Add user behavior case actions in API spec

.apigentools-info

@@ -4,13 +4,13 @@
     "spec_versions": {
         "v1": {
             "apigentools_version": "1.6.6",
-            "regenerated": "2025-04-10 11:41:56.358780",
-            "spec_repo_commit": "7f98e0a9"
+            "regenerated": "2025-04-10 18:01:30.298822",
+            "spec_repo_commit": "c0a45137"
         },
         "v2": {
             "apigentools_version": "1.6.6",
-            "regenerated": "2025-04-10 11:41:56.373787",
-            "spec_repo_commit": "7f98e0a9"
+            "regenerated": "2025-04-10 18:01:30.315459",
+            "spec_repo_commit": "c0a45137"
         }
     }
 }

.generator/schemas/v2/openapi.yaml

@@ -27215,6 +27215,7 @@ components:
           $ref: '#/components/schemas/SecurityMonitoringRuleCaseActionType'
       type: object
     SecurityMonitoringRuleCaseActionOptions:
+      additionalProperties: {}
       description: Options for the rule action
       properties:
         duration:
@@ -27223,16 +27224,24 @@ components:
           format: int64
           minimum: 0
           type: integer
+        userBehaviorName:
+          $ref: '#/components/schemas/SecurityMonitoringRuleCaseActionOptionsUserBehaviorName'
       type: object
+    SecurityMonitoringRuleCaseActionOptionsUserBehaviorName:
+      description: Used with the case action of type 'user_behavior'. The value specified
+        in this field is applied as a risk tag to all users affected by the rule.
+      type: string
     SecurityMonitoringRuleCaseActionType:
       description: The action type.
       enum:
       - block_ip
       - block_user
+      - user_behavior
       type: string
       x-enum-varnames:
       - BLOCK_IP
       - BLOCK_USER
+      - USER_BEHAVIOR
     SecurityMonitoringRuleCaseCreate:
       description: Case when signal is generated.
       properties:

examples/v2/security-monitoring/CreateSecurityMonitoringRule_1965169892.py

@@ -57,6 +57,12 @@
                         duration=900,
                     ),
                 ),
+                SecurityMonitoringRuleCaseAction(
+                    type=SecurityMonitoringRuleCaseActionType.USER_BEHAVIOR,
+                    options=SecurityMonitoringRuleCaseActionOptions(
+                        user_behavior_name="behavior",
+                    ),
+                ),
             ],
         ),
     ],

src/datadog_api_client/v2/model/security_monitoring_rule_case_action_options.py

@@ -24,19 +24,28 @@ class SecurityMonitoringRuleCaseActionOptions(ModelNormal):
     def openapi_types(_):
         return {
             "duration": (int,),
+            "user_behavior_name": (str,),
         }
 
     attribute_map = {
         "duration": "duration",
+        "user_behavior_name": "userBehaviorName",
     }
 
-    def __init__(self_, duration: Union[int, UnsetType] = unset, **kwargs):
+    def __init__(
+        self_, duration: Union[int, UnsetType] = unset, user_behavior_name: Union[str, UnsetType] = unset, **kwargs
+    ):
         """
         Options for the rule action
 
         :param duration: Duration of the action in seconds. 0 indicates no expiration.
         :type duration: int, optional
+
+        :param user_behavior_name: Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.
+        :type user_behavior_name: str, optional
         """
         if duration is not unset:
             kwargs["duration"] = duration
+        if user_behavior_name is not unset:
+            kwargs["user_behavior_name"] = user_behavior_name
         super().__init__(kwargs)

src/datadog_api_client/v2/model/security_monitoring_rule_case_action_type.py

@@ -16,16 +16,18 @@ class SecurityMonitoringRuleCaseActionType(ModelSimple):
     """
     The action type.
 
-    :param value: Must be one of ["block_ip", "block_user"].
+    :param value: Must be one of ["block_ip", "block_user", "user_behavior"].
     :type value: str
     """
 
     allowed_values = {
         "block_ip",
         "block_user",
+        "user_behavior",
     }
     BLOCK_IP: ClassVar["SecurityMonitoringRuleCaseActionType"]
     BLOCK_USER: ClassVar["SecurityMonitoringRuleCaseActionType"]
+    USER_BEHAVIOR: ClassVar["SecurityMonitoringRuleCaseActionType"]
 
     @cached_property
     def openapi_types(_):
@@ -36,3 +38,4 @@ def openapi_types(_):
 
 SecurityMonitoringRuleCaseActionType.BLOCK_IP = SecurityMonitoringRuleCaseActionType("block_ip")
 SecurityMonitoringRuleCaseActionType.BLOCK_USER = SecurityMonitoringRuleCaseActionType("block_user")
+SecurityMonitoringRuleCaseActionType.USER_BEHAVIOR = SecurityMonitoringRuleCaseActionType("user_behavior")

tests/v2/cassettes/test_scenarios/test_create_a_detection_rule_with_type_application_security_returns_ok_response.frozen

@@ -1 +1 @@
-2025-02-06T16:50:39.787Z
+2025-04-09T15:02:05.047Z

tests/v2/cassettes/test_scenarios/test_create_a_detection_rule_with_type_application_security_returns_ok_response.yaml

@@ -1,8 +1,8 @@
 interactions:
 - request:
-    body: '{"cases":[{"actions":[{"options":{"duration":900},"type":"block_ip"}],"condition":"a
+    body: '{"cases":[{"actions":[{"options":{"duration":900},"type":"block_ip"},{"options":{"userBehaviorName":"behavior"},"type":"user_behavior"}],"condition":"a
       > 100000","name":"","notifications":[],"status":"info"}],"filters":[],"groupSignalsBy":["service"],"isEnabled":true,"message":"Test
-      rule","name":"Test-Create_a_detection_rule_with_type_application_security_returns_OK_response-1738860639_appsec_rule","options":{"detectionMethod":"threshold","evaluationWindow":900,"keepAlive":3600,"maxSignalDuration":86400},"queries":[{"aggregation":"count","distinctFields":[],"groupByFields":["service","@http.client_ip"],"query":"@appsec.security_activity:business_logic.users.login.failure"}],"tags":[],"type":"application_security"}'
+      rule","name":"Test-Create_a_detection_rule_with_type_application_security_returns_OK_response-1744210925_appsec_rule","options":{"detectionMethod":"threshold","evaluationWindow":900,"keepAlive":3600,"maxSignalDuration":86400},"queries":[{"aggregation":"count","distinctFields":[],"groupByFields":["service","@http.client_ip"],"query":"@appsec.security_activity:business_logic.users.login.failure"}],"tags":[],"type":"application_security"}'
     headers:
       accept:
       - application/json
@@ -12,9 +12,10 @@ interactions:
     uri: https://api.datadoghq.com/api/v2/security_monitoring/rules
   response:
     body:
-      string: '{"name":"Test-Create_a_detection_rule_with_type_application_security_returns_OK_response-1738860639_appsec_rule","createdAt":1738860640426,"isDefault":false,"isPartner":false,"isEnabled":true,"isBeta":false,"isDeleted":false,"isDeprecated":false,"queries":[{"query":"@appsec.security_activity:business_logic.users.login.failure","groupByFields":["service","@http.client_ip"],"hasOptionalGroupByFields":false,"distinctFields":[],"aggregation":"count","name":"","dataSource":"app_sec_spans"}],"options":{"evaluationWindow":900,"detectionMethod":"threshold","maxSignalDuration":86400,"keepAlive":3600},"cases":[{"name":"","status":"info","notifications":[],"condition":"a
-        \u003e 100000","actions":[{"type":"block_ip","options":{"duration":900}}]}],"message":"Test
-        rule","tags":[],"hasExtendedTitle":false,"type":"application_security","filters":[],"version":1,"id":"rfn-h2v-udr","blocking":true,"groupSignalsBy":["service"],"casesActions":[[{"type":"block_ip","options":{"duration":900}}]],"dependencies":["business_logic.users.login.failure"],"metadata":{"entities":null,"sources":null},"creator":{"handle":"","name":""},"updater":{"handle":"","name":""}}'
+      string: '{"name":"Test-Create_a_detection_rule_with_type_application_security_returns_OK_response-1744210925_appsec_rule","createdAt":1744210925675,"isDefault":false,"isPartner":false,"isEnabled":true,"isBeta":false,"isDeleted":false,"isDeprecated":false,"queries":[{"query":"@appsec.security_activity:business_logic.users.login.failure","groupByFields":["service","@http.client_ip"],"hasOptionalGroupByFields":false,"distinctFields":[],"aggregation":"count","name":"","dataSource":"app_sec_spans"}],"options":{"evaluationWindow":900,"detectionMethod":"threshold","maxSignalDuration":86400,"keepAlive":3600},"cases":[{"name":"","status":"info","notifications":[],"condition":"a
+        \u003e 100000","actions":[{"type":"block_ip","options":{"duration":900}},{"type":"user_behavior","options":{"userBehaviorName":"behavior"}}]}],"message":"Test
+        rule","tags":[],"hasExtendedTitle":false,"type":"application_security","filters":[],"version":1,"id":"lfr-zxg-fyc","blocking":true,"groupSignalsBy":["service"],"dependencies":["business_logic.users.login.failure"],"metadata":{"entities":null,"sources":null},"creationAuthorId":2320499,"creator":{"handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","name":"CI
+        Account"},"updater":{"handle":"","name":""}}'
     headers:
       content-type:
       - application/json
@@ -27,14 +28,12 @@ interactions:
       accept:
       - '*/*'
     method: DELETE
-    uri: https://api.datadoghq.com/api/v2/security_monitoring/rules/rfn-h2v-udr
+    uri: https://api.datadoghq.com/api/v2/security_monitoring/rules/lfr-zxg-fyc
   response:
     body:
-      string: '{"status":"404","title":"Not Found"}'
-    headers:
-      content-type:
-      - application/json
+      string: ''
+    headers: {}
     status:
-      code: 404
-      message: Not Found
+      code: 204
+      message: No Content
 version: 1

tests/v2/features/security_monitoring.feature

@@ -203,7 +203,7 @@ Feature: Security Monitoring
   @skip-validation @team:DataDog/k9-cloud-security-platform
   Scenario: Create a detection rule with type 'application_security 'returns "OK" response
     Given new "CreateSecurityMonitoringRule" request
-    And body with value {"type":"application_security","name":"{{unique}}_appsec_rule","queries":[{"query":"@appsec.security_activity:business_logic.users.login.failure","aggregation":"count","groupByFields":["service","@http.client_ip"],"distinctFields":[]}],"filters":[],"cases":[{"name":"","status":"info","notifications":[],"condition":"a > 100000","actions":[{"type":"block_ip","options":{"duration":900}}]}],"options":{"keepAlive":3600,"maxSignalDuration":86400,"evaluationWindow":900,"detectionMethod":"threshold"},"isEnabled":true,"message":"Test rule","tags":[],"groupSignalsBy":["service"]}
+    And body with value {"type":"application_security","name":"{{unique}}_appsec_rule","queries":[{"query":"@appsec.security_activity:business_logic.users.login.failure","aggregation":"count","groupByFields":["service","@http.client_ip"],"distinctFields":[]}],"filters":[],"cases":[{"name":"","status":"info","notifications":[],"condition":"a > 100000","actions":[{"type":"block_ip","options":{"duration":900}}, {"type":"user_behavior","options":{"userBehaviorName":"behavior"}}]}],"options":{"keepAlive":3600,"maxSignalDuration":86400,"evaluationWindow":900,"detectionMethod":"threshold"},"isEnabled":true,"message":"Test rule","tags":[],"groupSignalsBy":["service"]}
     When the request is sent
     Then the response status is 200 OK
     And the response "name" is equal to "{{ unique }}_appsec_rule"