DataDog · api-clients-generation-pipeline · Oct 14, 2025 · Oct 14, 2025
@@ -9472,6 +9472,10 @@ components:
           description: The name of the policy
           example: my_agent_policy
           type: string
+        pinned:
+          description: Whether the policy is pinned
+          example: false
+          type: boolean
         policyVersion:
           description: The version of the policy
           example: '1'
@@ -9499,6 +9503,8 @@ components:
           type: integer
         updater:
           $ref: '#/components/schemas/CloudWorkloadSecurityAgentPolicyUpdaterAttributes'
+        versions:
+          $ref: '#/components/schemas/CloudWorkloadSecurityAgentPolicyVersions'
       type: object
     CloudWorkloadSecurityAgentPolicyCreateAttributes:
       description: Create a new Cloud Workload Security Agent policy
@@ -9645,6 +9651,23 @@ components:
           nullable: true
           type: string
       type: object
+    CloudWorkloadSecurityAgentPolicyVersion:
+      description: The versions of the policy
+      properties:
+        Date:
+          description: The date and time the version was created
+          nullable: true
+          type: string
+        Name:
+          description: The version of the policy
+          example: 1.47.0-rc2
+          type: string
+      type: object
+    CloudWorkloadSecurityAgentPolicyVersions:
+      description: The versions of the policy
+      items:
+        $ref: '#/components/schemas/CloudWorkloadSecurityAgentPolicyVersion'
+      type: array
     CloudWorkloadSecurityAgentRuleAction:
       description: The action the rule can perform if triggered
       properties:
@@ -9682,23 +9705,32 @@ components:
       description: The set action applied on the scope matching the rule
       properties:
         append:
-          description: Whether the value should be appended to the field
+          description: Whether the value should be appended to the field.
           type: boolean
+        default_value:
+          description: The default value of the set action
+          type: string
+        expression:
+          description: The expression of the set action.
+          type: string
         field:
           description: The field of the set action
           type: string
+        inherited:
+          description: Whether the value should be inherited.
+          type: boolean
         name:
           description: The name of the set action
           type: string
         scope:
-          description: The scope of the set action
+          description: The scope of the set action.
           type: string
         size:
-          description: The size of the set action
+          description: The size of the set action.
           format: int64
           type: integer
         ttl:
-          description: The time to live of the set action
+          description: The time to live of the set action.
           format: int64
           type: integer
         value:
@@ -9779,6 +9811,10 @@ components:
           items:
             type: string
           type: array
+        silent:
+          description: Whether the rule is silent.
+          example: false
+          type: boolean
         updateAuthorUuId:
           description: The ID of the user who updated the rule
           example: e51c9744-d158-11ec-ad23-da7ad0900002
@@ -9806,8 +9842,11 @@ components:
       properties:
         actions:
           $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleActions'
+        agent_version:
+          description: Constrain the rule to specific versions of the Datadog Agent.
+          type: string
         blocking:
-          description: The blocking policies that the rule belongs to
+          description: The blocking policies that the rule belongs to.
           items:
             type: string
           type: array
@@ -9816,25 +9855,25 @@ components:
           example: My Agent rule
           type: string
         disabled:
-          description: The disabled policies that the rule belongs to
+          description: The disabled policies that the rule belongs to.
           items:
             type: string
           type: array
         enabled:
-          description: Whether the Agent rule is enabled
+          description: Whether the Agent rule is enabled.
           example: true
           type: boolean
         expression:
           description: The SECL expression of the Agent rule.
           example: exec.file.name == "sh"
           type: string
         filters:
-          description: The platforms the Agent rule is supported on
+          description: The platforms the Agent rule is supported on.
           items:
             type: string
           type: array
         monitoring:
-          description: The monitoring policies that the rule belongs to
+          description: The monitoring policies that the rule belongs to.
           items:
             type: string
           type: array
@@ -9843,14 +9882,18 @@ components:
           example: my_agent_rule
           type: string
         policy_id:
-          description: The ID of the policy where the Agent rule is saved
+          description: The ID of the policy where the Agent rule is saved.
           example: a8c8e364-6556-434d-b798-a4c23de29c0b
           type: string
         product_tags:
-          description: The list of product tags associated with the rule
+          description: The list of product tags associated with the rule.
           items:
             type: string
           type: array
+        silent:
+          description: Whether the rule is silent.
+          example: false
+          type: boolean
       required:
       - name
       - expression
@@ -9930,6 +9973,9 @@ components:
       properties:
         actions:
           $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleActions'
+        agent_version:
+          description: Constrain the rule to specific versions of the Datadog Agent
+          type: string
         blocking:
           description: The blocking policies that the rule belongs to
           items:
@@ -9966,6 +10012,10 @@ components:
           items:
             type: string
           type: array
+        silent:
+          description: Whether the rule is silent.
+          example: false
+          type: boolean
       type: object
     CloudWorkloadSecurityAgentRuleUpdateData:
       description: Object for a single Agent rule

@@ -25,7 +25,7 @@
                     "env:test",
                 ],
             ],
-            name="my_agent_policy",
+            name="my_agent_policy_2",
         ),
         type=CloudWorkloadSecurityAgentPolicyType.POLICY,
     ),

@@ -25,6 +25,7 @@
             description="My Agent rule",
             enabled=True,
             expression='exec.file.name == "sh"',
+            agent_version="> 7.60",
             filters=[],
             name="examplecsmthreat",
             policy_id=POLICY_DATA_ID,

@@ -42,6 +42,7 @@
                         name="test_set",
                         value="test_value",
                         scope="process",
+                        inherited=True,
                     ),
                 ),
                 CloudWorkloadSecurityAgentRuleAction(

@@ -0,0 +1,56 @@
+"""
+Create a Workload Protection agent rule with set action with expression returns "OK" response
+"""
+
+from os import environ
+from datadog_api_client import ApiClient, Configuration
+from datadog_api_client.v2.api.csm_threats_api import CSMThreatsApi
+from datadog_api_client.v2.model.cloud_workload_security_agent_rule_action import CloudWorkloadSecurityAgentRuleAction
+from datadog_api_client.v2.model.cloud_workload_security_agent_rule_action_set import (
+    CloudWorkloadSecurityAgentRuleActionSet,
+)
+from datadog_api_client.v2.model.cloud_workload_security_agent_rule_create_attributes import (
+    CloudWorkloadSecurityAgentRuleCreateAttributes,
+)
+from datadog_api_client.v2.model.cloud_workload_security_agent_rule_create_data import (
+    CloudWorkloadSecurityAgentRuleCreateData,
+)
+from datadog_api_client.v2.model.cloud_workload_security_agent_rule_create_request import (
+    CloudWorkloadSecurityAgentRuleCreateRequest,
+)
+from datadog_api_client.v2.model.cloud_workload_security_agent_rule_type import CloudWorkloadSecurityAgentRuleType
+
+# there is a valid "policy_rc" in the system
+POLICY_DATA_ID = environ["POLICY_DATA_ID"]
+
+body = CloudWorkloadSecurityAgentRuleCreateRequest(
+    data=CloudWorkloadSecurityAgentRuleCreateData(
+        attributes=CloudWorkloadSecurityAgentRuleCreateAttributes(
+            description="My Agent rule with set action with expression",
+            enabled=True,
+            expression='exec.file.name == "sh"',
+            filters=[],
+            name="examplecsmthreat",
+            policy_id=POLICY_DATA_ID,
+            product_tags=[],
+            actions=[
+                CloudWorkloadSecurityAgentRuleAction(
+                    set=CloudWorkloadSecurityAgentRuleActionSet(
+                        name="test_set",
+                        expression="open.file.path",
+                        default_value="/dev/null",
+                        scope="process",
+                    ),
+                ),
+            ],
+        ),
+        type=CloudWorkloadSecurityAgentRuleType.AGENT_RULE,
+    ),
+)
+
+configuration = Configuration()
+with ApiClient(configuration) as api_client:
+    api_instance = CSMThreatsApi(api_client)
+    response = api_instance.create_csm_threats_agent_rule(body=body)
+
+    print(response)
@@ -17,6 +17,9 @@
     from datadog_api_client.v2.model.cloud_workload_security_agent_policy_updater_attributes import (
         CloudWorkloadSecurityAgentPolicyUpdaterAttributes,
     )
+    from datadog_api_client.v2.model.cloud_workload_security_agent_policy_version import (
+        CloudWorkloadSecurityAgentPolicyVersion,
+    )
 
 
 class CloudWorkloadSecurityAgentPolicyAttributes(ModelNormal):
@@ -40,6 +43,9 @@ def openapi_types(_):
         from datadog_api_client.v2.model.cloud_workload_security_agent_policy_updater_attributes import (
             CloudWorkloadSecurityAgentPolicyUpdaterAttributes,
         )
+        from datadog_api_client.v2.model.cloud_workload_security_agent_policy_version import (
+            CloudWorkloadSecurityAgentPolicyVersion,
+        )
 
         return {
             "blocking_rules_count": (int,),
@@ -51,12 +57,14 @@ def openapi_types(_):
             "host_tags_lists": ([[str]],),
             "monitoring_rules_count": (int,),
             "name": (str,),
+            "pinned": (bool,),
             "policy_version": (str,),
             "priority": (int,),
             "rule_count": (int,),
             "update_date": (int,),
             "updated_at": (int,),
             "updater": (CloudWorkloadSecurityAgentPolicyUpdaterAttributes,),
+            "versions": ([CloudWorkloadSecurityAgentPolicyVersion],),
         }
 
     attribute_map = {
@@ -69,12 +77,14 @@ def openapi_types(_):
         "host_tags_lists": "hostTagsLists",
         "monitoring_rules_count": "monitoringRulesCount",
         "name": "name",
+        "pinned": "pinned",
         "policy_version": "policyVersion",
         "priority": "priority",
         "rule_count": "ruleCount",
         "update_date": "updateDate",
         "updated_at": "updatedAt",
         "updater": "updater",
+        "versions": "versions",
     }
 
     def __init__(
@@ -88,12 +98,14 @@ def __init__(
         host_tags_lists: Union[List[List[str]], UnsetType] = unset,
         monitoring_rules_count: Union[int, UnsetType] = unset,
         name: Union[str, UnsetType] = unset,
+        pinned: Union[bool, UnsetType] = unset,
         policy_version: Union[str, UnsetType] = unset,
         priority: Union[int, UnsetType] = unset,
         rule_count: Union[int, UnsetType] = unset,
         update_date: Union[int, UnsetType] = unset,
         updated_at: Union[int, UnsetType] = unset,
         updater: Union[CloudWorkloadSecurityAgentPolicyUpdaterAttributes, UnsetType] = unset,
+        versions: Union[List[CloudWorkloadSecurityAgentPolicyVersion], UnsetType] = unset,
         **kwargs,
     ):
         """
@@ -126,6 +138,9 @@ def __init__(
         :param name: The name of the policy
         :type name: str, optional
 
+        :param pinned: Whether the policy is pinned
+        :type pinned: bool, optional
+
         :param policy_version: The version of the policy
         :type policy_version: str, optional
 
@@ -143,6 +158,9 @@ def __init__(
 
         :param updater: The attributes of the user who last updated the policy
         :type updater: CloudWorkloadSecurityAgentPolicyUpdaterAttributes, optional
+
+        :param versions: The versions of the policy
+        :type versions: [CloudWorkloadSecurityAgentPolicyVersion], optional
         """
         if blocking_rules_count is not unset:
             kwargs["blocking_rules_count"] = blocking_rules_count
@@ -162,6 +180,8 @@ def __init__(
             kwargs["monitoring_rules_count"] = monitoring_rules_count
         if name is not unset:
             kwargs["name"] = name
+        if pinned is not unset:
+            kwargs["pinned"] = pinned
         if policy_version is not unset:
             kwargs["policy_version"] = policy_version
         if priority is not unset:
@@ -174,4 +194,6 @@ def __init__(
             kwargs["updated_at"] = updated_at
         if updater is not unset:
             kwargs["updater"] = updater
+        if versions is not unset:
+            kwargs["versions"] = versions
         super().__init__(kwargs)