
Commit 57e551d

api-clients-generation-pipeline[bot]ci.datadog-api-spec
andauthored
Support Cloud SIEM scheduled rules in API client (#809)
Co-authored-by: ci.datadog-api-spec <[email protected]>
1 parent 2000cfc commit 57e551d

16 files changed

+650
-4
lines changed

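--- a/.generated-info
+++ b/.generated-info
@@ -1,4 +1,4 @@
 {
-"spec_repo_commit": "c5cca50",
-"generated": "2025-08-07 18:08:43.875"
+"spec_repo_commit": "d02c8a3",
+"generated": "2025-08-08 12:12:16.900"
 }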

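--- a/.generator/schemas/v2/openapi.yaml
+++ b/.generator/schemas/v2/openapi.yaml
@@ -36336,6 +36336,12 @@ components:
 SecurityMonitoringRuleUpdatePayload:
 description: Update an existing rule.
 properties:
+calculatedFields:
+description: Calculated fields. Only allowed for scheduled rules - in other
+words, when schedulingOptions is also defined.
+items:
+$ref: '#/components/schemas/CalculatedField'
+type: array
 cases:
 description: Cases for generating signals.
 items:
@@ -36392,6 +36398,8 @@ components:
 items:
 $ref: '#/components/schemas/SecurityMonitoringReferenceTable'
 type: array
+schedulingOptions:
+$ref: '#/components/schemas/SecurityMonitoringSchedulingOptions'
 tags:
 description: Tags for generated signals.
 items:
@@ -36418,6 +36426,27 @@ components:
 - $ref: '#/components/schemas/SecurityMonitoringStandardRulePayload'
 - $ref: '#/components/schemas/SecurityMonitoringSignalRulePayload'
 - $ref: '#/components/schemas/CloudConfigurationRulePayload'
+SecurityMonitoringSchedulingOptions:
+description: Options for scheduled rules. When this field is present, the rule
+runs based on the schedule. When absent, it runs real-time on ingested logs.
+nullable: true
+properties:
+rrule:
+description: Schedule for the rule queries, written in RRULE syntax. See
+[RFC](https://icalendar.org/iCalendar-RFC-5545/3-8-5-3-recurrence-rule.html)
+for syntax reference.
+example: FREQ=HOURLY;INTERVAL=1;
+type: string
+start:
+description: Start date for the schedule, in ISO 8601 format without timezone.
+example: '2025-07-14T12:00:00'
+type: string
+timezone:
+description: Time zone of the start date, in the [tz database](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones)
+format.
+example: America/New_York
+type: string
+type: object
 SecurityMonitoringSignal:
 description: Object description of a security signal.
 properties:
@@ -37096,6 +37125,12 @@ components:
 SecurityMonitoringStandardRuleCreatePayload:
 description: Create a new rule.
 properties:
+calculatedFields:
+description: Calculated fields. Only allowed for scheduled rules - in other
+words, when schedulingOptions is also defined.
+items:
+$ref: '#/components/schemas/CalculatedField'
+type: array
 cases:
 description: Cases for generating signals.
 example: []
@@ -37148,6 +37183,8 @@ components:
 items:
 $ref: '#/components/schemas/SecurityMonitoringReferenceTable'
 type: array
+schedulingOptions:
+$ref: '#/components/schemas/SecurityMonitoringSchedulingOptions'
 tags:
 description: Tags for generated signals.
 example:
@@ -37177,6 +37214,12 @@ components:
 SecurityMonitoringStandardRulePayload:
 description: The payload of a rule.
 properties:
+calculatedFields:
+description: Calculated fields. Only allowed for scheduled rules - in other
+words, when schedulingOptions is also defined.
+items:
+$ref: '#/components/schemas/CalculatedField'
+type: array
 cases:
 description: Cases for generating signals.
 example: []
@@ -37237,6 +37280,8 @@ components:
 items:
 $ref: '#/components/schemas/SecurityMonitoringReferenceTable'
 type: array
+schedulingOptions:
+$ref: '#/components/schemas/SecurityMonitoringSchedulingOptions'
 tags:
 description: Tags for generated signals.
 example:
@@ -37293,6 +37338,14 @@ components:
 example: false
 readOnly: true
 type: boolean
+index:
+description: '**This field is currently unstable and might be removed in
+a minor version upgrade.**
+
+The index to run the query on, if the `dataSource` is `logs`. Only used
+for scheduled rules - in other words, when the `schedulingOptions` field
+is present in the rule payload.'
+type: string
 metric:
 deprecated: true
 description: '(Deprecated) The target field to aggregate over when using
@@ -37320,6 +37373,12 @@ components:
 SecurityMonitoringStandardRuleResponse:
 description: Rule.
 properties:
+calculatedFields:
+description: Calculated fields. Only allowed for scheduled rules - in other
+words, when schedulingOptions is also defined.
+items:
+$ref: '#/components/schemas/CalculatedField'
+type: array
 cases:
 description: Cases for generating signals.
 items:
@@ -37405,6 +37464,8 @@ components:
 items:
 $ref: '#/components/schemas/SecurityMonitoringReferenceTable'
 type: array
+schedulingOptions:
+$ref: '#/components/schemas/SecurityMonitoringSchedulingOptions'
 tags:
 description: Tags for generated signals.
 items:
@@ -37436,6 +37497,12 @@ components:
 SecurityMonitoringStandardRuleTestPayload:
 description: The payload of a rule to test
 properties:
+calculatedFields:
+description: Calculated fields. Only allowed for scheduled rules - in other
+words, when schedulingOptions is also defined.
+items:
+$ref: '#/components/schemas/CalculatedField'
+type: array
 cases:
 description: Cases for generating signals.
 example: []
@@ -37488,6 +37555,8 @@ components:
 items:
 $ref: '#/components/schemas/SecurityMonitoringReferenceTable'
 type: array
+schedulingOptions:
+$ref: '#/components/schemas/SecurityMonitoringSchedulingOptions'
 tags:
 description: Tags for generated signals.
 example: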
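Review bot: `SecurityMonitoringSchedulingOptions` (hunk `@@ -36418,6 +36426,27`) declares `rrule`, `start` and `timezone` as plain optional strings with no `required` list and no `format`/`pattern`, so `schedulingOptions: {}` or an `rrule` that is not RRULE text is schema-valid and can only be rejected server-side, after the request has been sent. If the API does require all three for a scheduled rule, add `required: [rrule, start, timezone]` to the schema so generated clients and validators catch the omission locally; a `pattern` on `start` matching the documented timezone-less form (`'2025-07-14T12:00:00'`) would serve the same purpose. The `calculatedFields` restriction ("only allowed ... when schedulingOptions is also defined") is expressed only in prose, which OpenAPI 3.0 cannot encode, so the description should make the enforcement point explicit, e.g. `Rejected by the API unless schedulingOptions is set on the same rule.` — assuming that is what the backend does.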
Lines changed: 60 additions & 0 deletions
@@ -0,0 +1,60 @@
1+
// Create a scheduled detection rule returns "OK" response
2+
use datadog_api_client::datadog;
3+
use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
4+
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleCaseCreate;
5+
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleCreatePayload;
6+
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleEvaluationWindow;
7+
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleKeepAlive;
8+
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleMaxSignalDuration;
9+
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleOptions;
10+
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleQueryAggregation;
11+
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSeverity;
12+
use datadog_api_client::datadogV2::model::SecurityMonitoringRuleTypeCreate;
13+
use datadog_api_client::datadogV2::model::SecurityMonitoringSchedulingOptions;
14+
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRuleCreatePayload;
15+
use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRuleQuery;
16+
17+
#[tokio::main]
18+
async fn main() {
19+
let body =
20+
SecurityMonitoringRuleCreatePayload::SecurityMonitoringStandardRuleCreatePayload(Box::new(
21+
SecurityMonitoringStandardRuleCreatePayload::new(
22+
vec![
23+
SecurityMonitoringRuleCaseCreate::new(SecurityMonitoringRuleSeverity::INFO)
24+
.condition("a > 0".to_string())
25+
.name("".to_string())
26+
.notifications(vec![]),
27+
],
28+
true,
29+
"Test rule".to_string(),
30+
"Example-Security-Monitoring".to_string(),
31+
SecurityMonitoringRuleOptions::new()
32+
.evaluation_window(SecurityMonitoringRuleEvaluationWindow::FIFTEEN_MINUTES)
33+
.keep_alive(SecurityMonitoringRuleKeepAlive::ONE_HOUR)
34+
.max_signal_duration(SecurityMonitoringRuleMaxSignalDuration::ONE_DAY),
35+
vec![SecurityMonitoringStandardRuleQuery::new()
36+
.aggregation(SecurityMonitoringRuleQueryAggregation::COUNT)
37+
.distinct_fields(vec![])
38+
.group_by_fields(vec![])
39+
.index("main".to_string())
40+
.query("@test:true".to_string())],
41+
)
42+
.filters(vec![])
43+
.scheduling_options(Some(
44+
SecurityMonitoringSchedulingOptions::new()
45+
.rrule("FREQ=HOURLY;INTERVAL=2;".to_string())
46+
.start("2025-06-18T12:00:00".to_string())
47+
.timezone("Europe/Paris".to_string()),
48+
))
49+
.tags(vec![])
50+
.type_(SecurityMonitoringRuleTypeCreate::LOG_DETECTION),
51+
));
52+
let configuration = datadog::Configuration::new();
53+
let api = SecurityMonitoringAPI::with_config(configuration);
54+
let resp = api.create_security_monitoring_rule(body).await;
55+
if let Ok(value) = resp {
56+
println!("{:#?}", value);
57+
} else {
58+
println!("{:#?}", resp.unwrap_err());
59+
}
60+
}
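Review bot: The example sets `.index("main".to_string())` on the query without noting that the spec in this same commit marks `index` as unstable and only honoured for scheduled rules, so a reader copying the snippet will treat it as a stable field. Add a comment above that line, e.g. `// `index` is only used for scheduled rules and is marked unstable in the spec.` The `start` value `2025-06-18T12:00:00` carries no offset and, per the spec, is interpreted in the `timezone` that follows; a one-line comment such as `// local time in the timezone below — no offset` would make the pairing obvious. This example's file header is not on the page, so its path could not be checked against the rest of the examples directory.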

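--- a/src/datadogV2/model/mod.rs
+++ b/src/datadogV2/model/mod.rs
@@ -4656,6 +4656,8 @@ pub mod model_security_monitoring_list_rules_response;
 pub use self::model_security_monitoring_list_rules_response::SecurityMonitoringListRulesResponse;
 pub mod model_security_monitoring_standard_rule_response;
 pub use self::model_security_monitoring_standard_rule_response::SecurityMonitoringStandardRuleResponse;
+pub mod model_calculated_field;
+pub use self::model_calculated_field::CalculatedField;
 pub mod model_security_monitoring_rule_case;
 pub use self::model_security_monitoring_rule_case::SecurityMonitoringRuleCase;
 pub mod model_security_monitoring_rule_case_action;
@@ -4714,6 +4716,8 @@ pub mod model_security_monitoring_standard_data_source;
 pub use self::model_security_monitoring_standard_data_source::SecurityMonitoringStandardDataSource;
 pub mod model_security_monitoring_reference_table;
 pub use self::model_security_monitoring_reference_table::SecurityMonitoringReferenceTable;
+pub mod model_security_monitoring_scheduling_options;
+pub use self::model_security_monitoring_scheduling_options::SecurityMonitoringSchedulingOptions;
 pub mod model_security_monitoring_third_party_rule_case;
 pub use self::model_security_monitoring_third_party_rule_case::SecurityMonitoringThirdPartyRuleCase;
 pub mod model_security_monitoring_rule_type_read;
@@ -5138,8 +5142,6 @@ pub mod model_historical_job_response_attributes;
 pub use self::model_historical_job_response_attributes::HistoricalJobResponseAttributes;
 pub mod model_job_definition;
 pub use self::model_job_definition::JobDefinition;
-pub mod model_calculated_field;
-pub use self::model_calculated_field::CalculatedField;
 pub mod model_historical_job_options;
 pub use self::model_historical_job_options::HistoricalJobOptions;
 pub mod model_historical_job_query;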

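--- a/src/datadogV2/model/model_security_monitoring_rule_update_payload.rs
+++ b/src/datadogV2/model/model_security_monitoring_rule_update_payload.rs
@@ -11,6 +11,9 @@ use std::fmt::{self, Formatter};
 #[skip_serializing_none]
 #[derive(Clone, Debug, PartialEq, Serialize)]
 pub struct SecurityMonitoringRuleUpdatePayload {
+/// Calculated fields. Only allowed for scheduled rules - in other words, when schedulingOptions is also defined.
+#[serde(rename = "calculatedFields")]
+pub calculated_fields: Option<Vec<crate::datadogV2::model::CalculatedField>>,
 /// Cases for generating signals.
 #[serde(rename = "cases")]
 pub cases: Option<Vec<crate::datadogV2::model::SecurityMonitoringRuleCase>>,
@@ -51,6 +54,14 @@ pub struct SecurityMonitoringRuleUpdatePayload {
 /// Reference tables for the rule.
 #[serde(rename = "referenceTables")]
 pub reference_tables: Option<Vec<crate::datadogV2::model::SecurityMonitoringReferenceTable>>,
+/// Options for scheduled rules. When this field is present, the rule runs based on the schedule. When absent, it runs real-time on ingested logs.
+#[serde(
+rename = "schedulingOptions",
+default,
+with = "::serde_with::rust::double_option"
+)]
+pub scheduling_options:
+Option<Option<crate::datadogV2::model::SecurityMonitoringSchedulingOptions>>,
 /// Tags for generated signals.
 #[serde(rename = "tags")]
 pub tags: Option<Vec<String>>,
@@ -71,6 +82,7 @@ pub struct SecurityMonitoringRuleUpdatePayload {
 impl SecurityMonitoringRuleUpdatePayload {
 pub fn new() -> SecurityMonitoringRuleUpdatePayload {
 SecurityMonitoringRuleUpdatePayload {
+calculated_fields: None,
 cases: None,
 compliance_signal_options: None,
 custom_message: None,
@@ -84,6 +96,7 @@ impl SecurityMonitoringRuleUpdatePayload {
 options: None,
 queries: None,
 reference_tables: None,
+scheduling_options: None,
 tags: None,
 third_party_cases: None,
 version: None,
@@ -92,6 +105,14 @@ impl SecurityMonitoringRuleUpdatePayload {
 }
 }
 
+pub fn calculated_fields(
+mut self,
+value: Vec<crate::datadogV2::model::CalculatedField>,
+) -> Self {
+self.calculated_fields = Some(value);
+self
+}
+
 pub fn cases(
 mut self,
 value: Vec<crate::datadogV2::model::SecurityMonitoringRuleCase>,
@@ -175,6 +196,14 @@ impl SecurityMonitoringRuleUpdatePayload {
 self
 }
 
+pub fn scheduling_options(
+mut self,
+value: Option<crate::datadogV2::model::SecurityMonitoringSchedulingOptions>,
+) -> Self {
+self.scheduling_options = Some(value);
+self
+}
+
 pub fn tags(mut self, value: Vec<String>) -> Self {
 self.tags = Some(value);
 self
@@ -225,6 +254,8 @@ impl<'de> Deserialize<'de> for SecurityMonitoringRuleUpdatePayload {
 where
 M: MapAccess<'a>,
 {
+let mut calculated_fields: Option<Vec<crate::datadogV2::model::CalculatedField>> =
+None;
 let mut cases: Option<Vec<crate::datadogV2::model::SecurityMonitoringRuleCase>> =
 None;
 let mut compliance_signal_options: Option<
@@ -246,6 +277,9 @@ impl<'de> Deserialize<'de> for SecurityMonitoringRuleUpdatePayload {
 let mut reference_tables: Option<
 Vec<crate::datadogV2::model::SecurityMonitoringReferenceTable>,
 > = None;
+let mut scheduling_options: Option<
+Option<crate::datadogV2::model::SecurityMonitoringSchedulingOptions>,
+> = None;
 let mut tags: Option<Vec<String>> = None;
 let mut third_party_cases: Option<
 Vec<crate::datadogV2::model::SecurityMonitoringThirdPartyRuleCase>,
@@ -259,6 +293,13 @@ impl<'de> Deserialize<'de> for SecurityMonitoringRuleUpdatePayload {
 
 while let Some((k, v)) = map.next_entry::<String, serde_json::Value>()? {
 match k.as_str() {
+"calculatedFields" => {
+if v.is_null() {
+continue;
+}
+calculated_fields =
+Some(serde_json::from_value(v).map_err(M::Error::custom)?);
+}
 "cases" => {
 if v.is_null() {
 continue;
@@ -343,6 +384,10 @@ impl<'de> Deserialize<'de> for SecurityMonitoringRuleUpdatePayload {
 reference_tables =
 Some(serde_json::from_value(v).map_err(M::Error::custom)?);
 }
+"schedulingOptions" => {
+scheduling_options =
+Some(serde_json::from_value(v).map_err(M::Error::custom)?);
+}
 "tags" => {
 if v.is_null() {
 continue;
@@ -371,6 +416,7 @@ impl<'de> Deserialize<'de> for SecurityMonitoringRuleUpdatePayload {
 }
 
 let content = SecurityMonitoringRuleUpdatePayload {
+calculated_fields,
 cases,
 compliance_signal_options,
 custom_message,
@@ -384,6 +430,7 @@ impl<'de> Deserialize<'de> for SecurityMonitoringRuleUpdatePayload {
 options,
 queries,
 reference_tables,
+scheduling_options,
 tags,
 third_party_cases,
 version,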
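Review bot: The `"schedulingOptions"` match arm in the hunk at `@@ -343,6 +384,10` deliberately omits the `if v.is_null() { continue; }` guard that every neighbouring arm carries, but nothing in the code says why, so a maintainer "normalising" the arms would silently break the ability to clear a schedule. Because the field is `Option<Option<_>>` with `serde_with::rust::double_option` and the struct is `#[skip_serializing_none]`, a JSON `null` must deserialize to `Some(None)` and be re-emitted as an explicit `null` — which, going by the field's own doc comment, is what turns a rule back to real-time evaluation. Add `// No null-skip here: "schedulingOptions": null must round-trip as Some(None) so an update can clear the schedule.` above the arm, and extend the builder's doc with `/// Pass `None` to clear the schedule (sent as JSON null); leave the field unset to keep the server-side value.` The `calculated_fields` doc comment states a cross-field constraint this client never checks; it should say the constraint is enforced by the API, since `calculated_fields(..)` will happily be set on a payload with no `scheduling_options`. The enclosing `Deserialize` impl continues outside the hunks shown.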
