule-with-type-application_security-returns-OK-response_4179263030/recording.har

@@ -8,11 +8,11 @@
     },
     "entries": [
       {
-        "_id": "2f689fb3a0a54f45bf3637e6331a9f25",
+        "_id": "29eb6c549b50360bd2c38ca9462c0177",
         "_order": 0,
         "cache": {},
         "request": {
-          "bodySize": 723,
+          "bodySize": 780,
           "cookies": [],
           "headers": [
             {
@@ -32,17 +32,17 @@
           "postData": {
             "mimeType": "application/json",
             "params": [],
-            "text": "{\"cases\":[{\"actions\":[{\"options\":{\"duration\":900},\"type\":\"block_ip\"},{\"options\":{\"userBehaviorName\":\"behavior\"},\"type\":\"user_behavior\"}],\"condition\":\"a > 100000\",\"name\":\"\",\"notifications\":[],\"status\":\"info\"}],\"filters\":[],\"groupSignalsBy\":[\"service\"],\"isEnabled\":true,\"message\":\"Test rule\",\"name\":\"Test-Create_a_detection_rule_with_type_application_security_returns_OK_response-1744210925_appsec_rule\",\"options\":{\"detectionMethod\":\"threshold\",\"evaluationWindow\":900,\"keepAlive\":3600,\"maxSignalDuration\":86400},\"queries\":[{\"aggregation\":\"count\",\"distinctFields\":[],\"groupByFields\":[\"service\",\"@http.client_ip\"],\"query\":\"@appsec.security_activity:business_logic.users.login.failure\"}],\"tags\":[],\"type\":\"application_security\"}"
+            "text": "{\"cases\":[{\"actions\":[{\"options\":{\"duration\":900},\"type\":\"block_ip\"},{\"options\":{\"userBehaviorName\":\"behavior\"},\"type\":\"user_behavior\"},{\"options\":{\"flaggedIPType\":\"FLAGGED\"},\"type\":\"flag_ip\"}],\"condition\":\"a > 100000\",\"name\":\"\",\"notifications\":[],\"status\":\"info\"}],\"filters\":[],\"groupSignalsBy\":[\"service\"],\"isEnabled\":true,\"message\":\"Test rule\",\"name\":\"Test-Create_a_detection_rule_with_type_application_security_returns_OK_response-1752748524_appsec_rule\",\"options\":{\"detectionMethod\":\"threshold\",\"evaluationWindow\":900,\"keepAlive\":3600,\"maxSignalDuration\":86400},\"queries\":[{\"aggregation\":\"count\",\"distinctFields\":[],\"groupByFields\":[\"service\",\"@http.client_ip\"],\"query\":\"@appsec.security_activity:business_logic.users.login.failure\"}],\"tags\":[],\"type\":\"application_security\"}"
           },
           "queryString": [],
           "url": "https://api.datadoghq.com/api/v2/security_monitoring/rules"
         },
         "response": {
-          "bodySize": 1227,
+          "bodySize": 1284,
           "content": {
             "mimeType": "application/json",
-            "size": 1227,
-            "text": "{\"name\":\"Test-Create_a_detection_rule_with_type_application_security_returns_OK_response-1744210925_appsec_rule\",\"createdAt\":1744210925675,\"isDefault\":false,\"isPartner\":false,\"isEnabled\":true,\"isBeta\":false,\"isDeleted\":false,\"isDeprecated\":false,\"queries\":[{\"query\":\"@appsec.security_activity:business_logic.users.login.failure\",\"groupByFields\":[\"service\",\"@http.client_ip\"],\"hasOptionalGroupByFields\":false,\"distinctFields\":[],\"aggregation\":\"count\",\"name\":\"\",\"dataSource\":\"app_sec_spans\"}],\"options\":{\"evaluationWindow\":900,\"detectionMethod\":\"threshold\",\"maxSignalDuration\":86400,\"keepAlive\":3600},\"cases\":[{\"name\":\"\",\"status\":\"info\",\"notifications\":[],\"condition\":\"a \\u003e 100000\",\"actions\":[{\"type\":\"block_ip\",\"options\":{\"duration\":900}},{\"type\":\"user_behavior\",\"options\":{\"userBehaviorName\":\"behavior\"}}]}],\"message\":\"Test rule\",\"tags\":[],\"hasExtendedTitle\":false,\"type\":\"application_security\",\"filters\":[],\"version\":1,\"id\":\"lfr-zxg-fyc\",\"blocking\":true,\"groupSignalsBy\":[\"service\"],\"dependencies\":[\"business_logic.users.login.failure\"],\"metadata\":{\"entities\":null,\"sources\":null},\"creationAuthorId\":2320499,\"creator\":{\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"name\":\"CI Account\"},\"updater\":{\"handle\":\"\",\"name\":\"\"}}"
+            "size": 1284,
+            "text": "{\"name\":\"Test-Create_a_detection_rule_with_type_application_security_returns_OK_response-1752748524_appsec_rule\",\"createdAt\":1752748524806,\"isDefault\":false,\"isPartner\":false,\"isEnabled\":true,\"isBeta\":false,\"isDeleted\":false,\"isDeprecated\":false,\"queries\":[{\"query\":\"@appsec.security_activity:business_logic.users.login.failure\",\"groupByFields\":[\"service\",\"@http.client_ip\"],\"hasOptionalGroupByFields\":false,\"distinctFields\":[],\"aggregation\":\"count\",\"name\":\"\",\"dataSource\":\"app_sec_spans\"}],\"options\":{\"evaluationWindow\":900,\"detectionMethod\":\"threshold\",\"maxSignalDuration\":86400,\"keepAlive\":3600},\"cases\":[{\"name\":\"\",\"status\":\"info\",\"notifications\":[],\"condition\":\"a \\u003e 100000\",\"actions\":[{\"type\":\"block_ip\",\"options\":{\"duration\":900}},{\"type\":\"user_behavior\",\"options\":{\"userBehaviorName\":\"behavior\"}},{\"type\":\"flag_ip\",\"options\":{\"flaggedIPType\":\"FLAGGED\"}}]}],\"message\":\"Test rule\",\"tags\":[],\"hasExtendedTitle\":false,\"type\":\"application_security\",\"filters\":[],\"version\":1,\"id\":\"wgo-lgy-ajy\",\"blocking\":true,\"groupSignalsBy\":[\"service\"],\"dependencies\":[\"business_logic.users.login.failure\"],\"metadata\":{\"entities\":null,\"sources\":null},\"creationAuthorId\":2320499,\"creator\":{\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"name\":\"CI Account\"},\"updater\":{\"handle\":\"\",\"name\":\"\"}}"
           },
           "cookies": [],
           "headers": [
@@ -57,11 +57,11 @@
           "status": 200,
           "statusText": "OK"
         },
-        "startedDateTime": "2025-04-09T15:02:05.465Z",
-        "time": 259
+        "startedDateTime": "2025-07-17T10:35:24.741Z",
+        "time": 100
       },
       {
-        "_id": "a32045c85c74ebb299fe6584f15ea321",
+        "_id": "eaf198f31c333ac309eb713901fb969e",
         "_order": 0,
         "cache": {},
         "request": {
@@ -78,7 +78,7 @@
           "httpVersion": "HTTP/1.1",
           "method": "DELETE",
           "queryString": [],
-          "url": "https://api.datadoghq.com/api/v2/security_monitoring/rules/lfr-zxg-fyc"
+          "url": "https://api.datadoghq.com/api/v2/security_monitoring/rules/wgo-lgy-ajy"
         },
         "response": {
           "bodySize": 0,
@@ -94,8 +94,8 @@
           "status": 204,
           "statusText": "No Content"
         },
-        "startedDateTime": "2025-04-09T15:02:05.734Z",
-        "time": 194
+        "startedDateTime": "2025-07-17T10:35:24.848Z",
+        "time": 105
       }
     ],
     "pages": [],

examples/v2/security-monitoring/CreateSecurityMonitoringRule_1965169892.ts

@@ -39,6 +39,12 @@ const params: v2.SecurityMonitoringApiCreateSecurityMonitoringRuleRequest = {
               userBehaviorName: "behavior",
             },
           },
+          {
+            type: "flag_ip",
+            options: {
+              flaggedIpType: "FLAGGED",
+            },
+          },
         ],
       },
     ],

features/v2/security_monitoring.feature

@@ -225,7 +225,7 @@ Feature: Security Monitoring
   @skip-validation @team:DataDog/k9-cloud-security-platform
   Scenario: Create a detection rule with type 'application_security 'returns "OK" response
     Given new "CreateSecurityMonitoringRule" request
-    And body with value {"type":"application_security","name":"{{unique}}_appsec_rule","queries":[{"query":"@appsec.security_activity:business_logic.users.login.failure","aggregation":"count","groupByFields":["service","@http.client_ip"],"distinctFields":[]}],"filters":[],"cases":[{"name":"","status":"info","notifications":[],"condition":"a > 100000","actions":[{"type":"block_ip","options":{"duration":900}}, {"type":"user_behavior","options":{"userBehaviorName":"behavior"}}]}],"options":{"keepAlive":3600,"maxSignalDuration":86400,"evaluationWindow":900,"detectionMethod":"threshold"},"isEnabled":true,"message":"Test rule","tags":[],"groupSignalsBy":["service"]}
+    And body with value {"type":"application_security","name":"{{unique}}_appsec_rule","queries":[{"query":"@appsec.security_activity:business_logic.users.login.failure","aggregation":"count","groupByFields":["service","@http.client_ip"],"distinctFields":[]}],"filters":[],"cases":[{"name":"","status":"info","notifications":[],"condition":"a > 100000","actions":[{"type":"block_ip","options":{"duration":900}}, {"type":"user_behavior","options":{"userBehaviorName":"behavior"}}, {"type":"flag_ip","options":{"flaggedIPType":"FLAGGED"}}]}],"options":{"keepAlive":3600,"maxSignalDuration":86400,"evaluationWindow":900,"detectionMethod":"threshold"},"isEnabled":true,"message":"Test rule","tags":[],"groupSignalsBy":["service"]}
     When the request is sent
     Then the response status is 200 OK
     And the response "name" is equal to "{{ unique }}_appsec_rule"

packages/datadog-api-client-v2/index.ts

@@ -2883,6 +2883,7 @@ export { SecurityMonitoringReferenceTable } from "./models/SecurityMonitoringRef
 export { SecurityMonitoringRuleCase } from "./models/SecurityMonitoringRuleCase";
 export { SecurityMonitoringRuleCaseAction } from "./models/SecurityMonitoringRuleCaseAction";
 export { SecurityMonitoringRuleCaseActionOptions } from "./models/SecurityMonitoringRuleCaseActionOptions";
+export { SecurityMonitoringRuleCaseActionOptionsFlaggedIPType } from "./models/SecurityMonitoringRuleCaseActionOptionsFlaggedIPType";
 export { SecurityMonitoringRuleCaseActionType } from "./models/SecurityMonitoringRuleCaseActionType";
 export { SecurityMonitoringRuleCaseCreate } from "./models/SecurityMonitoringRuleCaseCreate";
 export { SecurityMonitoringRuleConvertPayload } from "./models/SecurityMonitoringRuleConvertPayload";

packages/datadog-api-client-v2/models/ObjectSerializer.ts

@@ -2958,10 +2958,15 @@ const enumsMap: { [key: string]: any[] } = {
   SecurityFilterFilteredDataType: ["logs"],
   SecurityFilterType: ["security_filters"],
   SecurityMonitoringFilterAction: ["require", "suppress"],
+  SecurityMonitoringRuleCaseActionOptionsFlaggedIPType: [
+    "SUSPICIOUS",
+    "FLAGGED",
+  ],
   SecurityMonitoringRuleCaseActionType: [
     "block_ip",
     "block_user",
     "user_behavior",
+    "flag_ip",
   ],
   SecurityMonitoringRuleDetectionMethod: [
     "threshold",

packages/datadog-api-client-v2/models/SecurityMonitoringRuleCaseActionOptions.ts

@@ -3,6 +3,7 @@
  * This product includes software developed at Datadog (https://www.datadoghq.com/).
  * Copyright 2020-Present Datadog, Inc.
  */
+import { SecurityMonitoringRuleCaseActionOptionsFlaggedIPType } from "./SecurityMonitoringRuleCaseActionOptionsFlaggedIPType";
 
 import { AttributeTypeMap } from "../../datadog-api-client-common/util";
 
@@ -14,6 +15,10 @@ export class SecurityMonitoringRuleCaseActionOptions {
    * Duration of the action in seconds. 0 indicates no expiration.
    */
   "duration"?: number;
+  /**
+   * Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses.
+   */
+  "flaggedIpType"?: SecurityMonitoringRuleCaseActionOptionsFlaggedIPType;
   /**
    * Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.
    */
@@ -40,6 +45,10 @@ export class SecurityMonitoringRuleCaseActionOptions {
       type: "number",
       format: "int64",
     },
+    flaggedIpType: {
+      baseName: "flaggedIPType",
+      type: "SecurityMonitoringRuleCaseActionOptionsFlaggedIPType",
+    },
     userBehaviorName: {
       baseName: "userBehaviorName",
       type: "string",

packages/datadog-api-client-v2/models/SecurityMonitoringRuleCaseActionOptionsFlaggedIPType.ts

@@ -0,0 +1,18 @@
+/**
+ * Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License.
+ * This product includes software developed at Datadog (https://www.datadoghq.com/).
+ * Copyright 2020-Present Datadog, Inc.
+ */
+
+import { UnparsedObject } from "../../datadog-api-client-common/util";
+
+/**
+ * Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses.
+ */
+
+export type SecurityMonitoringRuleCaseActionOptionsFlaggedIPType =
+  | typeof SUSPICIOUS
+  | typeof FLAGGED
+  | UnparsedObject;
+export const SUSPICIOUS = "SUSPICIOUS";
+export const FLAGGED = "FLAGGED";