Support Cloud SIEM scheduled rules in API client

.generated-info

@@ -1,4 +1,4 @@
 {
-  "spec_repo_commit": "c5cca50",
-  "generated": "2025-08-07 18:03:13.305"
+  "spec_repo_commit": "d02c8a3",
+  "generated": "2025-08-08 12:07:05.112"
 }

.generator/schemas/v2/openapi.yaml

@@ -36336,6 +36336,12 @@ components:
     SecurityMonitoringRuleUpdatePayload:
       description: Update an existing rule.
       properties:
+        calculatedFields:
+          description: Calculated fields. Only allowed for scheduled rules - in other
+            words, when schedulingOptions is also defined.
+          items:
+            $ref: '#/components/schemas/CalculatedField'
+          type: array
         cases:
           description: Cases for generating signals.
           items:
@@ -36392,6 +36398,8 @@ components:
           items:
             $ref: '#/components/schemas/SecurityMonitoringReferenceTable'
           type: array
+        schedulingOptions:
+          $ref: '#/components/schemas/SecurityMonitoringSchedulingOptions'
         tags:
           description: Tags for generated signals.
           items:
@@ -36418,6 +36426,27 @@ components:
       - $ref: '#/components/schemas/SecurityMonitoringStandardRulePayload'
       - $ref: '#/components/schemas/SecurityMonitoringSignalRulePayload'
       - $ref: '#/components/schemas/CloudConfigurationRulePayload'
+    SecurityMonitoringSchedulingOptions:
+      description: Options for scheduled rules. When this field is present, the rule
+        runs based on the schedule. When absent, it runs real-time on ingested logs.
+      nullable: true
+      properties:
+        rrule:
+          description: Schedule for the rule queries, written in RRULE syntax. See
+            [RFC](https://icalendar.org/iCalendar-RFC-5545/3-8-5-3-recurrence-rule.html)
+            for syntax reference.
+          example: FREQ=HOURLY;INTERVAL=1;
+          type: string
+        start:
+          description: Start date for the schedule, in ISO 8601 format without timezone.
+          example: '2025-07-14T12:00:00'
+          type: string
+        timezone:
+          description: Time zone of the start date, in the [tz database](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones)
+            format.
+          example: America/New_York
+          type: string
+      type: object
     SecurityMonitoringSignal:
       description: Object description of a security signal.
       properties:
@@ -37096,6 +37125,12 @@ components:
     SecurityMonitoringStandardRuleCreatePayload:
       description: Create a new rule.
       properties:
+        calculatedFields:
+          description: Calculated fields. Only allowed for scheduled rules - in other
+            words, when schedulingOptions is also defined.
+          items:
+            $ref: '#/components/schemas/CalculatedField'
+          type: array
         cases:
           description: Cases for generating signals.
           example: []
@@ -37148,6 +37183,8 @@ components:
           items:
             $ref: '#/components/schemas/SecurityMonitoringReferenceTable'
           type: array
+        schedulingOptions:
+          $ref: '#/components/schemas/SecurityMonitoringSchedulingOptions'
         tags:
           description: Tags for generated signals.
           example:
@@ -37177,6 +37214,12 @@ components:
     SecurityMonitoringStandardRulePayload:
       description: The payload of a rule.
       properties:
+        calculatedFields:
+          description: Calculated fields. Only allowed for scheduled rules - in other
+            words, when schedulingOptions is also defined.
+          items:
+            $ref: '#/components/schemas/CalculatedField'
+          type: array
         cases:
           description: Cases for generating signals.
           example: []
@@ -37237,6 +37280,8 @@ components:
           items:
             $ref: '#/components/schemas/SecurityMonitoringReferenceTable'
           type: array
+        schedulingOptions:
+          $ref: '#/components/schemas/SecurityMonitoringSchedulingOptions'
         tags:
           description: Tags for generated signals.
           example:
@@ -37293,6 +37338,14 @@ components:
           example: false
           readOnly: true
           type: boolean
+        index:
+          description: '**This field is currently unstable and might be removed in
+            a minor version upgrade.**
+
+            The index to run the query on, if the `dataSource` is `logs`. Only used
+            for scheduled rules - in other words, when the `schedulingOptions` field
+            is present in the rule payload.'
+          type: string
         metric:
           deprecated: true
           description: '(Deprecated) The target field to aggregate over when using
@@ -37320,6 +37373,12 @@ components:
     SecurityMonitoringStandardRuleResponse:
       description: Rule.
       properties:
+        calculatedFields:
+          description: Calculated fields. Only allowed for scheduled rules - in other
+            words, when schedulingOptions is also defined.
+          items:
+            $ref: '#/components/schemas/CalculatedField'
+          type: array
         cases:
           description: Cases for generating signals.
           items:
@@ -37405,6 +37464,8 @@ components:
           items:
             $ref: '#/components/schemas/SecurityMonitoringReferenceTable'
           type: array
+        schedulingOptions:
+          $ref: '#/components/schemas/SecurityMonitoringSchedulingOptions'
         tags:
           description: Tags for generated signals.
           items:
@@ -37436,6 +37497,12 @@ components:
     SecurityMonitoringStandardRuleTestPayload:
       description: The payload of a rule to test
       properties:
+        calculatedFields:
+          description: Calculated fields. Only allowed for scheduled rules - in other
+            words, when schedulingOptions is also defined.
+          items:
+            $ref: '#/components/schemas/CalculatedField'
+          type: array
         cases:
           description: Cases for generating signals.
           example: []
@@ -37488,6 +37555,8 @@ components:
           items:
             $ref: '#/components/schemas/SecurityMonitoringReferenceTable'
           type: array
+        schedulingOptions:
+          $ref: '#/components/schemas/SecurityMonitoringSchedulingOptions'
         tags:
           description: Tags for generated signals.
           example:

cassettes/features/v2/security_monitoring/Create-a-scheduled-detection-rule-returns-OK-response.frozen

@@ -0,0 +1 @@
+2025-07-31T07:48:27.113Z

cassettes/features/v2/security_monitoring/Create-a-scheduled-rule-without-rrule-returns-Bad-Request-response.frozen

@@ -0,0 +1 @@
+2025-07-31T07:49:14.474Z

examples/v2/security-monitoring/CreateSecurityMonitoringRule_868881438.rb

@@ -0,0 +1,41 @@
+# Create a scheduled detection rule returns "OK" response
+
+require "datadog_api_client"
+api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
+
+body = DatadogAPIClient::V2::SecurityMonitoringStandardRuleCreatePayload.new({
+  name: "Example-Security-Monitoring",
+  queries: [
+    DatadogAPIClient::V2::SecurityMonitoringStandardRuleQuery.new({
+      query: "@test:true",
+      aggregation: DatadogAPIClient::V2::SecurityMonitoringRuleQueryAggregation::COUNT,
+      group_by_fields: [],
+      distinct_fields: [],
+      index: "main",
+    }),
+  ],
+  filters: [],
+  cases: [
+    DatadogAPIClient::V2::SecurityMonitoringRuleCaseCreate.new({
+      name: "",
+      status: DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::INFO,
+      condition: "a > 0",
+      notifications: [],
+    }),
+  ],
+  options: DatadogAPIClient::V2::SecurityMonitoringRuleOptions.new({
+    evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::FIFTEEN_MINUTES,
+    keep_alive: DatadogAPIClient::V2::SecurityMonitoringRuleKeepAlive::ONE_HOUR,
+    max_signal_duration: DatadogAPIClient::V2::SecurityMonitoringRuleMaxSignalDuration::ONE_DAY,
+  }),
+  message: "Test rule",
+  tags: [],
+  is_enabled: true,
+  type: DatadogAPIClient::V2::SecurityMonitoringRuleTypeCreate::LOG_DETECTION,
+  scheduling_options: DatadogAPIClient::V2::SecurityMonitoringSchedulingOptions.new({
+    rrule: "FREQ=HOURLY;INTERVAL=2;",
+    start: "2025-06-18T12:00:00",
+    timezone: "Europe/Paris",
+  }),
+})
+p api_instance.create_security_monitoring_rule(body)

features/v2/security_monitoring.feature

@@ -295,6 +295,24 @@ Feature: Security Monitoring
     When the request is sent
     Then the response status is 201 Successfully created the notification rule.
 
+  @team:DataDog/k9-cloud-security-platform
+  Scenario: Create a scheduled detection rule returns "OK" response
+    Given new "CreateSecurityMonitoringRule" request
+    And body with value {"name":"{{ unique }}", "queries":[{"query":"@test:true","aggregation":"count","groupByFields":[],"distinctFields":[],"index":"main"}],"filters":[],"cases":[{"name":"","status":"info","condition":"a > 0","notifications":[]}],"options":{"evaluationWindow":900,"keepAlive":3600,"maxSignalDuration":86400},"message":"Test rule","tags":[],"isEnabled":true, "type":"log_detection", "schedulingOptions": {"rrule": "FREQ=HOURLY;INTERVAL=2;", "start": "2025-06-18T12:00:00", "timezone": "Europe/Paris"}}
+    When the request is sent
+    Then the response status is 200 OK
+    And the response "name" is equal to "{{ unique }}"
+    And the response "type" is equal to "log_detection"
+    And the response "message" is equal to "Test rule"
+    And the response "schedulingOptions" is equal to {"rrule": "FREQ=HOURLY;INTERVAL=2;", "start": "2025-06-18T12:00:00", "timezone": "Europe/Paris"}
+
+  @team:DataDog/k9-cloud-security-platform
+  Scenario: Create a scheduled rule without rrule returns "Bad Request" response
+    Given new "CreateSecurityMonitoringRule" request
+    And body with value {"name":"{{ unique }}", "queries":[{"query":"@test:true","aggregation":"count","groupByFields":[],"distinctFields":[],"index":"main"}],"filters":[],"cases":[{"name":"","status":"info","condition":"a > 0","notifications":[]}],"options":{"evaluationWindow":900,"keepAlive":3600,"maxSignalDuration":86400},"message":"Test rule","tags":[],"isEnabled":true, "type":"log_detection", "schedulingOptions": {"start": "2025-06-18T12:00:00", "timezone": "Europe/Paris"}}
+    When the request is sent
+    Then the response status is 400 Bad Request
+
   @generated @skip @team:DataDog/k9-cloud-security-platform
   Scenario: Create a security filter returns "Bad Request" response
     Given new "CreateSecurityFilter" request

lib/datadog_api_client/inflector.rb

@@ -3243,6 +3243,7 @@ def overrides
           "v2.security_monitoring_rule_type_test" => "SecurityMonitoringRuleTypeTest",
           "v2.security_monitoring_rule_update_payload" => "SecurityMonitoringRuleUpdatePayload",
           "v2.security_monitoring_rule_validate_payload" => "SecurityMonitoringRuleValidatePayload",
+          "v2.security_monitoring_scheduling_options" => "SecurityMonitoringSchedulingOptions",
           "v2.security_monitoring_signal" => "SecurityMonitoringSignal",
           "v2.security_monitoring_signal_archive_reason" => "SecurityMonitoringSignalArchiveReason",
           "v2.security_monitoring_signal_assignee_update_attributes" => "SecurityMonitoringSignalAssigneeUpdateAttributes",