From cfc3ee2c63e38b41fdb9d032214dfa20f7896723 Mon Sep 17 00:00:00 2001 
From: "ci.datadog-api-spec" Date: Fri, 8 Aug 2025 12:07:21 +0000 Subject: [PATCH] Regenerate client from commit d02c8a3 of spec repo --- .generated-info | 4 +- .generator/schemas/v2/openapi.yaml | 69 +++++++++++++++++++ docs/datadog_api_client.v2.model.rst | 7 ++ .../CreateSecurityMonitoringRule_868881438.py | 68 ++++++++++++++++++ ...ecurity_monitoring_rule_convert_payload.py | 6 ++ ...security_monitoring_rule_create_payload.py | 6 ++ .../model/security_monitoring_rule_query.py | 4 ++ .../security_monitoring_rule_response.py | 6 ++ .../security_monitoring_rule_test_payload.py | 6 ++ ...security_monitoring_rule_update_payload.py | 23 +++++++ ...curity_monitoring_rule_validate_payload.py | 6 ++ .../security_monitoring_scheduling_options.py | 58 ++++++++++++++++ ...monitoring_standard_rule_create_payload.py | 23 +++++++ ...curity_monitoring_standard_rule_payload.py | 23 +++++++ ...security_monitoring_standard_rule_query.py | 9 +++ ...urity_monitoring_standard_rule_response.py | 23 +++++++ ...y_monitoring_standard_rule_test_payload.py | 23 +++++++ src/datadog_api_client/v2/models/__init__.py | 2 + ..._detection_rule_returns_ok_response.frozen | 1 + ...ed_detection_rule_returns_ok_response.yaml | 36 ++++++++++ ..._rrule_returns_bad_request_response.frozen | 1 + ...ut_rrule_returns_bad_request_response.yaml | 22 ++++++ tests/v2/features/security_monitoring.feature | 18 +++++ 23 files changed, 442 insertions(+), 2 deletions(-) create mode 100644 examples/v2/security-monitoring/CreateSecurityMonitoringRule_868881438.py create mode 100644 src/datadog_api_client/v2/model/security_monitoring_scheduling_options.py create mode 100644 tests/v2/cassettes/test_scenarios/test_create_a_scheduled_detection_rule_returns_ok_response.frozen create mode 100644 tests/v2/cassettes/test_scenarios/test_create_a_scheduled_detection_rule_returns_ok_response.yaml create mode 100644 tests/v2/cassettes/test_scenarios/test_create_a_scheduled_rule_without_rrule_returns_bad_request_response.frozen 
create mode 100644 tests/v2/cassettes/test_scenarios/test_create_a_scheduled_rule_without_rrule_returns_bad_request_response.yaml diff --git a/.generated-info b/.generated-info index 5706cf39d9..bdcbb99f48 100644 --- a/.generated-info +++ b/.generated-info @@ -1,4 +1,4 @@ { - "spec_repo_commit": "c5cca50", - "generated": "2025-08-07 18:03:26.051" + "spec_repo_commit": "d02c8a3", + "generated": "2025-08-08 12:07:20.979" } diff --git a/.generator/schemas/v2/openapi.yaml b/.generator/schemas/v2/openapi.yaml index a0599c01eb..4f155402b7 100644 --- a/.generator/schemas/v2/openapi.yaml +++ b/.generator/schemas/v2/openapi.yaml @@ -36336,6 +36336,12 @@ components: SecurityMonitoringRuleUpdatePayload: description: Update an existing rule. properties: + calculatedFields: + description: Calculated fields. Only allowed for scheduled rules - in other + words, when schedulingOptions is also defined. + items: + $ref: '#/components/schemas/CalculatedField' + type: array cases: description: Cases for generating signals. items: @@ -36392,6 +36398,8 @@ components: items: $ref: '#/components/schemas/SecurityMonitoringReferenceTable' type: array + schedulingOptions: + $ref: '#/components/schemas/SecurityMonitoringSchedulingOptions' tags: description: Tags for generated signals. items: 
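Review bot: The `schedulingOptions` reference added to `SecurityMonitoringRuleUpdatePayload` (hunk `@@ -36392,6 +36398,8 @@`) does not say what an update does when the key is omitted versus sent as `null`. The referenced schema, added further down in this file's diff, is `nullable: true` and only states "When absent, it runs real-time on ingested logs". For a detection rule, that difference decides whether a partial update keeps the schedule or quietly changes how the rule is evaluated. I would add one sentence to the `SecurityMonitoringSchedulingOptions` description, for example `On update, omitting this field leaves the schedule unchanged; null removes it.`, corrected to whatever the API actually does, which this diff does not show. The generated `SecurityMonitoringRuleUpdatePayload.__init__` accepts both `unset` and `None` for `scheduling_options`, so its docstring would pick up the same sentence.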
@@ -36418,6 +36426,27 @@ components: - $ref: '#/components/schemas/SecurityMonitoringStandardRulePayload' - $ref: '#/components/schemas/SecurityMonitoringSignalRulePayload' - $ref: '#/components/schemas/CloudConfigurationRulePayload' + SecurityMonitoringSchedulingOptions: + description: Options for scheduled rules. When this field is present, the rule + runs based on the schedule. When absent, it runs real-time on ingested logs. + nullable: true + properties: + rrule: + description: Schedule for the rule queries, written in RRULE syntax. See + [RFC](https://icalendar.org/iCalendar-RFC-5545/3-8-5-3-recurrence-rule.html) + for syntax reference. + example: FREQ=HOURLY;INTERVAL=1; + type: string + start: + description: Start date for the schedule, in ISO 8601 format without timezone. + example: '2025-07-14T12:00:00' + type: string + timezone: + description: Time zone of the start date, in the [tz database](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones) + format. + example: America/New_York + type: string + type: object SecurityMonitoringSignal: description: Object description of a security signal. properties: @@ -37096,6 +37125,12 @@ components: SecurityMonitoringStandardRuleCreatePayload: description: Create a new rule. properties: + calculatedFields: + description: Calculated fields. Only allowed for scheduled rules - in other + words, when schedulingOptions is also defined. + items: + $ref: '#/components/schemas/CalculatedField' + type: array cases: description: Cases for generating signals. example: [] @@ -37148,6 +37183,8 @@ components: items: $ref: '#/components/schemas/SecurityMonitoringReferenceTable' type: array + schedulingOptions: + $ref: '#/components/schemas/SecurityMonitoringSchedulingOptions' tags: description: Tags for generated signals. example: 
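Review bot: The new `SecurityMonitoringSchedulingOptions` schema (hunk `@@ -36418,6 +36426,27 @@`) has no `required` list, so the generated model takes `rrule`, `start` and `timezone` as optional. The cassette name `test_create_a_scheduled_rule_without_rrule_returns_bad_request_response` in the diffstat suggests the API rejects a schedule that lacks `rrule`. If so, adding `required:` with `- rrule` under the schema would put that contract in the spec and in the generated `__init__` signature, instead of leaving it to a 400 at rule-creation time. `start` is described as ISO 8601 without timezone but is a bare `type: string`; a `pattern` there would document the accepted shape. The model in `security_monitoring_scheduling_options.py` mirrors the schema and needs no separate change.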
@@ -37177,6 +37214,12 @@ components: SecurityMonitoringStandardRulePayload: description: The payload of a rule. properties: + calculatedFields: + description: Calculated fields. Only allowed for scheduled rules - in other + words, when schedulingOptions is also defined. + items: + $ref: '#/components/schemas/CalculatedField' + type: array cases: description: Cases for generating signals. example: [] @@ -37237,6 +37280,8 @@ components: items: $ref: '#/components/schemas/SecurityMonitoringReferenceTable' type: array + schedulingOptions: + $ref: '#/components/schemas/SecurityMonitoringSchedulingOptions' tags: description: Tags for generated signals. example: @@ -37293,6 +37338,14 @@ components: example: false readOnly: true type: boolean + index: + description: '**This field is currently unstable and might be removed in + a minor version upgrade.** + + The index to run the query on, if the `dataSource` is `logs`. Only used + for scheduled rules - in other words, when the `schedulingOptions` field + is present in the rule payload.' + type: string metric: deprecated: true description: '(Deprecated) The target field to aggregate over when using @@ -37320,6 +37373,12 @@ components: SecurityMonitoringStandardRuleResponse: description: Rule. properties: + calculatedFields: + description: Calculated fields. Only allowed for scheduled rules - in other + words, when schedulingOptions is also defined. + items: + $ref: '#/components/schemas/CalculatedField' + type: array cases: description: Cases for generating signals. items: @@ -37405,6 +37464,8 @@ components: items: $ref: '#/components/schemas/SecurityMonitoringReferenceTable' type: array + schedulingOptions: + $ref: '#/components/schemas/SecurityMonitoringSchedulingOptions' tags: description: Tags for generated signals. items: 
@@ -37436,6 +37497,12 @@ components: SecurityMonitoringStandardRuleTestPayload: description: The payload of a rule to test properties: + calculatedFields: + description: Calculated fields. Only allowed for scheduled rules - in other + words, when schedulingOptions is also defined. + items: + $ref: '#/components/schemas/CalculatedField' + type: array cases: description: Cases for generating signals. example: [] @@ -37488,6 +37555,8 @@ components: items: $ref: '#/components/schemas/SecurityMonitoringReferenceTable' type: array + schedulingOptions: + $ref: '#/components/schemas/SecurityMonitoringSchedulingOptions' tags: description: Tags for generated signals. example: diff --git a/docs/datadog_api_client.v2.model.rst b/docs/datadog_api_client.v2.model.rst index 7825e93294..3164dbe560 100644 --- a/docs/datadog_api_client.v2.model.rst +++ b/docs/datadog_api_client.v2.model.rst @@ -16237,6 +16237,13 @@ datadog\_api\_client.v2.model.security\_monitoring\_rule\_validate\_payload modu :members: :show-inheritance: +datadog\_api\_client.v2.model.security\_monitoring\_scheduling\_options module +------------------------------------------------------------------------------ + +.. automodule:: datadog_api_client.v2.model.security_monitoring_scheduling_options + :members: + :show-inheritance: + datadog\_api\_client.v2.model.security\_monitoring\_signal module ----------------------------------------------------------------- diff --git a/examples/v2/security-monitoring/CreateSecurityMonitoringRule_868881438.py b/examples/v2/security-monitoring/CreateSecurityMonitoringRule_868881438.py new file mode 100644 index 0000000000..1d39510a01 --- /dev/null +++ b/examples/v2/security-monitoring/CreateSecurityMonitoringRule_868881438.py 
@@ -0,0 +1,68 @@ +""" +Create a scheduled detection rule returns "OK" response +""" + +from datadog_api_client import ApiClient, Configuration +from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi +from datadog_api_client.v2.model.security_monitoring_rule_case_create import SecurityMonitoringRuleCaseCreate +from datadog_api_client.v2.model.security_monitoring_rule_evaluation_window import ( + SecurityMonitoringRuleEvaluationWindow, +) +from datadog_api_client.v2.model.security_monitoring_rule_keep_alive import SecurityMonitoringRuleKeepAlive +from datadog_api_client.v2.model.security_monitoring_rule_max_signal_duration import ( + SecurityMonitoringRuleMaxSignalDuration, +) +from datadog_api_client.v2.model.security_monitoring_rule_options import SecurityMonitoringRuleOptions +from datadog_api_client.v2.model.security_monitoring_rule_query_aggregation import ( + SecurityMonitoringRuleQueryAggregation, +) +from datadog_api_client.v2.model.security_monitoring_rule_severity import SecurityMonitoringRuleSeverity +from datadog_api_client.v2.model.security_monitoring_rule_type_create import SecurityMonitoringRuleTypeCreate +from datadog_api_client.v2.model.security_monitoring_scheduling_options import SecurityMonitoringSchedulingOptions +from datadog_api_client.v2.model.security_monitoring_standard_rule_create_payload import ( + SecurityMonitoringStandardRuleCreatePayload, +) +from datadog_api_client.v2.model.security_monitoring_standard_rule_query import SecurityMonitoringStandardRuleQuery + +body = SecurityMonitoringStandardRuleCreatePayload( + name="Example-Security-Monitoring", + queries=[ + SecurityMonitoringStandardRuleQuery( + query="@test:true", + aggregation=SecurityMonitoringRuleQueryAggregation.COUNT, + group_by_fields=[], + distinct_fields=[], + index="main", + ), + ], + filters=[], + cases=[ + SecurityMonitoringRuleCaseCreate( + name="", + status=SecurityMonitoringRuleSeverity.INFO, + condition="a > 0", + notifications=[], + ), 
+ ], + options=SecurityMonitoringRuleOptions( + evaluation_window=SecurityMonitoringRuleEvaluationWindow.FIFTEEN_MINUTES, + keep_alive=SecurityMonitoringRuleKeepAlive.ONE_HOUR, + max_signal_duration=SecurityMonitoringRuleMaxSignalDuration.ONE_DAY, + ), + message="Test rule", + tags=[], + is_enabled=True, + type=SecurityMonitoringRuleTypeCreate.LOG_DETECTION, + scheduling_options=SecurityMonitoringSchedulingOptions( + rrule="FREQ=HOURLY;INTERVAL=2;", + start="2025-06-18T12:00:00", + timezone="Europe/Paris", + ), +) + +configuration = Configuration() +with ApiClient(configuration) as api_client: + api_instance = SecurityMonitoringApi(api_client) + response = api_instance.create_security_monitoring_rule(body=body) + + print(response) diff --git a/src/datadog_api_client/v2/model/security_monitoring_rule_convert_payload.py b/src/datadog_api_client/v2/model/security_monitoring_rule_convert_payload.py index d1b18beed5..9f376540c1 100644 --- a/src/datadog_api_client/v2/model/security_monitoring_rule_convert_payload.py +++ b/src/datadog_api_client/v2/model/security_monitoring_rule_convert_payload.py @@ -15,6 +15,9 @@ def __init__(self, **kwargs): """ Convert a rule from JSON to Terraform. + :param calculated_fields: Calculated fields. Only allowed for scheduled rules - in other words, when schedulingOptions is also defined. + :type calculated_fields: [CalculatedField], optional + :param cases: Cases for generating signals. :type cases: [SecurityMonitoringRuleCaseCreate] @@ -51,6 +54,9 @@ def __init__(self, **kwargs): :param reference_tables: Reference tables for the rule. :type reference_tables: [SecurityMonitoringReferenceTable], optional + :param scheduling_options: Options for scheduled rules. When this field is present, the rule runs based on the schedule. When absent, it runs real-time on ingested logs. + :type scheduling_options: SecurityMonitoringSchedulingOptions, none_type, optional + :param tags: Tags for generated signals. :type tags: [str], optional 
diff --git a/src/datadog_api_client/v2/model/security_monitoring_rule_create_payload.py b/src/datadog_api_client/v2/model/security_monitoring_rule_create_payload.py index 42199e04f7..a288fe6c2b 100644 --- a/src/datadog_api_client/v2/model/security_monitoring_rule_create_payload.py +++ b/src/datadog_api_client/v2/model/security_monitoring_rule_create_payload.py @@ -15,6 +15,9 @@ def __init__(self, **kwargs): """ Create a new rule. + :param calculated_fields: Calculated fields. Only allowed for scheduled rules - in other words, when schedulingOptions is also defined. + :type calculated_fields: [CalculatedField], optional + :param cases: Cases for generating signals. :type cases: [SecurityMonitoringRuleCaseCreate] @@ -45,6 +48,9 @@ def __init__(self, **kwargs): :param reference_tables: Reference tables for the rule. :type reference_tables: [SecurityMonitoringReferenceTable], optional + :param scheduling_options: Options for scheduled rules. When this field is present, the rule runs based on the schedule. When absent, it runs real-time on ingested logs. + :type scheduling_options: SecurityMonitoringSchedulingOptions, none_type, optional + :param tags: Tags for generated signals. :type tags: [str], optional diff --git a/src/datadog_api_client/v2/model/security_monitoring_rule_query.py b/src/datadog_api_client/v2/model/security_monitoring_rule_query.py index 7c43d352b7..1322145c77 100644 --- a/src/datadog_api_client/v2/model/security_monitoring_rule_query.py +++ b/src/datadog_api_client/v2/model/security_monitoring_rule_query.py 
@@ -33,6 +33,10 @@ def __init__(self, **kwargs): :param has_optional_group_by_fields: When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with `N/A`, replacing the missing values. :type has_optional_group_by_fields: bool, optional + :param index: **This field is currently unstable and might be removed in a minor version upgrade.** + The index to run the query on, if the `dataSource` is `logs`. Only used for scheduled rules - in other words, when the `schedulingOptions` field is present in the rule payload. + :type index: str, optional + :param metric: (Deprecated) The target field to aggregate over when using the sum or max aggregations. `metrics` field should be used instead. :type metric: str, optional diff --git a/src/datadog_api_client/v2/model/security_monitoring_rule_response.py b/src/datadog_api_client/v2/model/security_monitoring_rule_response.py index a429226258..0d42a1a061 100644 --- a/src/datadog_api_client/v2/model/security_monitoring_rule_response.py +++ b/src/datadog_api_client/v2/model/security_monitoring_rule_response.py @@ -15,6 +15,9 @@ def __init__(self, **kwargs): """ Create a new rule. + :param calculated_fields: Calculated fields. Only allowed for scheduled rules - in other words, when schedulingOptions is also defined. + :type calculated_fields: [CalculatedField], optional + :param cases: Cases for generating signals. :type cases: [SecurityMonitoringRuleCase], optional @@ -75,6 +78,9 @@ def __init__(self, **kwargs): :param reference_tables: Reference tables for the rule. :type reference_tables: [SecurityMonitoringReferenceTable], optional + :param scheduling_options: Options for scheduled rules. When this field is present, the rule runs based on the schedule. When absent, it runs real-time on ingested logs. + :type scheduling_options: SecurityMonitoringSchedulingOptions, none_type, optional + :param tags: Tags for generated signals. :type tags: [str], optional 
diff --git a/src/datadog_api_client/v2/model/security_monitoring_rule_test_payload.py b/src/datadog_api_client/v2/model/security_monitoring_rule_test_payload.py index 3bde069669..fd97a7cf9c 100644 --- a/src/datadog_api_client/v2/model/security_monitoring_rule_test_payload.py +++ b/src/datadog_api_client/v2/model/security_monitoring_rule_test_payload.py @@ -15,6 +15,9 @@ def __init__(self, **kwargs): """ Test a rule. + :param calculated_fields: Calculated fields. Only allowed for scheduled rules - in other words, when schedulingOptions is also defined. + :type calculated_fields: [CalculatedField], optional + :param cases: Cases for generating signals. :type cases: [SecurityMonitoringRuleCaseCreate] @@ -45,6 +48,9 @@ def __init__(self, **kwargs): :param reference_tables: Reference tables for the rule. :type reference_tables: [SecurityMonitoringReferenceTable], optional + :param scheduling_options: Options for scheduled rules. When this field is present, the rule runs based on the schedule. When absent, it runs real-time on ingested logs. + :type scheduling_options: SecurityMonitoringSchedulingOptions, none_type, optional + :param tags: Tags for generated signals. :type tags: [str], optional diff --git a/src/datadog_api_client/v2/model/security_monitoring_rule_update_payload.py b/src/datadog_api_client/v2/model/security_monitoring_rule_update_payload.py index efd7fe7900..e4f8680d07 100644 --- a/src/datadog_api_client/v2/model/security_monitoring_rule_update_payload.py +++ b/src/datadog_api_client/v2/model/security_monitoring_rule_update_payload.py 
@@ -8,12 +8,14 @@ from datadog_api_client.model_utils import ( ModelNormal, cached_property, + none_type, unset, UnsetType, ) if TYPE_CHECKING: + from datadog_api_client.v2.model.calculated_field import CalculatedField from datadog_api_client.v2.model.security_monitoring_rule_case import SecurityMonitoringRuleCase from datadog_api_client.v2.model.cloud_configuration_rule_compliance_signal_options import ( CloudConfigurationRuleComplianceSignalOptions, @@ -22,6 +24,7 @@ from datadog_api_client.v2.model.security_monitoring_rule_options import SecurityMonitoringRuleOptions from datadog_api_client.v2.model.security_monitoring_rule_query import SecurityMonitoringRuleQuery from datadog_api_client.v2.model.security_monitoring_reference_table import SecurityMonitoringReferenceTable + from datadog_api_client.v2.model.security_monitoring_scheduling_options import SecurityMonitoringSchedulingOptions from datadog_api_client.v2.model.security_monitoring_third_party_rule_case import ( SecurityMonitoringThirdPartyRuleCase, ) @@ -38,6 +41,7 @@ class SecurityMonitoringRuleUpdatePayload(ModelNormal): @cached_property def openapi_types(_): + from datadog_api_client.v2.model.calculated_field import CalculatedField from datadog_api_client.v2.model.security_monitoring_rule_case import SecurityMonitoringRuleCase from datadog_api_client.v2.model.cloud_configuration_rule_compliance_signal_options import ( CloudConfigurationRuleComplianceSignalOptions, 
@@ -46,11 +50,15 @@ def openapi_types(_): from datadog_api_client.v2.model.security_monitoring_rule_options import SecurityMonitoringRuleOptions from datadog_api_client.v2.model.security_monitoring_rule_query import SecurityMonitoringRuleQuery from datadog_api_client.v2.model.security_monitoring_reference_table import SecurityMonitoringReferenceTable + from datadog_api_client.v2.model.security_monitoring_scheduling_options import ( + SecurityMonitoringSchedulingOptions, + ) from datadog_api_client.v2.model.security_monitoring_third_party_rule_case import ( SecurityMonitoringThirdPartyRuleCase, ) return { + "calculated_fields": ([CalculatedField],), "cases": ([SecurityMonitoringRuleCase],), "compliance_signal_options": (CloudConfigurationRuleComplianceSignalOptions,), "custom_message": (str,), @@ -64,12 +72,14 @@ def openapi_types(_): "options": (SecurityMonitoringRuleOptions,), "queries": ([SecurityMonitoringRuleQuery],), "reference_tables": ([SecurityMonitoringReferenceTable],), + "scheduling_options": (SecurityMonitoringSchedulingOptions,), "tags": ([str],), "third_party_cases": ([SecurityMonitoringThirdPartyRuleCase],), "version": (int,), } attribute_map = { + "calculated_fields": "calculatedFields", "cases": "cases", "compliance_signal_options": "complianceSignalOptions", "custom_message": "customMessage", @@ -83,6 +93,7 @@ def openapi_types(_): "options": "options", "queries": "queries", "reference_tables": "referenceTables", + "scheduling_options": "schedulingOptions", "tags": "tags", "third_party_cases": "thirdPartyCases", "version": "version", @@ -90,6 +101,7 @@ def openapi_types(_): def __init__( self_, + calculated_fields: Union[List[CalculatedField], UnsetType] = unset, cases: Union[List[SecurityMonitoringRuleCase], UnsetType] = unset, compliance_signal_options: Union[CloudConfigurationRuleComplianceSignalOptions, UnsetType] = unset, custom_message: Union[str, UnsetType] = unset, 
@@ -110,6 +122,7 @@ def __init__( UnsetType, ] = unset, reference_tables: Union[List[SecurityMonitoringReferenceTable], UnsetType] = unset, + scheduling_options: Union[SecurityMonitoringSchedulingOptions, none_type, UnsetType] = unset, tags: Union[List[str], UnsetType] = unset, third_party_cases: Union[List[SecurityMonitoringThirdPartyRuleCase], UnsetType] = unset, version: Union[int, UnsetType] = unset, @@ -118,6 +131,9 @@ def __init__( """ Update an existing rule. + :param calculated_fields: Calculated fields. Only allowed for scheduled rules - in other words, when schedulingOptions is also defined. + :type calculated_fields: [CalculatedField], optional + :param cases: Cases for generating signals. :type cases: [SecurityMonitoringRuleCase], optional @@ -157,6 +173,9 @@ def __init__( :param reference_tables: Reference tables for the rule. :type reference_tables: [SecurityMonitoringReferenceTable], optional + :param scheduling_options: Options for scheduled rules. When this field is present, the rule runs based on the schedule. When absent, it runs real-time on ingested logs. + :type scheduling_options: SecurityMonitoringSchedulingOptions, none_type, optional + :param tags: Tags for generated signals. :type tags: [str], optional @@ -166,6 +185,8 @@ def __init__( :param version: The version of the rule being updated. :type version: int, optional """ + if calculated_fields is not unset: + kwargs["calculated_fields"] = calculated_fields if cases is not unset: kwargs["cases"] = cases if compliance_signal_options is not unset: @@ -192,6 +213,8 @@ def __init__( kwargs["queries"] = queries if reference_tables is not unset: kwargs["reference_tables"] = reference_tables + if scheduling_options is not unset: + kwargs["scheduling_options"] = scheduling_options if tags is not unset: kwargs["tags"] = tags if third_party_cases is not unset: 
diff --git a/src/datadog_api_client/v2/model/security_monitoring_rule_validate_payload.py b/src/datadog_api_client/v2/model/security_monitoring_rule_validate_payload.py index 21d28ae960..0bfbe3c941 100644 --- a/src/datadog_api_client/v2/model/security_monitoring_rule_validate_payload.py +++ b/src/datadog_api_client/v2/model/security_monitoring_rule_validate_payload.py @@ -15,6 +15,9 @@ def __init__(self, **kwargs): """ Validate a rule. + :param calculated_fields: Calculated fields. Only allowed for scheduled rules - in other words, when schedulingOptions is also defined. + :type calculated_fields: [CalculatedField], optional + :param cases: Cases for generating signals. :type cases: [SecurityMonitoringRuleCaseCreate] @@ -51,6 +54,9 @@ def __init__(self, **kwargs): :param reference_tables: Reference tables for the rule. :type reference_tables: [SecurityMonitoringReferenceTable], optional + :param scheduling_options: Options for scheduled rules. When this field is present, the rule runs based on the schedule. When absent, it runs real-time on ingested logs. + :type scheduling_options: SecurityMonitoringSchedulingOptions, none_type, optional + :param tags: Tags for generated signals. :type tags: [str], optional diff --git a/src/datadog_api_client/v2/model/security_monitoring_scheduling_options.py b/src/datadog_api_client/v2/model/security_monitoring_scheduling_options.py new file mode 100644 index 0000000000..dca7f156e7 --- /dev/null +++ b/src/datadog_api_client/v2/model/security_monitoring_scheduling_options.py 
@@ -0,0 +1,58 @@ +# Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. +# This product includes software developed at Datadog (https://www.datadoghq.com/). +# Copyright 2019-Present Datadog, Inc. +from __future__ import annotations + +from typing import Union + +from datadog_api_client.model_utils import ( + ModelNormal, + cached_property, + unset, + UnsetType, +) + + +class SecurityMonitoringSchedulingOptions(ModelNormal): + _nullable = True + + @cached_property + def openapi_types(_): + return { + "rrule": (str,), + "start": (str,), + "timezone": (str,), + } + + attribute_map = { + "rrule": "rrule", + "start": "start", + "timezone": "timezone", + } + + def __init__( + self_, + rrule: Union[str, UnsetType] = unset, + start: Union[str, UnsetType] = unset, + timezone: Union[str, UnsetType] = unset, + **kwargs, + ): + """ + Options for scheduled rules. When this field is present, the rule runs based on the schedule. When absent, it runs real-time on ingested logs. + + :param rrule: Schedule for the rule queries, written in RRULE syntax. See `RFC `_ for syntax reference. + :type rrule: str, optional + + :param start: Start date for the schedule, in ISO 8601 format without timezone. + :type start: str, optional + + :param timezone: Time zone of the start date, in the `tz database `_ format. + :type timezone: str, optional + """ + if rrule is not unset: + kwargs["rrule"] = rrule + if start is not unset: + kwargs["start"] = start + if timezone is not unset: + kwargs["timezone"] = timezone + super().__init__(kwargs) diff --git a/src/datadog_api_client/v2/model/security_monitoring_standard_rule_create_payload.py b/src/datadog_api_client/v2/model/security_monitoring_standard_rule_create_payload.py index 8ee3bdbc50..b97f072111 100644 --- a/src/datadog_api_client/v2/model/security_monitoring_standard_rule_create_payload.py +++ b/src/datadog_api_client/v2/model/security_monitoring_standard_rule_create_payload.py 
@@ -8,17 +8,20 @@ from datadog_api_client.model_utils import ( ModelNormal, cached_property, + none_type, unset, UnsetType, ) if TYPE_CHECKING: + from datadog_api_client.v2.model.calculated_field import CalculatedField from datadog_api_client.v2.model.security_monitoring_rule_case_create import SecurityMonitoringRuleCaseCreate from datadog_api_client.v2.model.security_monitoring_filter import SecurityMonitoringFilter from datadog_api_client.v2.model.security_monitoring_rule_options import SecurityMonitoringRuleOptions from datadog_api_client.v2.model.security_monitoring_standard_rule_query import SecurityMonitoringStandardRuleQuery from datadog_api_client.v2.model.security_monitoring_reference_table import SecurityMonitoringReferenceTable + from datadog_api_client.v2.model.security_monitoring_scheduling_options import SecurityMonitoringSchedulingOptions from datadog_api_client.v2.model.security_monitoring_third_party_rule_case_create import ( SecurityMonitoringThirdPartyRuleCaseCreate, ) @@ -28,6 +31,7 @@ class SecurityMonitoringStandardRuleCreatePayload(ModelNormal): @cached_property def openapi_types(_): + from datadog_api_client.v2.model.calculated_field import CalculatedField from datadog_api_client.v2.model.security_monitoring_rule_case_create import SecurityMonitoringRuleCaseCreate from datadog_api_client.v2.model.security_monitoring_filter import SecurityMonitoringFilter from datadog_api_client.v2.model.security_monitoring_rule_options import SecurityMonitoringRuleOptions 
@@ -35,12 +39,16 @@ def openapi_types(_): SecurityMonitoringStandardRuleQuery, ) from datadog_api_client.v2.model.security_monitoring_reference_table import SecurityMonitoringReferenceTable + from datadog_api_client.v2.model.security_monitoring_scheduling_options import ( + SecurityMonitoringSchedulingOptions, + ) from datadog_api_client.v2.model.security_monitoring_third_party_rule_case_create import ( SecurityMonitoringThirdPartyRuleCaseCreate, ) from datadog_api_client.v2.model.security_monitoring_rule_type_create import SecurityMonitoringRuleTypeCreate return { + "calculated_fields": ([CalculatedField],), "cases": ([SecurityMonitoringRuleCaseCreate],), "filters": ([SecurityMonitoringFilter],), "group_signals_by": ([str],), @@ -51,12 +59,14 @@ def openapi_types(_): "options": (SecurityMonitoringRuleOptions,), "queries": ([SecurityMonitoringStandardRuleQuery],), "reference_tables": ([SecurityMonitoringReferenceTable],), + "scheduling_options": (SecurityMonitoringSchedulingOptions,), "tags": ([str],), "third_party_cases": ([SecurityMonitoringThirdPartyRuleCaseCreate],), "type": (SecurityMonitoringRuleTypeCreate,), } attribute_map = { + "calculated_fields": "calculatedFields", "cases": "cases", "filters": "filters", "group_signals_by": "groupSignalsBy", @@ -67,6 +77,7 @@ def openapi_types(_): "options": "options", "queries": "queries", "reference_tables": "referenceTables", + "scheduling_options": "schedulingOptions", "tags": "tags", "third_party_cases": "thirdPartyCases", "type": "type", 
@@ -80,10 +91,12 @@ def __init__( name: str, options: SecurityMonitoringRuleOptions, queries: List[SecurityMonitoringStandardRuleQuery], + calculated_fields: Union[List[CalculatedField], UnsetType] = unset, filters: Union[List[SecurityMonitoringFilter], UnsetType] = unset, group_signals_by: Union[List[str], UnsetType] = unset, has_extended_title: Union[bool, UnsetType] = unset, reference_tables: Union[List[SecurityMonitoringReferenceTable], UnsetType] = unset, + scheduling_options: Union[SecurityMonitoringSchedulingOptions, none_type, UnsetType] = unset, tags: Union[List[str], UnsetType] = unset, third_party_cases: Union[List[SecurityMonitoringThirdPartyRuleCaseCreate], UnsetType] = unset, type: Union[SecurityMonitoringRuleTypeCreate, UnsetType] = unset, @@ -92,6 +105,9 @@ def __init__( """ Create a new rule. + :param calculated_fields: Calculated fields. Only allowed for scheduled rules - in other words, when schedulingOptions is also defined. + :type calculated_fields: [CalculatedField], optional + :param cases: Cases for generating signals. :type cases: [SecurityMonitoringRuleCaseCreate] @@ -122,6 +138,9 @@ def __init__( :param reference_tables: Reference tables for the rule. :type reference_tables: [SecurityMonitoringReferenceTable], optional + :param scheduling_options: Options for scheduled rules. When this field is present, the rule runs based on the schedule. When absent, it runs real-time on ingested logs. + :type scheduling_options: SecurityMonitoringSchedulingOptions, none_type, optional + :param tags: Tags for generated signals. :type tags: [str], optional @@ -131,6 +150,8 @@ def __init__( :param type: The rule type. :type type: SecurityMonitoringRuleTypeCreate, optional """ + if calculated_fields is not unset: + kwargs["calculated_fields"] = calculated_fields if filters is not unset: kwargs["filters"] = filters if group_signals_by is not unset: 
@@ -139,6 +160,8 @@ def __init__( kwargs["has_extended_title"] = has_extended_title if reference_tables is not unset: kwargs["reference_tables"] = reference_tables + if scheduling_options is not unset: + kwargs["scheduling_options"] = scheduling_options if tags is not unset: kwargs["tags"] = tags if third_party_cases is not unset: diff --git a/src/datadog_api_client/v2/model/security_monitoring_standard_rule_payload.py b/src/datadog_api_client/v2/model/security_monitoring_standard_rule_payload.py index f0bb911b6e..65b9684d0c 100644 --- a/src/datadog_api_client/v2/model/security_monitoring_standard_rule_payload.py +++ b/src/datadog_api_client/v2/model/security_monitoring_standard_rule_payload.py @@ -8,17 +8,20 @@ from datadog_api_client.model_utils import ( ModelNormal, cached_property, + none_type, unset, UnsetType, ) if TYPE_CHECKING: + from datadog_api_client.v2.model.calculated_field import CalculatedField from datadog_api_client.v2.model.security_monitoring_rule_case_create import SecurityMonitoringRuleCaseCreate from datadog_api_client.v2.model.security_monitoring_filter import SecurityMonitoringFilter from datadog_api_client.v2.model.security_monitoring_rule_options import SecurityMonitoringRuleOptions from datadog_api_client.v2.model.security_monitoring_standard_rule_query import SecurityMonitoringStandardRuleQuery from datadog_api_client.v2.model.security_monitoring_reference_table import SecurityMonitoringReferenceTable + from datadog_api_client.v2.model.security_monitoring_scheduling_options import SecurityMonitoringSchedulingOptions from datadog_api_client.v2.model.security_monitoring_third_party_rule_case_create import ( SecurityMonitoringThirdPartyRuleCaseCreate, ) 
@@ -28,6 +31,7 @@ class SecurityMonitoringStandardRulePayload(ModelNormal): @cached_property def openapi_types(_): + from datadog_api_client.v2.model.calculated_field import CalculatedField from datadog_api_client.v2.model.security_monitoring_rule_case_create import SecurityMonitoringRuleCaseCreate from datadog_api_client.v2.model.security_monitoring_filter import SecurityMonitoringFilter from datadog_api_client.v2.model.security_monitoring_rule_options import SecurityMonitoringRuleOptions @@ -35,12 +39,16 @@ def openapi_types(_): SecurityMonitoringStandardRuleQuery, ) from datadog_api_client.v2.model.security_monitoring_reference_table import SecurityMonitoringReferenceTable + from datadog_api_client.v2.model.security_monitoring_scheduling_options import ( + SecurityMonitoringSchedulingOptions, + ) from datadog_api_client.v2.model.security_monitoring_third_party_rule_case_create import ( SecurityMonitoringThirdPartyRuleCaseCreate, ) from datadog_api_client.v2.model.security_monitoring_rule_type_create import SecurityMonitoringRuleTypeCreate return { + "calculated_fields": ([CalculatedField],), "cases": ([SecurityMonitoringRuleCaseCreate],), "custom_message": (str,), "custom_name": (str,), @@ -53,12 +61,14 @@ def openapi_types(_): "options": (SecurityMonitoringRuleOptions,), "queries": ([SecurityMonitoringStandardRuleQuery],), "reference_tables": ([SecurityMonitoringReferenceTable],), + "scheduling_options": (SecurityMonitoringSchedulingOptions,), "tags": ([str],), "third_party_cases": ([SecurityMonitoringThirdPartyRuleCaseCreate],), "type": (SecurityMonitoringRuleTypeCreate,), } attribute_map = { + "calculated_fields": "calculatedFields", "cases": "cases", "custom_message": "customMessage", "custom_name": "customName", @@ -71,6 +81,7 @@ def openapi_types(_): "options": "options", "queries": "queries", "reference_tables": "referenceTables", + "scheduling_options": "schedulingOptions", "tags": "tags", "third_party_cases": "thirdPartyCases", "type": "type", 
@@ -84,12 +95,14 @@ def __init__( name: str, options: SecurityMonitoringRuleOptions, queries: List[SecurityMonitoringStandardRuleQuery], + calculated_fields: Union[List[CalculatedField], UnsetType] = unset, custom_message: Union[str, UnsetType] = unset, custom_name: Union[str, UnsetType] = unset, filters: Union[List[SecurityMonitoringFilter], UnsetType] = unset, group_signals_by: Union[List[str], UnsetType] = unset, has_extended_title: Union[bool, UnsetType] = unset, reference_tables: Union[List[SecurityMonitoringReferenceTable], UnsetType] = unset, + scheduling_options: Union[SecurityMonitoringSchedulingOptions, none_type, UnsetType] = unset, tags: Union[List[str], UnsetType] = unset, third_party_cases: Union[List[SecurityMonitoringThirdPartyRuleCaseCreate], UnsetType] = unset, type: Union[SecurityMonitoringRuleTypeCreate, UnsetType] = unset, @@ -98,6 +111,9 @@ def __init__( """ The payload of a rule. + :param calculated_fields: Calculated fields. Only allowed for scheduled rules - in other words, when schedulingOptions is also defined. + :type calculated_fields: [CalculatedField], optional + :param cases: Cases for generating signals. :type cases: [SecurityMonitoringRuleCaseCreate] @@ -134,6 +150,9 @@ def __init__( :param reference_tables: Reference tables for the rule. :type reference_tables: [SecurityMonitoringReferenceTable], optional + :param scheduling_options: Options for scheduled rules. When this field is present, the rule runs based on the schedule. When absent, it runs real-time on ingested logs. + :type scheduling_options: SecurityMonitoringSchedulingOptions, none_type, optional + :param tags: Tags for generated signals. :type tags: [str], optional 
@@ -143,6 +162,8 @@ def __init__( :param type: The rule type. :type type: SecurityMonitoringRuleTypeCreate, optional """ + if calculated_fields is not unset: + kwargs["calculated_fields"] = calculated_fields if custom_message is not unset: kwargs["custom_message"] = custom_message if custom_name is not unset: @@ -155,6 +176,8 @@ def __init__( kwargs["has_extended_title"] = has_extended_title if reference_tables is not unset: kwargs["reference_tables"] = reference_tables + if scheduling_options is not unset: + kwargs["scheduling_options"] = scheduling_options if tags is not unset: kwargs["tags"] = tags if third_party_cases is not unset: diff --git a/src/datadog_api_client/v2/model/security_monitoring_standard_rule_query.py b/src/datadog_api_client/v2/model/security_monitoring_standard_rule_query.py index 5aaeea7910..f1f00318a4 100644 --- a/src/datadog_api_client/v2/model/security_monitoring_standard_rule_query.py +++ b/src/datadog_api_client/v2/model/security_monitoring_standard_rule_query.py @@ -39,6 +39,7 @@ def openapi_types(_): "distinct_fields": ([str],), "group_by_fields": ([str],), "has_optional_group_by_fields": (bool,), + "index": (str,), "metric": (str,), "metrics": ([str],), "name": (str,), @@ -52,6 +53,7 @@ def openapi_types(_): "distinct_fields": "distinctFields", "group_by_fields": "groupByFields", "has_optional_group_by_fields": "hasOptionalGroupByFields", + "index": "index", "metric": "metric", "metrics": "metrics", "name": "name", @@ -69,6 +71,7 @@ def __init__( distinct_fields: Union[List[str], UnsetType] = unset, group_by_fields: Union[List[str], UnsetType] = unset, has_optional_group_by_fields: Union[bool, UnsetType] = unset, + index: Union[str, UnsetType] = unset, metric: Union[str, UnsetType] = unset, metrics: Union[List[str], UnsetType] = unset, name: Union[str, UnsetType] = unset, 
@@ -96,6 +99,10 @@ def __init__( :param has_optional_group_by_fields: When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with ``N/A`` , replacing the missing values. :type has_optional_group_by_fields: bool, optional + :param index: **This field is currently unstable and might be removed in a minor version upgrade.** + The index to run the query on, if the ``dataSource`` is ``logs``. Only used for scheduled rules - in other words, when the ``schedulingOptions`` field is present in the rule payload. + :type index: str, optional + :param metric: (Deprecated) The target field to aggregate over when using the sum or max aggregations. ``metrics`` field should be used instead. **Deprecated**. :type metric: str, optional @@ -121,6 +128,8 @@ def __init__( kwargs["group_by_fields"] = group_by_fields if has_optional_group_by_fields is not unset: kwargs["has_optional_group_by_fields"] = has_optional_group_by_fields + if index is not unset: + kwargs["index"] = index if metric is not unset: kwargs["metric"] = metric if metrics is not unset: diff --git a/src/datadog_api_client/v2/model/security_monitoring_standard_rule_response.py b/src/datadog_api_client/v2/model/security_monitoring_standard_rule_response.py index 29c4cfb6a9..24d922bd95 100644 --- a/src/datadog_api_client/v2/model/security_monitoring_standard_rule_response.py +++ b/src/datadog_api_client/v2/model/security_monitoring_standard_rule_response.py @@ -8,12 +8,14 @@ from datadog_api_client.model_utils import ( ModelNormal, cached_property, + none_type, unset, UnsetType, ) if TYPE_CHECKING: + from datadog_api_client.v2.model.calculated_field import CalculatedField from datadog_api_client.v2.model.security_monitoring_rule_case import SecurityMonitoringRuleCase from datadog_api_client.v2.model.cloud_configuration_rule_compliance_signal_options import ( CloudConfigurationRuleComplianceSignalOptions, 
@@ -22,6 +24,7 @@ from datadog_api_client.v2.model.security_monitoring_rule_options import SecurityMonitoringRuleOptions from datadog_api_client.v2.model.security_monitoring_standard_rule_query import SecurityMonitoringStandardRuleQuery from datadog_api_client.v2.model.security_monitoring_reference_table import SecurityMonitoringReferenceTable + from datadog_api_client.v2.model.security_monitoring_scheduling_options import SecurityMonitoringSchedulingOptions from datadog_api_client.v2.model.security_monitoring_third_party_rule_case import ( SecurityMonitoringThirdPartyRuleCase, ) @@ -31,6 +34,7 @@ class SecurityMonitoringStandardRuleResponse(ModelNormal): @cached_property def openapi_types(_): + from datadog_api_client.v2.model.calculated_field import CalculatedField from datadog_api_client.v2.model.security_monitoring_rule_case import SecurityMonitoringRuleCase from datadog_api_client.v2.model.cloud_configuration_rule_compliance_signal_options import ( CloudConfigurationRuleComplianceSignalOptions, @@ -41,12 +45,16 @@ def openapi_types(_): SecurityMonitoringStandardRuleQuery, ) from datadog_api_client.v2.model.security_monitoring_reference_table import SecurityMonitoringReferenceTable + from datadog_api_client.v2.model.security_monitoring_scheduling_options import ( + SecurityMonitoringSchedulingOptions, + ) from datadog_api_client.v2.model.security_monitoring_third_party_rule_case import ( SecurityMonitoringThirdPartyRuleCase, ) from datadog_api_client.v2.model.security_monitoring_rule_type_read import SecurityMonitoringRuleTypeRead return { + "calculated_fields": ([CalculatedField],), "cases": ([SecurityMonitoringRuleCase],), "compliance_signal_options": (CloudConfigurationRuleComplianceSignalOptions,), "created_at": (int,), 
@@ -67,6 +75,7 @@ def openapi_types(_): "options": (SecurityMonitoringRuleOptions,), "queries": ([SecurityMonitoringStandardRuleQuery],), "reference_tables": ([SecurityMonitoringReferenceTable],), + "scheduling_options": (SecurityMonitoringSchedulingOptions,), "tags": ([str],), "third_party_cases": ([SecurityMonitoringThirdPartyRuleCase],), "type": (SecurityMonitoringRuleTypeRead,), @@ -76,6 +85,7 @@ def openapi_types(_): } attribute_map = { + "calculated_fields": "calculatedFields", "cases": "cases", "compliance_signal_options": "complianceSignalOptions", "created_at": "createdAt", @@ -96,6 +106,7 @@ def openapi_types(_): "options": "options", "queries": "queries", "reference_tables": "referenceTables", + "scheduling_options": "schedulingOptions", "tags": "tags", "third_party_cases": "thirdPartyCases", "type": "type", @@ -106,6 +117,7 @@ def openapi_types(_): def __init__( self_, + calculated_fields: Union[List[CalculatedField], UnsetType] = unset, cases: Union[List[SecurityMonitoringRuleCase], UnsetType] = unset, compliance_signal_options: Union[CloudConfigurationRuleComplianceSignalOptions, UnsetType] = unset, created_at: Union[int, UnsetType] = unset, @@ -126,6 +138,7 @@ def __init__( options: Union[SecurityMonitoringRuleOptions, UnsetType] = unset, queries: Union[List[SecurityMonitoringStandardRuleQuery], UnsetType] = unset, reference_tables: Union[List[SecurityMonitoringReferenceTable], UnsetType] = unset, + scheduling_options: Union[SecurityMonitoringSchedulingOptions, none_type, UnsetType] = unset, tags: Union[List[str], UnsetType] = unset, third_party_cases: Union[List[SecurityMonitoringThirdPartyRuleCase], UnsetType] = unset, type: Union[SecurityMonitoringRuleTypeRead, UnsetType] = unset, 
@@ -137,6 +150,9 @@ def __init__( """ Rule. + :param calculated_fields: Calculated fields. Only allowed for scheduled rules - in other words, when schedulingOptions is also defined. + :type calculated_fields: [CalculatedField], optional + :param cases: Cases for generating signals. :type cases: [SecurityMonitoringRuleCase], optional @@ -197,6 +213,9 @@ def __init__( :param reference_tables: Reference tables for the rule. :type reference_tables: [SecurityMonitoringReferenceTable], optional + :param scheduling_options: Options for scheduled rules. When this field is present, the rule runs based on the schedule. When absent, it runs real-time on ingested logs. + :type scheduling_options: SecurityMonitoringSchedulingOptions, none_type, optional + :param tags: Tags for generated signals. :type tags: [str], optional @@ -215,6 +234,8 @@ def __init__( :param version: The version of the rule. :type version: int, optional """ + if calculated_fields is not unset: + kwargs["calculated_fields"] = calculated_fields if cases is not unset: kwargs["cases"] = cases if compliance_signal_options is not unset: @@ -255,6 +276,8 @@ def __init__( kwargs["queries"] = queries if reference_tables is not unset: kwargs["reference_tables"] = reference_tables + if scheduling_options is not unset: + kwargs["scheduling_options"] = scheduling_options if tags is not unset: kwargs["tags"] = tags if third_party_cases is not unset: diff --git a/src/datadog_api_client/v2/model/security_monitoring_standard_rule_test_payload.py b/src/datadog_api_client/v2/model/security_monitoring_standard_rule_test_payload.py index aa5f7030d2..9ad76d4413 100644 --- a/src/datadog_api_client/v2/model/security_monitoring_standard_rule_test_payload.py +++ b/src/datadog_api_client/v2/model/security_monitoring_standard_rule_test_payload.py 
@@ -8,17 +8,20 @@ from datadog_api_client.model_utils import ( ModelNormal, cached_property, + none_type, unset, UnsetType, ) if TYPE_CHECKING: + from datadog_api_client.v2.model.calculated_field import CalculatedField from datadog_api_client.v2.model.security_monitoring_rule_case_create import SecurityMonitoringRuleCaseCreate from datadog_api_client.v2.model.security_monitoring_filter import SecurityMonitoringFilter from datadog_api_client.v2.model.security_monitoring_rule_options import SecurityMonitoringRuleOptions from datadog_api_client.v2.model.security_monitoring_standard_rule_query import SecurityMonitoringStandardRuleQuery from datadog_api_client.v2.model.security_monitoring_reference_table import SecurityMonitoringReferenceTable + from datadog_api_client.v2.model.security_monitoring_scheduling_options import SecurityMonitoringSchedulingOptions from datadog_api_client.v2.model.security_monitoring_third_party_rule_case_create import ( SecurityMonitoringThirdPartyRuleCaseCreate, ) @@ -28,6 +31,7 @@ class SecurityMonitoringStandardRuleTestPayload(ModelNormal): @cached_property def openapi_types(_): + from datadog_api_client.v2.model.calculated_field import CalculatedField from datadog_api_client.v2.model.security_monitoring_rule_case_create import SecurityMonitoringRuleCaseCreate from datadog_api_client.v2.model.security_monitoring_filter import SecurityMonitoringFilter from datadog_api_client.v2.model.security_monitoring_rule_options import SecurityMonitoringRuleOptions 
@@ -35,12 +39,16 @@ def openapi_types(_): SecurityMonitoringStandardRuleQuery, ) from datadog_api_client.v2.model.security_monitoring_reference_table import SecurityMonitoringReferenceTable + from datadog_api_client.v2.model.security_monitoring_scheduling_options import ( + SecurityMonitoringSchedulingOptions, + ) from datadog_api_client.v2.model.security_monitoring_third_party_rule_case_create import ( SecurityMonitoringThirdPartyRuleCaseCreate, ) from datadog_api_client.v2.model.security_monitoring_rule_type_test import SecurityMonitoringRuleTypeTest return { + "calculated_fields": ([CalculatedField],), "cases": ([SecurityMonitoringRuleCaseCreate],), "filters": ([SecurityMonitoringFilter],), "group_signals_by": ([str],), @@ -51,12 +59,14 @@ def openapi_types(_): "options": (SecurityMonitoringRuleOptions,), "queries": ([SecurityMonitoringStandardRuleQuery],), "reference_tables": ([SecurityMonitoringReferenceTable],), + "scheduling_options": (SecurityMonitoringSchedulingOptions,), "tags": ([str],), "third_party_cases": ([SecurityMonitoringThirdPartyRuleCaseCreate],), "type": (SecurityMonitoringRuleTypeTest,), } attribute_map = { + "calculated_fields": "calculatedFields", "cases": "cases", "filters": "filters", "group_signals_by": "groupSignalsBy", @@ -67,6 +77,7 @@ def openapi_types(_): "options": "options", "queries": "queries", "reference_tables": "referenceTables", + "scheduling_options": "schedulingOptions", "tags": "tags", "third_party_cases": "thirdPartyCases", "type": "type", 
@@ -80,10 +91,12 @@ def __init__( name: str, options: SecurityMonitoringRuleOptions, queries: List[SecurityMonitoringStandardRuleQuery], + calculated_fields: Union[List[CalculatedField], UnsetType] = unset, filters: Union[List[SecurityMonitoringFilter], UnsetType] = unset, group_signals_by: Union[List[str], UnsetType] = unset, has_extended_title: Union[bool, UnsetType] = unset, reference_tables: Union[List[SecurityMonitoringReferenceTable], UnsetType] = unset, + scheduling_options: Union[SecurityMonitoringSchedulingOptions, none_type, UnsetType] = unset, tags: Union[List[str], UnsetType] = unset, third_party_cases: Union[List[SecurityMonitoringThirdPartyRuleCaseCreate], UnsetType] = unset, type: Union[SecurityMonitoringRuleTypeTest, UnsetType] = unset, @@ -92,6 +105,9 @@ def __init__( """ The payload of a rule to test + :param calculated_fields: Calculated fields. Only allowed for scheduled rules - in other words, when schedulingOptions is also defined. + :type calculated_fields: [CalculatedField], optional + :param cases: Cases for generating signals. :type cases: [SecurityMonitoringRuleCaseCreate] @@ -122,6 +138,9 @@ def __init__( :param reference_tables: Reference tables for the rule. :type reference_tables: [SecurityMonitoringReferenceTable], optional + :param scheduling_options: Options for scheduled rules. When this field is present, the rule runs based on the schedule. When absent, it runs real-time on ingested logs. + :type scheduling_options: SecurityMonitoringSchedulingOptions, none_type, optional + :param tags: Tags for generated signals. :type tags: [str], optional @@ -131,6 +150,8 @@ def __init__( :param type: The rule type. :type type: SecurityMonitoringRuleTypeTest, optional """ + if calculated_fields is not unset: + kwargs["calculated_fields"] = calculated_fields if filters is not unset: kwargs["filters"] = filters if group_signals_by is not unset: 
@@ -139,6 +160,8 @@ def __init__( kwargs["has_extended_title"] = has_extended_title if reference_tables is not unset: kwargs["reference_tables"] = reference_tables + if scheduling_options is not unset: + kwargs["scheduling_options"] = scheduling_options if tags is not unset: kwargs["tags"] = tags if third_party_cases is not unset: diff --git a/src/datadog_api_client/v2/models/__init__.py b/src/datadog_api_client/v2/models/__init__.py index ae9e62f682..52e92ab3f7 100644 --- a/src/datadog_api_client/v2/models/__init__.py +++ b/src/datadog_api_client/v2/models/__init__.py @@ -3126,6 +3126,7 @@ from datadog_api_client.v2.model.security_monitoring_rule_type_test import SecurityMonitoringRuleTypeTest from datadog_api_client.v2.model.security_monitoring_rule_update_payload import SecurityMonitoringRuleUpdatePayload from datadog_api_client.v2.model.security_monitoring_rule_validate_payload import SecurityMonitoringRuleValidatePayload +from datadog_api_client.v2.model.security_monitoring_scheduling_options import SecurityMonitoringSchedulingOptions from datadog_api_client.v2.model.security_monitoring_signal import SecurityMonitoringSignal from datadog_api_client.v2.model.security_monitoring_signal_archive_reason import SecurityMonitoringSignalArchiveReason from datadog_api_client.v2.model.security_monitoring_signal_assignee_update_attributes import ( @@ -6148,6 +6149,7 @@ "SecurityMonitoringRuleTypeTest", "SecurityMonitoringRuleUpdatePayload", "SecurityMonitoringRuleValidatePayload", + "SecurityMonitoringSchedulingOptions", "SecurityMonitoringSignal", "SecurityMonitoringSignalArchiveReason", "SecurityMonitoringSignalAssigneeUpdateAttributes", diff --git a/tests/v2/cassettes/test_scenarios/test_create_a_scheduled_detection_rule_returns_ok_response.frozen b/tests/v2/cassettes/test_scenarios/test_create_a_scheduled_detection_rule_returns_ok_response.frozen new file mode 100644 index 0000000000..5c8f2a4f08 --- /dev/null 
+++ b/tests/v2/cassettes/test_scenarios/test_create_a_scheduled_detection_rule_returns_ok_response.frozen @@ -0,0 +1 @@ +2025-07-31T07:48:27.113Z \ No newline at end of file diff --git a/tests/v2/cassettes/test_scenarios/test_create_a_scheduled_detection_rule_returns_ok_response.yaml b/tests/v2/cassettes/test_scenarios/test_create_a_scheduled_detection_rule_returns_ok_response.yaml new file mode 100644 index 0000000000..06476082ec --- /dev/null +++ b/tests/v2/cassettes/test_scenarios/test_create_a_scheduled_detection_rule_returns_ok_response.yaml 
@@ -0,0 +1,36 @@ +interactions: +- request: + body: '{"cases":[{"condition":"a > 0","name":"","notifications":[],"status":"info"}],"filters":[],"isEnabled":true,"message":"Test + rule","name":"Test-Create_a_scheduled_detection_rule_returns_OK_response-1753948107","options":{"evaluationWindow":900,"keepAlive":3600,"maxSignalDuration":86400},"queries":[{"aggregation":"count","distinctFields":[],"groupByFields":[],"index":"main","query":"@test:true"}],"schedulingOptions":{"rrule":"FREQ=HOURLY;INTERVAL=2;","start":"2025-06-18T12:00:00","timezone":"Europe/Paris"},"tags":[],"type":"log_detection"}' + headers: + accept: + - application/json + content-type: + - application/json + method: POST + uri: https://api.datadoghq.com/api/v2/security_monitoring/rules + response: + body: + string: '{"name":"Test-Create_a_scheduled_detection_rule_returns_OK_response-1753948107","createdAt":1753948107557,"isDefault":false,"isPartner":false,"isEnabled":true,"isBeta":false,"isDeleted":false,"isDeprecated":false,"queries":[{"query":"@test:true","groupByFields":[],"hasOptionalGroupByFields":false,"distinctFields":[],"aggregation":"count","name":"","dataSource":"logs","index":"main"}],"options":{"evaluationWindow":900,"detectionMethod":"threshold","maxSignalDuration":86400,"keepAlive":3600},"cases":[{"name":"","status":"info","notifications":[],"condition":"a + \u003e 0"}],"message":"Test rule","tags":[],"hasExtendedTitle":false,"type":"log_detection","filters":[],"version":1,"id":"8dd-els-oyn","blocking":false,"metadata":{"entities":null,"sources":null},"creationAuthorId":1445416,"creator":{"handle":"frog@datadoghq.com","name":"frog"},"updater":{"handle":"","name":""},"schedulingOptions":{"rrule":"FREQ=HOURLY;INTERVAL=2;","start":"2025-06-18T12:00:00","timezone":"Europe/Paris"}}' + headers: + content-type: + - application/json + status: + code: 200 + message: OK +- request: + body: null + headers: + accept: + - '*/*' + method: DELETE + uri: 
https://api.datadoghq.com/api/v2/security_monitoring/rules/8dd-els-oyn + response: + body: + string: '' + headers: {} + status: + code: 204 + message: No Content +version: 1 diff --git a/tests/v2/cassettes/test_scenarios/test_create_a_scheduled_rule_without_rrule_returns_bad_request_response.frozen b/tests/v2/cassettes/test_scenarios/test_create_a_scheduled_rule_without_rrule_returns_bad_request_response.frozen new file mode 100644 index 0000000000..74170d6acd --- /dev/null +++ b/tests/v2/cassettes/test_scenarios/test_create_a_scheduled_rule_without_rrule_returns_bad_request_response.frozen @@ -0,0 +1 @@ +2025-07-31T07:49:14.474Z \ No newline at end of file diff --git a/tests/v2/cassettes/test_scenarios/test_create_a_scheduled_rule_without_rrule_returns_bad_request_response.yaml b/tests/v2/cassettes/test_scenarios/test_create_a_scheduled_rule_without_rrule_returns_bad_request_response.yaml new file mode 100644 index 0000000000..c72d5bf4df --- /dev/null +++ b/tests/v2/cassettes/test_scenarios/test_create_a_scheduled_rule_without_rrule_returns_bad_request_response.yaml 
@@ -0,0 +1,22 @@ +interactions: +- request: + body: '{"cases":[{"condition":"a > 0","name":"","notifications":[],"status":"info"}],"filters":[],"isEnabled":true,"message":"Test + rule","name":"Test-Create_a_scheduled_rule_without_rrule_returns_Bad_Request_response-1753948154","options":{"evaluationWindow":900,"keepAlive":3600,"maxSignalDuration":86400},"queries":[{"aggregation":"count","distinctFields":[],"groupByFields":[],"index":"main","query":"@test:true"}],"schedulingOptions":{"start":"2025-06-18T12:00:00","timezone":"Europe/Paris"},"tags":[],"type":"log_detection"}' + headers: + accept: + - application/json + content-type: + - application/json + method: POST + uri: https://api.datadoghq.com/api/v2/security_monitoring/rules + response: + body: + string: '{"error":{"code":"InvalidArgument","message":"Invalid rule configuration","details":[{"code":"InvalidArgument","message":"The + RRULE schedule is invalid for scheduled rules","target":"schedulingOptions.rrule"}]}}' + headers: + content-type: + - application/json + status: + code: 400 + message: Bad Request +version: 1 diff --git a/tests/v2/features/security_monitoring.feature b/tests/v2/features/security_monitoring.feature index 28df5a0644..3acea8148d 100644 --- a/tests/v2/features/security_monitoring.feature +++ b/tests/v2/features/security_monitoring.feature 
@@ -295,6 +295,24 @@ Feature: Security Monitoring When the request is sent Then the response status is 201 Successfully created the notification rule. + @team:DataDog/k9-cloud-security-platform + Scenario: Create a scheduled detection rule returns "OK" response + Given new "CreateSecurityMonitoringRule" request + And body with value {"name":"{{ unique }}", "queries":[{"query":"@test:true","aggregation":"count","groupByFields":[],"distinctFields":[],"index":"main"}],"filters":[],"cases":[{"name":"","status":"info","condition":"a > 0","notifications":[]}],"options":{"evaluationWindow":900,"keepAlive":3600,"maxSignalDuration":86400},"message":"Test rule","tags":[],"isEnabled":true, "type":"log_detection", "schedulingOptions": {"rrule": "FREQ=HOURLY;INTERVAL=2;", "start": "2025-06-18T12:00:00", "timezone": "Europe/Paris"}} + When the request is sent + Then the response status is 200 OK + And the response "name" is equal to "{{ unique }}" + And the response "type" is equal to "log_detection" + And the response "message" is equal to "Test rule" + And the response "schedulingOptions" is equal to {"rrule": "FREQ=HOURLY;INTERVAL=2;", "start": "2025-06-18T12:00:00", "timezone": "Europe/Paris"} + + @team:DataDog/k9-cloud-security-platform + Scenario: Create a scheduled rule without rrule returns "Bad Request" response + Given new "CreateSecurityMonitoringRule" request + And body with value {"name":"{{ unique }}", "queries":[{"query":"@test:true","aggregation":"count","groupByFields":[],"distinctFields":[],"index":"main"}],"filters":[],"cases":[{"name":"","status":"info","condition":"a > 0","notifications":[]}],"options":{"evaluationWindow":900,"keepAlive":3600,"maxSignalDuration":86400},"message":"Test rule","tags":[],"isEnabled":true, "type":"log_detection", "schedulingOptions": {"start": "2025-06-18T12:00:00", "timezone": "Europe/Paris"}} + When the request is sent + Then the response status is 400 Bad Request + @generated @skip @team:DataDog/k9-cloud-security-platform 
Scenario: Create a security filter returns "Bad Request" response Given new "CreateSecurityFilter" request
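Review bot: The new "Create a scheduled rule without rrule" scenario asserts only `Then the response status is 400 Bad Request`, so it would still pass if the API rejected the body for an unrelated reason while the rrule validation itself had regressed. The cassette recorded for this scenario returns an error detail whose target is `schedulingOptions.rrule`. Pinning that ties the test to the check it is named after, for example with `And the response "error.details[0].target" is equal to "schedulingOptions.rrule"`, assuming the step grammar accepts that path. The positive scenario covers `schedulingOptions` and `index` only. The `calculatedFields` field added in the same commit, and a null `schedulingOptions`, appear to have no scenario in this hunk.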