diff --git a/.generator/schemas/v2/openapi.yaml b/.generator/schemas/v2/openapi.yaml index 8a51fd127e..800c3477a4 100644 --- a/.generator/schemas/v2/openapi.yaml +++ b/.generator/schemas/v2/openapi.yaml @@ -29884,6 +29884,30 @@ components: required: - self type: object + GetIoCIndicatorResponse: + description: Response for the get indicator of compromise endpoint. + properties: + data: + $ref: "#/components/schemas/GetIoCIndicatorResponseData" + type: object + GetIoCIndicatorResponseAttributes: + description: Attributes of the get indicator response. + properties: + data: + $ref: "#/components/schemas/IoCIndicatorDetailed" + type: object + GetIoCIndicatorResponseData: + description: IoC indicator response data object. + properties: + attributes: + $ref: "#/components/schemas/GetIoCIndicatorResponseAttributes" + id: + description: Unique identifier for the response. + type: string + type: + description: Response type identifier. + type: string + type: object GetIssueIncludeQueryParameterItem: description: Relationship object that should be included in the response. enum: 
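Review bot: `GetIoCIndicatorResponseData.type` is an unconstrained string described only as `Response type identifier.`, and `id` only as `Unique identifier for the response.`, which tells a client nothing about what value to expect; `IoCExplorerListResponseData` in the next hunk carries the same two properties with the same wording. If the server returns a fixed value for `type`, pin it with an enum, e.g. `enum: [<response-type-value>]` plus a matching `x-enum-varnames` entry, as other enums in this spec are declared (only `GetIssueIncludeQueryParameterItem`'s enum is visible here, so this is inferred). `GetIoCIndicatorResponseAttributes` also wraps the indicator under a second `data` key, so callers read `response.data.attributes.data`; a sentence in that schema's description saying so would save a lookup.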
@@ -35391,6 +35415,301 @@ components: type: string x-enum-varnames: - INVESTIGATION + IoCExplorerListResponse: + description: Response for the list indicators of compromise endpoint. + properties: + data: + $ref: "#/components/schemas/IoCExplorerListResponseData" + type: object + IoCExplorerListResponseAttributes: + description: Attributes of the IoC Explorer list response. + properties: + data: + description: List of indicators of compromise. + items: + $ref: "#/components/schemas/IoCIndicator" + type: array + metadata: + $ref: "#/components/schemas/IoCExplorerListResponseMetadata" + paging: + $ref: "#/components/schemas/IoCExplorerListResponsePaging" + type: object + IoCExplorerListResponseData: + description: IoC Explorer list response data object. + properties: + attributes: + $ref: "#/components/schemas/IoCExplorerListResponseAttributes" + id: + description: Unique identifier for the response. + type: string + type: + description: Response type identifier. + type: string + type: object + IoCExplorerListResponseMetadata: + description: Response metadata. + properties: + count: + description: Total number of indicators matching the query. + format: int64 + type: integer + type: object + IoCExplorerListResponsePaging: + description: Pagination information. + properties: + offset: + description: Current pagination offset. + format: int64 + type: integer + type: object + IoCGeoLocation: + description: Geographic location information for an IP indicator. + properties: + city: + description: City name. + type: string + country_code: + description: ISO country code. + type: string + country_name: + description: Full country name. + type: string + type: object + IoCIndicator: + description: An indicator of compromise with threat intelligence data. + properties: + as_geo: + $ref: "#/components/schemas/IoCGeoLocation" + as_type: + description: Autonomous system type. 
+ type: string + benign_sources: + description: Threat intelligence sources that flagged this indicator as benign. + items: + $ref: "#/components/schemas/IoCSource" + nullable: true + type: array + categories: + description: Threat categories associated with the indicator. + items: + type: string + type: array + first_seen: + description: Timestamp when the indicator was first seen. + format: date-time + type: string + id: + description: Unique identifier for the indicator. + type: string + indicator: + description: The indicator value (for example, an IP address or domain). + type: string + indicator_type: + description: Type of indicator (for example, IP address or domain). + type: string + last_seen: + description: Timestamp when the indicator was last seen. + format: date-time + type: string + log_matches: + description: Number of logs that matched this indicator. + format: int64 + type: integer + m_as_type: + $ref: "#/components/schemas/IoCScoreEffect" + m_persistence: + $ref: "#/components/schemas/IoCScoreEffect" + m_signal: + $ref: "#/components/schemas/IoCScoreEffect" + m_sources: + $ref: "#/components/schemas/IoCScoreEffect" + malicious_sources: + description: Threat intelligence sources that flagged this indicator as malicious. + items: + $ref: "#/components/schemas/IoCSource" + nullable: true + type: array + max_trust_score: + $ref: "#/components/schemas/IoCScoreEffect" + score: + description: Threat score for the indicator (0-100). + format: double + type: number + signal_matches: + description: Number of security signals that matched this indicator. + format: int64 + type: integer + signal_tier: + description: Signal tier level. + format: int64 + type: integer + suspicious_sources: + description: Threat intelligence sources that flagged this indicator as suspicious. + items: + $ref: "#/components/schemas/IoCSource" + nullable: true + type: array + tags: + description: Tags associated with the indicator. 
+ items: + type: string + type: array + type: object + IoCIndicatorDetailed: + description: An indicator of compromise with extended context from your environment. + properties: + additional_data: + additionalProperties: {} + description: Additional domain-specific context from threat intelligence sources. + type: object + as_cidr_block: + description: Autonomous system CIDR block. + type: string + as_geo: + $ref: "#/components/schemas/IoCGeoLocation" + as_number: + description: Autonomous system number. + type: string + as_organization: + description: Autonomous system organization name. + type: string + as_type: + description: Autonomous system type. + type: string + benign_sources: + description: Threat intelligence sources that flagged this indicator as benign. + items: + $ref: "#/components/schemas/IoCSource" + nullable: true + type: array + categories: + description: Threat categories associated with the indicator. + items: + type: string + type: array + critical_assets: + description: Critical assets associated with this indicator. + items: + type: string + type: array + first_seen: + description: Timestamp when the indicator was first seen. + format: date-time + type: string + hosts: + description: Hosts associated with this indicator. + items: + type: string + type: array + id: + description: Unique identifier for the indicator. + type: string + indicator: + description: The indicator value (for example, an IP address or domain). + type: string + indicator_type: + description: Type of indicator (for example, IP address or domain). + type: string + last_seen: + description: Timestamp when the indicator was last seen. + format: date-time + type: string + log_matches: + description: Number of logs that matched this indicator. + format: int64 + type: integer + log_sources: + description: Log sources where this indicator was observed. 
+ items: + type: string + type: array + m_as_type: + $ref: "#/components/schemas/IoCScoreEffect" + m_persistence: + $ref: "#/components/schemas/IoCScoreEffect" + m_signal: + $ref: "#/components/schemas/IoCScoreEffect" + m_sources: + $ref: "#/components/schemas/IoCScoreEffect" + malicious_sources: + description: Threat intelligence sources that flagged this indicator as malicious. + items: + $ref: "#/components/schemas/IoCSource" + nullable: true + type: array + max_trust_score: + $ref: "#/components/schemas/IoCScoreEffect" + score: + description: Threat score for the indicator (0-100). + format: double + type: number + services: + description: Services where this indicator was observed. + items: + type: string + type: array + signal_matches: + description: Number of security signals that matched this indicator. + format: int64 + type: integer + signal_severity: + description: Breakdown of security signals by severity. + items: + $ref: "#/components/schemas/IoCSignalSeverityCount" + type: array + signal_tier: + description: Signal tier level. + format: int64 + type: integer + suspicious_sources: + description: Threat intelligence sources that flagged this indicator as suspicious. + items: + $ref: "#/components/schemas/IoCSource" + nullable: true + type: array + tags: + description: Tags associated with the indicator. + items: + type: string + type: array + users: + additionalProperties: + description: List of user identifiers in this category. + items: + type: string + type: array + description: Users associated with this indicator, grouped by category. + type: object + type: object + IoCScoreEffect: + description: Effect of a scoring factor on the indicator's threat score. + enum: + - RAISE_SCORE + - LOWER_SCORE + - NO_EFFECT + type: string + x-enum-varnames: + - RAISE_SCORE + - LOWER_SCORE + - NO_EFFECT + IoCSignalSeverityCount: + description: Count of security signals by severity level. 
+ properties: + count: + description: Number of signals at this severity level. + format: int64 + type: integer + severity: + description: Severity level (for example, critical, high, medium, low, info). + type: string + type: object + IoCSource: + description: A threat intelligence source that has flagged an indicator. + properties: + name: + description: Name of the threat intelligence source. + type: string + type: object Issue: description: The issue matching the request. properties: 
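Review bot: `IoCIndicator.score` and `IoCIndicatorDetailed.score` are documented as `Threat score for the indicator (0-100).` but carry no bounds, so the range lives only in prose and the generated client validates nothing; add `minimum: 0` and `maximum: 100` under both `score` properties. The same applies to `IoCSignalSeverityCount.severity`, whose accepted values are listed in the description (`critical, high, medium, low, info`) rather than in an `enum`, and to `indicator_type`, which is likewise a free string with examples in prose. `IoCGeoLocation.country_code` says `ISO country code.` without naming the standard or length; `ISO 3166-1 alpha-2 country code.` would be precise if that is what the server emits (not visible here).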
@@ -110601,6 +110920,110 @@ paths: x-unstable: |- **Note**: This endpoint is a private preview. If you are interested in accessing this API, [fill out this form](https://forms.gle/kMYC1sDr6WDUBDsx9). + /api/v2/security/siem/ioc-explorer: + get: + description: |- + Get a list of indicators of compromise (IoCs) matching the specified filters. + operationId: ListIndicatorsOfCompromise + parameters: + - description: Number of results per page. + in: query + name: limit + required: false + schema: + default: 50 + format: int32 + maximum: 2147483647 + type: integer + - description: Pagination offset. + in: query + name: offset + required: false + schema: + default: 0 + format: int32 + maximum: 2147483647 + type: integer + - description: Search/filter query (supports field:value syntax). + in: query + name: query + required: false + schema: + type: string + - description: "Sort column: score, first_seen_ts_epoch, last_seen_ts_epoch, indicator, indicator_type, signal_count, log_count, category, as_type." + in: query + name: sort[column] + required: false + schema: + default: score + type: string + - description: "Sort order: asc or desc." + in: query + name: sort[order] + required: false + schema: + default: desc + type: string + responses: + "200": + content: + "application/json": + schema: + $ref: "#/components/schemas/IoCExplorerListResponse" + description: OK + "400": + $ref: "#/components/responses/BadRequestResponse" + "403": + $ref: "#/components/responses/NotAuthorizedResponse" + "429": + $ref: "#/components/responses/TooManyRequestsResponse" + security: + - apiKeyAuth: [] + appKeyAuth: [] + - AuthZ: + - security_monitoring_signals_read + summary: List indicators of compromise + tags: ["Security Monitoring"] + x-unstable: |- + **Note**: This endpoint is in beta and may be subject to changes. + Please check the documentation regularly for updates. 
+ /api/v2/security/siem/ioc-explorer/indicator: + get: + description: |- + Get detailed information about a specific indicator of compromise (IoC). + operationId: GetIndicatorOfCompromise + parameters: + - description: The indicator value to look up (for example, an IP address or domain). + in: query + name: indicator + required: true + schema: + type: string + responses: + "200": + content: + "application/json": + schema: + $ref: "#/components/schemas/GetIoCIndicatorResponse" + description: OK + "400": + $ref: "#/components/responses/BadRequestResponse" + "403": + $ref: "#/components/responses/NotAuthorizedResponse" + "404": + $ref: "#/components/responses/NotFoundResponse" + "429": + $ref: "#/components/responses/TooManyRequestsResponse" + security: + - apiKeyAuth: [] + appKeyAuth: [] + - AuthZ: + - security_monitoring_signals_read + summary: Get an indicator of compromise + tags: ["Security Monitoring"] + x-unstable: |- + **Note**: This endpoint is in beta and may be subject to changes. + Please check the documentation regularly for updates. /api/v2/security/signals/notification_rules: get: description: Returns the list of notification rules for security signals. diff --git a/docs/datadog_api_client.v2.model.rst b/docs/datadog_api_client.v2.model.rst index 5c807730dd..0f59a908f6 100644 --- a/docs/datadog_api_client.v2.model.rst +++ b/docs/datadog_api_client.v2.model.rst 
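Review bot: `sort[column]` and `sort[order]` are typed as plain strings with the accepted values given only in the description, so a typo such as `sort[order]=dsc` passes the generated client (the `params_map` entries for `sort_column`/`sort_order` added in `security_monitoring_api.py` in this change have no `validation` block) and only fails server-side as a 400; declare them as enums, e.g. `enum: [asc, desc]` for `sort[order]`, with `x-enum-varnames` as the spec does for its other enums. Likewise `limit` and `offset` carry `maximum: 2147483647` but no `minimum`, so negative values are accepted client-side; `minimum: 0` for `offset` and `minimum: 1` for `limit` would be picked up by the generator alongside the `inclusive_maximum` it already emits. Whether the server treats `limit: 0` as valid is not visible here, so the lower bound for `limit` should be confirmed against the service.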
@@ -12506,6 +12506,27 @@ datadog\_api\_client.v2.model.get\_investigation\_response\_links module :members: :show-inheritance: +datadog\_api\_client.v2.model.get\_io\_c\_indicator\_response module +-------------------------------------------------------------------- + +.. automodule:: datadog_api_client.v2.model.get_io_c_indicator_response + :members: + :show-inheritance: + +datadog\_api\_client.v2.model.get\_io\_c\_indicator\_response\_attributes module +-------------------------------------------------------------------------------- + +.. automodule:: datadog_api_client.v2.model.get_io_c_indicator_response_attributes + :members: + :show-inheritance: + +datadog\_api\_client.v2.model.get\_io\_c\_indicator\_response\_data module +-------------------------------------------------------------------------- + +.. automodule:: datadog_api_client.v2.model.get_io_c_indicator_response_data + :members: + :show-inheritance: + datadog\_api\_client.v2.model.get\_issue\_include\_query\_parameter\_item module -------------------------------------------------------------------------------- 
@@ -15054,6 +15075,83 @@ datadog\_api\_client.v2.model.investigation\_type module :members: :show-inheritance: +datadog\_api\_client.v2.model.io\_c\_explorer\_list\_response module +-------------------------------------------------------------------- + +.. automodule:: datadog_api_client.v2.model.io_c_explorer_list_response + :members: + :show-inheritance: + +datadog\_api\_client.v2.model.io\_c\_explorer\_list\_response\_attributes module +-------------------------------------------------------------------------------- + +.. automodule:: datadog_api_client.v2.model.io_c_explorer_list_response_attributes + :members: + :show-inheritance: + +datadog\_api\_client.v2.model.io\_c\_explorer\_list\_response\_data module +-------------------------------------------------------------------------- + +.. automodule:: datadog_api_client.v2.model.io_c_explorer_list_response_data + :members: + :show-inheritance: + +datadog\_api\_client.v2.model.io\_c\_explorer\_list\_response\_metadata module +------------------------------------------------------------------------------ + +.. automodule:: datadog_api_client.v2.model.io_c_explorer_list_response_metadata + :members: + :show-inheritance: + +datadog\_api\_client.v2.model.io\_c\_explorer\_list\_response\_paging module +---------------------------------------------------------------------------- + +.. automodule:: datadog_api_client.v2.model.io_c_explorer_list_response_paging + :members: + :show-inheritance: + +datadog\_api\_client.v2.model.io\_c\_geo\_location module +--------------------------------------------------------- + +.. automodule:: datadog_api_client.v2.model.io_c_geo_location + :members: + :show-inheritance: + +datadog\_api\_client.v2.model.io\_c\_indicator module +----------------------------------------------------- + +.. 
automodule:: datadog_api_client.v2.model.io_c_indicator + :members: + :show-inheritance: + +datadog\_api\_client.v2.model.io\_c\_indicator\_detailed module +--------------------------------------------------------------- + +.. automodule:: datadog_api_client.v2.model.io_c_indicator_detailed + :members: + :show-inheritance: + +datadog\_api\_client.v2.model.io\_c\_score\_effect module +--------------------------------------------------------- + +.. automodule:: datadog_api_client.v2.model.io_c_score_effect + :members: + :show-inheritance: + +datadog\_api\_client.v2.model.io\_c\_signal\_severity\_count module +------------------------------------------------------------------- + +.. automodule:: datadog_api_client.v2.model.io_c_signal_severity_count + :members: + :show-inheritance: + +datadog\_api\_client.v2.model.io\_c\_source module +-------------------------------------------------- + +.. automodule:: datadog_api_client.v2.model.io_c_source + :members: + :show-inheritance: + datadog\_api\_client.v2.model.ip\_allowlist\_attributes module -------------------------------------------------------------- diff --git a/examples/v2/security-monitoring/GetIndicatorOfCompromise.py b/examples/v2/security-monitoring/GetIndicatorOfCompromise.py new file mode 100644 index 0000000000..0e44580585 --- /dev/null +++ b/examples/v2/security-monitoring/GetIndicatorOfCompromise.py @@ -0,0 +1,16 @@ +""" +Get an indicator of compromise returns "OK" response +""" + +from datadog_api_client import ApiClient, Configuration +from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi + +configuration = Configuration() +configuration.unstable_operations["get_indicator_of_compromise"] = True +with ApiClient(configuration) as api_client: + api_instance = SecurityMonitoringApi(api_client) + response = api_instance.get_indicator_of_compromise( + indicator="masscan/1.3 (https://github.com/robertdavidgraham/masscan)", + ) + + print(response) 
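Review bot: The example calls `get_indicator_of_compromise` with a user-agent string (`masscan/1.3 (...)`), while the spec describes the `indicator` parameter as `an IP address or domain`; one of the two should be aligned, e.g. widen the description to `The indicator value to look up (for example, an IP address, domain, or user agent).` if such values are accepted. The value also shows that indicator strings are lifted from observed traffic, so consumers of the returned `IoCIndicatorDetailed` should treat `indicator`, `tags`, and `additional_data` as untrusted input when rendering or interpolating them; a line to that effect in those schema descriptions would help. Printing the response unchanged is fine for a sample.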
diff --git a/examples/v2/security-monitoring/ListIndicatorsOfCompromise.py b/examples/v2/security-monitoring/ListIndicatorsOfCompromise.py new file mode 100644 index 0000000000..d23a826110 --- /dev/null +++ b/examples/v2/security-monitoring/ListIndicatorsOfCompromise.py @@ -0,0 +1,16 @@ +""" +List indicators of compromise returns "OK" response +""" + +from datadog_api_client import ApiClient, Configuration +from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi + +configuration = Configuration() +configuration.unstable_operations["list_indicators_of_compromise"] = True +with ApiClient(configuration) as api_client: + api_instance = SecurityMonitoringApi(api_client) + response = api_instance.list_indicators_of_compromise( + limit=1, + ) + + print(response) diff --git a/src/datadog_api_client/configuration.py b/src/datadog_api_client/configuration.py index 6602924b5d..8383d6ba53 100644 --- a/src/datadog_api_client/configuration.py +++ b/src/datadog_api_client/configuration.py @@ -304,12 +304,14 @@ def __init__( "v2.delete_threat_hunting_job": False, "v2.get_content_packs_states": False, "v2.get_finding": False, + "v2.get_indicator_of_compromise": False, "v2.get_rule_version_history": False, "v2.get_secrets_rules": False, "v2.get_security_monitoring_histsignal": False, "v2.get_security_monitoring_histsignals_by_job_id": False, "v2.get_threat_hunting_job": False, "v2.list_findings": False, + "v2.list_indicators_of_compromise": False, "v2.list_multiple_rulesets": False, "v2.list_scanned_assets_metadata": False, "v2.list_security_monitoring_histsignals": False, diff --git a/src/datadog_api_client/v2/api/security_monitoring_api.py b/src/datadog_api_client/v2/api/security_monitoring_api.py index 3456effdab..e5c6b02989 100644 --- a/src/datadog_api_client/v2/api/security_monitoring_api.py +++ b/src/datadog_api_client/v2/api/security_monitoring_api.py 
@@ -56,6 +56,8 @@ from datadog_api_client.v2.model.sbom_format import SBOMFormat from datadog_api_client.v2.model.scanned_assets_metadata import ScannedAssetsMetadata from datadog_api_client.v2.model.cloud_asset_type import CloudAssetType +from datadog_api_client.v2.model.io_c_explorer_list_response import IoCExplorerListResponse +from datadog_api_client.v2.model.get_io_c_indicator_response import GetIoCIndicatorResponse from datadog_api_client.v2.model.notification_rule_response import NotificationRuleResponse from datadog_api_client.v2.model.create_notification_rule_parameters import CreateNotificationRuleParameters from datadog_api_client.v2.model.patch_notification_rule_parameters import PatchNotificationRuleParameters @@ -976,6 +978,29 @@ def __init__(self, api_client=None): api_client=api_client, ) + self._get_indicator_of_compromise_endpoint = _Endpoint( + settings={ + "response_type": (GetIoCIndicatorResponse,), + "auth": ["apiKeyAuth", "appKeyAuth", "AuthZ"], + "endpoint_path": "/api/v2/security/siem/ioc-explorer/indicator", + "operation_id": "get_indicator_of_compromise", + "http_method": "GET", + "version": "v2", + }, + params_map={ + "indicator": { + "required": True, + "openapi_types": (str,), + "attribute": "indicator", + "location": "query", + }, + }, + headers_map={ + "accept": ["application/json"], + }, + api_client=api_client, + ) + self._get_investigation_log_queries_matching_signal_endpoint = _Endpoint( settings={ "response_type": (SecurityMonitoringSignalSuggestedActionsResponse,), 
@@ -1673,6 +1698,54 @@ def __init__(self, api_client=None): api_client=api_client, ) + self._list_indicators_of_compromise_endpoint = _Endpoint( + settings={ + "response_type": (IoCExplorerListResponse,), + "auth": ["apiKeyAuth", "appKeyAuth", "AuthZ"], + "endpoint_path": "/api/v2/security/siem/ioc-explorer", + "operation_id": "list_indicators_of_compromise", + "http_method": "GET", + "version": "v2", + }, + params_map={ + "limit": { + "validation": { + "inclusive_maximum": 2147483647, + }, + "openapi_types": (int,), + "attribute": "limit", + "location": "query", + }, + "offset": { + "validation": { + "inclusive_maximum": 2147483647, + }, + "openapi_types": (int,), + "attribute": "offset", + "location": "query", + }, + "query": { + "openapi_types": (str,), + "attribute": "query", + "location": "query", + }, + "sort_column": { + "openapi_types": (str,), + "attribute": "sort[column]", + "location": "query", + }, + "sort_order": { + "openapi_types": (str,), + "attribute": "sort[order]", + "location": "query", + }, + }, + headers_map={ + "accept": ["application/json"], + }, + api_client=api_client, + ) + self._list_multiple_rulesets_endpoint = _Endpoint( settings={ "response_type": (GetMultipleRulesetsResponse,), @@ -3447,6 +3520,23 @@ def get_finding( return self._get_finding_endpoint.call_with_http_info(**kwargs) + def get_indicator_of_compromise( + self, + indicator: str, + ) -> GetIoCIndicatorResponse: + """Get an indicator of compromise. + + Get detailed information about a specific indicator of compromise (IoC). + + :param indicator: The indicator value to look up (for example, an IP address or domain). + :type indicator: str + :rtype: GetIoCIndicatorResponse + """ + kwargs: Dict[str, Any] = {} + kwargs["indicator"] = indicator + + return self._get_indicator_of_compromise_endpoint.call_with_http_info(**kwargs) + def get_investigation_log_queries_matching_signal( self, signal_id: str, 
@@ -4227,6 +4317,49 @@ def list_findings_with_pagination( } return endpoint.call_with_http_info_paginated(pagination) + def list_indicators_of_compromise( + self, + *, + limit: Union[int, UnsetType] = unset, + offset: Union[int, UnsetType] = unset, + query: Union[str, UnsetType] = unset, + sort_column: Union[str, UnsetType] = unset, + sort_order: Union[str, UnsetType] = unset, + ) -> IoCExplorerListResponse: + """List indicators of compromise. + + Get a list of indicators of compromise (IoCs) matching the specified filters. + + :param limit: Number of results per page. + :type limit: int, optional + :param offset: Pagination offset. + :type offset: int, optional + :param query: Search/filter query (supports field:value syntax). + :type query: str, optional + :param sort_column: Sort column: score, first_seen_ts_epoch, last_seen_ts_epoch, indicator, indicator_type, signal_count, log_count, category, as_type. + :type sort_column: str, optional + :param sort_order: Sort order: asc or desc. + :type sort_order: str, optional + :rtype: IoCExplorerListResponse + """ + kwargs: Dict[str, Any] = {} + if limit is not unset: + kwargs["limit"] = limit + + if offset is not unset: + kwargs["offset"] = offset + + if query is not unset: + kwargs["query"] = query + + if sort_column is not unset: + kwargs["sort_column"] = sort_column + + if sort_order is not unset: + kwargs["sort_order"] = sort_order + + return self._list_indicators_of_compromise_endpoint.call_with_http_info(**kwargs) + def list_multiple_rulesets( self, body: GetMultipleRulesetsRequest, diff --git a/src/datadog_api_client/v2/model/get_io_c_indicator_response.py b/src/datadog_api_client/v2/model/get_io_c_indicator_response.py new file mode 100644 index 0000000000..2353ea5842 --- /dev/null +++ b/src/datadog_api_client/v2/model/get_io_c_indicator_response.py 
@@ -0,0 +1,42 @@ +# Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. +# This product includes software developed at Datadog (https://www.datadoghq.com/). +# Copyright 2019-Present Datadog, Inc. +from __future__ import annotations + +from typing import Union, TYPE_CHECKING + +from datadog_api_client.model_utils import ( + ModelNormal, + cached_property, + unset, + UnsetType, +) + + +if TYPE_CHECKING: + from datadog_api_client.v2.model.get_io_c_indicator_response_data import GetIoCIndicatorResponseData + + +class GetIoCIndicatorResponse(ModelNormal): + @cached_property + def openapi_types(_): + from datadog_api_client.v2.model.get_io_c_indicator_response_data import GetIoCIndicatorResponseData + + return { + "data": (GetIoCIndicatorResponseData,), + } + + attribute_map = { + "data": "data", + } + + def __init__(self_, data: Union[GetIoCIndicatorResponseData, UnsetType] = unset, **kwargs): + """ + Response for the get indicator of compromise endpoint. + + :param data: IoC indicator response data object. + :type data: GetIoCIndicatorResponseData, optional + """ + if data is not unset: + kwargs["data"] = data + super().__init__(kwargs) diff --git a/src/datadog_api_client/v2/model/get_io_c_indicator_response_attributes.py b/src/datadog_api_client/v2/model/get_io_c_indicator_response_attributes.py new file mode 100644 index 0000000000..ae5021d4b7 --- /dev/null +++ b/src/datadog_api_client/v2/model/get_io_c_indicator_response_attributes.py 
@@ -0,0 +1,42 @@ +# Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. +# This product includes software developed at Datadog (https://www.datadoghq.com/). +# Copyright 2019-Present Datadog, Inc. +from __future__ import annotations + +from typing import Union, TYPE_CHECKING + +from datadog_api_client.model_utils import ( + ModelNormal, + cached_property, + unset, + UnsetType, +) + + +if TYPE_CHECKING: + from datadog_api_client.v2.model.io_c_indicator_detailed import IoCIndicatorDetailed + + +class GetIoCIndicatorResponseAttributes(ModelNormal): + @cached_property + def openapi_types(_): + from datadog_api_client.v2.model.io_c_indicator_detailed import IoCIndicatorDetailed + + return { + "data": (IoCIndicatorDetailed,), + } + + attribute_map = { + "data": "data", + } + + def __init__(self_, data: Union[IoCIndicatorDetailed, UnsetType] = unset, **kwargs): + """ + Attributes of the get indicator response. + + :param data: An indicator of compromise with extended context from your environment. + :type data: IoCIndicatorDetailed, optional + """ + if data is not unset: + kwargs["data"] = data + super().__init__(kwargs) diff --git a/src/datadog_api_client/v2/model/get_io_c_indicator_response_data.py b/src/datadog_api_client/v2/model/get_io_c_indicator_response_data.py new file mode 100644 index 0000000000..bbf545d47d --- /dev/null +++ b/src/datadog_api_client/v2/model/get_io_c_indicator_response_data.py 
@@ -0,0 +1,62 @@ +# Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. +# This product includes software developed at Datadog (https://www.datadoghq.com/). +# Copyright 2019-Present Datadog, Inc. +from __future__ import annotations + +from typing import Union, TYPE_CHECKING + +from datadog_api_client.model_utils import ( + ModelNormal, + cached_property, + unset, + UnsetType, +) + + +if TYPE_CHECKING: + from datadog_api_client.v2.model.get_io_c_indicator_response_attributes import GetIoCIndicatorResponseAttributes + + +class GetIoCIndicatorResponseData(ModelNormal): + @cached_property + def openapi_types(_): + from datadog_api_client.v2.model.get_io_c_indicator_response_attributes import GetIoCIndicatorResponseAttributes + + return { + "attributes": (GetIoCIndicatorResponseAttributes,), + "id": (str,), + "type": (str,), + } + + attribute_map = { + "attributes": "attributes", + "id": "id", + "type": "type", + } + + def __init__( + self_, + attributes: Union[GetIoCIndicatorResponseAttributes, UnsetType] = unset, + id: Union[str, UnsetType] = unset, + type: Union[str, UnsetType] = unset, + **kwargs, + ): + """ + IoC indicator response data object. + + :param attributes: Attributes of the get indicator response. + :type attributes: GetIoCIndicatorResponseAttributes, optional + + :param id: Unique identifier for the response. + :type id: str, optional + + :param type: Response type identifier. + :type type: str, optional + """ + if attributes is not unset: + kwargs["attributes"] = attributes + if id is not unset: + kwargs["id"] = id + if type is not unset: + kwargs["type"] = type + super().__init__(kwargs) diff --git a/src/datadog_api_client/v2/model/io_c_explorer_list_response.py b/src/datadog_api_client/v2/model/io_c_explorer_list_response.py new file mode 100644 index 0000000000..38db2df987 --- /dev/null +++ b/src/datadog_api_client/v2/model/io_c_explorer_list_response.py 
@@ -0,0 +1,42 @@ +# Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. +# This product includes software developed at Datadog (https://www.datadoghq.com/). +# Copyright 2019-Present Datadog, Inc. +from __future__ import annotations + +from typing import Union, TYPE_CHECKING + +from datadog_api_client.model_utils import ( + ModelNormal, + cached_property, + unset, + UnsetType, +) + + +if TYPE_CHECKING: + from datadog_api_client.v2.model.io_c_explorer_list_response_data import IoCExplorerListResponseData + + +class IoCExplorerListResponse(ModelNormal): + @cached_property + def openapi_types(_): + from datadog_api_client.v2.model.io_c_explorer_list_response_data import IoCExplorerListResponseData + + return { + "data": (IoCExplorerListResponseData,), + } + + attribute_map = { + "data": "data", + } + + def __init__(self_, data: Union[IoCExplorerListResponseData, UnsetType] = unset, **kwargs): + """ + Response for the list indicators of compromise endpoint. + + :param data: IoC Explorer list response data object. + :type data: IoCExplorerListResponseData, optional + """ + if data is not unset: + kwargs["data"] = data + super().__init__(kwargs) diff --git a/src/datadog_api_client/v2/model/io_c_explorer_list_response_attributes.py b/src/datadog_api_client/v2/model/io_c_explorer_list_response_attributes.py new file mode 100644 index 0000000000..2beb99caba --- /dev/null +++ b/src/datadog_api_client/v2/model/io_c_explorer_list_response_attributes.py 
@@ -0,0 +1,66 @@ +# Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. +# This product includes software developed at Datadog (https://www.datadoghq.com/). +# Copyright 2019-Present Datadog, Inc. +from __future__ import annotations + +from typing import List, Union, TYPE_CHECKING + +from datadog_api_client.model_utils import ( + ModelNormal, + cached_property, + unset, + UnsetType, +) + + +if TYPE_CHECKING: + from datadog_api_client.v2.model.io_c_indicator import IoCIndicator + from datadog_api_client.v2.model.io_c_explorer_list_response_metadata import IoCExplorerListResponseMetadata + from datadog_api_client.v2.model.io_c_explorer_list_response_paging import IoCExplorerListResponsePaging + + +class IoCExplorerListResponseAttributes(ModelNormal): + @cached_property + def openapi_types(_): + from datadog_api_client.v2.model.io_c_indicator import IoCIndicator + from datadog_api_client.v2.model.io_c_explorer_list_response_metadata import IoCExplorerListResponseMetadata + from datadog_api_client.v2.model.io_c_explorer_list_response_paging import IoCExplorerListResponsePaging + + return { + "data": ([IoCIndicator],), + "metadata": (IoCExplorerListResponseMetadata,), + "paging": (IoCExplorerListResponsePaging,), + } + + attribute_map = { + "data": "data", + "metadata": "metadata", + "paging": "paging", + } + + def __init__( + self_, + data: Union[List[IoCIndicator], UnsetType] = unset, + metadata: Union[IoCExplorerListResponseMetadata, UnsetType] = unset, + paging: Union[IoCExplorerListResponsePaging, UnsetType] = unset, + **kwargs, + ): + """ + Attributes of the IoC Explorer list response. + + :param data: List of indicators of compromise. + :type data: [IoCIndicator], optional + + :param metadata: Response metadata. + :type metadata: IoCExplorerListResponseMetadata, optional + + :param paging: Pagination information. 
+ :type paging: IoCExplorerListResponsePaging, optional + """ + if data is not unset: + kwargs["data"] = data + if metadata is not unset: + kwargs["metadata"] = metadata + if paging is not unset: + kwargs["paging"] = paging + super().__init__(kwargs) diff --git a/src/datadog_api_client/v2/model/io_c_explorer_list_response_data.py b/src/datadog_api_client/v2/model/io_c_explorer_list_response_data.py new file mode 100644 index 0000000000..b5cce31f12 --- /dev/null +++ b/src/datadog_api_client/v2/model/io_c_explorer_list_response_data.py 
@@ -0,0 +1,62 @@ +# Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. +# This product includes software developed at Datadog (https://www.datadoghq.com/). +# Copyright 2019-Present Datadog, Inc. +from __future__ import annotations + +from typing import Union, TYPE_CHECKING + +from datadog_api_client.model_utils import ( + ModelNormal, + cached_property, + unset, + UnsetType, +) + + +if TYPE_CHECKING: + from datadog_api_client.v2.model.io_c_explorer_list_response_attributes import IoCExplorerListResponseAttributes + + +class IoCExplorerListResponseData(ModelNormal): + @cached_property + def openapi_types(_): + from datadog_api_client.v2.model.io_c_explorer_list_response_attributes import IoCExplorerListResponseAttributes + + return { + "attributes": (IoCExplorerListResponseAttributes,), + "id": (str,), + "type": (str,), + } + + attribute_map = { + "attributes": "attributes", + "id": "id", + "type": "type", + } + + def __init__( + self_, + attributes: Union[IoCExplorerListResponseAttributes, UnsetType] = unset, + id: Union[str, UnsetType] = unset, + type: Union[str, UnsetType] = unset, + **kwargs, + ): + """ + IoC Explorer list response data object. + + :param attributes: Attributes of the IoC Explorer list response. + :type attributes: IoCExplorerListResponseAttributes, optional + + :param id: Unique identifier for the response. + :type id: str, optional + + :param type: Response type identifier. + :type type: str, optional + """ + if attributes is not unset: + kwargs["attributes"] = attributes + if id is not unset: + kwargs["id"] = id + if type is not unset: + kwargs["type"] = type + super().__init__(kwargs) diff --git a/src/datadog_api_client/v2/model/io_c_explorer_list_response_metadata.py b/src/datadog_api_client/v2/model/io_c_explorer_list_response_metadata.py new file mode 100644 index 0000000000..fb742d649f --- /dev/null +++ b/src/datadog_api_client/v2/model/io_c_explorer_list_response_metadata.py 
@@ -0,0 +1,36 @@ +# Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. +# This product includes software developed at Datadog (https://www.datadoghq.com/). +# Copyright 2019-Present Datadog, Inc. +from __future__ import annotations + +from typing import Union + +from datadog_api_client.model_utils import ( + ModelNormal, + cached_property, + unset, + UnsetType, +) + + +class IoCExplorerListResponseMetadata(ModelNormal): + @cached_property + def openapi_types(_): + return { + "count": (int,), + } + + attribute_map = { + "count": "count", + } + + def __init__(self_, count: Union[int, UnsetType] = unset, **kwargs): + """ + Response metadata. + + :param count: Total number of indicators matching the query. + :type count: int, optional + """ + if count is not unset: + kwargs["count"] = count + super().__init__(kwargs) diff --git a/src/datadog_api_client/v2/model/io_c_explorer_list_response_paging.py b/src/datadog_api_client/v2/model/io_c_explorer_list_response_paging.py new file mode 100644 index 0000000000..e1cd269633 --- /dev/null +++ b/src/datadog_api_client/v2/model/io_c_explorer_list_response_paging.py 
@@ -0,0 +1,36 @@ +# Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. +# This product includes software developed at Datadog (https://www.datadoghq.com/). +# Copyright 2019-Present Datadog, Inc. +from __future__ import annotations + +from typing import Union + +from datadog_api_client.model_utils import ( + ModelNormal, + cached_property, + unset, + UnsetType, +) + + +class IoCExplorerListResponsePaging(ModelNormal): + @cached_property + def openapi_types(_): + return { + "offset": (int,), + } + + attribute_map = { + "offset": "offset", + } + + def __init__(self_, offset: Union[int, UnsetType] = unset, **kwargs): + """ + Pagination information. + + :param offset: Current pagination offset. + :type offset: int, optional + """ + if offset is not unset: + kwargs["offset"] = offset + super().__init__(kwargs) diff --git a/src/datadog_api_client/v2/model/io_c_geo_location.py b/src/datadog_api_client/v2/model/io_c_geo_location.py new file mode 100644 index 0000000000..2c65b61740 --- /dev/null +++ b/src/datadog_api_client/v2/model/io_c_geo_location.py 
@@ -0,0 +1,56 @@ +# Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. +# This product includes software developed at Datadog (https://www.datadoghq.com/). +# Copyright 2019-Present Datadog, Inc. +from __future__ import annotations + +from typing import Union + +from datadog_api_client.model_utils import ( + ModelNormal, + cached_property, + unset, + UnsetType, +) + + +class IoCGeoLocation(ModelNormal): + @cached_property + def openapi_types(_): + return { + "city": (str,), + "country_code": (str,), + "country_name": (str,), + } + + attribute_map = { + "city": "city", + "country_code": "country_code", + "country_name": "country_name", + } + + def __init__( + self_, + city: Union[str, UnsetType] = unset, + country_code: Union[str, UnsetType] = unset, + country_name: Union[str, UnsetType] = unset, + **kwargs, + ): + """ + Geographic location information for an IP indicator. + + :param city: City name. + :type city: str, optional + + :param country_code: ISO country code. + :type country_code: str, optional + + :param country_name: Full country name. + :type country_name: str, optional + """ + if city is not unset: + kwargs["city"] = city + if country_code is not unset: + kwargs["country_code"] = country_code + if country_name is not unset: + kwargs["country_name"] = country_name + super().__init__(kwargs) diff --git a/src/datadog_api_client/v2/model/io_c_indicator.py b/src/datadog_api_client/v2/model/io_c_indicator.py new file mode 100644 index 0000000000..1b4a7d2704 --- /dev/null +++ b/src/datadog_api_client/v2/model/io_c_indicator.py 
@@ -0,0 +1,212 @@ +# Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. +# This product includes software developed at Datadog (https://www.datadoghq.com/). +# Copyright 2019-Present Datadog, Inc. +from __future__ import annotations + +from typing import List, Union, TYPE_CHECKING + +from datadog_api_client.model_utils import ( + ModelNormal, + cached_property, + datetime, + none_type, + unset, + UnsetType, +) + + +if TYPE_CHECKING: + from datadog_api_client.v2.model.io_c_geo_location import IoCGeoLocation + from datadog_api_client.v2.model.io_c_source import IoCSource + from datadog_api_client.v2.model.io_c_score_effect import IoCScoreEffect + + +class IoCIndicator(ModelNormal): + @cached_property + def openapi_types(_): + from datadog_api_client.v2.model.io_c_geo_location import IoCGeoLocation + from datadog_api_client.v2.model.io_c_source import IoCSource + from datadog_api_client.v2.model.io_c_score_effect import IoCScoreEffect + + return { + "as_geo": (IoCGeoLocation,), + "as_type": (str,), + "benign_sources": ([IoCSource], none_type), + "categories": ([str],), + "first_seen": (datetime,), + "id": (str,), + "indicator": (str,), + "indicator_type": (str,), + "last_seen": (datetime,), + "log_matches": (int,), + "m_as_type": (IoCScoreEffect,), + "m_persistence": (IoCScoreEffect,), + "m_signal": (IoCScoreEffect,), + "m_sources": (IoCScoreEffect,), + "malicious_sources": ([IoCSource], none_type), + "max_trust_score": (IoCScoreEffect,), + "score": (float,), + "signal_matches": (int,), + "signal_tier": (int,), + "suspicious_sources": ([IoCSource], none_type), + "tags": ([str],), + } + + attribute_map = { + "as_geo": "as_geo", + "as_type": "as_type", + "benign_sources": "benign_sources", + "categories": "categories", + "first_seen": "first_seen", + "id": "id", + "indicator": "indicator", + "indicator_type": "indicator_type", + "last_seen": "last_seen", + "log_matches": "log_matches", + "m_as_type": "m_as_type", + 
"m_persistence": "m_persistence", + "m_signal": "m_signal", + "m_sources": "m_sources", + "malicious_sources": "malicious_sources", + "max_trust_score": "max_trust_score", + "score": "score", + "signal_matches": "signal_matches", + "signal_tier": "signal_tier", + "suspicious_sources": "suspicious_sources", + "tags": "tags", + } + + def __init__( + self_, + as_geo: Union[IoCGeoLocation, UnsetType] = unset, + as_type: Union[str, UnsetType] = unset, + benign_sources: Union[List[IoCSource], none_type, UnsetType] = unset, + categories: Union[List[str], UnsetType] = unset, + first_seen: Union[datetime, UnsetType] = unset, + id: Union[str, UnsetType] = unset, + indicator: Union[str, UnsetType] = unset, + indicator_type: Union[str, UnsetType] = unset, + last_seen: Union[datetime, UnsetType] = unset, + log_matches: Union[int, UnsetType] = unset, + m_as_type: Union[IoCScoreEffect, UnsetType] = unset, + m_persistence: Union[IoCScoreEffect, UnsetType] = unset, + m_signal: Union[IoCScoreEffect, UnsetType] = unset, + m_sources: Union[IoCScoreEffect, UnsetType] = unset, + malicious_sources: Union[List[IoCSource], none_type, UnsetType] = unset, + max_trust_score: Union[IoCScoreEffect, UnsetType] = unset, + score: Union[float, UnsetType] = unset, + signal_matches: Union[int, UnsetType] = unset, + signal_tier: Union[int, UnsetType] = unset, + suspicious_sources: Union[List[IoCSource], none_type, UnsetType] = unset, + tags: Union[List[str], UnsetType] = unset, + **kwargs, + ): + """ + An indicator of compromise with threat intelligence data. + + :param as_geo: Geographic location information for an IP indicator. + :type as_geo: IoCGeoLocation, optional + + :param as_type: Autonomous system type. + :type as_type: str, optional + + :param benign_sources: Threat intelligence sources that flagged this indicator as benign. + :type benign_sources: [IoCSource], none_type, optional + + :param categories: Threat categories associated with the indicator. 
+ :type categories: [str], optional + + :param first_seen: Timestamp when the indicator was first seen. + :type first_seen: datetime, optional + + :param id: Unique identifier for the indicator. + :type id: str, optional + + :param indicator: The indicator value (for example, an IP address or domain). + :type indicator: str, optional + + :param indicator_type: Type of indicator (for example, IP address or domain). + :type indicator_type: str, optional + + :param last_seen: Timestamp when the indicator was last seen. + :type last_seen: datetime, optional + + :param log_matches: Number of logs that matched this indicator. + :type log_matches: int, optional + + :param m_as_type: Effect of a scoring factor on the indicator's threat score. + :type m_as_type: IoCScoreEffect, optional + + :param m_persistence: Effect of a scoring factor on the indicator's threat score. + :type m_persistence: IoCScoreEffect, optional + + :param m_signal: Effect of a scoring factor on the indicator's threat score. + :type m_signal: IoCScoreEffect, optional + + :param m_sources: Effect of a scoring factor on the indicator's threat score. + :type m_sources: IoCScoreEffect, optional + + :param malicious_sources: Threat intelligence sources that flagged this indicator as malicious. + :type malicious_sources: [IoCSource], none_type, optional + + :param max_trust_score: Effect of a scoring factor on the indicator's threat score. + :type max_trust_score: IoCScoreEffect, optional + + :param score: Threat score for the indicator (0-100). + :type score: float, optional + + :param signal_matches: Number of security signals that matched this indicator. + :type signal_matches: int, optional + + :param signal_tier: Signal tier level. + :type signal_tier: int, optional + + :param suspicious_sources: Threat intelligence sources that flagged this indicator as suspicious. + :type suspicious_sources: [IoCSource], none_type, optional + + :param tags: Tags associated with the indicator. 
+ :type tags: [str], optional + """ + if as_geo is not unset: + kwargs["as_geo"] = as_geo + if as_type is not unset: + kwargs["as_type"] = as_type + if benign_sources is not unset: + kwargs["benign_sources"] = benign_sources + if categories is not unset: + kwargs["categories"] = categories + if first_seen is not unset: + kwargs["first_seen"] = first_seen + if id is not unset: + kwargs["id"] = id + if indicator is not unset: + kwargs["indicator"] = indicator + if indicator_type is not unset: + kwargs["indicator_type"] = indicator_type + if last_seen is not unset: + kwargs["last_seen"] = last_seen + if log_matches is not unset: + kwargs["log_matches"] = log_matches + if m_as_type is not unset: + kwargs["m_as_type"] = m_as_type + if m_persistence is not unset: + kwargs["m_persistence"] = m_persistence + if m_signal is not unset: + kwargs["m_signal"] = m_signal + if m_sources is not unset: + kwargs["m_sources"] = m_sources + if malicious_sources is not unset: + kwargs["malicious_sources"] = malicious_sources + if max_trust_score is not unset: + kwargs["max_trust_score"] = max_trust_score + if score is not unset: + kwargs["score"] = score + if signal_matches is not unset: + kwargs["signal_matches"] = signal_matches + if signal_tier is not unset: + kwargs["signal_tier"] = signal_tier + if suspicious_sources is not unset: + kwargs["suspicious_sources"] = suspicious_sources + if tags is not unset: + kwargs["tags"] = tags + super().__init__(kwargs) diff --git a/src/datadog_api_client/v2/model/io_c_indicator_detailed.py b/src/datadog_api_client/v2/model/io_c_indicator_detailed.py new file mode 100644 index 0000000000..dfed28097f --- /dev/null +++ b/src/datadog_api_client/v2/model/io_c_indicator_detailed.py 
@@ -0,0 +1,311 @@ +# Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. +# This product includes software developed at Datadog (https://www.datadoghq.com/). +# Copyright 2019-Present Datadog, Inc. +from __future__ import annotations + +from typing import Any, Dict, List, Union, TYPE_CHECKING + +from datadog_api_client.model_utils import ( + ModelNormal, + cached_property, + date, + datetime, + none_type, + unset, + UnsetType, + UUID, +) + + +if TYPE_CHECKING: + from datadog_api_client.v2.model.io_c_geo_location import IoCGeoLocation + from datadog_api_client.v2.model.io_c_source import IoCSource + from datadog_api_client.v2.model.io_c_score_effect import IoCScoreEffect + from datadog_api_client.v2.model.io_c_signal_severity_count import IoCSignalSeverityCount + + +class IoCIndicatorDetailed(ModelNormal): + @cached_property + def openapi_types(_): + from datadog_api_client.v2.model.io_c_geo_location import IoCGeoLocation + from datadog_api_client.v2.model.io_c_source import IoCSource + from datadog_api_client.v2.model.io_c_score_effect import IoCScoreEffect + from datadog_api_client.v2.model.io_c_signal_severity_count import IoCSignalSeverityCount + + return { + "additional_data": ( + { + str: ( + bool, + date, + datetime, + dict, + float, + int, + list, + str, + UUID, + none_type, + ) + }, + ), + "as_cidr_block": (str,), + "as_geo": (IoCGeoLocation,), + "as_number": (str,), + "as_organization": (str,), + "as_type": (str,), + "benign_sources": ([IoCSource], none_type), + "categories": ([str],), + "critical_assets": ([str],), + "first_seen": (datetime,), + "hosts": ([str],), + "id": (str,), + "indicator": (str,), + "indicator_type": (str,), + "last_seen": (datetime,), + "log_matches": (int,), + "log_sources": ([str],), + "m_as_type": (IoCScoreEffect,), + "m_persistence": (IoCScoreEffect,), + "m_signal": (IoCScoreEffect,), + "m_sources": (IoCScoreEffect,), + "malicious_sources": ([IoCSource], none_type), + 
"max_trust_score": (IoCScoreEffect,), + "score": (float,), + "services": ([str],), + "signal_matches": (int,), + "signal_severity": ([IoCSignalSeverityCount],), + "signal_tier": (int,), + "suspicious_sources": ([IoCSource], none_type), + "tags": ([str],), + "users": ({str: ([str],)},), + } + + attribute_map = { + "additional_data": "additional_data", + "as_cidr_block": "as_cidr_block", + "as_geo": "as_geo", + "as_number": "as_number", + "as_organization": "as_organization", + "as_type": "as_type", + "benign_sources": "benign_sources", + "categories": "categories", + "critical_assets": "critical_assets", + "first_seen": "first_seen", + "hosts": "hosts", + "id": "id", + "indicator": "indicator", + "indicator_type": "indicator_type", + "last_seen": "last_seen", + "log_matches": "log_matches", + "log_sources": "log_sources", + "m_as_type": "m_as_type", + "m_persistence": "m_persistence", + "m_signal": "m_signal", + "m_sources": "m_sources", + "malicious_sources": "malicious_sources", + "max_trust_score": "max_trust_score", + "score": "score", + "services": "services", + "signal_matches": "signal_matches", + "signal_severity": "signal_severity", + "signal_tier": "signal_tier", + "suspicious_sources": "suspicious_sources", + "tags": "tags", + "users": "users", + } + + def __init__( + self_, + additional_data: Union[Dict[str, Any], UnsetType] = unset, + as_cidr_block: Union[str, UnsetType] = unset, + as_geo: Union[IoCGeoLocation, UnsetType] = unset, + as_number: Union[str, UnsetType] = unset, + as_organization: Union[str, UnsetType] = unset, + as_type: Union[str, UnsetType] = unset, + benign_sources: Union[List[IoCSource], none_type, UnsetType] = unset, + categories: Union[List[str], UnsetType] = unset, + critical_assets: Union[List[str], UnsetType] = unset, + first_seen: Union[datetime, UnsetType] = unset, + hosts: Union[List[str], UnsetType] = unset, + id: Union[str, UnsetType] = unset, + indicator: Union[str, UnsetType] = unset, + indicator_type: Union[str, UnsetType] 
= unset, + last_seen: Union[datetime, UnsetType] = unset, + log_matches: Union[int, UnsetType] = unset, + log_sources: Union[List[str], UnsetType] = unset, + m_as_type: Union[IoCScoreEffect, UnsetType] = unset, + m_persistence: Union[IoCScoreEffect, UnsetType] = unset, + m_signal: Union[IoCScoreEffect, UnsetType] = unset, + m_sources: Union[IoCScoreEffect, UnsetType] = unset, + malicious_sources: Union[List[IoCSource], none_type, UnsetType] = unset, + max_trust_score: Union[IoCScoreEffect, UnsetType] = unset, + score: Union[float, UnsetType] = unset, + services: Union[List[str], UnsetType] = unset, + signal_matches: Union[int, UnsetType] = unset, + signal_severity: Union[List[IoCSignalSeverityCount], UnsetType] = unset, + signal_tier: Union[int, UnsetType] = unset, + suspicious_sources: Union[List[IoCSource], none_type, UnsetType] = unset, + tags: Union[List[str], UnsetType] = unset, + users: Union[Dict[str, List[str]], UnsetType] = unset, + **kwargs, + ): + """ + An indicator of compromise with extended context from your environment. + + :param additional_data: Additional domain-specific context from threat intelligence sources. + :type additional_data: {str: (bool, date, datetime, dict, float, int, list, str, UUID, none_type,)}, optional + + :param as_cidr_block: Autonomous system CIDR block. + :type as_cidr_block: str, optional + + :param as_geo: Geographic location information for an IP indicator. + :type as_geo: IoCGeoLocation, optional + + :param as_number: Autonomous system number. + :type as_number: str, optional + + :param as_organization: Autonomous system organization name. + :type as_organization: str, optional + + :param as_type: Autonomous system type. + :type as_type: str, optional + + :param benign_sources: Threat intelligence sources that flagged this indicator as benign. + :type benign_sources: [IoCSource], none_type, optional + + :param categories: Threat categories associated with the indicator. 
+ :type categories: [str], optional + + :param critical_assets: Critical assets associated with this indicator. + :type critical_assets: [str], optional + + :param first_seen: Timestamp when the indicator was first seen. + :type first_seen: datetime, optional + + :param hosts: Hosts associated with this indicator. + :type hosts: [str], optional + + :param id: Unique identifier for the indicator. + :type id: str, optional + + :param indicator: The indicator value (for example, an IP address or domain). + :type indicator: str, optional + + :param indicator_type: Type of indicator (for example, IP address or domain). + :type indicator_type: str, optional + + :param last_seen: Timestamp when the indicator was last seen. + :type last_seen: datetime, optional + + :param log_matches: Number of logs that matched this indicator. + :type log_matches: int, optional + + :param log_sources: Log sources where this indicator was observed. + :type log_sources: [str], optional + + :param m_as_type: Effect of a scoring factor on the indicator's threat score. + :type m_as_type: IoCScoreEffect, optional + + :param m_persistence: Effect of a scoring factor on the indicator's threat score. + :type m_persistence: IoCScoreEffect, optional + + :param m_signal: Effect of a scoring factor on the indicator's threat score. + :type m_signal: IoCScoreEffect, optional + + :param m_sources: Effect of a scoring factor on the indicator's threat score. + :type m_sources: IoCScoreEffect, optional + + :param malicious_sources: Threat intelligence sources that flagged this indicator as malicious. + :type malicious_sources: [IoCSource], none_type, optional + + :param max_trust_score: Effect of a scoring factor on the indicator's threat score. + :type max_trust_score: IoCScoreEffect, optional + + :param score: Threat score for the indicator (0-100). + :type score: float, optional + + :param services: Services where this indicator was observed. 
+ :type services: [str], optional + + :param signal_matches: Number of security signals that matched this indicator. + :type signal_matches: int, optional + + :param signal_severity: Breakdown of security signals by severity. + :type signal_severity: [IoCSignalSeverityCount], optional + + :param signal_tier: Signal tier level. + :type signal_tier: int, optional + + :param suspicious_sources: Threat intelligence sources that flagged this indicator as suspicious. + :type suspicious_sources: [IoCSource], none_type, optional + + :param tags: Tags associated with the indicator. + :type tags: [str], optional + + :param users: Users associated with this indicator, grouped by category. + :type users: {str: ([str],)}, optional + """ + if additional_data is not unset: + kwargs["additional_data"] = additional_data + if as_cidr_block is not unset: + kwargs["as_cidr_block"] = as_cidr_block + if as_geo is not unset: + kwargs["as_geo"] = as_geo + if as_number is not unset: + kwargs["as_number"] = as_number + if as_organization is not unset: + kwargs["as_organization"] = as_organization + if as_type is not unset: + kwargs["as_type"] = as_type + if benign_sources is not unset: + kwargs["benign_sources"] = benign_sources + if categories is not unset: + kwargs["categories"] = categories + if critical_assets is not unset: + kwargs["critical_assets"] = critical_assets + if first_seen is not unset: + kwargs["first_seen"] = first_seen + if hosts is not unset: + kwargs["hosts"] = hosts + if id is not unset: + kwargs["id"] = id + if indicator is not unset: + kwargs["indicator"] = indicator + if indicator_type is not unset: + kwargs["indicator_type"] = indicator_type + if last_seen is not unset: + kwargs["last_seen"] = last_seen + if log_matches is not unset: + kwargs["log_matches"] = log_matches + if log_sources is not unset: + kwargs["log_sources"] = log_sources + if m_as_type is not unset: + kwargs["m_as_type"] = m_as_type + if m_persistence is not unset: + kwargs["m_persistence"] = 
m_persistence + if m_signal is not unset: + kwargs["m_signal"] = m_signal + if m_sources is not unset: + kwargs["m_sources"] = m_sources + if malicious_sources is not unset: + kwargs["malicious_sources"] = malicious_sources + if max_trust_score is not unset: + kwargs["max_trust_score"] = max_trust_score + if score is not unset: + kwargs["score"] = score + if services is not unset: + kwargs["services"] = services + if signal_matches is not unset: + kwargs["signal_matches"] = signal_matches + if signal_severity is not unset: + kwargs["signal_severity"] = signal_severity + if signal_tier is not unset: + kwargs["signal_tier"] = signal_tier + if suspicious_sources is not unset: + kwargs["suspicious_sources"] = suspicious_sources + if tags is not unset: + kwargs["tags"] = tags + if users is not unset: + kwargs["users"] = users + super().__init__(kwargs) diff --git a/src/datadog_api_client/v2/model/io_c_score_effect.py b/src/datadog_api_client/v2/model/io_c_score_effect.py new file mode 100644 index 0000000000..3c93bdf9e1 --- /dev/null +++ b/src/datadog_api_client/v2/model/io_c_score_effect.py 
@@ -0,0 +1,41 @@ +# Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. +# This product includes software developed at Datadog (https://www.datadoghq.com/). +# Copyright 2019-Present Datadog, Inc. +from __future__ import annotations + + +from datadog_api_client.model_utils import ( + ModelSimple, + cached_property, +) + +from typing import ClassVar + + +class IoCScoreEffect(ModelSimple): + """ + Effect of a scoring factor on the indicator's threat score. + + :param value: Must be one of ["RAISE_SCORE", "LOWER_SCORE", "NO_EFFECT"]. + :type value: str + """ + + allowed_values = { + "RAISE_SCORE", + "LOWER_SCORE", + "NO_EFFECT", + } + RAISE_SCORE: ClassVar["IoCScoreEffect"] + LOWER_SCORE: ClassVar["IoCScoreEffect"] + NO_EFFECT: ClassVar["IoCScoreEffect"] + + @cached_property + def openapi_types(_): + return { + "value": (str,), + } + + +IoCScoreEffect.RAISE_SCORE = IoCScoreEffect("RAISE_SCORE") +IoCScoreEffect.LOWER_SCORE = IoCScoreEffect("LOWER_SCORE") +IoCScoreEffect.NO_EFFECT = IoCScoreEffect("NO_EFFECT") diff --git a/src/datadog_api_client/v2/model/io_c_signal_severity_count.py b/src/datadog_api_client/v2/model/io_c_signal_severity_count.py new file mode 100644 index 0000000000..647dc8bbac --- /dev/null +++ b/src/datadog_api_client/v2/model/io_c_signal_severity_count.py 
@@ -0,0 +1,43 @@ +# Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. +# This product includes software developed at Datadog (https://www.datadoghq.com/). +# Copyright 2019-Present Datadog, Inc. +from __future__ import annotations + +from typing import Union + +from datadog_api_client.model_utils import ( + ModelNormal, + cached_property, + unset, + UnsetType, +) + + +class IoCSignalSeverityCount(ModelNormal): + @cached_property + def openapi_types(_): + return { + "count": (int,), + "severity": (str,), + } + + attribute_map = { + "count": "count", + "severity": "severity", + } + + def __init__(self_, count: Union[int, UnsetType] = unset, severity: Union[str, UnsetType] = unset, **kwargs): + """ + Count of security signals by severity level. + + :param count: Number of signals at this severity level. + :type count: int, optional + + :param severity: Severity level (for example, critical, high, medium, low, info). + :type severity: str, optional + """ + if count is not unset: + kwargs["count"] = count + if severity is not unset: + kwargs["severity"] = severity + super().__init__(kwargs) diff --git a/src/datadog_api_client/v2/model/io_c_source.py b/src/datadog_api_client/v2/model/io_c_source.py new file mode 100644 index 0000000000..fee64d492a --- /dev/null +++ b/src/datadog_api_client/v2/model/io_c_source.py 
@@ -0,0 +1,36 @@ +# Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. +# This product includes software developed at Datadog (https://www.datadoghq.com/). +# Copyright 2019-Present Datadog, Inc. +from __future__ import annotations + +from typing import Union + +from datadog_api_client.model_utils import ( + ModelNormal, + cached_property, + unset, + UnsetType, +) + + +class IoCSource(ModelNormal): + @cached_property + def openapi_types(_): + return { + "name": (str,), + } + + attribute_map = { + "name": "name", + } + + def __init__(self_, name: Union[str, UnsetType] = unset, **kwargs): + """ + A threat intelligence source that has flagged an indicator. + + :param name: Name of the threat intelligence source. + :type name: str, optional + """ + if name is not unset: + kwargs["name"] = name + super().__init__(kwargs) diff --git a/src/datadog_api_client/v2/models/__init__.py b/src/datadog_api_client/v2/models/__init__.py index 7a4faea982..cbfb4701a6 100644 --- a/src/datadog_api_client/v2/models/__init__.py +++ b/src/datadog_api_client/v2/models/__init__.py @@ -2383,6 +2383,9 @@ GetInvestigationResponseDataAttributes, ) from datadog_api_client.v2.model.get_investigation_response_links import GetInvestigationResponseLinks +from datadog_api_client.v2.model.get_io_c_indicator_response import GetIoCIndicatorResponse +from datadog_api_client.v2.model.get_io_c_indicator_response_attributes import GetIoCIndicatorResponseAttributes +from datadog_api_client.v2.model.get_io_c_indicator_response_data import GetIoCIndicatorResponseData from datadog_api_client.v2.model.get_issue_include_query_parameter_item import GetIssueIncludeQueryParameterItem from datadog_api_client.v2.model.get_mapping_response import GetMappingResponse from datadog_api_client.v2.model.get_mapping_response_data import GetMappingResponseData 
@@ -2878,6 +2881,17 @@ from datadog_api_client.v2.model.interface_attributes_status import InterfaceAttributesStatus from datadog_api_client.v2.model.investigation_conclusion import InvestigationConclusion from datadog_api_client.v2.model.investigation_type import InvestigationType +from datadog_api_client.v2.model.io_c_explorer_list_response import IoCExplorerListResponse +from datadog_api_client.v2.model.io_c_explorer_list_response_attributes import IoCExplorerListResponseAttributes +from datadog_api_client.v2.model.io_c_explorer_list_response_data import IoCExplorerListResponseData +from datadog_api_client.v2.model.io_c_explorer_list_response_metadata import IoCExplorerListResponseMetadata +from datadog_api_client.v2.model.io_c_explorer_list_response_paging import IoCExplorerListResponsePaging +from datadog_api_client.v2.model.io_c_geo_location import IoCGeoLocation +from datadog_api_client.v2.model.io_c_indicator import IoCIndicator +from datadog_api_client.v2.model.io_c_indicator_detailed import IoCIndicatorDetailed +from datadog_api_client.v2.model.io_c_score_effect import IoCScoreEffect +from datadog_api_client.v2.model.io_c_signal_severity_count import IoCSignalSeverityCount +from datadog_api_client.v2.model.io_c_source import IoCSource from datadog_api_client.v2.model.issue import Issue from datadog_api_client.v2.model.issue_assignee_relationship import IssueAssigneeRelationship from datadog_api_client.v2.model.issue_attributes import IssueAttributes @@ -8963,6 +8977,9 @@ "GetInvestigationResponseData", "GetInvestigationResponseDataAttributes", "GetInvestigationResponseLinks", + "GetIoCIndicatorResponse", + "GetIoCIndicatorResponseAttributes", + "GetIoCIndicatorResponseData", "GetIssueIncludeQueryParameterItem", "GetMappingResponse", "GetMappingResponseData", 
@@ -9336,6 +9353,17 @@
 "InterfaceAttributesStatus",
 "InvestigationConclusion",
 "InvestigationType",
+ "IoCExplorerListResponse",
+ "IoCExplorerListResponseAttributes",
+ "IoCExplorerListResponseData",
+ "IoCExplorerListResponseMetadata",
+ "IoCExplorerListResponsePaging",
+ "IoCGeoLocation",
+ "IoCIndicator",
+ "IoCIndicatorDetailed",
+ "IoCScoreEffect",
+ "IoCSignalSeverityCount",
+ "IoCSource",
 "Issue",
 "IssueAssigneeRelationship",
 "IssueAttributes",
diff --git a/tests/v2/cassettes/test_scenarios/test_get_an_indicator_of_compromise_returns_not_found_response.frozen b/tests/v2/cassettes/test_scenarios/test_get_an_indicator_of_compromise_returns_not_found_response.frozen
new file mode 100644
index 0000000000..55d3aa91a8
--- /dev/null
+++ b/tests/v2/cassettes/test_scenarios/test_get_an_indicator_of_compromise_returns_not_found_response.frozen
@@ -0,0 +1 @@
+2026-04-14T18:22:17.027Z
\ No newline at end of file
diff --git a/tests/v2/cassettes/test_scenarios/test_get_an_indicator_of_compromise_returns_not_found_response.yaml b/tests/v2/cassettes/test_scenarios/test_get_an_indicator_of_compromise_returns_not_found_response.yaml
new file mode 100644
index 0000000000..c289cb92e9
--- /dev/null
+++ b/tests/v2/cassettes/test_scenarios/test_get_an_indicator_of_compromise_returns_not_found_response.yaml
@@ -0,0 +1,18 @@
+interactions:
+- request:
+ body: null
+ headers:
+ accept:
+ - application/json
+ method: GET
+ uri: https://api.datadoghq.com/api/v2/security/siem/ioc-explorer/indicator?indicator=this-indicator-does-not-exist.invalid
+ response:
+ body:
+ string: '{"errors":[{"title":"Generic Error","detail":"indicator not found"}]}'
+ headers:
+ content-type:
+ - application/vnd.api+json
+ status:
+ code: 404
+ message: Not Found
+version: 1
diff --git a/tests/v2/cassettes/test_scenarios/test_get_an_indicator_of_compromise_returns_ok_response.frozen b/tests/v2/cassettes/test_scenarios/test_get_an_indicator_of_compromise_returns_ok_response.frozen
new file mode 100644
index 0000000000..fc8ed109ad
--- /dev/null
+++ b/tests/v2/cassettes/test_scenarios/test_get_an_indicator_of_compromise_returns_ok_response.frozen
@@ -0,0 +1 @@
+2026-04-14T18:22:29.733Z
\ No newline at end of file
diff --git a/tests/v2/cassettes/test_scenarios/test_get_an_indicator_of_compromise_returns_ok_response.yaml b/tests/v2/cassettes/test_scenarios/test_get_an_indicator_of_compromise_returns_ok_response.yaml
new file mode 100644
index 0000000000..67802c5892
--- /dev/null
+++ b/tests/v2/cassettes/test_scenarios/test_get_an_indicator_of_compromise_returns_ok_response.yaml
@@ -0,0 +1,21 @@
+interactions:
+- request:
+ body: null
+ headers:
+ accept:
+ - application/json
+ method: GET
+ uri: https://api.datadoghq.com/api/v2/security/siem/ioc-explorer/indicator?indicator=masscan%2F1.3%20%28https%3A%2F%2Fgithub.com%2Frobertdavidgraham%2Fmasscan%29
+ response:
+ body:
+ string: '{"data":{"id":"65a31893-cc59-4125-9424-44f7ba083e53","type":"get_indicator_response","attributes":{"data":{"id":"masscan/1.3
+ (https://github.com/robertdavidgraham/masscan)","indicator":"masscan/1.3 (https://github.com/robertdavidgraham/masscan)","indicator_type":"User
+ Agent","score":4,"as_type":"hosting","malicious_sources":null,"suspicious_sources":[{"name":"Datadog
+ Threat Research"}],"benign_sources":null,"categories":["scanner"],"tags":[],"signal_matches":0,"log_matches":45,"first_seen":"2025-01-08T23:24:45Z","last_seen":"2026-04-10T14:36:20Z","signal_tier":0,"max_trust_score":"RAISE_SCORE","m_sources":"NO_EFFECT","m_persistence":"RAISE_SCORE","m_signal":"NO_EFFECT","m_as_type":"NO_EFFECT","log_sources":[],"services":[],"signal_severity":[],"users":{},"critical_assets":[],"hosts":[],"as_number":"","as_organization":"","as_cidr_block":""}}}}'
+ headers:
+ content-type:
+ - application/vnd.api+json
+ status:
+ code: 200
+ message: OK
+version: 1
diff --git a/tests/v2/cassettes/test_scenarios/test_list_indicators_of_compromise_returns_bad_request_response.frozen b/tests/v2/cassettes/test_scenarios/test_list_indicators_of_compromise_returns_bad_request_response.frozen
new file mode 100644
index 0000000000..307d03acb4
--- /dev/null
+++ b/tests/v2/cassettes/test_scenarios/test_list_indicators_of_compromise_returns_bad_request_response.frozen
@@ -0,0 +1 @@
+2026-04-14T18:22:40.711Z
\ No newline at end of file
diff --git a/tests/v2/cassettes/test_scenarios/test_list_indicators_of_compromise_returns_bad_request_response.yaml b/tests/v2/cassettes/test_scenarios/test_list_indicators_of_compromise_returns_bad_request_response.yaml
new file mode 100644
index 0000000000..ec114dcff1
--- /dev/null
+++ b/tests/v2/cassettes/test_scenarios/test_list_indicators_of_compromise_returns_bad_request_response.yaml
@@ -0,0 +1,20 @@
+interactions:
+- request:
+ body: null
+ headers:
+ accept:
+ - application/json
+ method: GET
+ uri: https://api.datadoghq.com/api/v2/security/siem/ioc-explorer?query=invalid%3A%3A%3Aquery
+ response:
+ body:
+ string: '{"errors":[{"title":"Generic Error","detail":"invalid query: invalid
+ query: syntax error: no viable alternative at input ''invalid::'' at line
+ 1 and char position 8"}]}'
+ headers:
+ content-type:
+ - application/vnd.api+json
+ status:
+ code: 400
+ message: Bad Request
+version: 1
diff --git a/tests/v2/cassettes/test_scenarios/test_list_indicators_of_compromise_returns_ok_response.frozen b/tests/v2/cassettes/test_scenarios/test_list_indicators_of_compromise_returns_ok_response.frozen
new file mode 100644
index 0000000000..5814ac627e
--- /dev/null
+++ b/tests/v2/cassettes/test_scenarios/test_list_indicators_of_compromise_returns_ok_response.frozen
@@ -0,0 +1 @@
+2026-04-14T18:22:48.392Z
\ No newline at end of file
diff --git a/tests/v2/cassettes/test_scenarios/test_list_indicators_of_compromise_returns_ok_response.yaml b/tests/v2/cassettes/test_scenarios/test_list_indicators_of_compromise_returns_ok_response.yaml
new file mode 100644
index 0000000000..4f6ed05ab2
--- /dev/null
+++ b/tests/v2/cassettes/test_scenarios/test_list_indicators_of_compromise_returns_ok_response.yaml
@@ -0,0 +1,20 @@
+interactions:
+- request:
+ body: null
+ headers:
+ accept:
+ - application/json
+ method: GET
+ uri: https://api.datadoghq.com/api/v2/security/siem/ioc-explorer?limit=1
+ response:
+ body:
+ string: '{"data":{"id":"a4e3b616-e180-4b47-a379-43da9c5b300e","type":"ioc_explorer_response","attributes":{"data":[{"id":"43.228.157.121","indicator":"43.228.157.121","indicator_type":"IP
+ Address","score":8,"as_type":"hosting","malicious_sources":[{"name":"threatfox"}],"suspicious_sources":[{"name":"tor"},{"name":"SPUR"}],"benign_sources":null,"categories":["malware","tor","hosting_proxy"],"tags":[],"signal_matches":0,"log_matches":14,"signal_tier":0,"max_trust_score":"RAISE_SCORE","m_sources":"RAISE_SCORE","m_persistence":"NO_EFFECT","m_signal":"NO_EFFECT","m_as_type":"NO_EFFECT","as_geo":{"city":"Frankfurt
+ am Main","country_code":"DE","country_name":"Germany"}}],"metadata":{"count":25091},"paging":{"offset":1}}}}'
+ headers:
+ content-type:
+ - application/vnd.api+json
+ status:
+ code: 200
+ message: OK
+version: 1
diff --git a/tests/v2/features/security_monitoring.feature b/tests/v2/features/security_monitoring.feature
index 1fdee4f141..ac7b626e0d 100644
--- a/tests/v2/features/security_monitoring.feature
+++ b/tests/v2/features/security_monitoring.feature
@@ -1298,6 +1298,30 @@ Feature: Security Monitoring
 Then the response status is 200 OK
 And the response "data[0].attributes.name" is equal to "suppression2 {{ unique_hash }}"
 
+ @generated @skip @team:DataDog/k9-cloud-siem
+ Scenario: Get an indicator of compromise returns "Bad Request" response
+ Given operation "GetIndicatorOfCompromise" enabled
+ And new "GetIndicatorOfCompromise" request
+ And request contains "indicator" parameter from "REPLACE.ME"
+ When the request is sent
+ Then the response status is 400 Bad Request
+
+ @replay-only @skip-terraform-config @team:DataDog/k9-cloud-siem
+ Scenario: Get an indicator of compromise returns "Not Found" response
+ Given operation "GetIndicatorOfCompromise" enabled
+ And new "GetIndicatorOfCompromise" request
+ And request contains "indicator" parameter with value "this-indicator-does-not-exist.invalid"
+ When the request is sent
+ Then the response status is 404 Not Found
+
+ @replay-only @skip-terraform-config @team:DataDog/k9-cloud-siem
+ Scenario: Get an indicator of compromise returns "OK" response
+ Given operation "GetIndicatorOfCompromise" enabled
+ And new "GetIndicatorOfCompromise" request
+ And request contains "indicator" parameter with value "masscan/1.3 (https://github.com/robertdavidgraham/masscan)"
+ When the request is sent
+ Then the response status is 200 OK
+
 @generated @skip @team:DataDog/k9-cloud-siem
 Scenario: Get content pack states returns "Not Found" response
 Given operation "GetContentPacksStates" enabled
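Review bot: Both new "OK" scenarios stop at the status code, whereas the neighbouring scenario in this file also checks a response field (`data[0].attributes.name`); the recorded cassettes carry the full indicator payload, so a field assertion would exercise deserialization of the nested response models instead of only the transport. Following the existing step pattern, the get scenario could add `And the response "data.attributes.data.indicator" is equal to "masscan/1.3 (https://github.com/robertdavidgraham/masscan)"`, and the list scenario in the `@@ -1573` hunk could add `And the response "data.attributes.data[0].indicator_type" is equal to "IP Address"`. The `@generated @skip` "Bad Request" scenario for GetIndicatorOfCompromise still carries the `REPLACE.ME` placeholder while the list endpoint's 400 case is recorded; if the endpoint rejects an empty or malformed `indicator`, recording that case would cover the error path on this side as well.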
@@ -1573,6 +1597,22 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 200 OK
 
+ @replay-only @skip-terraform-config @team:DataDog/k9-cloud-siem
+ Scenario: List indicators of compromise returns "Bad Request" response
+ Given operation "ListIndicatorsOfCompromise" enabled
+ And new "ListIndicatorsOfCompromise" request
+ And request contains "query" parameter with value "invalid:::query"
+ When the request is sent
+ Then the response status is 400 Bad Request
+
+ @replay-only @skip-terraform-config @team:DataDog/k9-cloud-siem
+ Scenario: List indicators of compromise returns "OK" response
+ Given operation "ListIndicatorsOfCompromise" enabled
+ And new "ListIndicatorsOfCompromise" request
+ And request contains "limit" parameter with value 1
+ When the request is sent
+ Then the response status is 200 OK
+
 @team:DataDog/k9-cloud-siem
 Scenario: List resource filters returns "Bad Request" response
 Given new "GetResourceEvaluationFilters" request
diff --git a/tests/v2/features/undo.json b/tests/v2/features/undo.json
index 02b5c2d4c5..c7ef9624df 100644
--- a/tests/v2/features/undo.json
+++ b/tests/v2/features/undo.json
@@ -5283,6 +5283,18 @@
 "type": "safe"
 }
 },
+ "ListIndicatorsOfCompromise": {
+ "tag": "Security Monitoring",
+ "undo": {
+ "type": "safe"
+ }
+ },
+ "GetIndicatorOfCompromise": {
+ "tag": "Security Monitoring",
+ "undo": {
+ "type": "safe"
+ }
+ },
 "GetSignalNotificationRules": {
 "tag": "Security Monitoring",
 "undo": {