Improve the spec of Cloud SIEM historical jobs (#1927)

Co-authored-by: ci.datadog-api-spec <[email protected]>

Author: api-clients-generation-pipeline[bot]

.apigentools-info

@@ -4,13 +4,13 @@
     "spec_versions": {
         "v1": {
             "apigentools_version": "1.6.6",
-            "regenerated": "2024-12-18 19:23:38.107841",
-            "spec_repo_commit": "3f22290a"
+            "regenerated": "2024-12-19 07:26:26.500720",
+            "spec_repo_commit": "5dd2cbe4"
         },
         "v2": {
             "apigentools_version": "1.6.6",
-            "regenerated": "2024-12-18 19:23:38.122969",
-            "spec_repo_commit": "3f22290a"
+            "regenerated": "2024-12-19 07:26:26.515806",
+            "spec_repo_commit": "5dd2cbe4"
         }
     }
 }

.generator/schemas/v2/openapi.yaml

@@ -12250,6 +12250,65 @@ components:
           maximum: 2147483647
           type: integer
       type: object
+    HistoricalJobOptions:
+      description: Job options.
+      properties:
+        detectionMethod:
+          $ref: '#/components/schemas/SecurityMonitoringRuleDetectionMethod'
+        evaluationWindow:
+          $ref: '#/components/schemas/SecurityMonitoringRuleEvaluationWindow'
+        impossibleTravelOptions:
+          $ref: '#/components/schemas/SecurityMonitoringRuleImpossibleTravelOptions'
+        keepAlive:
+          $ref: '#/components/schemas/SecurityMonitoringRuleKeepAlive'
+        maxSignalDuration:
+          $ref: '#/components/schemas/SecurityMonitoringRuleMaxSignalDuration'
+        newValueOptions:
+          $ref: '#/components/schemas/SecurityMonitoringRuleNewValueOptions'
+        thirdPartyRuleOptions:
+          $ref: '#/components/schemas/SecurityMonitoringRuleThirdPartyOptions'
+      type: object
+    HistoricalJobQuery:
+      description: Query for selecting logs analyzed by the historical job.
+      properties:
+        aggregation:
+          $ref: '#/components/schemas/SecurityMonitoringRuleQueryAggregation'
+        distinctFields:
+          description: Field for which the cardinality is measured. Sent as an array.
+          items:
+            description: Field.
+            type: string
+          type: array
+        groupByFields:
+          description: Fields to group by.
+          items:
+            description: Field.
+            type: string
+          type: array
+        hasOptionalGroupByFields:
+          description: When false, events without a group-by value are ignored by
+            the query. When true, events with missing group-by fields are processed
+            with `N/A`, replacing the missing values.
+          example: false
+          readOnly: true
+          type: boolean
+        metrics:
+          description: Group of target fields to aggregate over when using the sum,
+            max, geo data, or new value aggregations. The sum, max, and geo data aggregations
+            only accept one value in this list, whereas the new value aggregation
+            accepts up to five values.
+          items:
+            description: Field.
+            type: string
+          type: array
+        name:
+          description: Name of the query.
+          type: string
+        query:
+          description: Query to run on logs.
+          example: a > 3
+          type: string
+      type: object
     HistoricalJobResponse:
       description: Historical job response.
       properties:
@@ -14824,13 +14883,6 @@ components:
           items:
             $ref: '#/components/schemas/SecurityMonitoringRuleCaseCreate'
           type: array
-        filters:
-          description: Additional queries to filter matched events before they are
-            processed. This field is deprecated for log detection, signal correlation,
-            and workload security rules.
-          items:
-            $ref: '#/components/schemas/SecurityMonitoringFilter'
-          type: array
         from:
           description: Starting time of data analyzed by the job.
           example: 1729843470000
@@ -14849,14 +14901,14 @@ components:
           example: Excessive number of failed attempts.
           type: string
         options:
-          $ref: '#/components/schemas/SecurityMonitoringRuleOptions'
+          $ref: '#/components/schemas/HistoricalJobOptions'
         queries:
           description: Queries for selecting logs analyzed by the job.
           items:
-            $ref: '#/components/schemas/SecurityMonitoringStandardRuleQuery'
+            $ref: '#/components/schemas/HistoricalJobQuery'
           type: array
         referenceTables:
-          description: Reference tables for the rule.
+          description: Reference tables used in the queries.
           items:
             $ref: '#/components/schemas/SecurityMonitoringReferenceTable'
           type: array
@@ -14866,8 +14918,8 @@ components:
             type: string
           type: array
         thirdPartyCases:
-          description: Cases for generating results from third-party rules. Only available
-            for third-party rules.
+          description: Cases for generating results from third-party detection method.
+            Only available for third-party detection method.
           example: []
           items:
             $ref: '#/components/schemas/SecurityMonitoringThirdPartyRuleCaseCreate'
@@ -22792,7 +22844,7 @@ components:
           $ref: '#/components/schemas/ResponseMetaAttributes'
       type: object
     SecurityMonitoringReferenceTable:
-      description: Reference table for the rule.
+      description: Reference tables used in the queries.
       properties:
         checkPresence:
           description: Whether to include or exclude the matched values.
@@ -22804,7 +22856,7 @@ components:
           description: The field in the log to match against the reference table.
           type: string
         ruleQueryName:
-          description: The name of the rule query to apply the reference table to.
+          description: The name of the query to apply the reference table to.
           type: string
         tableName:
           description: The name of the reference table.
@@ -22835,7 +22887,7 @@ components:
       description: Case when signal is generated.
       properties:
         condition:
-          description: 'A rule case contains logical operations (`>`,`>=`, `&&`, `||`)
+          description: 'A case contains logical operations (`>`,`>=`, `&&`, `||`)
             to determine if a signal should be generated
 
             based on the event counts in the previously defined queries.'
@@ -22844,7 +22896,7 @@ components:
           description: Name of the case.
           type: string
         notifications:
-          description: Notification targets for each rule case.
+          description: Notification targets.
           items:
             description: Notification.
             type: string
@@ -22906,7 +22958,8 @@ components:
       description: 'A time window is specified to match when at least one of the cases
         matches true. This is a sliding window
 
-        and evaluates in real time. For third party rules, this field is not used.'
+        and evaluates in real time. For third party detection method, this field is
+        not used.'
       enum:
       - 0
       - 60
@@ -22935,7 +22988,7 @@ components:
       x-enum-varnames:
       - LOG4SHELL
     SecurityMonitoringRuleImpossibleTravelOptions:
-      description: Options on impossible travel rules.
+      description: Options on impossible travel detection method.
       properties:
         baselineUserLocations:
           $ref: '#/components/schemas/SecurityMonitoringRuleImpossibleTravelOptionsBaselineUserLocations'
@@ -22951,7 +23004,7 @@ components:
     SecurityMonitoringRuleKeepAlive:
       description: "Once a signal is generated, the signal will remain \u201Copen\u201D
         if a case is matched at least once within\nthis keep alive window. For third
-        party rules, this field is not used."
+        party detection method, this field is not used."
       enum:
       - 0
       - 60
@@ -23009,7 +23062,7 @@ components:
       - TWELVE_HOURS
       - ONE_DAY
     SecurityMonitoringRuleNewValueOptions:
-      description: Options on new value rules.
+      description: Options on new value detection method.
       properties:
         forgetAfter:
           $ref: '#/components/schemas/SecurityMonitoringRuleNewValueOptionsForgetAfter'
@@ -23079,7 +23132,7 @@ components:
       - ZERO_OCCURRENCES
       - ONE_OCCURRENCE
     SecurityMonitoringRuleOptions:
-      description: Options on rules.
+      description: Options.
       properties:
         complianceRuleOptions:
           $ref: '#/components/schemas/CloudConfigurationComplianceRuleOptions'
@@ -23221,7 +23274,7 @@ components:
           type: array
       type: object
     SecurityMonitoringRuleThirdPartyOptions:
-      description: Options on third party rules.
+      description: Options on third party detection method.
       properties:
         defaultNotifications:
           description: Notification targets for the logs that do not correspond to
@@ -24621,7 +24674,7 @@ components:
           description: Name of the case.
           type: string
         notifications:
-          description: Notification targets for each rule case.
+          description: Notification targets for each case.
           items:
             description: Notification.
             type: string

cassettes/v2/Security-Monitoring_1187227211/Get-a-job-s-details-returns-OK-response_1805717789/frozen.json

@@ -1 +1 @@
-"2024-11-08T09:54:39.695Z"
+"2024-12-18T17:02:38.823Z"

cassettes/v2/Security-Monitoring_1187227211/Get-a-job-s-details-returns-OK-response_1805717789/recording.har

@@ -42,7 +42,7 @@
           "content": {
             "mimeType": "application/vnd.api+json",
             "size": 87,
-            "text": "{\"data\":{\"id\":\"f1753ed6-8c47-4168-9d6b-d11b9612fb3c\",\"type\":\"historicalDetectionsJob\"}}"
+            "text": "{\"data\":{\"id\":\"fa90e7ac-998d-4bf4-9d32-2e831a1e9479\",\"type\":\"historicalDetectionsJob\"}}"
           },
           "cookies": [],
           "headers": [
@@ -57,11 +57,11 @@
           "status": 201,
           "statusText": "Created"
         },
-        "startedDateTime": "2024-11-08T09:54:39.697Z",
-        "time": 146
+        "startedDateTime": "2024-12-18T17:02:39.209Z",
+        "time": 474
       },
       {
-        "_id": "fd2565a2df2009def41ec75cf6591662",
+        "_id": "7b01960b436d672769de5d7f5dd093c1",
         "_order": 0,
         "cache": {},
         "request": {
@@ -78,14 +78,14 @@
           "httpVersion": "HTTP/1.1",
           "method": "GET",
           "queryString": [],
-          "url": "https://api.datadoghq.com/api/v2/siem-historical-detections/jobs/f1753ed6-8c47-4168-9d6b-d11b9612fb3c"
+          "url": "https://api.datadoghq.com/api/v2/siem-historical-detections/jobs/fa90e7ac-998d-4bf4-9d32-2e831a1e9479"
         },
         "response": {
-          "bodySize": 927,
+          "bodySize": 914,
           "content": {
             "mimeType": "application/vnd.api+json",
-            "size": 927,
-            "text": "{\"data\":{\"id\":\"f1753ed6-8c47-4168-9d6b-d11b9612fb3c\",\"type\":\"historicalDetectionsJob\",\"attributes\":{\"createdAt\":\"2024-11-08 09:54:39.761792+00\",\"createdByHandle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"createdByName\":\"CI Account\",\"jobDefinition\":{\"from\":1730387522611,\"to\":1730387532611,\"index\":\"main\",\"name\":\"Excessive number of failed attempts.\",\"cases\":[{\"name\":\"Condition 1\",\"status\":\"info\",\"notifications\":[],\"condition\":\"a \\u003e 1\"}],\"queries\":[{\"query\":\"source:non_existing_src_weekend\",\"groupByFields\":[],\"hasOptionalGroupByFields\":false,\"distinctFields\":[],\"aggregation\":\"count\",\"name\":\"\"}],\"options\":{\"evaluationWindow\":900,\"detectionMethod\":\"threshold\",\"maxSignalDuration\":86400,\"keepAlive\":3600},\"message\":\"A large number of failed login attempts.\",\"tags\":[],\"type\":\"log_detection\",\"filters\":[]},\"jobName\":\"Excessive number of failed attempts.\",\"jobStatus\":\"pending\",\"modifiedAt\":\"2024-11-08 09:54:39.761792+00\"}}}"
+            "size": 914,
+            "text": "{\"data\":{\"id\":\"fa90e7ac-998d-4bf4-9d32-2e831a1e9479\",\"type\":\"historicalDetectionsJob\",\"attributes\":{\"createdAt\":\"2024-12-18 17:02:39.551791+00\",\"createdByHandle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"createdByName\":\"CI Account\",\"jobDefinition\":{\"from\":1730387522611,\"to\":1730387532611,\"index\":\"main\",\"name\":\"Excessive number of failed attempts.\",\"cases\":[{\"name\":\"Condition 1\",\"status\":\"info\",\"notifications\":[],\"condition\":\"a \\u003e 1\"}],\"queries\":[{\"query\":\"source:non_existing_src_weekend\",\"groupByFields\":[],\"hasOptionalGroupByFields\":false,\"distinctFields\":[],\"aggregation\":\"count\",\"name\":\"\"}],\"options\":{\"evaluationWindow\":900,\"detectionMethod\":\"threshold\",\"maxSignalDuration\":86400,\"keepAlive\":3600},\"message\":\"A large number of failed login attempts.\",\"tags\":[],\"type\":\"log_detection\"},\"jobName\":\"Excessive number of failed attempts.\",\"jobStatus\":\"pending\",\"modifiedAt\":\"2024-12-18 17:02:39.551791+00\"}}}"
           },
           "cookies": [],
           "headers": [
@@ -100,8 +100,8 @@
           "status": 200,
           "statusText": "OK"
         },
-        "startedDateTime": "2024-11-08T09:54:39.848Z",
-        "time": 69
+        "startedDateTime": "2024-12-18T17:02:39.691Z",
+        "time": 171
       }
     ],
     "pages": [],

cassettes/v2/Security-Monitoring_1187227211/List-historical-jobs-returns-OK-response_1213227315/frozen.json

@@ -1 +1 @@
-"2024-11-08T09:54:39.932Z"
+"2024-12-18T17:02:39.880Z"

cassettes/v2/Security-Monitoring_1187227211/List-historical-jobs-returns-OK-response_1213227315/recording.har

@@ -42,7 +42,7 @@
           "content": {
             "mimeType": "application/vnd.api+json",
             "size": 87,
-            "text": "{\"data\":{\"id\":\"34df4a54-9d84-4b4c-bc7e-0464d374ee19\",\"type\":\"historicalDetectionsJob\"}}"
+            "text": "{\"data\":{\"id\":\"7b16f110-0ce9-46cd-9dad-b658ced2ac50\",\"type\":\"historicalDetectionsJob\"}}"
           },
           "cookies": [],
           "headers": [
@@ -57,11 +57,11 @@
           "status": 201,
           "statusText": "Created"
         },
-        "startedDateTime": "2024-11-08T09:54:39.935Z",
-        "time": 98
+        "startedDateTime": "2024-12-18T17:02:39.882Z",
+        "time": 402
       },
       {
-        "_id": "3de0815b9a4e5dcb86f2d0ef4a3c963f",
+        "_id": "0728d69cabf496956f86d405f93de5cf",
         "_order": 0,
         "cache": {},
         "request": {
@@ -81,18 +81,18 @@
             {
               "name": "filter",
               "value": {
-                "query": "id:34df4a54-9d84-4b4c-bc7e-0464d374ee19"
+                "query": "id:7b16f110-0ce9-46cd-9dad-b658ced2ac50"
               }
             }
           ],
-          "url": "https://api.datadoghq.com/api/v2/siem-historical-detections/jobs?filter%5Bquery%5D=id%3A34df4a54-9d84-4b4c-bc7e-0464d374ee19"
+          "url": "https://api.datadoghq.com/api/v2/siem-historical-detections/jobs?filter%5Bquery%5D=id%3A7b16f110-0ce9-46cd-9dad-b658ced2ac50"
         },
         "response": {
-          "bodySize": 953,
+          "bodySize": 940,
           "content": {
             "mimeType": "application/vnd.api+json",
-            "size": 953,
-            "text": "{\"data\":[{\"id\":\"34df4a54-9d84-4b4c-bc7e-0464d374ee19\",\"type\":\"historicalDetectionsJob\",\"attributes\":{\"createdAt\":\"2024-11-08 09:54:40.000915+00\",\"createdByHandle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"createdByName\":\"CI Account\",\"jobDefinition\":{\"from\":1730387522611,\"to\":1730387532611,\"index\":\"main\",\"name\":\"Excessive number of failed attempts.\",\"cases\":[{\"name\":\"Condition 1\",\"status\":\"info\",\"notifications\":[],\"condition\":\"a \\u003e 1\"}],\"queries\":[{\"query\":\"source:non_existing_src_weekend\",\"groupByFields\":[],\"hasOptionalGroupByFields\":false,\"distinctFields\":[],\"aggregation\":\"count\",\"name\":\"\"}],\"options\":{\"evaluationWindow\":900,\"detectionMethod\":\"threshold\",\"maxSignalDuration\":86400,\"keepAlive\":3600},\"message\":\"A large number of failed login attempts.\",\"tags\":[],\"type\":\"log_detection\",\"filters\":[]},\"jobName\":\"Excessive number of failed attempts.\",\"jobStatus\":\"pending\",\"modifiedAt\":\"2024-11-08 09:54:40.000915+00\"}}],\"meta\":{\"totalCount\":1}}"
+            "size": 940,
+            "text": "{\"data\":[{\"id\":\"7b16f110-0ce9-46cd-9dad-b658ced2ac50\",\"type\":\"historicalDetectionsJob\",\"attributes\":{\"createdAt\":\"2024-12-18 17:02:40.144396+00\",\"createdByHandle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"createdByName\":\"CI Account\",\"jobDefinition\":{\"from\":1730387522611,\"to\":1730387532611,\"index\":\"main\",\"name\":\"Excessive number of failed attempts.\",\"cases\":[{\"name\":\"Condition 1\",\"status\":\"info\",\"notifications\":[],\"condition\":\"a \\u003e 1\"}],\"queries\":[{\"query\":\"source:non_existing_src_weekend\",\"groupByFields\":[],\"hasOptionalGroupByFields\":false,\"distinctFields\":[],\"aggregation\":\"count\",\"name\":\"\"}],\"options\":{\"evaluationWindow\":900,\"detectionMethod\":\"threshold\",\"maxSignalDuration\":86400,\"keepAlive\":3600},\"message\":\"A large number of failed login attempts.\",\"tags\":[],\"type\":\"log_detection\"},\"jobName\":\"Excessive number of failed attempts.\",\"jobStatus\":\"pending\",\"modifiedAt\":\"2024-12-18 17:02:40.144396+00\"}}],\"meta\":{\"totalCount\":1}}"
           },
           "cookies": [],
           "headers": [
@@ -107,8 +107,8 @@
           "status": 200,
           "statusText": "OK"
         },
-        "startedDateTime": "2024-11-08T09:54:40.040Z",
-        "time": 62
+        "startedDateTime": "2024-12-18T17:02:40.290Z",
+        "time": 189
       }
     ],
     "pages": [],

packages/datadog-api-client-v2/index.ts

@@ -1315,6 +1315,8 @@ export { GetTeamMembershipsSort } from "./models/GetTeamMembershipsSort";
 export { GroupScalarColumn } from "./models/GroupScalarColumn";
 export { HistoricalJobDataType } from "./models/HistoricalJobDataType";
 export { HistoricalJobListMeta } from "./models/HistoricalJobListMeta";
+export { HistoricalJobOptions } from "./models/HistoricalJobOptions";
+export { HistoricalJobQuery } from "./models/HistoricalJobQuery";
 export { HistoricalJobResponse } from "./models/HistoricalJobResponse";
 export { HistoricalJobResponseAttributes } from "./models/HistoricalJobResponseAttributes";
 export { HistoricalJobResponseData } from "./models/HistoricalJobResponseData";