From cd6247e2d08a8e91d3364a779355bb573db86aca Mon Sep 17 00:00:00 2001
From: "ci.datadog-api-spec"
Date: Fri, 19 Sep 2025 16:17:06 +0000
Subject: [PATCH] Regenerate client from commit e4360c2 of spec repo
---
 .generator/schemas/v2/openapi.yaml | 47 ++++++++
 .../frozen.json | 1 +
 .../recording.har | 104 ++++++++++++++++++
 .../frozen.json | 1 +
 .../recording.har | 61 ++++++++++
 features/v2/security_monitoring.feature | 17 +++
 services/security_monitoring/src/v2/index.ts | 3 +
 .../src/v2/models/HistoricalJobOptions.ts | 9 ++
 .../SecurityMonitoringRuleDetectionMethod.ts | 2 +
 .../models/SecurityMonitoringRuleOptions.ts | 9 ++
 ...yMonitoringRuleSequenceDetectionOptions.ts | 55 +++++++++
 ...rityMonitoringRuleSequenceDetectionStep.ts | 64 +++++++++++
 ...ringRuleSequenceDetectionStepTransition.ts | 64 +++++++++++
 .../src/v2/models/TypingInfo.ts | 10 ++
 14 files changed, 447 insertions(+)
 create mode 100644 cassettes/v2/Security-Monitoring_1187227211/Create-a-detection-rule-with-detection-method-sequence_detection-returns-OK-response_224770692/frozen.json
 create mode 100644 cassettes/v2/Security-Monitoring_1187227211/Create-a-detection-rule-with-detection-method-sequence_detection-returns-OK-response_224770692/recording.har
 create mode 100644 cassettes/v2/Security-Monitoring_1187227211/Validate-a-detection-rule-with-detection-method-sequence_detection-returns-OK-response_4291746846/frozen.json
 create mode 100644 cassettes/v2/Security-Monitoring_1187227211/Validate-a-detection-rule-with-detection-method-sequence_detection-returns-OK-response_4291746846/recording.har
 create mode 100644 services/security_monitoring/src/v2/models/SecurityMonitoringRuleSequenceDetectionOptions.ts
 create mode 100644 services/security_monitoring/src/v2/models/SecurityMonitoringRuleSequenceDetectionStep.ts
 create mode 100644 services/security_monitoring/src/v2/models/SecurityMonitoringRuleSequenceDetectionStepTransition.ts
diff --git a/.generator/schemas/v2/openapi.yaml b/.generator/schemas/v2/openapi.yaml index d3d603bec261..87a84afd60e5 100644 --- a/.generator/schemas/v2/openapi.yaml +++ b/.generator/schemas/v2/openapi.yaml @@ -20470,6 +20470,8 @@ components: $ref: '#/components/schemas/SecurityMonitoringRuleMaxSignalDuration' newValueOptions: $ref: '#/components/schemas/SecurityMonitoringRuleNewValueOptions' + sequenceDetectionOptions: + $ref: '#/components/schemas/SecurityMonitoringRuleSequenceDetectionOptions' thirdPartyRuleOptions: $ref: '#/components/schemas/SecurityMonitoringRuleThirdPartyOptions' type: object @@ -40786,6 +40788,7 @@ components: - hardcoded - third_party - anomaly_threshold + - sequence_detection type: string x-enum-varnames: - THRESHOLD @@ -40795,6 +40798,7 @@ components: - HARDCODED - THIRD_PARTY - ANOMALY_THRESHOLD + - SEQUENCE_DETECTION SecurityMonitoringRuleEvaluationWindow: description: 'A time window is specified to match when at least one of the cases matches true. This is a sliding window @@ -41008,6 +41012,8 @@ components: $ref: '#/components/schemas/SecurityMonitoringRuleMaxSignalDuration' newValueOptions: $ref: '#/components/schemas/SecurityMonitoringRuleNewValueOptions' + sequenceDetectionOptions: + $ref: '#/components/schemas/SecurityMonitoringRuleSequenceDetectionOptions' thirdPartyRuleOptions: $ref: '#/components/schemas/SecurityMonitoringRuleThirdPartyOptions' type: object 
@@ -41083,6 +41089,47 @@ components: oneOf: - $ref: '#/components/schemas/SecurityMonitoringStandardRuleResponse' - $ref: '#/components/schemas/SecurityMonitoringSignalRuleResponse' + SecurityMonitoringRuleSequenceDetectionOptions: + description: Options on sequence detection method. + properties: + stepTransitions: + description: Transitions defining the allowed order of steps and their evaluation + windows. + items: + $ref: '#/components/schemas/SecurityMonitoringRuleSequenceDetectionStepTransition' + type: array + steps: + description: Steps that define the conditions to be matched in sequence. + items: + $ref: '#/components/schemas/SecurityMonitoringRuleSequenceDetectionStep' + type: array + type: object + SecurityMonitoringRuleSequenceDetectionStep: + description: Step definition for sequence detection containing the step name, + condition, and evaluation window. + properties: + condition: + description: Condition referencing rule queries (e.g., `a > 0`). + type: string + evaluationWindow: + $ref: '#/components/schemas/SecurityMonitoringRuleEvaluationWindow' + name: + description: Unique name identifying the step. + type: string + type: object + SecurityMonitoringRuleSequenceDetectionStepTransition: + description: Transition from a parent step to a child step within a sequence + detection rule. + properties: + child: + description: Name of the child step. + type: string + evaluationWindow: + $ref: '#/components/schemas/SecurityMonitoringRuleEvaluationWindow' + parent: + description: Name of the parent step. + type: string + type: object SecurityMonitoringRuleSeverity: description: Severity of the Security Signal. enum: 
diff --git a/cassettes/v2/Security-Monitoring_1187227211/Create-a-detection-rule-with-detection-method-sequence_detection-returns-OK-response_224770692/frozen.json b/cassettes/v2/Security-Monitoring_1187227211/Create-a-detection-rule-with-detection-method-sequence_detection-returns-OK-response_224770692/frozen.json
new file mode 100644
index 000000000000..cb791b20c5c0
--- /dev/null
+++ b/cassettes/v2/Security-Monitoring_1187227211/Create-a-detection-rule-with-detection-method-sequence_detection-returns-OK-response_224770692/frozen.json
@@ -0,0 +1 @@
+"2025-09-12T15:45:55.719Z"
diff --git a/cassettes/v2/Security-Monitoring_1187227211/Create-a-detection-rule-with-detection-method-sequence_detection-returns-OK-response_224770692/recording.har b/cassettes/v2/Security-Monitoring_1187227211/Create-a-detection-rule-with-detection-method-sequence_detection-returns-OK-response_224770692/recording.har
new file mode 100644
index 000000000000..6064063a989b
--- /dev/null
+++ b/cassettes/v2/Security-Monitoring_1187227211/Create-a-detection-rule-with-detection-method-sequence_detection-returns-OK-response_224770692/recording.har
@@ -0,0 +1,104 @@ +{ + "log": { + "_recordingName": "Security Monitoring/Create a detection rule with detection method 'sequence_detection' returns \"OK\" response", + "creator": { + "comment": "persister:fs", + "name": "Polly.JS", + "version": "6.0.5" + }, + "entries": [ + { + "_id": "faa8ed427532bf09665284cdbb2daf9c", + "_order": 0, + "cache": {}, + "request": { + "bodySize": 1000, + "cookies": [], + "headers": [ + { + "_fromType": "array", + "name": "accept", + "value": "application/json" + }, + { + "_fromType": "array", + "name": "content-type", + "value": "application/json" + } + ], + "headersSize": 589, + "httpVersion": "HTTP/1.1", + "method": "POST", + "postData": { + "mimeType": "application/json", + "params": [], + "text": "{\"cases\":[{\"condition\":\"step_b > 0\",\"name\":\"\",\"notifications\":[],\"status\":\"info\"}],\"isEnabled\":true,\"message\":\"Logs and signals asdf\",\"name\":\"Test-Create_a_detection_rule_with_detection_method_sequence_detection_returns_OK_response-1757691955\",\"options\":{\"detectionMethod\":\"sequence_detection\",\"evaluationWindow\":0,\"keepAlive\":300,\"maxSignalDuration\":600,\"sequenceDetectionOptions\":{\"stepTransitions\":[{\"child\":\"step_b\",\"evaluationWindow\":900,\"parent\":\"step_a\"}],\"steps\":[{\"condition\":\"a > 0\",\"evaluationWindow\":60,\"name\":\"step_a\"},{\"condition\":\"b > 0\",\"evaluationWindow\":60,\"name\":\"step_b\"}]}},\"queries\":[{\"aggregation\":\"count\",\"dataSource\":\"logs\",\"distinctFields\":[],\"groupByFields\":[],\"hasOptionalGroupByFields\":false,\"name\":\"\",\"query\":\"service:logs-rule-reducer source:paul test2\"},{\"aggregation\":\"count\",\"dataSource\":\"logs\",\"distinctFields\":[],\"groupByFields\":[],\"hasOptionalGroupByFields\":false,\"name\":\"\",\"query\":\"service:logs-rule-reducer source:paul test1\"}],\"tags\":[],\"type\":\"log_detection\"}" + }, + "queryString": [], + "url": "https://api.datadoghq.com/api/v2/security_monitoring/rules" + }, + "response": { + 
"bodySize": 1378, + "content": { + "mimeType": "application/json", + "size": 1378, + "text": "{\"name\":\"Test-Create_a_detection_rule_with_detection_method_sequence_detection_returns_OK_response-1757691955\",\"createdAt\":1757691955862,\"isDefault\":false,\"isPartner\":false,\"isEnabled\":true,\"isBeta\":false,\"isDeleted\":false,\"isDeprecated\":false,\"queries\":[{\"query\":\"service:logs-rule-reducer source:paul test2\",\"groupByFields\":[],\"hasOptionalGroupByFields\":false,\"distinctFields\":[],\"aggregation\":\"count\",\"name\":\"\",\"dataSource\":\"logs\"},{\"query\":\"service:logs-rule-reducer source:paul test1\",\"groupByFields\":[],\"hasOptionalGroupByFields\":false,\"distinctFields\":[],\"aggregation\":\"count\",\"name\":\"\",\"dataSource\":\"logs\"}],\"options\":{\"evaluationWindow\":0,\"detectionMethod\":\"sequence_detection\",\"maxSignalDuration\":600,\"keepAlive\":300,\"sequenceDetectionOptions\":{\"steps\":[{\"name\":\"step_a\",\"condition\":\"a \\u003e 0\",\"evaluationWindow\":60},{\"name\":\"step_b\",\"condition\":\"b \\u003e 0\",\"evaluationWindow\":60}],\"stepTransitions\":[{\"parent\":\"step_a\",\"child\":\"step_b\",\"evaluationWindow\":900}]}},\"cases\":[{\"name\":\"\",\"status\":\"info\",\"notifications\":[],\"condition\":\"step_b \\u003e 0\"}],\"message\":\"Logs and signals asdf\",\"tags\":[],\"hasExtendedTitle\":false,\"type\":\"log_detection\",\"filters\":[],\"version\":1,\"id\":\"k0l-txb-xxx\",\"blocking\":false,\"metadata\":{\"entities\":null,\"sources\":null},\"creationAuthorId\":1445416,\"creator\":{\"handle\":\"frog@datadoghq.com\",\"name\":\"frog\"},\"updater\":{\"handle\":\"\",\"name\":\"\"}}" + }, + "cookies": [], + "headers": [ + { + "name": "content-type", + "value": "application/json" + } + ], + "headersSize": 655, + "httpVersion": "HTTP/1.1", + "redirectURL": "", + "status": 200, + "statusText": "OK" + }, + "startedDateTime": "2025-09-12T15:45:55.723Z", + "time": 207 + }, + { + "_id": "d7239dc51220cdcb7c3c9788a4feafa5", + 
"_order": 0, + "cache": {}, + "request": { + "bodySize": 0, + "cookies": [], + "headers": [ + { + "_fromType": "array", + "name": "accept", + "value": "*/*" + } + ], + "headersSize": 536, + "httpVersion": "HTTP/1.1", + "method": "DELETE", + "queryString": [], + "url": "https://api.datadoghq.com/api/v2/security_monitoring/rules/k0l-txb-xxx" + }, + "response": { + "bodySize": 0, + "content": { + "mimeType": "text/plain", + "size": 0 + }, + "cookies": [], + "headers": [], + "headersSize": 601, + "httpVersion": "HTTP/1.1", + "redirectURL": "", + "status": 204, + "statusText": "No Content" + }, + "startedDateTime": "2025-09-12T15:45:55.938Z", + "time": 232 + } + ], + "pages": [], + "version": "1.2" + } +} diff --git a/cassettes/v2/Security-Monitoring_1187227211/Validate-a-detection-rule-with-detection-method-sequence_detection-returns-OK-response_4291746846/frozen.json b/cassettes/v2/Security-Monitoring_1187227211/Validate-a-detection-rule-with-detection-method-sequence_detection-returns-OK-response_4291746846/frozen.json new file mode 100644 index 000000000000..e9ed0d99819b --- /dev/null +++ b/cassettes/v2/Security-Monitoring_1187227211/Validate-a-detection-rule-with-detection-method-sequence_detection-returns-OK-response_4291746846/frozen.json @@ -0,0 +1 @@ +"2025-09-12T15:43:48.016Z" diff --git a/cassettes/v2/Security-Monitoring_1187227211/Validate-a-detection-rule-with-detection-method-sequence_detection-returns-OK-response_4291746846/recording.har b/cassettes/v2/Security-Monitoring_1187227211/Validate-a-detection-rule-with-detection-method-sequence_detection-returns-OK-response_4291746846/recording.har new file mode 100644 index 000000000000..6397db898bd4 --- /dev/null +++ b/cassettes/v2/Security-Monitoring_1187227211/Validate-a-detection-rule-with-detection-method-sequence_detection-returns-OK-response_4291746846/recording.har 
@@ -0,0 +1,61 @@ +{ + "log": { + "_recordingName": "Security Monitoring/Validate a detection rule with detection method 'sequence_detection' returns \"OK\" response", + "creator": { + "comment": "persister:fs", + "name": "Polly.JS", + "version": "6.0.5" + }, + "entries": [ + { + "_id": "7c3af95d617e9512f01309e2f2ec4f07", + "_order": 0, + "cache": {}, + "request": { + "bodySize": 856, + "cookies": [], + "headers": [ + { + "_fromType": "array", + "name": "accept", + "value": "*/*" + }, + { + "_fromType": "array", + "name": "content-type", + "value": "application/json" + } + ], + "headersSize": 588, + "httpVersion": "HTTP/1.1", + "method": "POST", + "postData": { + "mimeType": "application/json", + "params": [], + "text": "{\"cases\":[{\"condition\":\"step_b > 0\",\"name\":\"\",\"notifications\":[],\"status\":\"info\"}],\"hasExtendedTitle\":true,\"isEnabled\":true,\"message\":\"My security monitoring rule\",\"name\":\"My security monitoring rule\",\"options\":{\"detectionMethod\":\"sequence_detection\",\"evaluationWindow\":0,\"keepAlive\":300,\"maxSignalDuration\":600,\"sequenceDetectionOptions\":{\"stepTransitions\":[{\"child\":\"step_b\",\"evaluationWindow\":900,\"parent\":\"step_a\"}],\"steps\":[{\"condition\":\"a > 0\",\"evaluationWindow\":60,\"name\":\"step_a\"},{\"condition\":\"b > 0\",\"evaluationWindow\":60,\"name\":\"step_b\"}]}},\"queries\":[{\"aggregation\":\"count\",\"distinctFields\":[],\"groupByFields\":[\"@userIdentity.assumed_role\"],\"name\":\"\",\"query\":\"source:source_here\"},{\"aggregation\":\"count\",\"distinctFields\":[],\"groupByFields\":[],\"name\":\"\",\"query\":\"source:source_here2\"}],\"tags\":[\"env:prod\",\"team:security\"],\"type\":\"log_detection\"}" + }, + "queryString": [], + "url": "https://api.datadoghq.com/api/v2/security_monitoring/rules/validation" + }, + "response": { + "bodySize": 0, + "content": { + "mimeType": "text/plain", + "size": 0 + }, + "cookies": [], + "headers": [], + "headersSize": 601, + "httpVersion": "HTTP/1.1", 
+ "redirectURL": "", + "status": 204, + "statusText": "No Content" + }, + "startedDateTime": "2025-09-12T15:43:48.019Z", + "time": 114 + } + ], + "pages": [], + "version": "1.2" + } +} diff --git a/features/v2/security_monitoring.feature b/features/v2/security_monitoring.feature index 612e8fc5f98f..f4eab41ff04f 100644 --- a/features/v2/security_monitoring.feature +++ b/features/v2/security_monitoring.feature 
@@ -211,6 +211,16 @@ Feature: Security Monitoring And the response "message" is equal to "Test rule" And the response "referenceTables" is equal to [{"tableName": "synthetics_test_reference_table_dont_delete", "columnName": "value", "logFieldPath":"testtag", "checkPresence":true, "ruleQueryName":"a"}] + @team:DataDog/k9-cloud-security-platform + Scenario: Create a detection rule with detection method 'sequence_detection' returns "OK" response + Given new "CreateSecurityMonitoringRule" request + And body with value {"name":"{{ unique }}","type":"log_detection","isEnabled":true,"queries":[{"aggregation":"count","dataSource":"logs","distinctFields":[],"groupByFields":[],"hasOptionalGroupByFields":false,"name":"","query":"service:logs-rule-reducer source:paul test2"},{"aggregation":"count","dataSource":"logs","distinctFields":[],"groupByFields":[],"hasOptionalGroupByFields":false,"name":"","query":"service:logs-rule-reducer source:paul test1"}],"cases":[{"name":"","status":"info","notifications":[],"condition":"step_b > 0"}],"message":"Logs and signals asdf","options":{"detectionMethod":"sequence_detection","evaluationWindow":0,"keepAlive":300,"maxSignalDuration":600,"sequenceDetectionOptions":{"stepTransitions":[{"child":"step_b","evaluationWindow":900,"parent":"step_a"}],"steps":[{"condition":"a > 0","evaluationWindow":60,"name":"step_a"},{"condition":"b > 0","evaluationWindow":60,"name":"step_b"}]}},"tags":[]} + When the request is sent + Then the response status is 200 OK + And the response "name" is equal to "{{ unique }}" + And the response "type" is equal to "log_detection" + And the response "options.detectionMethod" is equal to "sequence_detection" + @team:DataDog/k9-cloud-security-platform Scenario: Create a detection rule with detection method 'third_party' returns "OK" response Given new "CreateSecurityMonitoringRule" request 
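Review bot: The new "Create a detection rule with detection method 'sequence_detection'" scenario asserts only `options.detectionMethod` on the response, so the round-trip of the `sequenceDetectionOptions` payload (the steps and stepTransitions the new SecurityMonitoringRuleSequenceDetectionOptions model introduces) is never checked and a serialization or deserialization regression in those models would still pass. Following the `referenceTables` assertion style visible just above in this hunk, add `And the response "options.sequenceDetectionOptions.steps" is equal to [{"condition":"a > 0","evaluationWindow":60,"name":"step_a"},{"condition":"b > 0","evaluationWindow":60,"name":"step_b"}]` and `And the response "options.sequenceDetectionOptions.stepTransitions" is equal to [{"child":"step_b","evaluationWindow":900,"parent":"step_a"}]`. The recorded cassette for this scenario already returns both arrays with these values, so the assertions should pass against the existing recording. If this scenario is generated from the spec repo's examples, the addition belongs there rather than in this file.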
@@ -1483,6 +1493,13 @@ Feature: Security Monitoring When the request is sent Then the response status is 204 OK + @team:DataDog/k9-cloud-security-platform + Scenario: Validate a detection rule with detection method 'sequence_detection' returns "OK" response + Given new "ValidateSecurityMonitoringRule" request + And body with value {"cases":[{"name":"","status":"info","notifications":[],"condition":"step_b > 0"}],"hasExtendedTitle":true,"isEnabled":true,"message":"My security monitoring rule","name":"My security monitoring rule","options":{"evaluationWindow":0,"keepAlive":300,"maxSignalDuration":600,"detectionMethod":"sequence_detection","sequenceDetectionOptions":{"stepTransitions":[{"child":"step_b","evaluationWindow":900,"parent":"step_a"}],"steps":[{"condition":"a > 0","evaluationWindow":60,"name":"step_a"},{"condition":"b > 0","evaluationWindow":60,"name":"step_b"}]}},"queries":[{"query":"source:source_here","groupByFields":["@userIdentity.assumed_role"],"distinctFields":[],"aggregation":"count","name":""},{"query":"source:source_here2","groupByFields":[],"distinctFields":[],"aggregation":"count","name":""}],"tags":["env:prod","team:security"],"type":"log_detection"} + When the request is sent + Then the response status is 204 OK + @team:DataDog/k9-cloud-security-platform Scenario: Validate a suppression rule returns "Bad Request" response Given new "ValidateSecurityMonitoringSuppression" request diff --git a/services/security_monitoring/src/v2/index.ts b/services/security_monitoring/src/v2/index.ts index d79134460b95..daaf731f1465 100644 --- a/services/security_monitoring/src/v2/index.ts +++ b/services/security_monitoring/src/v2/index.ts 
@@ -239,6 +239,9 @@ export { SecurityMonitoringRuleQueryAggregation } from "./models/SecurityMonitor export { SecurityMonitoringRuleQueryPayload } from "./models/SecurityMonitoringRuleQueryPayload"; export { SecurityMonitoringRuleQueryPayloadData } from "./models/SecurityMonitoringRuleQueryPayloadData"; export { SecurityMonitoringRuleResponse } from "./models/SecurityMonitoringRuleResponse"; +export { SecurityMonitoringRuleSequenceDetectionOptions } from "./models/SecurityMonitoringRuleSequenceDetectionOptions"; +export { SecurityMonitoringRuleSequenceDetectionStep } from "./models/SecurityMonitoringRuleSequenceDetectionStep"; +export { SecurityMonitoringRuleSequenceDetectionStepTransition } from "./models/SecurityMonitoringRuleSequenceDetectionStepTransition"; export { SecurityMonitoringRuleSeverity } from "./models/SecurityMonitoringRuleSeverity"; export { SecurityMonitoringRuleTestPayload } from "./models/SecurityMonitoringRuleTestPayload"; export { SecurityMonitoringRuleTestRequest } from "./models/SecurityMonitoringRuleTestRequest"; diff --git a/services/security_monitoring/src/v2/models/HistoricalJobOptions.ts b/services/security_monitoring/src/v2/models/HistoricalJobOptions.ts index b28e482350c0..439a9469f7ab 100644 --- a/services/security_monitoring/src/v2/models/HistoricalJobOptions.ts +++ b/services/security_monitoring/src/v2/models/HistoricalJobOptions.ts @@ -6,6 +6,7 @@ import { SecurityMonitoringRuleImpossibleTravelOptions } from "./SecurityMonitor import { SecurityMonitoringRuleKeepAlive } from "./SecurityMonitoringRuleKeepAlive"; import { SecurityMonitoringRuleMaxSignalDuration } from "./SecurityMonitoringRuleMaxSignalDuration"; import { SecurityMonitoringRuleNewValueOptions } from "./SecurityMonitoringRuleNewValueOptions"; +import { SecurityMonitoringRuleSequenceDetectionOptions } from "./SecurityMonitoringRuleSequenceDetectionOptions"; import { SecurityMonitoringRuleThirdPartyOptions } from "./SecurityMonitoringRuleThirdPartyOptions"; /** 
@@ -39,6 +40,10 @@ export class HistoricalJobOptions { * Options on new value detection method. */ "newValueOptions"?: SecurityMonitoringRuleNewValueOptions; + /** + * Options on sequence detection method. + */ + "sequenceDetectionOptions"?: SecurityMonitoringRuleSequenceDetectionOptions; /** * Options on third party detection method. */ @@ -85,6 +90,10 @@ export class HistoricalJobOptions { baseName: "newValueOptions", type: "SecurityMonitoringRuleNewValueOptions", }, + sequenceDetectionOptions: { + baseName: "sequenceDetectionOptions", + type: "SecurityMonitoringRuleSequenceDetectionOptions", + }, thirdPartyRuleOptions: { baseName: "thirdPartyRuleOptions", type: "SecurityMonitoringRuleThirdPartyOptions", diff --git a/services/security_monitoring/src/v2/models/SecurityMonitoringRuleDetectionMethod.ts b/services/security_monitoring/src/v2/models/SecurityMonitoringRuleDetectionMethod.ts index 9fba9fccde34..335338aafffb 100644 --- a/services/security_monitoring/src/v2/models/SecurityMonitoringRuleDetectionMethod.ts +++ b/services/security_monitoring/src/v2/models/SecurityMonitoringRuleDetectionMethod.ts @@ -11,6 +11,7 @@ export type SecurityMonitoringRuleDetectionMethod = | typeof HARDCODED | typeof THIRD_PARTY | typeof ANOMALY_THRESHOLD + | typeof SEQUENCE_DETECTION | UnparsedObject; export const THRESHOLD = "threshold"; export const NEW_VALUE = "new_value"; @@ -19,3 +20,4 @@ export const IMPOSSIBLE_TRAVEL = "impossible_travel"; export const HARDCODED = "hardcoded"; export const THIRD_PARTY = "third_party"; export const ANOMALY_THRESHOLD = "anomaly_threshold"; +export const SEQUENCE_DETECTION = "sequence_detection"; diff --git a/services/security_monitoring/src/v2/models/SecurityMonitoringRuleOptions.ts b/services/security_monitoring/src/v2/models/SecurityMonitoringRuleOptions.ts index da1c662d4731..0c7e8949965a 100644 --- a/services/security_monitoring/src/v2/models/SecurityMonitoringRuleOptions.ts 
+++ b/services/security_monitoring/src/v2/models/SecurityMonitoringRuleOptions.ts @@ -8,6 +8,7 @@ import { SecurityMonitoringRuleImpossibleTravelOptions } from "./SecurityMonitor import { SecurityMonitoringRuleKeepAlive } from "./SecurityMonitoringRuleKeepAlive"; import { SecurityMonitoringRuleMaxSignalDuration } from "./SecurityMonitoringRuleMaxSignalDuration"; import { SecurityMonitoringRuleNewValueOptions } from "./SecurityMonitoringRuleNewValueOptions"; +import { SecurityMonitoringRuleSequenceDetectionOptions } from "./SecurityMonitoringRuleSequenceDetectionOptions"; import { SecurityMonitoringRuleThirdPartyOptions } from "./SecurityMonitoringRuleThirdPartyOptions"; /** @@ -56,6 +57,10 @@ export class SecurityMonitoringRuleOptions { * Options on new value detection method. */ "newValueOptions"?: SecurityMonitoringRuleNewValueOptions; + /** + * Options on sequence detection method. + */ + "sequenceDetectionOptions"?: SecurityMonitoringRuleSequenceDetectionOptions; /** * Options on third party detection method. */ @@ -114,6 +119,10 @@ export class SecurityMonitoringRuleOptions { baseName: "newValueOptions", type: "SecurityMonitoringRuleNewValueOptions", }, + sequenceDetectionOptions: { + baseName: "sequenceDetectionOptions", + type: "SecurityMonitoringRuleSequenceDetectionOptions", + }, thirdPartyRuleOptions: { baseName: "thirdPartyRuleOptions", type: "SecurityMonitoringRuleThirdPartyOptions", diff --git a/services/security_monitoring/src/v2/models/SecurityMonitoringRuleSequenceDetectionOptions.ts b/services/security_monitoring/src/v2/models/SecurityMonitoringRuleSequenceDetectionOptions.ts new file mode 100644 index 000000000000..db2f7a1a2976 --- /dev/null +++ b/services/security_monitoring/src/v2/models/SecurityMonitoringRuleSequenceDetectionOptions.ts 
@@ -0,0 +1,55 @@
+import { AttributeTypeMap } from "@datadog/datadog-api-client";
+
+import { SecurityMonitoringRuleSequenceDetectionStep } from "./SecurityMonitoringRuleSequenceDetectionStep";
+import { SecurityMonitoringRuleSequenceDetectionStepTransition } from "./SecurityMonitoringRuleSequenceDetectionStepTransition";
+
+/**
+ * Options on sequence detection method.
+ */
+export class SecurityMonitoringRuleSequenceDetectionOptions {
+ /**
+ * Transitions defining the allowed order of steps and their evaluation windows.
+ */
+ "stepTransitions"?: Array;
+ /**
+ * Steps that define the conditions to be matched in sequence.
+ */
+ "steps"?: Array;
+ /**
+ * A container for additional, undeclared properties.
+ * This is a holder for any undeclared properties as specified with
+ * the 'additionalProperties' keyword in the OAS document.
+ */
+ "additionalProperties"?: { [key: string]: any };
+ /**
+ * @ignore
+ */
+ "_unparsed"?: boolean;
+
+ /**
+ * @ignore
+ */
+ static readonly attributeTypeMap: AttributeTypeMap = {
+ stepTransitions: {
+ baseName: "stepTransitions",
+ type: "Array",
+ },
+ steps: {
+ baseName: "steps",
+ type: "Array",
+ },
+ additionalProperties: {
+ baseName: "additionalProperties",
+ type: "{ [key: string]: any; }",
+ },
+ };
+
+ /**
+ * @ignore
+ */
+ static getAttributeTypeMap(): AttributeTypeMap {
+ return SecurityMonitoringRuleSequenceDetectionOptions.attributeTypeMap;
+ }
+
+ public constructor() {}
+}
diff --git a/services/security_monitoring/src/v2/models/SecurityMonitoringRuleSequenceDetectionStep.ts b/services/security_monitoring/src/v2/models/SecurityMonitoringRuleSequenceDetectionStep.ts
new file mode 100644
index 000000000000..163aefac8022
--- /dev/null
+++ b/services/security_monitoring/src/v2/models/SecurityMonitoringRuleSequenceDetectionStep.ts
@@ -0,0 +1,64 @@
+import { AttributeTypeMap } from "@datadog/datadog-api-client";
+
+import { SecurityMonitoringRuleEvaluationWindow } from "./SecurityMonitoringRuleEvaluationWindow";
+
+/**
+ * Step definition for sequence detection containing the step name, condition, and evaluation window.
+ */
+export class SecurityMonitoringRuleSequenceDetectionStep {
+ /**
+ * Condition referencing rule queries (e.g., `a > 0`).
+ */
+ "condition"?: string;
+ /**
+ * A time window is specified to match when at least one of the cases matches true. This is a sliding window
+ * and evaluates in real time. For third party detection method, this field is not used.
+ */
+ "evaluationWindow"?: SecurityMonitoringRuleEvaluationWindow;
+ /**
+ * Unique name identifying the step.
+ */
+ "name"?: string;
+ /**
+ * A container for additional, undeclared properties.
+ * This is a holder for any undeclared properties as specified with
+ * the 'additionalProperties' keyword in the OAS document.
+ */
+ "additionalProperties"?: { [key: string]: any };
+ /**
+ * @ignore
+ */
+ "_unparsed"?: boolean;
+
+ /**
+ * @ignore
+ */
+ static readonly attributeTypeMap: AttributeTypeMap = {
+ condition: {
+ baseName: "condition",
+ type: "string",
+ },
+ evaluationWindow: {
+ baseName: "evaluationWindow",
+ type: "SecurityMonitoringRuleEvaluationWindow",
+ format: "int32",
+ },
+ name: {
+ baseName: "name",
+ type: "string",
+ },
+ additionalProperties: {
+ baseName: "additionalProperties",
+ type: "{ [key: string]: any; }",
+ },
+ };
+
+ /**
+ * @ignore
+ */
+ static getAttributeTypeMap(): AttributeTypeMap {
+ return SecurityMonitoringRuleSequenceDetectionStep.attributeTypeMap;
+ }
+
+ public constructor() {}
+}
diff --git a/services/security_monitoring/src/v2/models/SecurityMonitoringRuleSequenceDetectionStepTransition.ts b/services/security_monitoring/src/v2/models/SecurityMonitoringRuleSequenceDetectionStepTransition.ts
new file mode 100644
index 000000000000..7c7753765189
--- /dev/null
+++ b/services/security_monitoring/src/v2/models/SecurityMonitoringRuleSequenceDetectionStepTransition.ts
@@ -0,0 +1,64 @@
+import { AttributeTypeMap } from "@datadog/datadog-api-client";
+
+import { SecurityMonitoringRuleEvaluationWindow } from "./SecurityMonitoringRuleEvaluationWindow";
+
+/**
+ * Transition from a parent step to a child step within a sequence detection rule.
+ */
+export class SecurityMonitoringRuleSequenceDetectionStepTransition {
+ /**
+ * Name of the child step.
+ */
+ "child"?: string;
+ /**
+ * A time window is specified to match when at least one of the cases matches true. This is a sliding window
+ * and evaluates in real time. For third party detection method, this field is not used.
+ */
+ "evaluationWindow"?: SecurityMonitoringRuleEvaluationWindow;
+ /**
+ * Name of the parent step.
+ */
+ "parent"?: string;
+ /**
+ * A container for additional, undeclared properties.
+ * This is a holder for any undeclared properties as specified with
+ * the 'additionalProperties' keyword in the OAS document.
+ */
+ "additionalProperties"?: { [key: string]: any };
+ /**
+ * @ignore
+ */
+ "_unparsed"?: boolean;
+
+ /**
+ * @ignore
+ */
+ static readonly attributeTypeMap: AttributeTypeMap = {
+ child: {
+ baseName: "child",
+ type: "string",
+ },
+ evaluationWindow: {
+ baseName: "evaluationWindow",
+ type: "SecurityMonitoringRuleEvaluationWindow",
+ format: "int32",
+ },
+ parent: {
+ baseName: "parent",
+ type: "string",
+ },
+ additionalProperties: {
+ baseName: "additionalProperties",
+ type: "{ [key: string]: any; }",
+ },
+ };
+
+ /**
+ * @ignore
+ */
+ static getAttributeTypeMap(): AttributeTypeMap {
+ return SecurityMonitoringRuleSequenceDetectionStepTransition.attributeTypeMap;
+ }
+
+ public constructor() {}
+}
diff --git a/services/security_monitoring/src/v2/models/TypingInfo.ts b/services/security_monitoring/src/v2/models/TypingInfo.ts
index 0b99201cf40f..61fea6c3e5a6 100644
--- a/services/security_monitoring/src/v2/models/TypingInfo.ts
+++ b/services/security_monitoring/src/v2/models/TypingInfo.ts @@ -137,6 +137,9 @@ import { SecurityMonitoringRuleNewValueOptions } from "./SecurityMonitoringRuleN import { SecurityMonitoringRuleOptions } from "./SecurityMonitoringRuleOptions"; import { SecurityMonitoringRuleQueryPayload } from "./SecurityMonitoringRuleQueryPayload"; import { SecurityMonitoringRuleQueryPayloadData } from "./SecurityMonitoringRuleQueryPayloadData"; +import { SecurityMonitoringRuleSequenceDetectionOptions } from "./SecurityMonitoringRuleSequenceDetectionOptions"; +import { SecurityMonitoringRuleSequenceDetectionStep } from "./SecurityMonitoringRuleSequenceDetectionStep"; +import { SecurityMonitoringRuleSequenceDetectionStepTransition } from "./SecurityMonitoringRuleSequenceDetectionStepTransition"; import { SecurityMonitoringRuleTestRequest } from "./SecurityMonitoringRuleTestRequest"; import { SecurityMonitoringRuleTestResponse } from "./SecurityMonitoringRuleTestResponse"; import { SecurityMonitoringRuleThirdPartyOptions } from "./SecurityMonitoringRuleThirdPartyOptions"; @@ -303,6 +306,7 @@ export const TypingInfo: ModelTypingInfo = { "hardcoded", "third_party", "anomaly_threshold", + "sequence_detection", ], SecurityMonitoringRuleEvaluationWindow: [ 0, 60, 300, 600, 900, 1800, 3600, 7200, 10800, 21600, 43200, 86400, 
@@ -629,6 +633,12 @@ export const TypingInfo: ModelTypingInfo = { SecurityMonitoringRuleQueryPayload: SecurityMonitoringRuleQueryPayload, SecurityMonitoringRuleQueryPayloadData: SecurityMonitoringRuleQueryPayloadData, + SecurityMonitoringRuleSequenceDetectionOptions: + SecurityMonitoringRuleSequenceDetectionOptions, + SecurityMonitoringRuleSequenceDetectionStep: + SecurityMonitoringRuleSequenceDetectionStep, + SecurityMonitoringRuleSequenceDetectionStepTransition: + SecurityMonitoringRuleSequenceDetectionStepTransition, SecurityMonitoringRuleTestRequest: SecurityMonitoringRuleTestRequest, SecurityMonitoringRuleTestResponse: SecurityMonitoringRuleTestResponse, SecurityMonitoringRuleThirdPartyOptions: