From 7e6d0042d6da98bd995c97ad54e555521c6908d8 Mon Sep 17 00:00:00 2001 From: "ci.datadog-api-spec" Date: Wed, 17 Dec 2025 15:37:12 +0000 Subject: [PATCH] Regenerate client from commit 55b59e4 of spec repo --- .generator/schemas/v2/openapi.yaml | 84 +++++++++++++++++ docs/datadog_api_client.v2.model.rst | 28 ++++++ ...CreateSecurityMonitoringRule_2323193894.py | 88 +++++++++++++++++ ...nitoring_rule_anomaly_detection_options.py | 94 +++++++++++++++++++ ...omaly_detection_options_bucket_duration.py | 63 +++++++++++++ ...y_detection_options_detection_tolerance.py | 58 ++++++++++++ ...aly_detection_options_learning_duration.py | 67 +++++++++++++ .../model/security_monitoring_rule_options.py | 14 +++ .../v2/model/threat_hunting_job_options.py | 14 +++ src/datadog_api_client/v2/models/__init__.py | 16 ++++ ...omaly_detection_returns_ok_response.frozen | 1 + ...anomaly_detection_returns_ok_response.yaml | 38 ++++++++ tests/v2/features/security_monitoring.feature | 14 +++ 13 files changed, 579 insertions(+) create mode 100644 examples/v2/security-monitoring/CreateSecurityMonitoringRule_2323193894.py create mode 100644 src/datadog_api_client/v2/model/security_monitoring_rule_anomaly_detection_options.py create mode 100644 src/datadog_api_client/v2/model/security_monitoring_rule_anomaly_detection_options_bucket_duration.py create mode 100644 src/datadog_api_client/v2/model/security_monitoring_rule_anomaly_detection_options_detection_tolerance.py create mode 100644 src/datadog_api_client/v2/model/security_monitoring_rule_anomaly_detection_options_learning_duration.py create mode 100644 tests/v2/cassettes/test_scenarios/test_create_a_detection_rule_with_detection_method_anomaly_detection_returns_ok_response.frozen create mode 100644 tests/v2/cassettes/test_scenarios/test_create_a_detection_rule_with_detection_method_anomaly_detection_returns_ok_response.yaml diff --git a/.generator/schemas/v2/openapi.yaml b/.generator/schemas/v2/openapi.yaml index a954de475f..b4944c9eb4 100644 
--- a/.generator/schemas/v2/openapi.yaml +++ b/.generator/schemas/v2/openapi.yaml 
@@ -47320,6 +47320,86 @@ components: description: The name of the reference table. type: string type: object + SecurityMonitoringRuleAnomalyDetectionOptions: + additionalProperties: {} + description: Options on anomaly detection method. + properties: + bucketDuration: + $ref: '#/components/schemas/SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration' + detectionTolerance: + $ref: '#/components/schemas/SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance' + learningDuration: + $ref: '#/components/schemas/SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration' + learningPeriodBaseline: + description: An optional override baseline to apply while the rule is in + the learning period. Must be greater than or equal to 0. + format: int64 + minimum: 0 + type: integer + type: object + SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration: + description: 'Duration in seconds of the time buckets used to aggregate events + matched by the rule. + + Must be greater than or equal to 300.' + enum: + - 300 + - 600 + - 900 + - 1800 + - 3600 + - 10800 + example: 300 + format: int32 + type: integer + x-enum-varnames: + - FIVE_MINUTES + - TEN_MINUTES + - FIFTEEN_MINUTES + - THIRTY_MINUTES + - ONE_HOUR + - THREE_HOURS + SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance: + description: 'An optional parameter that sets how permissive anomaly detection + is. + + Higher values require higher deviations before triggering a signal.' + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + example: 5 + format: int32 + type: integer + x-enum-varnames: + - ONE + - TWO + - THREE + - FOUR + - FIVE + SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration: + description: Learning duration in hours. Anomaly detection waits for at least + this amount of historical data before it starts evaluating. 
+ enum: + - 1 + - 6 + - 12 + - 24 + - 48 + - 168 + - 336 + format: int32 + type: integer + x-enum-varnames: + - ONE_HOUR + - SIX_HOURS + - TWELVE_HOURS + - ONE_DAY + - TWO_DAYS + - ONE_WEEK + - TWO_WEEKS SecurityMonitoringRuleCase: description: Case when signal is generated. properties: @@ -47685,6 +47765,8 @@ components: SecurityMonitoringRuleOptions: description: Options. properties: + anomalyDetectionOptions: + $ref: '#/components/schemas/SecurityMonitoringRuleAnomalyDetectionOptions' complianceRuleOptions: $ref: '#/components/schemas/CloudConfigurationComplianceRuleOptions' decreaseCriticalityBasedOnEnv: @@ -55124,6 +55206,8 @@ components: ThreatHuntingJobOptions: description: Job options. properties: + anomalyDetectionOptions: + $ref: '#/components/schemas/SecurityMonitoringRuleAnomalyDetectionOptions' detectionMethod: $ref: '#/components/schemas/SecurityMonitoringRuleDetectionMethod' evaluationWindow: diff --git a/docs/datadog_api_client.v2.model.rst b/docs/datadog_api_client.v2.model.rst index 62e30101b4..6220d558aa 100644 --- a/docs/datadog_api_client.v2.model.rst +++ b/docs/datadog_api_client.v2.model.rst 
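Review bot: The recorded response in the new cassette (`tests/v2/cassettes/test_scenarios/test_create_a_detection_rule_with_detection_method_anomaly_detection_returns_ok_response.yaml`) returns two `anomalyDetectionOptions` keys this schema does not declare, `instantaneousBaseline` and `instantaneousBaselineTimeoutMinutes`, so they only round-trip through `additionalProperties: {}` as untyped values. If they are part of the API contract they belong under `SecurityMonitoringRuleAnomalyDetectionOptions.properties` (the recorded values `false` and `30` suggest `type: boolean` and `type: integer`, to be confirmed in the spec repo) so the generated model types and documents them. Separately, `learningPeriodBaseline`'s description says what the field overrides but not what quantity the integer represents; something like `description: An optional override baseline (<quantity/unit to be confirmed>) to apply while the rule is in the learning period.` would help. This file is regenerated from the spec repo, so both changes need to land there; the `SecurityMonitoringRuleOptions` and `ThreatHuntingJobOptions` hunks below only add the `$ref` and need nothing further.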
@@ -21032,6 +21032,34 @@ datadog\_api\_client.v2.model.security\_monitoring\_reference\_table module :members: :show-inheritance: +datadog\_api\_client.v2.model.security\_monitoring\_rule\_anomaly\_detection\_options module +-------------------------------------------------------------------------------------------- + +.. automodule:: datadog_api_client.v2.model.security_monitoring_rule_anomaly_detection_options + :members: + :show-inheritance: + +datadog\_api\_client.v2.model.security\_monitoring\_rule\_anomaly\_detection\_options\_bucket\_duration module +-------------------------------------------------------------------------------------------------------------- + +.. automodule:: datadog_api_client.v2.model.security_monitoring_rule_anomaly_detection_options_bucket_duration + :members: + :show-inheritance: + +datadog\_api\_client.v2.model.security\_monitoring\_rule\_anomaly\_detection\_options\_detection\_tolerance module +------------------------------------------------------------------------------------------------------------------ + +.. automodule:: datadog_api_client.v2.model.security_monitoring_rule_anomaly_detection_options_detection_tolerance + :members: + :show-inheritance: + +datadog\_api\_client.v2.model.security\_monitoring\_rule\_anomaly\_detection\_options\_learning\_duration module +---------------------------------------------------------------------------------------------------------------- + +.. automodule:: datadog_api_client.v2.model.security_monitoring_rule_anomaly_detection_options_learning_duration + :members: + :show-inheritance: + datadog\_api\_client.v2.model.security\_monitoring\_rule\_case module --------------------------------------------------------------------- diff --git a/examples/v2/security-monitoring/CreateSecurityMonitoringRule_2323193894.py b/examples/v2/security-monitoring/CreateSecurityMonitoringRule_2323193894.py new file mode 100644 index 0000000000..8a0847260a --- /dev/null 
+++ b/examples/v2/security-monitoring/CreateSecurityMonitoringRule_2323193894.py 
@@ -0,0 +1,88 @@ +""" +Create a detection rule with detection method 'anomaly_detection' returns "OK" response +""" + +from datadog_api_client import ApiClient, Configuration +from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi +from datadog_api_client.v2.model.security_monitoring_rule_anomaly_detection_options import ( + SecurityMonitoringRuleAnomalyDetectionOptions, +) +from datadog_api_client.v2.model.security_monitoring_rule_anomaly_detection_options_bucket_duration import ( + SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration, +) +from datadog_api_client.v2.model.security_monitoring_rule_anomaly_detection_options_detection_tolerance import ( + SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance, +) +from datadog_api_client.v2.model.security_monitoring_rule_anomaly_detection_options_learning_duration import ( + SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration, +) +from datadog_api_client.v2.model.security_monitoring_rule_case_create import SecurityMonitoringRuleCaseCreate +from datadog_api_client.v2.model.security_monitoring_rule_detection_method import SecurityMonitoringRuleDetectionMethod +from datadog_api_client.v2.model.security_monitoring_rule_evaluation_window import ( + SecurityMonitoringRuleEvaluationWindow, +) +from datadog_api_client.v2.model.security_monitoring_rule_keep_alive import SecurityMonitoringRuleKeepAlive +from datadog_api_client.v2.model.security_monitoring_rule_max_signal_duration import ( + SecurityMonitoringRuleMaxSignalDuration, +) +from datadog_api_client.v2.model.security_monitoring_rule_options import SecurityMonitoringRuleOptions +from datadog_api_client.v2.model.security_monitoring_rule_query_aggregation import ( + SecurityMonitoringRuleQueryAggregation, +) +from datadog_api_client.v2.model.security_monitoring_rule_severity import SecurityMonitoringRuleSeverity +from datadog_api_client.v2.model.security_monitoring_rule_type_create import 
SecurityMonitoringRuleTypeCreate +from datadog_api_client.v2.model.security_monitoring_standard_data_source import SecurityMonitoringStandardDataSource +from datadog_api_client.v2.model.security_monitoring_standard_rule_create_payload import ( + SecurityMonitoringStandardRuleCreatePayload, +) +from datadog_api_client.v2.model.security_monitoring_standard_rule_query import SecurityMonitoringStandardRuleQuery + +body = SecurityMonitoringStandardRuleCreatePayload( + name="Example-Security-Monitoring", + type=SecurityMonitoringRuleTypeCreate.LOG_DETECTION, + is_enabled=True, + queries=[ + SecurityMonitoringStandardRuleQuery( + aggregation=SecurityMonitoringRuleQueryAggregation.COUNT, + data_source=SecurityMonitoringStandardDataSource.LOGS, + distinct_fields=[], + group_by_fields=[ + "@usr.email", + "@network.client.ip", + ], + has_optional_group_by_fields=False, + name="", + query="service:app status:error", + ), + ], + cases=[ + SecurityMonitoringRuleCaseCreate( + name="", + status=SecurityMonitoringRuleSeverity.INFO, + notifications=[], + condition="a > 0.995", + ), + ], + message="An anomaly detection rule", + options=SecurityMonitoringRuleOptions( + detection_method=SecurityMonitoringRuleDetectionMethod.ANOMALY_DETECTION, + evaluation_window=SecurityMonitoringRuleEvaluationWindow.FIFTEEN_MINUTES, + keep_alive=SecurityMonitoringRuleKeepAlive.ONE_HOUR, + max_signal_duration=SecurityMonitoringRuleMaxSignalDuration.ONE_DAY, + anomaly_detection_options=SecurityMonitoringRuleAnomalyDetectionOptions( + bucket_duration=SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration.FIVE_MINUTES, + learning_duration=SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration.ONE_DAY, + detection_tolerance=SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance.THREE, + learning_period_baseline=10, + ), + ), + tags=[], + filters=[], +) + +configuration = Configuration() +with ApiClient(configuration) as api_client: + api_instance = SecurityMonitoringApi(api_client) + 
response = api_instance.create_security_monitoring_rule(body=body) + + print(response) diff --git a/src/datadog_api_client/v2/model/security_monitoring_rule_anomaly_detection_options.py b/src/datadog_api_client/v2/model/security_monitoring_rule_anomaly_detection_options.py new file mode 100644 index 0000000000..e7f172a6e0 --- /dev/null +++ b/src/datadog_api_client/v2/model/security_monitoring_rule_anomaly_detection_options.py 
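Review bot: The example sends `evaluation_window=SecurityMonitoringRuleEvaluationWindow.FIFTEEN_MINUTES`, but the recorded exchange for this scenario (the new cassette under `tests/v2/cassettes/test_scenarios/`) shows the request carrying `"evaluationWindow":900` and the response returning `"evaluationWindow":1800`, which suggests the API normalises the window for anomaly-detection rules rather than echoing it. Since this file is the user-facing sample, a one-line comment above that argument, e.g. `# the API may adjust evaluation_window for anomaly_detection rules; read it back from the response`, would stop readers from treating the sent value as authoritative. The example is otherwise straight-line script code with no function boundary.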
@@ -0,0 +1,94 @@ +# Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. +# This product includes software developed at Datadog (https://www.datadoghq.com/). +# Copyright 2019-Present Datadog, Inc. +from __future__ import annotations + +from typing import Union, TYPE_CHECKING + +from datadog_api_client.model_utils import ( + ModelNormal, + cached_property, + unset, + UnsetType, +) + + +if TYPE_CHECKING: + from datadog_api_client.v2.model.security_monitoring_rule_anomaly_detection_options_bucket_duration import ( + SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration, + ) + from datadog_api_client.v2.model.security_monitoring_rule_anomaly_detection_options_detection_tolerance import ( + SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance, + ) + from datadog_api_client.v2.model.security_monitoring_rule_anomaly_detection_options_learning_duration import ( + SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration, + ) + + +class SecurityMonitoringRuleAnomalyDetectionOptions(ModelNormal): + validations = { + "learning_period_baseline": { + "inclusive_minimum": 0, + }, + } + + @cached_property + def openapi_types(_): + from datadog_api_client.v2.model.security_monitoring_rule_anomaly_detection_options_bucket_duration import ( + SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration, + ) + from datadog_api_client.v2.model.security_monitoring_rule_anomaly_detection_options_detection_tolerance import ( + SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance, + ) + from datadog_api_client.v2.model.security_monitoring_rule_anomaly_detection_options_learning_duration import ( + SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration, + ) + + return { + "bucket_duration": (SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration,), + "detection_tolerance": (SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance,), + "learning_duration": 
(SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration,), + "learning_period_baseline": (int,), + } + + attribute_map = { + "bucket_duration": "bucketDuration", + "detection_tolerance": "detectionTolerance", + "learning_duration": "learningDuration", + "learning_period_baseline": "learningPeriodBaseline", + } + + def __init__( + self_, + bucket_duration: Union[SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration, UnsetType] = unset, + detection_tolerance: Union[SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance, UnsetType] = unset, + learning_duration: Union[SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration, UnsetType] = unset, + learning_period_baseline: Union[int, UnsetType] = unset, + **kwargs, + ): + """ + Options on anomaly detection method. + + :param bucket_duration: Duration in seconds of the time buckets used to aggregate events matched by the rule. + Must be greater than or equal to 300. + :type bucket_duration: SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration, optional + + :param detection_tolerance: An optional parameter that sets how permissive anomaly detection is. + Higher values require higher deviations before triggering a signal. + :type detection_tolerance: SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance, optional + + :param learning_duration: Learning duration in hours. Anomaly detection waits for at least this amount of historical data before it starts evaluating. + :type learning_duration: SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration, optional + + :param learning_period_baseline: An optional override baseline to apply while the rule is in the learning period. Must be greater than or equal to 0. 
+ :type learning_period_baseline: int, optional + """ + if bucket_duration is not unset: + kwargs["bucket_duration"] = bucket_duration + if detection_tolerance is not unset: + kwargs["detection_tolerance"] = detection_tolerance + if learning_duration is not unset: + kwargs["learning_duration"] = learning_duration + if learning_period_baseline is not unset: + kwargs["learning_period_baseline"] = learning_period_baseline + super().__init__(kwargs) diff --git a/src/datadog_api_client/v2/model/security_monitoring_rule_anomaly_detection_options_bucket_duration.py b/src/datadog_api_client/v2/model/security_monitoring_rule_anomaly_detection_options_bucket_duration.py new file mode 100644 index 0000000000..6986723069 --- /dev/null +++ b/src/datadog_api_client/v2/model/security_monitoring_rule_anomaly_detection_options_bucket_duration.py 
@@ -0,0 +1,63 @@ +# Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. +# This product includes software developed at Datadog (https://www.datadoghq.com/). +# Copyright 2019-Present Datadog, Inc. +from __future__ import annotations + + +from datadog_api_client.model_utils import ( + ModelSimple, + cached_property, +) + +from typing import ClassVar + + +class SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration(ModelSimple): + """ + Duration in seconds of the time buckets used to aggregate events matched by the rule. + Must be greater than or equal to 300. + + :param value: Must be one of [300, 600, 900, 1800, 3600, 10800]. + :type value: int + """ + + allowed_values = { + 300, + 600, + 900, + 1800, + 3600, + 10800, + } + FIVE_MINUTES: ClassVar["SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration"] + TEN_MINUTES: ClassVar["SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration"] + FIFTEEN_MINUTES: ClassVar["SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration"] + THIRTY_MINUTES: ClassVar["SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration"] + ONE_HOUR: ClassVar["SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration"] + THREE_HOURS: ClassVar["SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration"] + + @cached_property + def openapi_types(_): + return { + "value": (int,), + } + + +SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration.FIVE_MINUTES = ( + SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration(300) +) +SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration.TEN_MINUTES = ( + SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration(600) +) +SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration.FIFTEEN_MINUTES = ( + SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration(900) +) +SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration.THIRTY_MINUTES = ( + SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration(1800) +) 
+SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration.ONE_HOUR = ( + SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration(3600) +) +SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration.THREE_HOURS = ( + SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration(10800) +) diff --git a/src/datadog_api_client/v2/model/security_monitoring_rule_anomaly_detection_options_detection_tolerance.py b/src/datadog_api_client/v2/model/security_monitoring_rule_anomaly_detection_options_detection_tolerance.py new file mode 100644 index 0000000000..e9edfd4c27 --- /dev/null +++ b/src/datadog_api_client/v2/model/security_monitoring_rule_anomaly_detection_options_detection_tolerance.py 
@@ -0,0 +1,58 @@ +# Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. +# This product includes software developed at Datadog (https://www.datadoghq.com/). +# Copyright 2019-Present Datadog, Inc. +from __future__ import annotations + + +from datadog_api_client.model_utils import ( + ModelSimple, + cached_property, +) + +from typing import ClassVar + + +class SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance(ModelSimple): + """ + An optional parameter that sets how permissive anomaly detection is. + Higher values require higher deviations before triggering a signal. + + :param value: Must be one of [1, 2, 3, 4, 5]. + :type value: int + """ + + allowed_values = { + 1, + 2, + 3, + 4, + 5, + } + ONE: ClassVar["SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance"] + TWO: ClassVar["SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance"] + THREE: ClassVar["SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance"] + FOUR: ClassVar["SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance"] + FIVE: ClassVar["SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance"] + + @cached_property + def openapi_types(_): + return { + "value": (int,), + } + + +SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance.ONE = ( + SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance(1) +) +SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance.TWO = ( + SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance(2) +) +SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance.THREE = ( + SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance(3) +) +SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance.FOUR = ( + SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance(4) +) +SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance.FIVE = ( + SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance(5) +) 
diff --git a/src/datadog_api_client/v2/model/security_monitoring_rule_anomaly_detection_options_learning_duration.py b/src/datadog_api_client/v2/model/security_monitoring_rule_anomaly_detection_options_learning_duration.py new file mode 100644 index 0000000000..46d919c069 --- /dev/null +++ b/src/datadog_api_client/v2/model/security_monitoring_rule_anomaly_detection_options_learning_duration.py 
@@ -0,0 +1,67 @@ +# Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. +# This product includes software developed at Datadog (https://www.datadoghq.com/). +# Copyright 2019-Present Datadog, Inc. +from __future__ import annotations + + +from datadog_api_client.model_utils import ( + ModelSimple, + cached_property, +) + +from typing import ClassVar + + +class SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration(ModelSimple): + """ + Learning duration in hours. Anomaly detection waits for at least this amount of historical data before it starts evaluating. + + :param value: Must be one of [1, 6, 12, 24, 48, 168, 336]. + :type value: int + """ + + allowed_values = { + 1, + 6, + 12, + 24, + 48, + 168, + 336, + } + ONE_HOUR: ClassVar["SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration"] + SIX_HOURS: ClassVar["SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration"] + TWELVE_HOURS: ClassVar["SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration"] + ONE_DAY: ClassVar["SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration"] + TWO_DAYS: ClassVar["SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration"] + ONE_WEEK: ClassVar["SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration"] + TWO_WEEKS: ClassVar["SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration"] + + @cached_property + def openapi_types(_): + return { + "value": (int,), + } + + +SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration.ONE_HOUR = ( + SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration(1) +) +SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration.SIX_HOURS = ( + SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration(6) +) +SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration.TWELVE_HOURS = ( + SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration(12) +) +SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration.ONE_DAY = ( + 
SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration(24) +) +SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration.TWO_DAYS = ( + SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration(48) +) +SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration.ONE_WEEK = ( + SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration(168) +) +SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration.TWO_WEEKS = ( + SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration(336) +) diff --git a/src/datadog_api_client/v2/model/security_monitoring_rule_options.py b/src/datadog_api_client/v2/model/security_monitoring_rule_options.py index 60d6855532..2154617b33 100644 --- a/src/datadog_api_client/v2/model/security_monitoring_rule_options.py +++ b/src/datadog_api_client/v2/model/security_monitoring_rule_options.py @@ -14,6 +14,9 @@ if TYPE_CHECKING: + from datadog_api_client.v2.model.security_monitoring_rule_anomaly_detection_options import ( + SecurityMonitoringRuleAnomalyDetectionOptions, + ) from datadog_api_client.v2.model.cloud_configuration_compliance_rule_options import ( CloudConfigurationComplianceRuleOptions, ) @@ -47,6 +50,9 @@ class SecurityMonitoringRuleOptions(ModelNormal): @cached_property def openapi_types(_): + from datadog_api_client.v2.model.security_monitoring_rule_anomaly_detection_options import ( + SecurityMonitoringRuleAnomalyDetectionOptions, + ) from datadog_api_client.v2.model.cloud_configuration_compliance_rule_options import ( CloudConfigurationComplianceRuleOptions, ) @@ -77,6 +83,7 @@ def openapi_types(_): ) return { + "anomaly_detection_options": (SecurityMonitoringRuleAnomalyDetectionOptions,), "compliance_rule_options": (CloudConfigurationComplianceRuleOptions,), "decrease_criticality_based_on_env": (bool,), "detection_method": (SecurityMonitoringRuleDetectionMethod,), 
@@ -91,6 +98,7 @@ def openapi_types(_): } attribute_map = { + "anomaly_detection_options": "anomalyDetectionOptions", "compliance_rule_options": "complianceRuleOptions", "decrease_criticality_based_on_env": "decreaseCriticalityBasedOnEnv", "detection_method": "detectionMethod", @@ -106,6 +114,7 @@ def openapi_types(_): def __init__( self_, + anomaly_detection_options: Union[SecurityMonitoringRuleAnomalyDetectionOptions, UnsetType] = unset, compliance_rule_options: Union[CloudConfigurationComplianceRuleOptions, UnsetType] = unset, decrease_criticality_based_on_env: Union[bool, UnsetType] = unset, detection_method: Union[SecurityMonitoringRuleDetectionMethod, UnsetType] = unset, @@ -122,6 +131,9 @@ def __init__( """ Options. + :param anomaly_detection_options: Options on anomaly detection method. + :type anomaly_detection_options: SecurityMonitoringRuleAnomalyDetectionOptions, optional + :param compliance_rule_options: Options for cloud_configuration rules. Fields ``resourceType`` and ``regoRule`` are mandatory when managing custom ``cloud_configuration`` rules. :type compliance_rule_options: CloudConfigurationComplianceRuleOptions, optional @@ -161,6 +173,8 @@ def __init__( :param third_party_rule_options: Options on third party detection method. :type third_party_rule_options: SecurityMonitoringRuleThirdPartyOptions, optional """ + if anomaly_detection_options is not unset: + kwargs["anomaly_detection_options"] = anomaly_detection_options if compliance_rule_options is not unset: kwargs["compliance_rule_options"] = compliance_rule_options if decrease_criticality_based_on_env is not unset: diff --git a/src/datadog_api_client/v2/model/threat_hunting_job_options.py b/src/datadog_api_client/v2/model/threat_hunting_job_options.py index 09c69dc9f7..f875edb5c6 100644 --- a/src/datadog_api_client/v2/model/threat_hunting_job_options.py +++ b/src/datadog_api_client/v2/model/threat_hunting_job_options.py 
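Review bot: `anomaly_detection_options` is inserted as the first parameter of `SecurityMonitoringRuleOptions.__init__`, ahead of `compliance_rule_options`, so any caller that passes these options positionally now has every argument silently shifted by one; the same happens to `ThreatHuntingJobOptions.__init__` in the next file's hunks. Every parameter defaults to `unset`, so keyword callers are unaffected, but the generator does not make them keyword-only; `def __init__(self_, *, anomaly_detection_options: Union[SecurityMonitoringRuleAnomalyDetectionOptions, UnsetType] = unset, ...)` would turn a silent shift into an explicit `TypeError`. If the generator template cannot change, the release notes should at least call out the new leading parameter on both constructors. The `__init__` signature and body continue outside this hunk.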
@@ -14,6 +14,9 @@ if TYPE_CHECKING: + from datadog_api_client.v2.model.security_monitoring_rule_anomaly_detection_options import ( + SecurityMonitoringRuleAnomalyDetectionOptions, + ) from datadog_api_client.v2.model.security_monitoring_rule_detection_method import ( SecurityMonitoringRuleDetectionMethod, ) @@ -41,6 +44,9 @@ class ThreatHuntingJobOptions(ModelNormal): @cached_property def openapi_types(_): + from datadog_api_client.v2.model.security_monitoring_rule_anomaly_detection_options import ( + SecurityMonitoringRuleAnomalyDetectionOptions, + ) from datadog_api_client.v2.model.security_monitoring_rule_detection_method import ( SecurityMonitoringRuleDetectionMethod, ) @@ -65,6 +71,7 @@ def openapi_types(_): ) return { + "anomaly_detection_options": (SecurityMonitoringRuleAnomalyDetectionOptions,), "detection_method": (SecurityMonitoringRuleDetectionMethod,), "evaluation_window": (SecurityMonitoringRuleEvaluationWindow,), "impossible_travel_options": (SecurityMonitoringRuleImpossibleTravelOptions,), @@ -76,6 +83,7 @@ def openapi_types(_): } attribute_map = { + "anomaly_detection_options": "anomalyDetectionOptions", "detection_method": "detectionMethod", "evaluation_window": "evaluationWindow", "impossible_travel_options": "impossibleTravelOptions", @@ -88,6 +96,7 @@ def openapi_types(_): def __init__( self_, + anomaly_detection_options: Union[SecurityMonitoringRuleAnomalyDetectionOptions, UnsetType] = unset, detection_method: Union[SecurityMonitoringRuleDetectionMethod, UnsetType] = unset, evaluation_window: Union[SecurityMonitoringRuleEvaluationWindow, UnsetType] = unset, impossible_travel_options: Union[SecurityMonitoringRuleImpossibleTravelOptions, UnsetType] = unset, 
@@ -101,6 +110,9 @@ def __init__( """ Job options. + :param anomaly_detection_options: Options on anomaly detection method. + :type anomaly_detection_options: SecurityMonitoringRuleAnomalyDetectionOptions, optional + :param detection_method: The detection method. :type detection_method: SecurityMonitoringRuleDetectionMethod, optional @@ -128,6 +140,8 @@ def __init__( :param third_party_rule_options: Options on third party detection method. :type third_party_rule_options: SecurityMonitoringRuleThirdPartyOptions, optional """ + if anomaly_detection_options is not unset: + kwargs["anomaly_detection_options"] = anomaly_detection_options if detection_method is not unset: kwargs["detection_method"] = detection_method if evaluation_window is not unset: diff --git a/src/datadog_api_client/v2/models/__init__.py b/src/datadog_api_client/v2/models/__init__.py index 21d5ad71e9..8217f826ec 100644 --- a/src/datadog_api_client/v2/models/__init__.py +++ b/src/datadog_api_client/v2/models/__init__.py 
@@ -4171,6 +4171,18 @@ from datadog_api_client.v2.model.security_monitoring_filter_action import SecurityMonitoringFilterAction from datadog_api_client.v2.model.security_monitoring_list_rules_response import SecurityMonitoringListRulesResponse from datadog_api_client.v2.model.security_monitoring_reference_table import SecurityMonitoringReferenceTable +from datadog_api_client.v2.model.security_monitoring_rule_anomaly_detection_options import ( + SecurityMonitoringRuleAnomalyDetectionOptions, +) +from datadog_api_client.v2.model.security_monitoring_rule_anomaly_detection_options_bucket_duration import ( + SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration, +) +from datadog_api_client.v2.model.security_monitoring_rule_anomaly_detection_options_detection_tolerance import ( + SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance, +) +from datadog_api_client.v2.model.security_monitoring_rule_anomaly_detection_options_learning_duration import ( + SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration, +) from datadog_api_client.v2.model.security_monitoring_rule_case import SecurityMonitoringRuleCase from datadog_api_client.v2.model.security_monitoring_rule_case_action import SecurityMonitoringRuleCaseAction from datadog_api_client.v2.model.security_monitoring_rule_case_action_options import ( @@ -8121,6 +8133,10 @@ "SecurityMonitoringFilterAction", "SecurityMonitoringListRulesResponse", "SecurityMonitoringReferenceTable", + "SecurityMonitoringRuleAnomalyDetectionOptions", + "SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration", + "SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance", + "SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration", "SecurityMonitoringRuleCase", "SecurityMonitoringRuleCaseAction", "SecurityMonitoringRuleCaseActionOptions", 
diff --git a/tests/v2/cassettes/test_scenarios/test_create_a_detection_rule_with_detection_method_anomaly_detection_returns_ok_response.frozen b/tests/v2/cassettes/test_scenarios/test_create_a_detection_rule_with_detection_method_anomaly_detection_returns_ok_response.frozen new file mode 100644 index 0000000000..d0c938a563 --- /dev/null +++ b/tests/v2/cassettes/test_scenarios/test_create_a_detection_rule_with_detection_method_anomaly_detection_returns_ok_response.frozen @@ -0,0 +1 @@ +2025-12-16T15:19:00.493Z \ No newline at end of file diff --git a/tests/v2/cassettes/test_scenarios/test_create_a_detection_rule_with_detection_method_anomaly_detection_returns_ok_response.yaml b/tests/v2/cassettes/test_scenarios/test_create_a_detection_rule_with_detection_method_anomaly_detection_returns_ok_response.yaml new file mode 100644 index 0000000000..fa813c903b --- /dev/null +++ b/tests/v2/cassettes/test_scenarios/test_create_a_detection_rule_with_detection_method_anomaly_detection_returns_ok_response.yaml 
@@ -0,0 +1,38 @@
+interactions:
+- request:
+ body: '{"cases":[{"condition":"a > 0.995","name":"","notifications":[],"status":"info"}],"filters":[],"isEnabled":true,"message":"An
+ anomaly detection rule","name":"Test-Create_a_detection_rule_with_detection_method_anomaly_detection_returns_OK_response-1765898340","options":{"anomalyDetectionOptions":{"bucketDuration":300,"detectionTolerance":3,"learningDuration":24,"learningPeriodBaseline":10},"detectionMethod":"anomaly_detection","evaluationWindow":900,"keepAlive":3600,"maxSignalDuration":86400},"queries":[{"aggregation":"count","dataSource":"logs","distinctFields":[],"groupByFields":["@usr.email","@network.client.ip"],"hasOptionalGroupByFields":false,"name":"","query":"service:app
+ status:error"}],"tags":[],"type":"log_detection"}'
+ headers:
+ accept:
+ - application/json
+ content-type:
+ - application/json
+ method: POST
+ uri: https://api.datadoghq.com/api/v2/security_monitoring/rules
+ response:
+ body:
+ string: '{"name":"Test-Create_a_detection_rule_with_detection_method_anomaly_detection_returns_OK_response-1765898340","createdAt":1765898340611,"isDefault":false,"isPartner":false,"isEnabled":true,"isBeta":false,"isDeleted":false,"isDeprecated":false,"queries":[{"query":"service:app
+ status:error","groupByFields":["@usr.email","@network.client.ip"],"hasOptionalGroupByFields":false,"distinctFields":[],"aggregation":"count","name":"","dataSource":"logs"}],"options":{"evaluationWindow":1800,"detectionMethod":"anomaly_detection","maxSignalDuration":86400,"keepAlive":3600,"anomalyDetectionOptions":{"bucketDuration":300,"learningDuration":24,"detectionTolerance":3,"instantaneousBaseline":false,"instantaneousBaselineTimeoutMinutes":30,"learningPeriodBaseline":10}},"cases":[{"name":"","status":"info","notifications":[],"condition":"a
+ \u003e 0.995"}],"message":"An anomaly detection 
rule","tags":[],"hasExtendedTitle":false,"type":"log_detection","filters":[],"version":1,"id":"0vk-kph-3ri","blocking":false,"metadata":{"entities":null,"sources":null},"creationAuthorId":1445416,"creator":{"handle":"frog@datadoghq.com","name":"frog"},"updater":{"handle":"","name":""}}'
+ headers:
+ content-type:
+ - application/json
+ status:
+ code: 200
+ message: OK
+- request:
+ body: null
+ headers:
+ accept:
+ - '*/*'
+ method: DELETE
+ uri: https://api.datadoghq.com/api/v2/security_monitoring/rules/0vk-kph-3ri
+ response:
+ body:
+ string: ''
+ headers: {}
+ status:
+ code: 204
+ message: No Content
+version: 1
diff --git a/tests/v2/features/security_monitoring.feature b/tests/v2/features/security_monitoring.feature
index e86aed12b3..b3955e02b3 100644
--- a/tests/v2/features/security_monitoring.feature
+++ b/tests/v2/features/security_monitoring.feature
@@ -333,6 +333,20 @@ Feature: Security Monitoring
 And the response "message" is equal to "Test rule"
 And the response "referenceTables" is equal to [{"tableName": "synthetics_test_reference_table_dont_delete", "columnName": "value", "logFieldPath":"testtag", "checkPresence":true, "ruleQueryName":"a"}]
+ @team:DataDog/k9-cloud-security-platform
+ Scenario: Create a detection rule with detection method 'anomaly_detection' returns "OK" response
+ Given new "CreateSecurityMonitoringRule" request
+ And body with value {"name":"{{ unique }}","type":"log_detection","isEnabled":true,"queries":[{"aggregation":"count","dataSource":"logs","distinctFields":[],"groupByFields":["@usr.email","@network.client.ip"],"hasOptionalGroupByFields":false,"name":"","query":"service:app status:error"}],"cases":[{"name":"","status":"info","notifications":[],"condition":"a > 0.995"}],"message":"An anomaly detection rule","options":{"detectionMethod":"anomaly_detection","evaluationWindow":900,"keepAlive":3600,"maxSignalDuration":86400,"anomalyDetectionOptions":{"bucketDuration":300,"learningDuration":24,"detectionTolerance":3,"learningPeriodBaseline":10}},"tags":[],"filters":[]}
+ When the request is sent
+ Then the response status is 200 OK
+ And the response "name" is equal to "{{ unique }}"
+ And the response "type" is equal to "log_detection"
+ And the response "options.detectionMethod" is equal to "anomaly_detection"
+ And the response "options.anomalyDetectionOptions.bucketDuration" is equal to 300
+ And the response "options.anomalyDetectionOptions.learningDuration" is equal to 24
+ And the response "options.anomalyDetectionOptions.learningPeriodBaseline" is equal to 10
+ And the response "options.anomalyDetectionOptions.detectionTolerance" is equal to 3
+
 @team:DataDog/k9-cloud-security-platform
 Scenario: Create a detection rule with detection method 'sequence_detection' returns "OK" response
 Given new "CreateSecurityMonitoringRule" request
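Review bot: The new scenario asserts the four `anomalyDetectionOptions` values but never `options.evaluationWindow`, and the cassette recorded for this scenario returns `evaluationWindow` 1800 for a request that sent 900, so the test silently accepts a server-side rewrite of the window the rule author configured. Adding `And the response "options.evaluationWindow" is equal to 1800` would pin that behaviour and make any future change to it visible. The reason for the rewrite is not shown in this commit — it may be a minimum derived from `bucketDuration` for this detection method — so the expected value should be confirmed against the spec before it is asserted. The recorded response also carries `instantaneousBaseline` and `instantaneousBaselineTimeoutMinutes` inside `anomalyDetectionOptions` that the request did not send; if the generated options model in this commit does not declare them they will only be reachable as additional properties, which is worth checking against the schema change.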