Flag IP case action (#2538)

Co-authored-by: ci.datadog-api-spec <[email protected]>

Author: api-clients-generation-pipeline[bot]

.generated-info

@@ -1,4 +1,4 @@
 {
-  "spec_repo_commit": "18085f2",
-  "generated": "2025-07-21 20:56:05.626"
+  "spec_repo_commit": "8ca2883",
+  "generated": "2025-07-22 07:14:50.564"
 }

.generator/schemas/v2/openapi.yaml

@@ -34296,9 +34296,22 @@ components:
           format: int64
           minimum: 0
           type: integer
+        flaggedIPType:
+          $ref: '#/components/schemas/SecurityMonitoringRuleCaseActionOptionsFlaggedIPType'
         userBehaviorName:
           $ref: '#/components/schemas/SecurityMonitoringRuleCaseActionOptionsUserBehaviorName'
       type: object
+    SecurityMonitoringRuleCaseActionOptionsFlaggedIPType:
+      description: Used with the case action of type 'flag_ip'. The value specified
+        in this field is applied as a flag to the IP addresses.
+      enum:
+      - SUSPICIOUS
+      - FLAGGED
+      example: FLAGGED
+      type: string
+      x-enum-varnames:
+      - SUSPICIOUS
+      - FLAGGED
     SecurityMonitoringRuleCaseActionOptionsUserBehaviorName:
       description: Used with the case action of type 'user_behavior'. The value specified
         in this field is applied as a risk tag to all users affected by the rule.
@@ -34309,11 +34322,13 @@ components:
       - block_ip
       - block_user
       - user_behavior
+      - flag_ip
       type: string
       x-enum-varnames:
       - BLOCK_IP
       - BLOCK_USER
       - USER_BEHAVIOR
+      - FLAG_IP
     SecurityMonitoringRuleCaseCreate:
       description: Case when signal is generated.
       properties:

cassettes/v2/Security-Monitoring_1187227211/Create-a-detection-rule-with-type-application_security-returns-OK-response_4179263030/frozen.json

@@ -1 +1 @@
-"2025-04-09T15:02:05.047Z"
+"2025-07-17T10:35:24.061Z"

cassettes/v2/Security-Monitoring_1187227211/Create-a-detection-rule-with-type-application_security-returns-OK-response_4179263030/recording.har

@@ -8,11 +8,11 @@
     },
     "entries": [
       {
-        "_id": "2f689fb3a0a54f45bf3637e6331a9f25",
+        "_id": "29eb6c549b50360bd2c38ca9462c0177",
         "_order": 0,
         "cache": {},
         "request": {
-          "bodySize": 723,
+          "bodySize": 780,
           "cookies": [],
           "headers": [
             {
@@ -32,17 +32,17 @@
           "postData": {
             "mimeType": "application/json",
             "params": [],
-            "text": "{\"cases\":[{\"actions\":[{\"options\":{\"duration\":900},\"type\":\"block_ip\"},{\"options\":{\"userBehaviorName\":\"behavior\"},\"type\":\"user_behavior\"}],\"condition\":\"a > 100000\",\"name\":\"\",\"notifications\":[],\"status\":\"info\"}],\"filters\":[],\"groupSignalsBy\":[\"service\"],\"isEnabled\":true,\"message\":\"Test rule\",\"name\":\"Test-Create_a_detection_rule_with_type_application_security_returns_OK_response-1744210925_appsec_rule\",\"options\":{\"detectionMethod\":\"threshold\",\"evaluationWindow\":900,\"keepAlive\":3600,\"maxSignalDuration\":86400},\"queries\":[{\"aggregation\":\"count\",\"distinctFields\":[],\"groupByFields\":[\"service\",\"@http.client_ip\"],\"query\":\"@appsec.security_activity:business_logic.users.login.failure\"}],\"tags\":[],\"type\":\"application_security\"}"
+            "text": "{\"cases\":[{\"actions\":[{\"options\":{\"duration\":900},\"type\":\"block_ip\"},{\"options\":{\"userBehaviorName\":\"behavior\"},\"type\":\"user_behavior\"},{\"options\":{\"flaggedIPType\":\"FLAGGED\"},\"type\":\"flag_ip\"}],\"condition\":\"a > 100000\",\"name\":\"\",\"notifications\":[],\"status\":\"info\"}],\"filters\":[],\"groupSignalsBy\":[\"service\"],\"isEnabled\":true,\"message\":\"Test rule\",\"name\":\"Test-Create_a_detection_rule_with_type_application_security_returns_OK_response-1752748524_appsec_rule\",\"options\":{\"detectionMethod\":\"threshold\",\"evaluationWindow\":900,\"keepAlive\":3600,\"maxSignalDuration\":86400},\"queries\":[{\"aggregation\":\"count\",\"distinctFields\":[],\"groupByFields\":[\"service\",\"@http.client_ip\"],\"query\":\"@appsec.security_activity:business_logic.users.login.failure\"}],\"tags\":[],\"type\":\"application_security\"}"
           },
           "queryString": [],
           "url": "https://api.datadoghq.com/api/v2/security_monitoring/rules"
         },
         "response": {
-          "bodySize": 1227,
+          "bodySize": 1284,
           "content": {
             "mimeType": "application/json",
-            "size": 1227,
-            "text": "{\"name\":\"Test-Create_a_detection_rule_with_type_application_security_returns_OK_response-1744210925_appsec_rule\",\"createdAt\":1744210925675,\"isDefault\":false,\"isPartner\":false,\"isEnabled\":true,\"isBeta\":false,\"isDeleted\":false,\"isDeprecated\":false,\"queries\":[{\"query\":\"@appsec.security_activity:business_logic.users.login.failure\",\"groupByFields\":[\"service\",\"@http.client_ip\"],\"hasOptionalGroupByFields\":false,\"distinctFields\":[],\"aggregation\":\"count\",\"name\":\"\",\"dataSource\":\"app_sec_spans\"}],\"options\":{\"evaluationWindow\":900,\"detectionMethod\":\"threshold\",\"maxSignalDuration\":86400,\"keepAlive\":3600},\"cases\":[{\"name\":\"\",\"status\":\"info\",\"notifications\":[],\"condition\":\"a \\u003e 100000\",\"actions\":[{\"type\":\"block_ip\",\"options\":{\"duration\":900}},{\"type\":\"user_behavior\",\"options\":{\"userBehaviorName\":\"behavior\"}}]}],\"message\":\"Test rule\",\"tags\":[],\"hasExtendedTitle\":false,\"type\":\"application_security\",\"filters\":[],\"version\":1,\"id\":\"lfr-zxg-fyc\",\"blocking\":true,\"groupSignalsBy\":[\"service\"],\"dependencies\":[\"business_logic.users.login.failure\"],\"metadata\":{\"entities\":null,\"sources\":null},\"creationAuthorId\":2320499,\"creator\":{\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"name\":\"CI Account\"},\"updater\":{\"handle\":\"\",\"name\":\"\"}}"
+            "size": 1284,
+            "text": "{\"name\":\"Test-Create_a_detection_rule_with_type_application_security_returns_OK_response-1752748524_appsec_rule\",\"createdAt\":1752748524806,\"isDefault\":false,\"isPartner\":false,\"isEnabled\":true,\"isBeta\":false,\"isDeleted\":false,\"isDeprecated\":false,\"queries\":[{\"query\":\"@appsec.security_activity:business_logic.users.login.failure\",\"groupByFields\":[\"service\",\"@http.client_ip\"],\"hasOptionalGroupByFields\":false,\"distinctFields\":[],\"aggregation\":\"count\",\"name\":\"\",\"dataSource\":\"app_sec_spans\"}],\"options\":{\"evaluationWindow\":900,\"detectionMethod\":\"threshold\",\"maxSignalDuration\":86400,\"keepAlive\":3600},\"cases\":[{\"name\":\"\",\"status\":\"info\",\"notifications\":[],\"condition\":\"a \\u003e 100000\",\"actions\":[{\"type\":\"block_ip\",\"options\":{\"duration\":900}},{\"type\":\"user_behavior\",\"options\":{\"userBehaviorName\":\"behavior\"}},{\"type\":\"flag_ip\",\"options\":{\"flaggedIPType\":\"FLAGGED\"}}]}],\"message\":\"Test rule\",\"tags\":[],\"hasExtendedTitle\":false,\"type\":\"application_security\",\"filters\":[],\"version\":1,\"id\":\"wgo-lgy-ajy\",\"blocking\":true,\"groupSignalsBy\":[\"service\"],\"dependencies\":[\"business_logic.users.login.failure\"],\"metadata\":{\"entities\":null,\"sources\":null},\"creationAuthorId\":2320499,\"creator\":{\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"name\":\"CI Account\"},\"updater\":{\"handle\":\"\",\"name\":\"\"}}"
           },
           "cookies": [],
           "headers": [
@@ -57,11 +57,11 @@
           "status": 200,
           "statusText": "OK"
         },
-        "startedDateTime": "2025-04-09T15:02:05.465Z",
-        "time": 259
+        "startedDateTime": "2025-07-17T10:35:24.741Z",
+        "time": 100
       },
       {
-        "_id": "a32045c85c74ebb299fe6584f15ea321",
+        "_id": "eaf198f31c333ac309eb713901fb969e",
         "_order": 0,
         "cache": {},
         "request": {
@@ -78,7 +78,7 @@
           "httpVersion": "HTTP/1.1",
           "method": "DELETE",
           "queryString": [],
-          "url": "https://api.datadoghq.com/api/v2/security_monitoring/rules/lfr-zxg-fyc"
+          "url": "https://api.datadoghq.com/api/v2/security_monitoring/rules/wgo-lgy-ajy"
         },
         "response": {
           "bodySize": 0,
@@ -94,8 +94,8 @@
           "status": 204,
           "statusText": "No Content"
         },
-        "startedDateTime": "2025-04-09T15:02:05.734Z",
-        "time": 194
+        "startedDateTime": "2025-07-17T10:35:24.848Z",
+        "time": 105
       }
     ],
     "pages": [],

features/v2/security_monitoring.feature

@@ -225,7 +225,7 @@ Feature: Security Monitoring
   @skip-validation @team:DataDog/k9-cloud-security-platform
   Scenario: Create a detection rule with type 'application_security 'returns "OK" response
     Given new "CreateSecurityMonitoringRule" request
-    And body with value {"type":"application_security","name":"{{unique}}_appsec_rule","queries":[{"query":"@appsec.security_activity:business_logic.users.login.failure","aggregation":"count","groupByFields":["service","@http.client_ip"],"distinctFields":[]}],"filters":[],"cases":[{"name":"","status":"info","notifications":[],"condition":"a > 100000","actions":[{"type":"block_ip","options":{"duration":900}}, {"type":"user_behavior","options":{"userBehaviorName":"behavior"}}]}],"options":{"keepAlive":3600,"maxSignalDuration":86400,"evaluationWindow":900,"detectionMethod":"threshold"},"isEnabled":true,"message":"Test rule","tags":[],"groupSignalsBy":["service"]}
+    And body with value {"type":"application_security","name":"{{unique}}_appsec_rule","queries":[{"query":"@appsec.security_activity:business_logic.users.login.failure","aggregation":"count","groupByFields":["service","@http.client_ip"],"distinctFields":[]}],"filters":[],"cases":[{"name":"","status":"info","notifications":[],"condition":"a > 100000","actions":[{"type":"block_ip","options":{"duration":900}}, {"type":"user_behavior","options":{"userBehaviorName":"behavior"}}, {"type":"flag_ip","options":{"flaggedIPType":"FLAGGED"}}]}],"options":{"keepAlive":3600,"maxSignalDuration":86400,"evaluationWindow":900,"detectionMethod":"threshold"},"isEnabled":true,"message":"Test rule","tags":[],"groupSignalsBy":["service"]}
     When the request is sent
     Then the response status is 200 OK
     And the response "name" is equal to "{{ unique }}_appsec_rule"

services/security_monitoring/src/v2/index.ts

@@ -209,6 +209,7 @@ export { SecurityMonitoringReferenceTable } from "./models/SecurityMonitoringRef
 export { SecurityMonitoringRuleCase } from "./models/SecurityMonitoringRuleCase";
 export { SecurityMonitoringRuleCaseAction } from "./models/SecurityMonitoringRuleCaseAction";
 export { SecurityMonitoringRuleCaseActionOptions } from "./models/SecurityMonitoringRuleCaseActionOptions";
+export { SecurityMonitoringRuleCaseActionOptionsFlaggedIPType } from "./models/SecurityMonitoringRuleCaseActionOptionsFlaggedIPType";
 export { SecurityMonitoringRuleCaseActionType } from "./models/SecurityMonitoringRuleCaseActionType";
 export { SecurityMonitoringRuleCaseCreate } from "./models/SecurityMonitoringRuleCaseCreate";
 export { SecurityMonitoringRuleConvertPayload } from "./models/SecurityMonitoringRuleConvertPayload";

services/security_monitoring/src/v2/models/SecurityMonitoringRuleCaseActionOptions.ts

@@ -1,5 +1,7 @@
 import { AttributeTypeMap } from "@datadog/datadog-api-client";
 
+import { SecurityMonitoringRuleCaseActionOptionsFlaggedIPType } from "./SecurityMonitoringRuleCaseActionOptionsFlaggedIPType";
+
 /**
  * Options for the rule action
  */
@@ -8,6 +10,10 @@ export class SecurityMonitoringRuleCaseActionOptions {
    * Duration of the action in seconds. 0 indicates no expiration.
    */
   "duration"?: number;
+  /**
+   * Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses.
+   */
+  "flaggedIpType"?: SecurityMonitoringRuleCaseActionOptionsFlaggedIPType;
   /**
    * Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.
    */
@@ -32,6 +38,10 @@ export class SecurityMonitoringRuleCaseActionOptions {
       type: "number",
       format: "int64",
     },
+    flaggedIpType: {
+      baseName: "flaggedIPType",
+      type: "SecurityMonitoringRuleCaseActionOptionsFlaggedIPType",
+    },
     userBehaviorName: {
       baseName: "userBehaviorName",
       type: "string",

services/security_monitoring/src/v2/models/SecurityMonitoringRuleCaseActionOptionsFlaggedIPType.ts

@@ -0,0 +1,11 @@
+import { UnparsedObject } from "@datadog/datadog-api-client";
+
+/**
+ * Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses.
+ */
+export type SecurityMonitoringRuleCaseActionOptionsFlaggedIPType =
+  | typeof SUSPICIOUS
+  | typeof FLAGGED
+  | UnparsedObject;
+export const SUSPICIOUS = "SUSPICIOUS";
+export const FLAGGED = "FLAGGED";

services/security_monitoring/src/v2/models/SecurityMonitoringRuleCaseActionType.ts

@@ -7,7 +7,9 @@ export type SecurityMonitoringRuleCaseActionType =
   | typeof BLOCK_IP
   | typeof BLOCK_USER
   | typeof USER_BEHAVIOR
+  | typeof FLAG_IP
   | UnparsedObject;
 export const BLOCK_IP = "block_ip";
 export const BLOCK_USER = "block_user";
 export const USER_BEHAVIOR = "user_behavior";
+export const FLAG_IP = "flag_ip";

services/security_monitoring/src/v2/models/TypingInfo.ts

@@ -282,10 +282,15 @@ export const TypingInfo: ModelTypingInfo = {
     SecurityFilterFilteredDataType: ["logs"],
     SecurityFilterType: ["security_filters"],
     SecurityMonitoringFilterAction: ["require", "suppress"],
+    SecurityMonitoringRuleCaseActionOptionsFlaggedIPType: [
+      "SUSPICIOUS",
+      "FLAGGED",
+    ],
     SecurityMonitoringRuleCaseActionType: [
       "block_ip",
       "block_user",
       "user_behavior",
+      "flag_ip",
     ],
     SecurityMonitoringRuleDetectionMethod: [
       "threshold",