diff --git a/.generator/schemas/v2/openapi.yaml b/.generator/schemas/v2/openapi.yaml index d3d603bec261..87a84afd60e5 100644 --- a/.generator/schemas/v2/openapi.yaml +++ b/.generator/schemas/v2/openapi.yaml @@ -20470,6 +20470,8 @@ components: $ref: '#/components/schemas/SecurityMonitoringRuleMaxSignalDuration' newValueOptions: $ref: '#/components/schemas/SecurityMonitoringRuleNewValueOptions' + sequenceDetectionOptions: + $ref: '#/components/schemas/SecurityMonitoringRuleSequenceDetectionOptions' thirdPartyRuleOptions: $ref: '#/components/schemas/SecurityMonitoringRuleThirdPartyOptions' type: object @@ -40786,6 +40788,7 @@ components: - hardcoded - third_party - anomaly_threshold + - sequence_detection type: string x-enum-varnames: - THRESHOLD @@ -40795,6 +40798,7 @@ components: - HARDCODED - THIRD_PARTY - ANOMALY_THRESHOLD + - SEQUENCE_DETECTION SecurityMonitoringRuleEvaluationWindow: description: 'A time window is specified to match when at least one of the cases matches true. This is a sliding window @@ -41008,6 +41012,8 @@ components: $ref: '#/components/schemas/SecurityMonitoringRuleMaxSignalDuration' newValueOptions: $ref: '#/components/schemas/SecurityMonitoringRuleNewValueOptions' + sequenceDetectionOptions: + $ref: '#/components/schemas/SecurityMonitoringRuleSequenceDetectionOptions' thirdPartyRuleOptions: $ref: '#/components/schemas/SecurityMonitoringRuleThirdPartyOptions' type: object 
@@ -41083,6 +41089,47 @@ components: oneOf: - $ref: '#/components/schemas/SecurityMonitoringStandardRuleResponse' - $ref: '#/components/schemas/SecurityMonitoringSignalRuleResponse' + SecurityMonitoringRuleSequenceDetectionOptions: + description: Options on sequence detection method. + properties: + stepTransitions: + description: Transitions defining the allowed order of steps and their evaluation + windows. + items: + $ref: '#/components/schemas/SecurityMonitoringRuleSequenceDetectionStepTransition' + type: array + steps: + description: Steps that define the conditions to be matched in sequence. + items: + $ref: '#/components/schemas/SecurityMonitoringRuleSequenceDetectionStep' + type: array + type: object + SecurityMonitoringRuleSequenceDetectionStep: + description: Step definition for sequence detection containing the step name, + condition, and evaluation window. + properties: + condition: + description: Condition referencing rule queries (e.g., `a > 0`). + type: string + evaluationWindow: + $ref: '#/components/schemas/SecurityMonitoringRuleEvaluationWindow' + name: + description: Unique name identifying the step. + type: string + type: object + SecurityMonitoringRuleSequenceDetectionStepTransition: + description: Transition from a parent step to a child step within a sequence + detection rule. + properties: + child: + description: Name of the child step. + type: string + evaluationWindow: + $ref: '#/components/schemas/SecurityMonitoringRuleEvaluationWindow' + parent: + description: Name of the parent step. + type: string + type: object SecurityMonitoringRuleSeverity: description: Severity of the Security Signal. enum: 
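Review bot: None of the three new schemas declares a `required` list or any constraint, so `steps`, `stepTransitions`, `name`, `condition`, `parent` and `child` all come out optional and unbounded in the generated SDK types; if the API rejects a rule without at least one step, or a transition that names a step not present in `steps`, the spec should say so (`required: [steps, stepTransitions]` on the options object, `required: [name, condition]` on the step, `required: [parent, child]` on the transition, and `minItems: 1` on both arrays) so that a missing field fails at compile time in the client rather than as a 400 from the server. The cross-references cannot be expressed in schema — `parent`/`child` must match a step `name`, and the example payloads in this change use `a > 0` / `b > 0` in step conditions and `step_b > 0` in the case condition — so they are worth stating in prose, e.g. on `stepTransitions`: `Each parent and child value must equal the name of an entry in steps.` This is inferred from the example bodies in the feature and cassette hunks, not from server validation visible here.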
diff --git a/cassettes/v2/Security-Monitoring_1187227211/Create-a-detection-rule-with-detection-method-sequence_detection-returns-OK-response_224770692/frozen.json b/cassettes/v2/Security-Monitoring_1187227211/Create-a-detection-rule-with-detection-method-sequence_detection-returns-OK-response_224770692/frozen.json new file mode 100644 index 000000000000..cb791b20c5c0 --- /dev/null +++ b/cassettes/v2/Security-Monitoring_1187227211/Create-a-detection-rule-with-detection-method-sequence_detection-returns-OK-response_224770692/frozen.json @@ -0,0 +1 @@ +"2025-09-12T15:45:55.719Z" diff --git a/cassettes/v2/Security-Monitoring_1187227211/Create-a-detection-rule-with-detection-method-sequence_detection-returns-OK-response_224770692/recording.har b/cassettes/v2/Security-Monitoring_1187227211/Create-a-detection-rule-with-detection-method-sequence_detection-returns-OK-response_224770692/recording.har new file mode 100644 index 000000000000..6064063a989b --- /dev/null +++ b/cassettes/v2/Security-Monitoring_1187227211/Create-a-detection-rule-with-detection-method-sequence_detection-returns-OK-response_224770692/recording.har 
@@ -0,0 +1,104 @@ +{ + "log": { + "_recordingName": "Security Monitoring/Create a detection rule with detection method 'sequence_detection' returns \"OK\" response", + "creator": { + "comment": "persister:fs", + "name": "Polly.JS", + "version": "6.0.5" + }, + "entries": [ + { + "_id": "faa8ed427532bf09665284cdbb2daf9c", + "_order": 0, + "cache": {}, + "request": { + "bodySize": 1000, + "cookies": [], + "headers": [ + { + "_fromType": "array", + "name": "accept", + "value": "application/json" + }, + { + "_fromType": "array", + "name": "content-type", + "value": "application/json" + } + ], + "headersSize": 589, + "httpVersion": "HTTP/1.1", + "method": "POST", + "postData": { + "mimeType": "application/json", + "params": [], + "text": "{\"cases\":[{\"condition\":\"step_b > 0\",\"name\":\"\",\"notifications\":[],\"status\":\"info\"}],\"isEnabled\":true,\"message\":\"Logs and signals asdf\",\"name\":\"Test-Create_a_detection_rule_with_detection_method_sequence_detection_returns_OK_response-1757691955\",\"options\":{\"detectionMethod\":\"sequence_detection\",\"evaluationWindow\":0,\"keepAlive\":300,\"maxSignalDuration\":600,\"sequenceDetectionOptions\":{\"stepTransitions\":[{\"child\":\"step_b\",\"evaluationWindow\":900,\"parent\":\"step_a\"}],\"steps\":[{\"condition\":\"a > 0\",\"evaluationWindow\":60,\"name\":\"step_a\"},{\"condition\":\"b > 0\",\"evaluationWindow\":60,\"name\":\"step_b\"}]}},\"queries\":[{\"aggregation\":\"count\",\"dataSource\":\"logs\",\"distinctFields\":[],\"groupByFields\":[],\"hasOptionalGroupByFields\":false,\"name\":\"\",\"query\":\"service:logs-rule-reducer source:paul test2\"},{\"aggregation\":\"count\",\"dataSource\":\"logs\",\"distinctFields\":[],\"groupByFields\":[],\"hasOptionalGroupByFields\":false,\"name\":\"\",\"query\":\"service:logs-rule-reducer source:paul test1\"}],\"tags\":[],\"type\":\"log_detection\"}" + }, + "queryString": [], + "url": "https://api.datadoghq.com/api/v2/security_monitoring/rules" + }, + "response": { + 
"bodySize": 1378, + "content": { + "mimeType": "application/json", + "size": 1378, + "text": "{\"name\":\"Test-Create_a_detection_rule_with_detection_method_sequence_detection_returns_OK_response-1757691955\",\"createdAt\":1757691955862,\"isDefault\":false,\"isPartner\":false,\"isEnabled\":true,\"isBeta\":false,\"isDeleted\":false,\"isDeprecated\":false,\"queries\":[{\"query\":\"service:logs-rule-reducer source:paul test2\",\"groupByFields\":[],\"hasOptionalGroupByFields\":false,\"distinctFields\":[],\"aggregation\":\"count\",\"name\":\"\",\"dataSource\":\"logs\"},{\"query\":\"service:logs-rule-reducer source:paul test1\",\"groupByFields\":[],\"hasOptionalGroupByFields\":false,\"distinctFields\":[],\"aggregation\":\"count\",\"name\":\"\",\"dataSource\":\"logs\"}],\"options\":{\"evaluationWindow\":0,\"detectionMethod\":\"sequence_detection\",\"maxSignalDuration\":600,\"keepAlive\":300,\"sequenceDetectionOptions\":{\"steps\":[{\"name\":\"step_a\",\"condition\":\"a \\u003e 0\",\"evaluationWindow\":60},{\"name\":\"step_b\",\"condition\":\"b \\u003e 0\",\"evaluationWindow\":60}],\"stepTransitions\":[{\"parent\":\"step_a\",\"child\":\"step_b\",\"evaluationWindow\":900}]}},\"cases\":[{\"name\":\"\",\"status\":\"info\",\"notifications\":[],\"condition\":\"step_b \\u003e 0\"}],\"message\":\"Logs and signals asdf\",\"tags\":[],\"hasExtendedTitle\":false,\"type\":\"log_detection\",\"filters\":[],\"version\":1,\"id\":\"k0l-txb-xxx\",\"blocking\":false,\"metadata\":{\"entities\":null,\"sources\":null},\"creationAuthorId\":1445416,\"creator\":{\"handle\":\"frog@datadoghq.com\",\"name\":\"frog\"},\"updater\":{\"handle\":\"\",\"name\":\"\"}}" + }, + "cookies": [], + "headers": [ + { + "name": "content-type", + "value": "application/json" + } + ], + "headersSize": 655, + "httpVersion": "HTTP/1.1", + "redirectURL": "", + "status": 200, + "statusText": "OK" + }, + "startedDateTime": "2025-09-12T15:45:55.723Z", + "time": 207 + }, + { + "_id": "d7239dc51220cdcb7c3c9788a4feafa5", + 
"_order": 0, + "cache": {}, + "request": { + "bodySize": 0, + "cookies": [], + "headers": [ + { + "_fromType": "array", + "name": "accept", + "value": "*/*" + } + ], + "headersSize": 536, + "httpVersion": "HTTP/1.1", + "method": "DELETE", + "queryString": [], + "url": "https://api.datadoghq.com/api/v2/security_monitoring/rules/k0l-txb-xxx" + }, + "response": { + "bodySize": 0, + "content": { + "mimeType": "text/plain", + "size": 0 + }, + "cookies": [], + "headers": [], + "headersSize": 601, + "httpVersion": "HTTP/1.1", + "redirectURL": "", + "status": 204, + "statusText": "No Content" + }, + "startedDateTime": "2025-09-12T15:45:55.938Z", + "time": 232 + } + ], + "pages": [], + "version": "1.2" + } +} diff --git a/cassettes/v2/Security-Monitoring_1187227211/Validate-a-detection-rule-with-detection-method-sequence_detection-returns-OK-response_4291746846/frozen.json b/cassettes/v2/Security-Monitoring_1187227211/Validate-a-detection-rule-with-detection-method-sequence_detection-returns-OK-response_4291746846/frozen.json new file mode 100644 index 000000000000..e9ed0d99819b --- /dev/null +++ b/cassettes/v2/Security-Monitoring_1187227211/Validate-a-detection-rule-with-detection-method-sequence_detection-returns-OK-response_4291746846/frozen.json @@ -0,0 +1 @@ +"2025-09-12T15:43:48.016Z" diff --git a/cassettes/v2/Security-Monitoring_1187227211/Validate-a-detection-rule-with-detection-method-sequence_detection-returns-OK-response_4291746846/recording.har b/cassettes/v2/Security-Monitoring_1187227211/Validate-a-detection-rule-with-detection-method-sequence_detection-returns-OK-response_4291746846/recording.har new file mode 100644 index 000000000000..6397db898bd4 --- /dev/null +++ b/cassettes/v2/Security-Monitoring_1187227211/Validate-a-detection-rule-with-detection-method-sequence_detection-returns-OK-response_4291746846/recording.har 
@@ -0,0 +1,61 @@ +{ + "log": { + "_recordingName": "Security Monitoring/Validate a detection rule with detection method 'sequence_detection' returns \"OK\" response", + "creator": { + "comment": "persister:fs", + "name": "Polly.JS", + "version": "6.0.5" + }, + "entries": [ + { + "_id": "7c3af95d617e9512f01309e2f2ec4f07", + "_order": 0, + "cache": {}, + "request": { + "bodySize": 856, + "cookies": [], + "headers": [ + { + "_fromType": "array", + "name": "accept", + "value": "*/*" + }, + { + "_fromType": "array", + "name": "content-type", + "value": "application/json" + } + ], + "headersSize": 588, + "httpVersion": "HTTP/1.1", + "method": "POST", + "postData": { + "mimeType": "application/json", + "params": [], + "text": "{\"cases\":[{\"condition\":\"step_b > 0\",\"name\":\"\",\"notifications\":[],\"status\":\"info\"}],\"hasExtendedTitle\":true,\"isEnabled\":true,\"message\":\"My security monitoring rule\",\"name\":\"My security monitoring rule\",\"options\":{\"detectionMethod\":\"sequence_detection\",\"evaluationWindow\":0,\"keepAlive\":300,\"maxSignalDuration\":600,\"sequenceDetectionOptions\":{\"stepTransitions\":[{\"child\":\"step_b\",\"evaluationWindow\":900,\"parent\":\"step_a\"}],\"steps\":[{\"condition\":\"a > 0\",\"evaluationWindow\":60,\"name\":\"step_a\"},{\"condition\":\"b > 0\",\"evaluationWindow\":60,\"name\":\"step_b\"}]}},\"queries\":[{\"aggregation\":\"count\",\"distinctFields\":[],\"groupByFields\":[\"@userIdentity.assumed_role\"],\"name\":\"\",\"query\":\"source:source_here\"},{\"aggregation\":\"count\",\"distinctFields\":[],\"groupByFields\":[],\"name\":\"\",\"query\":\"source:source_here2\"}],\"tags\":[\"env:prod\",\"team:security\"],\"type\":\"log_detection\"}" + }, + "queryString": [], + "url": "https://api.datadoghq.com/api/v2/security_monitoring/rules/validation" + }, + "response": { + "bodySize": 0, + "content": { + "mimeType": "text/plain", + "size": 0 + }, + "cookies": [], + "headers": [], + "headersSize": 601, + "httpVersion": "HTTP/1.1", 
+ "redirectURL": "", + "status": 204, + "statusText": "No Content" + }, + "startedDateTime": "2025-09-12T15:43:48.019Z", + "time": 114 + } + ], + "pages": [], + "version": "1.2" + } +} diff --git a/examples/v2/security-monitoring/CreateSecurityMonitoringRule_2899714190.ts b/examples/v2/security-monitoring/CreateSecurityMonitoringRule_2899714190.ts new file mode 100644 index 000000000000..eb46336e8ab5 --- /dev/null +++ b/examples/v2/security-monitoring/CreateSecurityMonitoringRule_2899714190.ts 
@@ -0,0 +1,82 @@ +/** + * Create a detection rule with detection method 'sequence_detection' returns "OK" response + */ + +import { client, v2 } from "@datadog/datadog-api-client"; + +const configuration = client.createConfiguration(); +const apiInstance = new v2.SecurityMonitoringApi(configuration); + +const params: v2.SecurityMonitoringApiCreateSecurityMonitoringRuleRequest = { + body: { + name: "Example-Security-Monitoring", + type: "log_detection", + isEnabled: true, + queries: [ + { + aggregation: "count", + dataSource: "logs", + distinctFields: [], + groupByFields: [], + hasOptionalGroupByFields: false, + name: "", + query: "service:logs-rule-reducer source:paul test2", + }, + { + aggregation: "count", + dataSource: "logs", + distinctFields: [], + groupByFields: [], + hasOptionalGroupByFields: false, + name: "", + query: "service:logs-rule-reducer source:paul test1", + }, + ], + cases: [ + { + name: "", + status: "info", + notifications: [], + condition: "step_b > 0", + }, + ], + message: "Logs and signals asdf", + options: { + detectionMethod: "sequence_detection", + evaluationWindow: 0, + keepAlive: 300, + maxSignalDuration: 600, + sequenceDetectionOptions: { + stepTransitions: [ + { + child: "step_b", + evaluationWindow: 900, + parent: "step_a", + }, + ], + steps: [ + { + condition: "a > 0", + evaluationWindow: 60, + name: "step_a", + }, + { + condition: "b > 0", + evaluationWindow: 60, + name: "step_b", + }, + ], + }, + }, + tags: [], + }, +}; + +apiInstance + .createSecurityMonitoringRule(params) + .then((data: v2.SecurityMonitoringRuleResponse) => { + console.log( + "API called successfully. Returned data: " + JSON.stringify(data) + ); + }) + .catch((error: any) => console.error(error)); diff --git a/examples/v2/security-monitoring/ValidateSecurityMonitoringRule_4152369508.ts b/examples/v2/security-monitoring/ValidateSecurityMonitoringRule_4152369508.ts new file mode 100644 index 000000000000..b92dcdd7b030 --- /dev/null 
+++ b/examples/v2/security-monitoring/ValidateSecurityMonitoringRule_4152369508.ts @@ -0,0 +1,79 @@ +/** + * Validate a detection rule with detection method 'sequence_detection' returns "OK" response + */ + +import { client, v2 } from "@datadog/datadog-api-client"; + +const configuration = client.createConfiguration(); +const apiInstance = new v2.SecurityMonitoringApi(configuration); + +const params: v2.SecurityMonitoringApiValidateSecurityMonitoringRuleRequest = { + body: { + cases: [ + { + name: "", + status: "info", + notifications: [], + condition: "step_b > 0", + }, + ], + hasExtendedTitle: true, + isEnabled: true, + message: "My security monitoring rule", + name: "My security monitoring rule", + options: { + evaluationWindow: 0, + keepAlive: 300, + maxSignalDuration: 600, + detectionMethod: "sequence_detection", + sequenceDetectionOptions: { + stepTransitions: [ + { + child: "step_b", + evaluationWindow: 900, + parent: "step_a", + }, + ], + steps: [ + { + condition: "a > 0", + evaluationWindow: 60, + name: "step_a", + }, + { + condition: "b > 0", + evaluationWindow: 60, + name: "step_b", + }, + ], + }, + }, + queries: [ + { + query: "source:source_here", + groupByFields: ["@userIdentity.assumed_role"], + distinctFields: [], + aggregation: "count", + name: "", + }, + { + query: "source:source_here2", + groupByFields: [], + distinctFields: [], + aggregation: "count", + name: "", + }, + ], + tags: ["env:prod", "team:security"], + type: "log_detection", + }, +}; + +apiInstance + .validateSecurityMonitoringRule(params) + .then((data: any) => { + console.log( + "API called successfully. Returned data: " + JSON.stringify(data) + ); + }) + .catch((error: any) => console.error(error)); diff --git a/features/v2/security_monitoring.feature b/features/v2/security_monitoring.feature index 612e8fc5f98f..f4eab41ff04f 100644 --- a/features/v2/security_monitoring.feature +++ b/features/v2/security_monitoring.feature 
@@ -211,6 +211,16 @@ Feature: Security Monitoring And the response "message" is equal to "Test rule" And the response "referenceTables" is equal to [{"tableName": "synthetics_test_reference_table_dont_delete", "columnName": "value", "logFieldPath":"testtag", "checkPresence":true, "ruleQueryName":"a"}] + @team:DataDog/k9-cloud-security-platform + Scenario: Create a detection rule with detection method 'sequence_detection' returns "OK" response + Given new "CreateSecurityMonitoringRule" request + And body with value {"name":"{{ unique }}","type":"log_detection","isEnabled":true,"queries":[{"aggregation":"count","dataSource":"logs","distinctFields":[],"groupByFields":[],"hasOptionalGroupByFields":false,"name":"","query":"service:logs-rule-reducer source:paul test2"},{"aggregation":"count","dataSource":"logs","distinctFields":[],"groupByFields":[],"hasOptionalGroupByFields":false,"name":"","query":"service:logs-rule-reducer source:paul test1"}],"cases":[{"name":"","status":"info","notifications":[],"condition":"step_b > 0"}],"message":"Logs and signals asdf","options":{"detectionMethod":"sequence_detection","evaluationWindow":0,"keepAlive":300,"maxSignalDuration":600,"sequenceDetectionOptions":{"stepTransitions":[{"child":"step_b","evaluationWindow":900,"parent":"step_a"}],"steps":[{"condition":"a > 0","evaluationWindow":60,"name":"step_a"},{"condition":"b > 0","evaluationWindow":60,"name":"step_b"}]}},"tags":[]} + When the request is sent + Then the response status is 200 OK + And the response "name" is equal to "{{ unique }}" + And the response "type" is equal to "log_detection" + And the response "options.detectionMethod" is equal to "sequence_detection" + @team:DataDog/k9-cloud-security-platform Scenario: Create a detection rule with detection method 'third_party' returns "OK" response Given new "CreateSecurityMonitoringRule" request 
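Review bot: The new create scenario asserts only `name`, `type` and `options.detectionMethod`, so it would still pass if the server dropped or altered `sequenceDetectionOptions` on the way back. The recorded response in the accompanying cassette echoes both `steps` and `stepTransitions`, so that round-trip can be pinned with the same list-equality form the file already uses for `referenceTables`, e.g. `And the response "options.sequenceDetectionOptions.stepTransitions" is equal to [{"parent":"step_a","child":"step_b","evaluationWindow":900}]`. The validate scenario in the later hunk returns 204 with no body, so nothing further can be asserted there.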
@@ -1483,6 +1493,13 @@ Feature: Security Monitoring When the request is sent Then the response status is 204 OK + @team:DataDog/k9-cloud-security-platform + Scenario: Validate a detection rule with detection method 'sequence_detection' returns "OK" response + Given new "ValidateSecurityMonitoringRule" request + And body with value {"cases":[{"name":"","status":"info","notifications":[],"condition":"step_b > 0"}],"hasExtendedTitle":true,"isEnabled":true,"message":"My security monitoring rule","name":"My security monitoring rule","options":{"evaluationWindow":0,"keepAlive":300,"maxSignalDuration":600,"detectionMethod":"sequence_detection","sequenceDetectionOptions":{"stepTransitions":[{"child":"step_b","evaluationWindow":900,"parent":"step_a"}],"steps":[{"condition":"a > 0","evaluationWindow":60,"name":"step_a"},{"condition":"b > 0","evaluationWindow":60,"name":"step_b"}]}},"queries":[{"query":"source:source_here","groupByFields":["@userIdentity.assumed_role"],"distinctFields":[],"aggregation":"count","name":""},{"query":"source:source_here2","groupByFields":[],"distinctFields":[],"aggregation":"count","name":""}],"tags":["env:prod","team:security"],"type":"log_detection"} + When the request is sent + Then the response status is 204 OK + @team:DataDog/k9-cloud-security-platform Scenario: Validate a suppression rule returns "Bad Request" response Given new "ValidateSecurityMonitoringSuppression" request diff --git a/packages/datadog-api-client-v2/index.ts b/packages/datadog-api-client-v2/index.ts index b38c21d96ed8..ef2d28f76d89 100644 --- a/packages/datadog-api-client-v2/index.ts +++ b/packages/datadog-api-client-v2/index.ts 
@@ -3411,6 +3411,9 @@ export { SecurityMonitoringRuleQueryAggregation } from "./models/SecurityMonitor export { SecurityMonitoringRuleQueryPayload } from "./models/SecurityMonitoringRuleQueryPayload"; export { SecurityMonitoringRuleQueryPayloadData } from "./models/SecurityMonitoringRuleQueryPayloadData"; export { SecurityMonitoringRuleResponse } from "./models/SecurityMonitoringRuleResponse"; +export { SecurityMonitoringRuleSequenceDetectionOptions } from "./models/SecurityMonitoringRuleSequenceDetectionOptions"; +export { SecurityMonitoringRuleSequenceDetectionStep } from "./models/SecurityMonitoringRuleSequenceDetectionStep"; +export { SecurityMonitoringRuleSequenceDetectionStepTransition } from "./models/SecurityMonitoringRuleSequenceDetectionStepTransition"; export { SecurityMonitoringRuleSeverity } from "./models/SecurityMonitoringRuleSeverity"; export { SecurityMonitoringRuleTestPayload } from "./models/SecurityMonitoringRuleTestPayload"; export { SecurityMonitoringRuleTestRequest } from "./models/SecurityMonitoringRuleTestRequest"; diff --git a/packages/datadog-api-client-v2/models/HistoricalJobOptions.ts b/packages/datadog-api-client-v2/models/HistoricalJobOptions.ts index 616ec5e62f98..e5a31e2d8420 100644 --- a/packages/datadog-api-client-v2/models/HistoricalJobOptions.ts +++ b/packages/datadog-api-client-v2/models/HistoricalJobOptions.ts 
@@ -9,6 +9,7 @@ import { SecurityMonitoringRuleImpossibleTravelOptions } from "./SecurityMonitor import { SecurityMonitoringRuleKeepAlive } from "./SecurityMonitoringRuleKeepAlive"; import { SecurityMonitoringRuleMaxSignalDuration } from "./SecurityMonitoringRuleMaxSignalDuration"; import { SecurityMonitoringRuleNewValueOptions } from "./SecurityMonitoringRuleNewValueOptions"; +import { SecurityMonitoringRuleSequenceDetectionOptions } from "./SecurityMonitoringRuleSequenceDetectionOptions"; import { SecurityMonitoringRuleThirdPartyOptions } from "./SecurityMonitoringRuleThirdPartyOptions"; import { AttributeTypeMap } from "../../datadog-api-client-common/util"; @@ -44,6 +45,10 @@ export class HistoricalJobOptions { * Options on new value detection method. */ "newValueOptions"?: SecurityMonitoringRuleNewValueOptions; + /** + * Options on sequence detection method. + */ + "sequenceDetectionOptions"?: SecurityMonitoringRuleSequenceDetectionOptions; /** * Options on third party detection method. */ @@ -89,6 +94,10 @@ export class HistoricalJobOptions { baseName: "newValueOptions", type: "SecurityMonitoringRuleNewValueOptions", }, + sequenceDetectionOptions: { + baseName: "sequenceDetectionOptions", + type: "SecurityMonitoringRuleSequenceDetectionOptions", + }, thirdPartyRuleOptions: { baseName: "thirdPartyRuleOptions", type: "SecurityMonitoringRuleThirdPartyOptions", diff --git a/packages/datadog-api-client-v2/models/ObjectSerializer.ts b/packages/datadog-api-client-v2/models/ObjectSerializer.ts index 598d2a19eda7..0ef70d5037a6 100644 --- a/packages/datadog-api-client-v2/models/ObjectSerializer.ts +++ b/packages/datadog-api-client-v2/models/ObjectSerializer.ts 
@@ -1902,6 +1902,9 @@ import { SecurityMonitoringRuleNewValueOptions } from "./SecurityMonitoringRuleN import { SecurityMonitoringRuleOptions } from "./SecurityMonitoringRuleOptions"; import { SecurityMonitoringRuleQueryPayload } from "./SecurityMonitoringRuleQueryPayload"; import { SecurityMonitoringRuleQueryPayloadData } from "./SecurityMonitoringRuleQueryPayloadData"; +import { SecurityMonitoringRuleSequenceDetectionOptions } from "./SecurityMonitoringRuleSequenceDetectionOptions"; +import { SecurityMonitoringRuleSequenceDetectionStep } from "./SecurityMonitoringRuleSequenceDetectionStep"; +import { SecurityMonitoringRuleSequenceDetectionStepTransition } from "./SecurityMonitoringRuleSequenceDetectionStepTransition"; import { SecurityMonitoringRuleTestRequest } from "./SecurityMonitoringRuleTestRequest"; import { SecurityMonitoringRuleTestResponse } from "./SecurityMonitoringRuleTestResponse"; import { SecurityMonitoringRuleThirdPartyOptions } from "./SecurityMonitoringRuleThirdPartyOptions"; @@ -3523,6 +3526,7 @@ const enumsMap: { [key: string]: any[] } = { "hardcoded", "third_party", "anomaly_threshold", + "sequence_detection", ], SecurityMonitoringRuleEvaluationWindow: [ 0, 60, 300, 600, 900, 1800, 3600, 7200, 10800, 21600, 43200, 86400, @@ -6080,6 +6084,12 @@ const typeMap: { [index: string]: any } = { SecurityMonitoringRuleQueryPayload: SecurityMonitoringRuleQueryPayload, SecurityMonitoringRuleQueryPayloadData: SecurityMonitoringRuleQueryPayloadData, + SecurityMonitoringRuleSequenceDetectionOptions: + SecurityMonitoringRuleSequenceDetectionOptions, + SecurityMonitoringRuleSequenceDetectionStep: + SecurityMonitoringRuleSequenceDetectionStep, + SecurityMonitoringRuleSequenceDetectionStepTransition: + SecurityMonitoringRuleSequenceDetectionStepTransition, SecurityMonitoringRuleTestRequest: SecurityMonitoringRuleTestRequest, SecurityMonitoringRuleTestResponse: SecurityMonitoringRuleTestResponse, SecurityMonitoringRuleThirdPartyOptions: 
diff --git a/packages/datadog-api-client-v2/models/SecurityMonitoringRuleDetectionMethod.ts b/packages/datadog-api-client-v2/models/SecurityMonitoringRuleDetectionMethod.ts index 7e82b7a8ecd4..4d2ec8266d1e 100644 --- a/packages/datadog-api-client-v2/models/SecurityMonitoringRuleDetectionMethod.ts +++ b/packages/datadog-api-client-v2/models/SecurityMonitoringRuleDetectionMethod.ts @@ -18,6 +18,7 @@ export type SecurityMonitoringRuleDetectionMethod = | typeof HARDCODED | typeof THIRD_PARTY | typeof ANOMALY_THRESHOLD + | typeof SEQUENCE_DETECTION | UnparsedObject; export const THRESHOLD = "threshold"; export const NEW_VALUE = "new_value"; @@ -26,3 +27,4 @@ export const IMPOSSIBLE_TRAVEL = "impossible_travel"; export const HARDCODED = "hardcoded"; export const THIRD_PARTY = "third_party"; export const ANOMALY_THRESHOLD = "anomaly_threshold"; +export const SEQUENCE_DETECTION = "sequence_detection"; diff --git a/packages/datadog-api-client-v2/models/SecurityMonitoringRuleOptions.ts b/packages/datadog-api-client-v2/models/SecurityMonitoringRuleOptions.ts index 4c360fc49c4a..f61b9e6e290d 100644 --- a/packages/datadog-api-client-v2/models/SecurityMonitoringRuleOptions.ts +++ b/packages/datadog-api-client-v2/models/SecurityMonitoringRuleOptions.ts @@ -11,6 +11,7 @@ import { SecurityMonitoringRuleImpossibleTravelOptions } from "./SecurityMonitor import { SecurityMonitoringRuleKeepAlive } from "./SecurityMonitoringRuleKeepAlive"; import { SecurityMonitoringRuleMaxSignalDuration } from "./SecurityMonitoringRuleMaxSignalDuration"; import { SecurityMonitoringRuleNewValueOptions } from "./SecurityMonitoringRuleNewValueOptions"; +import { SecurityMonitoringRuleSequenceDetectionOptions } from "./SecurityMonitoringRuleSequenceDetectionOptions"; import { SecurityMonitoringRuleThirdPartyOptions } from "./SecurityMonitoringRuleThirdPartyOptions"; import { AttributeTypeMap } from "../../datadog-api-client-common/util"; 
@@ -61,6 +62,10 @@ export class SecurityMonitoringRuleOptions { * Options on new value detection method. */ "newValueOptions"?: SecurityMonitoringRuleNewValueOptions; + /** + * Options on sequence detection method. + */ + "sequenceDetectionOptions"?: SecurityMonitoringRuleSequenceDetectionOptions; /** * Options on third party detection method. */ @@ -118,6 +123,10 @@ export class SecurityMonitoringRuleOptions { baseName: "newValueOptions", type: "SecurityMonitoringRuleNewValueOptions", }, + sequenceDetectionOptions: { + baseName: "sequenceDetectionOptions", + type: "SecurityMonitoringRuleSequenceDetectionOptions", + }, thirdPartyRuleOptions: { baseName: "thirdPartyRuleOptions", type: "SecurityMonitoringRuleThirdPartyOptions", diff --git a/packages/datadog-api-client-v2/models/SecurityMonitoringRuleSequenceDetectionOptions.ts b/packages/datadog-api-client-v2/models/SecurityMonitoringRuleSequenceDetectionOptions.ts new file mode 100644 index 000000000000..513f6adbc354 --- /dev/null +++ b/packages/datadog-api-client-v2/models/SecurityMonitoringRuleSequenceDetectionOptions.ts 
@@ -0,0 +1,62 @@ +/** + * Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. + * This product includes software developed at Datadog (https://www.datadoghq.com/). + * Copyright 2020-Present Datadog, Inc. + */ +import { SecurityMonitoringRuleSequenceDetectionStep } from "./SecurityMonitoringRuleSequenceDetectionStep"; +import { SecurityMonitoringRuleSequenceDetectionStepTransition } from "./SecurityMonitoringRuleSequenceDetectionStepTransition"; + +import { AttributeTypeMap } from "../../datadog-api-client-common/util"; + +/** + * Options on sequence detection method. + */ +export class SecurityMonitoringRuleSequenceDetectionOptions { + /** + * Transitions defining the allowed order of steps and their evaluation windows. + */ + "stepTransitions"?: Array; + /** + * Steps that define the conditions to be matched in sequence. + */ + "steps"?: Array; + + /** + * A container for additional, undeclared properties. + * This is a holder for any undeclared properties as specified with + * the 'additionalProperties' keyword in the OAS document. + */ + "additionalProperties"?: { [key: string]: any }; + + /** + * @ignore + */ + "_unparsed"?: boolean; + + /** + * @ignore + */ + static readonly attributeTypeMap: AttributeTypeMap = { + stepTransitions: { + baseName: "stepTransitions", + type: "Array", + }, + steps: { + baseName: "steps", + type: "Array", + }, + additionalProperties: { + baseName: "additionalProperties", + type: "{ [key: string]: any; }", + }, + }; + + /** + * @ignore + */ + static getAttributeTypeMap(): AttributeTypeMap { + return SecurityMonitoringRuleSequenceDetectionOptions.attributeTypeMap; + } + + public constructor() {} +} diff --git a/packages/datadog-api-client-v2/models/SecurityMonitoringRuleSequenceDetectionStep.ts b/packages/datadog-api-client-v2/models/SecurityMonitoringRuleSequenceDetectionStep.ts new file mode 100644 index 000000000000..bea191ae9f83 --- /dev/null 
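Review bot: As rendered here, `"stepTransitions"?: Array;` and `"steps"?: Array;` carry no element type, and the matching `attributeTypeMap` entries read `type: "Array"` with no element type either; this is most likely the page dropping the `<…>` generic parameter, but if the emitted file really reads this way the serializer presumably cannot resolve the element classes this change registers in `ObjectSerializer.ts`'s `typeMap`, and the arrays would be passed through as untyped objects. Confirm the generated file contains `"stepTransitions"?: Array<SecurityMonitoringRuleSequenceDetectionStepTransition>;` and `type: "Array<SecurityMonitoringRuleSequenceDetectionStepTransition>"`, and the same for `steps` with `SecurityMonitoringRuleSequenceDetectionStep`. If the element types are genuinely absent, the two model imports at the top of this file become unused, which a lint run would flag immediately.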
+++ b/packages/datadog-api-client-v2/models/SecurityMonitoringRuleSequenceDetectionStep.ts 
@@ -0,0 +1,70 @@ +/** + * Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. + * This product includes software developed at Datadog (https://www.datadoghq.com/). + * Copyright 2020-Present Datadog, Inc. + */ +import { SecurityMonitoringRuleEvaluationWindow } from "./SecurityMonitoringRuleEvaluationWindow"; + +import { AttributeTypeMap } from "../../datadog-api-client-common/util"; + +/** + * Step definition for sequence detection containing the step name, condition, and evaluation window. + */ +export class SecurityMonitoringRuleSequenceDetectionStep { + /** + * Condition referencing rule queries (e.g., `a > 0`). + */ + "condition"?: string; + /** + * A time window is specified to match when at least one of the cases matches true. This is a sliding window + * and evaluates in real time. For third party detection method, this field is not used. + */ + "evaluationWindow"?: SecurityMonitoringRuleEvaluationWindow; + /** + * Unique name identifying the step. + */ + "name"?: string; + + /** + * A container for additional, undeclared properties. + * This is a holder for any undeclared properties as specified with + * the 'additionalProperties' keyword in the OAS document. + */ + "additionalProperties"?: { [key: string]: any }; + + /** + * @ignore + */ + "_unparsed"?: boolean; + + /** + * @ignore + */ + static readonly attributeTypeMap: AttributeTypeMap = { + condition: { + baseName: "condition", + type: "string", + }, + evaluationWindow: { + baseName: "evaluationWindow", + type: "SecurityMonitoringRuleEvaluationWindow", + }, + name: { + baseName: "name", + type: "string", + }, + additionalProperties: { + baseName: "additionalProperties", + type: "{ [key: string]: any; }", + }, + }; + + /** + * @ignore + */ + static getAttributeTypeMap(): AttributeTypeMap { + return SecurityMonitoringRuleSequenceDetectionStep.attributeTypeMap; + } + + public constructor() {} +} 
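Review bot: The doc comment on `evaluationWindow` in this class (and the identical one in `SecurityMonitoringRuleSequenceDetectionStepTransition.ts` in the following hunk) is the generic description of the shared `SecurityMonitoringRuleEvaluationWindow` enum — "match when at least one of the cases matches true … For third party detection method, this field is not used." — which says nothing about what the window means for a single step or for a parent-to-child transition. Because the generator copies the referenced schema's description, the fix belongs in the `openapi.yaml` hunk: give each `evaluationWindow` property its own description, for example `Sliding window in which this step's condition must match.` on the step and `Window, counted from the parent step's match, within which the child step must match.` on the transition, to be confirmed with the API owners since the exact semantics are not stated anywhere in this change. If the spec is OpenAPI 3.0.x, a `description` placed beside `$ref` is ignored by strict tooling, so the property may need an `allOf` wrapper for the generator to pick the text up.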
diff --git a/packages/datadog-api-client-v2/models/SecurityMonitoringRuleSequenceDetectionStepTransition.ts b/packages/datadog-api-client-v2/models/SecurityMonitoringRuleSequenceDetectionStepTransition.ts new file mode 100644 index 000000000000..4d568180231a --- /dev/null +++ b/packages/datadog-api-client-v2/models/SecurityMonitoringRuleSequenceDetectionStepTransition.ts 
@@ -0,0 +1,70 @@ +/** + * Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. + * This product includes software developed at Datadog (https://www.datadoghq.com/). + * Copyright 2020-Present Datadog, Inc. + */ +import { SecurityMonitoringRuleEvaluationWindow } from "./SecurityMonitoringRuleEvaluationWindow"; + +import { AttributeTypeMap } from "../../datadog-api-client-common/util"; + +/** + * Transition from a parent step to a child step within a sequence detection rule. + */ +export class SecurityMonitoringRuleSequenceDetectionStepTransition { + /** + * Name of the child step. + */ + "child"?: string; + /** + * A time window is specified to match when at least one of the cases matches true. This is a sliding window + * and evaluates in real time. For third party detection method, this field is not used. + */ + "evaluationWindow"?: SecurityMonitoringRuleEvaluationWindow; + /** + * Name of the parent step. + */ + "parent"?: string; + + /** + * A container for additional, undeclared properties. + * This is a holder for any undeclared properties as specified with + * the 'additionalProperties' keyword in the OAS document. + */ + "additionalProperties"?: { [key: string]: any }; + + /** + * @ignore + */ + "_unparsed"?: boolean; + + /** + * @ignore + */ + static readonly attributeTypeMap: AttributeTypeMap = { + child: { + baseName: "child", + type: "string", + }, + evaluationWindow: { + baseName: "evaluationWindow", + type: "SecurityMonitoringRuleEvaluationWindow", + }, + parent: { + baseName: "parent", + type: "string", + }, + additionalProperties: { + baseName: "additionalProperties", + type: "{ [key: string]: any; }", + }, + }; + + /** + * @ignore + */ + static getAttributeTypeMap(): AttributeTypeMap { + return SecurityMonitoringRuleSequenceDetectionStepTransition.attributeTypeMap; + } + + public constructor() {} +}