DataDog
diff --git a/‎.generated-info‎
Lines changed: 2 additions & 2 deletions b/‎.generated-info‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎.generator/schemas/v2/openapi.yaml‎
Lines changed: 37 additions & 0 deletions b/‎.generator/schemas/v2/openapi.yaml‎
Lines changed: 37 additions & 0 deletions
diff --git a/‎docs/datadog_api_client.v2.model.rst‎
Lines changed: 7 additions & 0 deletions b/‎docs/datadog_api_client.v2.model.rst‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎examples/v2/security-monitoring/CreateSecurityMonitoringRule_868881438.py‎
Lines changed: 68 additions & 0 deletions b/‎examples/v2/security-monitoring/CreateSecurityMonitoringRule_868881438.py‎
Lines changed: 68 additions & 0 deletions
diff --git a/‎src/datadog_api_client/v2/model/security_monitoring_rule_create_payload.py‎
Lines changed: 6 additions & 0 deletions b/‎src/datadog_api_client/v2/model/security_monitoring_rule_create_payload.py‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎src/datadog_api_client/v2/model/security_monitoring_rule_query.py‎
Lines changed: 4 additions & 0 deletions b/‎src/datadog_api_client/v2/model/security_monitoring_rule_query.py‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎src/datadog_api_client/v2/model/security_monitoring_scheduling_options.py‎
Lines changed: 58 additions & 0 deletions b/‎src/datadog_api_client/v2/model/security_monitoring_scheduling_options.py‎
Lines changed: 58 additions & 0 deletions
diff --git a/‎src/datadog_api_client/v2/model/security_monitoring_standard_rule_create_payload.py‎
Lines changed: 23 additions & 0 deletions b/‎src/datadog_api_client/v2/model/security_monitoring_standard_rule_create_payload.py‎
Lines changed: 23 additions & 0 deletions
@@ -1,4 +1,4 @@
 {
-  "spec_repo_commit": "df31e44",
-  "generated": "2025-07-28 19:54:45.232"
+  "spec_repo_commit": "2a2b481",
+  "generated": "2025-07-31 08:51:34.198"
 }
@@ -34920,6 +34920,27 @@ components:
       - $ref: '#/components/schemas/SecurityMonitoringStandardRulePayload'
       - $ref: '#/components/schemas/SecurityMonitoringSignalRulePayload'
       - $ref: '#/components/schemas/CloudConfigurationRulePayload'
+    SecurityMonitoringSchedulingOptions:
+      description: Options for scheduled rules. When this field is present, the rule
+        runs based on the schedule. When absent, it runs real-time on ingested logs.
+      nullable: true
+      properties:
+        rrule:
+          description: Schedule for the rule queries, written in RRULE syntax. See
+            [RFC](https://icalendar.org/iCalendar-RFC-5545/3-8-5-3-recurrence-rule.html)
+            for syntax reference.
+          example: FREQ=HOURLY;INTERVAL=1;
+          type: string
+        start:
+          description: Start date for the schedule, in ISO 8601 format without timezone.
+          example: '2025-07-14T12:00:00'
+          type: string
+        timezone:
+          description: Time zone of the start date, in the [tz database](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones)
+            format.
+          example: America/New_York
+          type: string
+      type: object
     SecurityMonitoringSignal:
       description: Object description of a security signal.
       properties:
@@ -35598,6 +35619,12 @@ components:
     SecurityMonitoringStandardRuleCreatePayload:
       description: Create a new rule.
       properties:
+        calculatedFields:
+          description: Calculated fields. Only allowed for scheduled rules, i.e. when
+            schedulingOptions is also defined.
+          items:
+            $ref: '#/components/schemas/CalculatedField'
+          type: array
         cases:
           description: Cases for generating signals.
           example: []
@@ -35650,6 +35677,8 @@ components:
           items:
             $ref: '#/components/schemas/SecurityMonitoringReferenceTable'
           type: array
+        schedulingOptions:
+          $ref: '#/components/schemas/SecurityMonitoringSchedulingOptions'
         tags:
           description: Tags for generated signals.
           example:
@@ -35795,6 +35824,14 @@ components:
           example: false
           readOnly: true
           type: boolean
+        index:
+          description: '**This field is currently unstable and might be removed in
+            a minor version upgrade.**
+
+            The index to run the query on, if the `dataSource` is `logs`. Only used
+            for scheduled rules, i.e. when the `schedulingOptions` field is present
+            in the rule payload.'
+          type: string
         metric:
           deprecated: true
           description: '(Deprecated) The target field to aggregate over when using
 
@@ -15201,6 +15201,13 @@ datadog\_api\_client.v2.model.security\_monitoring\_rule\_validate\_payload modu
    :members:
    :show-inheritance:
 
+datadog\_api\_client.v2.model.security\_monitoring\_scheduling\_options module
+------------------------------------------------------------------------------
+
+.. automodule:: datadog_api_client.v2.model.security_monitoring_scheduling_options
+   :members:
+   :show-inheritance:
+
 datadog\_api\_client.v2.model.security\_monitoring\_signal module
 -----------------------------------------------------------------
 
 
@@ -0,0 +1,68 @@
+"""
+Create a scheduled detection rule returns "OK" response
+"""
+
+from datadog_api_client import ApiClient, Configuration
+from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
+from datadog_api_client.v2.model.security_monitoring_rule_case_create import SecurityMonitoringRuleCaseCreate
+from datadog_api_client.v2.model.security_monitoring_rule_evaluation_window import (
+    SecurityMonitoringRuleEvaluationWindow,
+)
+from datadog_api_client.v2.model.security_monitoring_rule_keep_alive import SecurityMonitoringRuleKeepAlive
+from datadog_api_client.v2.model.security_monitoring_rule_max_signal_duration import (
+    SecurityMonitoringRuleMaxSignalDuration,
+)
+from datadog_api_client.v2.model.security_monitoring_rule_options import SecurityMonitoringRuleOptions
+from datadog_api_client.v2.model.security_monitoring_rule_query_aggregation import (
+    SecurityMonitoringRuleQueryAggregation,
+)
+from datadog_api_client.v2.model.security_monitoring_rule_severity import SecurityMonitoringRuleSeverity
+from datadog_api_client.v2.model.security_monitoring_rule_type_create import SecurityMonitoringRuleTypeCreate
+from datadog_api_client.v2.model.security_monitoring_scheduling_options import SecurityMonitoringSchedulingOptions
+from datadog_api_client.v2.model.security_monitoring_standard_rule_create_payload import (
+    SecurityMonitoringStandardRuleCreatePayload,
+)
+from datadog_api_client.v2.model.security_monitoring_standard_rule_query import SecurityMonitoringStandardRuleQuery
+
+body = SecurityMonitoringStandardRuleCreatePayload(
+    name="Example-Security-Monitoring",
+    queries=[
+        SecurityMonitoringStandardRuleQuery(
+            query="@test:true",
+            aggregation=SecurityMonitoringRuleQueryAggregation.COUNT,
+            group_by_fields=[],
+            distinct_fields=[],
+            index="main",
+        ),
+    ],
+    filters=[],
+    cases=[
+        SecurityMonitoringRuleCaseCreate(
+            name="",
+            status=SecurityMonitoringRuleSeverity.INFO,
+            condition="a > 0",
+            notifications=[],
+        ),
+    ],
+    options=SecurityMonitoringRuleOptions(
+        evaluation_window=SecurityMonitoringRuleEvaluationWindow.FIFTEEN_MINUTES,
+        keep_alive=SecurityMonitoringRuleKeepAlive.ONE_HOUR,
+        max_signal_duration=SecurityMonitoringRuleMaxSignalDuration.ONE_DAY,
+    ),
+    message="Test rule",
+    tags=[],
+    is_enabled=True,
+    type=SecurityMonitoringRuleTypeCreate.LOG_DETECTION,
+    scheduling_options=SecurityMonitoringSchedulingOptions(
+        rrule="FREQ=HOURLY;INTERVAL=2;",
+        start="2025-06-18T12:00:00",
+        timezone="Europe/Paris",
+    ),
+)
+
+configuration = Configuration()
+with ApiClient(configuration) as api_client:
+    api_instance = SecurityMonitoringApi(api_client)
+    response = api_instance.create_security_monitoring_rule(body=body)
+
+    print(response)
@@ -15,6 +15,9 @@ def __init__(self, **kwargs):
         """
         Create a new rule.
 
+        :param calculated_fields: Calculated fields. Only allowed for scheduled rules, i.e. when schedulingOptions is also defined.
+        :type calculated_fields: [CalculatedField], optional
+
         :param cases: Cases for generating signals.
         :type cases: [SecurityMonitoringRuleCaseCreate]
 
@@ -45,6 +48,9 @@ def __init__(self, **kwargs):
         :param reference_tables: Reference tables for the rule.
         :type reference_tables: [SecurityMonitoringReferenceTable], optional
 
+        :param scheduling_options: Options for scheduled rules. When this field is present, the rule runs based on the schedule. When absent, it runs real-time on ingested logs.
+        :type scheduling_options: SecurityMonitoringSchedulingOptions, none_type, optional
+
         :param tags: Tags for generated signals.
         :type tags: [str], optional
 
 
@@ -33,6 +33,10 @@ def __init__(self, **kwargs):
         :param has_optional_group_by_fields: When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with `N/A`, replacing the missing values.
         :type has_optional_group_by_fields: bool, optional
 
+        :param index: **This field is currently unstable and might be removed in a minor version upgrade.**
+            The index to run the query on, if the `dataSource` is `logs`. Only used for scheduled rules, i.e. when the `schedulingOptions` field is present in the rule payload.
+        :type index: str, optional
+
         :param metric: (Deprecated) The target field to aggregate over when using the sum or max
             aggregations. `metrics` field should be used instead.
         :type metric: str, optional
 
@@ -0,0 +1,58 @@
+# Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License.
+# This product includes software developed at Datadog (https://www.datadoghq.com/).
+# Copyright 2019-Present Datadog, Inc.
+from __future__ import annotations
+
+from typing import Union
+
+from datadog_api_client.model_utils import (
+    ModelNormal,
+    cached_property,
+    unset,
+    UnsetType,
+)
+
+
+class SecurityMonitoringSchedulingOptions(ModelNormal):
+    _nullable = True
+
+    @cached_property
+    def openapi_types(_):
+        return {
+            "rrule": (str,),
+            "start": (str,),
+            "timezone": (str,),
+        }
+
+    attribute_map = {
+        "rrule": "rrule",
+        "start": "start",
+        "timezone": "timezone",
+    }
+
+    def __init__(
+        self_,
+        rrule: Union[str, UnsetType] = unset,
+        start: Union[str, UnsetType] = unset,
+        timezone: Union[str, UnsetType] = unset,
+        **kwargs,
+    ):
+        """
+        Options for scheduled rules. When this field is present, the rule runs based on the schedule. When absent, it runs real-time on ingested logs.
+
+        :param rrule: Schedule for the rule queries, written in RRULE syntax. See `RFC <https://icalendar.org/iCalendar-RFC-5545/3-8-5-3-recurrence-rule.html>`_ for syntax reference.
+        :type rrule: str, optional
+
+        :param start: Start date for the schedule, in ISO 8601 format without timezone.
+        :type start: str, optional
+
+        :param timezone: Time zone of the start date, in the `tz database <https://en.wikipedia.org/wiki/List_of_tz_database_time_zones>`_ format.
+        :type timezone: str, optional
+        """
+        if rrule is not unset:
+            kwargs["rrule"] = rrule
+        if start is not unset:
+            kwargs["start"] = start
+        if timezone is not unset:
+            kwargs["timezone"] = timezone
+        super().__init__(kwargs)
@@ -8,17 +8,20 @@
 from datadog_api_client.model_utils import (
     ModelNormal,
     cached_property,
+    none_type,
     unset,
     UnsetType,
 )
 
 
 if TYPE_CHECKING:
+    from datadog_api_client.v2.model.calculated_field import CalculatedField
     from datadog_api_client.v2.model.security_monitoring_rule_case_create import SecurityMonitoringRuleCaseCreate
     from datadog_api_client.v2.model.security_monitoring_filter import SecurityMonitoringFilter
     from datadog_api_client.v2.model.security_monitoring_rule_options import SecurityMonitoringRuleOptions
     from datadog_api_client.v2.model.security_monitoring_standard_rule_query import SecurityMonitoringStandardRuleQuery
     from datadog_api_client.v2.model.security_monitoring_reference_table import SecurityMonitoringReferenceTable
+    from datadog_api_client.v2.model.security_monitoring_scheduling_options import SecurityMonitoringSchedulingOptions
     from datadog_api_client.v2.model.security_monitoring_third_party_rule_case_create import (
         SecurityMonitoringThirdPartyRuleCaseCreate,
     )
@@ -28,19 +31,24 @@
 class SecurityMonitoringStandardRuleCreatePayload(ModelNormal):
     @cached_property
     def openapi_types(_):
+        from datadog_api_client.v2.model.calculated_field import CalculatedField
         from datadog_api_client.v2.model.security_monitoring_rule_case_create import SecurityMonitoringRuleCaseCreate
         from datadog_api_client.v2.model.security_monitoring_filter import SecurityMonitoringFilter
         from datadog_api_client.v2.model.security_monitoring_rule_options import SecurityMonitoringRuleOptions
         from datadog_api_client.v2.model.security_monitoring_standard_rule_query import (
             SecurityMonitoringStandardRuleQuery,
         )
         from datadog_api_client.v2.model.security_monitoring_reference_table import SecurityMonitoringReferenceTable
+        from datadog_api_client.v2.model.security_monitoring_scheduling_options import (
+            SecurityMonitoringSchedulingOptions,
+        )
         from datadog_api_client.v2.model.security_monitoring_third_party_rule_case_create import (
             SecurityMonitoringThirdPartyRuleCaseCreate,
         )
         from datadog_api_client.v2.model.security_monitoring_rule_type_create import SecurityMonitoringRuleTypeCreate
 
         return {
+            "calculated_fields": ([CalculatedField],),
             "cases": ([SecurityMonitoringRuleCaseCreate],),
             "filters": ([SecurityMonitoringFilter],),
             "group_signals_by": ([str],),
@@ -51,12 +59,14 @@ def openapi_types(_):
             "options": (SecurityMonitoringRuleOptions,),
             "queries": ([SecurityMonitoringStandardRuleQuery],),
             "reference_tables": ([SecurityMonitoringReferenceTable],),
+            "scheduling_options": (SecurityMonitoringSchedulingOptions,),
             "tags": ([str],),
             "third_party_cases": ([SecurityMonitoringThirdPartyRuleCaseCreate],),
             "type": (SecurityMonitoringRuleTypeCreate,),
         }
 
     attribute_map = {
+        "calculated_fields": "calculatedFields",
         "cases": "cases",
         "filters": "filters",
         "group_signals_by": "groupSignalsBy",
@@ -67,6 +77,7 @@ def openapi_types(_):
         "options": "options",
         "queries": "queries",
         "reference_tables": "referenceTables",
+        "scheduling_options": "schedulingOptions",
         "tags": "tags",
         "third_party_cases": "thirdPartyCases",
         "type": "type",
@@ -80,10 +91,12 @@ def __init__(
         name: str,
         options: SecurityMonitoringRuleOptions,
         queries: List[SecurityMonitoringStandardRuleQuery],
+        calculated_fields: Union[List[CalculatedField], UnsetType] = unset,
         filters: Union[List[SecurityMonitoringFilter], UnsetType] = unset,
         group_signals_by: Union[List[str], UnsetType] = unset,
         has_extended_title: Union[bool, UnsetType] = unset,
         reference_tables: Union[List[SecurityMonitoringReferenceTable], UnsetType] = unset,
+        scheduling_options: Union[SecurityMonitoringSchedulingOptions, none_type, UnsetType] = unset,
         tags: Union[List[str], UnsetType] = unset,
         third_party_cases: Union[List[SecurityMonitoringThirdPartyRuleCaseCreate], UnsetType] = unset,
         type: Union[SecurityMonitoringRuleTypeCreate, UnsetType] = unset,
@@ -92,6 +105,9 @@ def __init__(
         """
         Create a new rule.
 
+        :param calculated_fields: Calculated fields. Only allowed for scheduled rules, i.e. when schedulingOptions is also defined.
+        :type calculated_fields: [CalculatedField], optional
+
         :param cases: Cases for generating signals.
         :type cases: [SecurityMonitoringRuleCaseCreate]
 
@@ -122,6 +138,9 @@ def __init__(
         :param reference_tables: Reference tables for the rule.
         :type reference_tables: [SecurityMonitoringReferenceTable], optional
 
+        :param scheduling_options: Options for scheduled rules. When this field is present, the rule runs based on the schedule. When absent, it runs real-time on ingested logs.
+        :type scheduling_options: SecurityMonitoringSchedulingOptions, none_type, optional
+
         :param tags: Tags for generated signals.
         :type tags: [str], optional
 
@@ -131,6 +150,8 @@ def __init__(
         :param type: The rule type.
         :type type: SecurityMonitoringRuleTypeCreate, optional
         """
+        if calculated_fields is not unset:
+            kwargs["calculated_fields"] = calculated_fields
         if filters is not unset:
             kwargs["filters"] = filters
         if group_signals_by is not unset:
@@ -139,6 +160,8 @@ def __init__(
             kwargs["has_extended_title"] = has_extended_title
         if reference_tables is not unset:
             kwargs["reference_tables"] = reference_tables
+        if scheduling_options is not unset:
+            kwargs["scheduling_options"] = scheduling_options
         if tags is not unset:
             kwargs["tags"] = tags
         if third_party_cases is not unset:
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`	`1`	`{`
`2`		`- "spec_repo_commit": "df31e44",`
`3`		`- "generated": "2025-07-28 19:54:45.232"`
	`2`	`+ "spec_repo_commit": "2a2b481",`
	`3`	`+ "generated": "2025-07-31 08:51:34.198"`
`4`	`4`	`}`