diff --git a/.generator/schemas/v2/openapi.yaml b/.generator/schemas/v2/openapi.yaml
index d1ea8725c694..961406c151ed 100644
--- a/.generator/schemas/v2/openapi.yaml
+++ b/.generator/schemas/v2/openapi.yaml
@@ -43891,6 +43891,14 @@ components:
 for scheduled rules - in other words, when the `schedulingOptions` field is
 present in the rule payload.'
 type: string
+ indexes:
+ description: List of indexes to query when the `dataSource` is `logs`. Only
+ used for scheduled rules, such as when the `schedulingOptions` field is
+ present in the rule payload.
+ items:
+ description: Index.
+ type: string
+ type: array
 metric:
 deprecated: true
 description: '(Deprecated) The target field to aggregate over when using
diff --git a/cassettes/v2/Security-Monitoring_1187227211/Create-a-scheduled-detection-rule-returns-OK-response_4086716458/frozen.json b/cassettes/v2/Security-Monitoring_1187227211/Create-a-scheduled-detection-rule-returns-OK-response_4086716458/frozen.json
index 03069033acbf..4e1f3bbfcd9b 100644
--- a/cassettes/v2/Security-Monitoring_1187227211/Create-a-scheduled-detection-rule-returns-OK-response_4086716458/frozen.json
+++ b/cassettes/v2/Security-Monitoring_1187227211/Create-a-scheduled-detection-rule-returns-OK-response_4086716458/frozen.json
@@ -1 +1 @@
-"2025-07-31T07:48:27.113Z"
+"2025-10-13T21:11:45.641Z"
diff --git a/cassettes/v2/Security-Monitoring_1187227211/Create-a-scheduled-detection-rule-returns-OK-response_4086716458/recording.har b/cassettes/v2/Security-Monitoring_1187227211/Create-a-scheduled-detection-rule-returns-OK-response_4086716458/recording.har
index 4d45e04401e5..858db75af1c8 100644
--- a/cassettes/v2/Security-Monitoring_1187227211/Create-a-scheduled-detection-rule-returns-OK-response_4086716458/recording.har
+++ b/cassettes/v2/Security-Monitoring_1187227211/Create-a-scheduled-detection-rule-returns-OK-response_4086716458/recording.har
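Review bot: The new `indexes` property says nothing about how it relates to the existing `index` property kept two lines above it, which this hunk leaves neither deprecated nor cross-referenced, so a reader of the schema cannot tell whether the two are alternatives or what happens when both are sent. The recorded response in the cassette further down returns both `index: "main"` and `indexes: ["main"]`, which suggests the server keeps both; the actual precedence is not visible here and should come from the API owner. I would extend the description with a sentence along the lines of `Supersedes the singular `index` field; when both are supplied, <PLACEHOLDER: documented precedence> applies.` and mark `index` as `deprecated: true` if it is in fact being replaced. The `items` description `Index.` only repeats the key; `description: Name of a log index to query.` tells the reader what kind of value is expected. Consider also whether the list needs `minItems`/`uniqueItems`, since an empty or duplicated list is accepted by the schema as written.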
@@ -8,11 +8,11 @@ }, "entries": [ { - "_id": "65e5fd9cf3ead6c42b6c2fecaf3465a1", + "_id": "9e5544391b54c57a63096e4100546bfd", "_order": 0, "cache": {}, "request": { - "bodySize": 543, + "bodySize": 547, "cookies": [], "headers": [ { 
@@ -32,17 +32,17 @@ "postData": { "mimeType": "application/json", "params": [], - "text": "{\"cases\":[{\"condition\":\"a > 0\",\"name\":\"\",\"notifications\":[],\"status\":\"info\"}],\"filters\":[],\"isEnabled\":true,\"message\":\"Test rule\",\"name\":\"Test-Create_a_scheduled_detection_rule_returns_OK_response-1753948107\",\"options\":{\"evaluationWindow\":900,\"keepAlive\":3600,\"maxSignalDuration\":86400},\"queries\":[{\"aggregation\":\"count\",\"distinctFields\":[],\"groupByFields\":[],\"index\":\"main\",\"query\":\"@test:true\"}],\"schedulingOptions\":{\"rrule\":\"FREQ=HOURLY;INTERVAL=2;\",\"start\":\"2025-06-18T12:00:00\",\"timezone\":\"Europe/Paris\"},\"tags\":[],\"type\":\"log_detection\"}" + "text": "{\"cases\":[{\"condition\":\"a > 0\",\"name\":\"\",\"notifications\":[],\"status\":\"info\"}],\"filters\":[],\"isEnabled\":true,\"message\":\"Test rule\",\"name\":\"Test-Create_a_scheduled_detection_rule_returns_OK_response-1760389905\",\"options\":{\"evaluationWindow\":900,\"keepAlive\":3600,\"maxSignalDuration\":86400},\"queries\":[{\"aggregation\":\"count\",\"distinctFields\":[],\"groupByFields\":[],\"indexes\":[\"main\"],\"query\":\"@test:true\"}],\"schedulingOptions\":{\"rrule\":\"FREQ=HOURLY;INTERVAL=2;\",\"start\":\"2025-06-18T12:00:00\",\"timezone\":\"Europe/Paris\"},\"tags\":[],\"type\":\"log_detection\"}" }, "queryString": [], "url": "https://api.datadoghq.com/api/v2/security_monitoring/rules" }, "response": { - "bodySize": 991, + "bodySize": 1010, "content": { "mimeType": "application/json", - "size": 991, - "text": 
"{\"name\":\"Test-Create_a_scheduled_detection_rule_returns_OK_response-1753948107\",\"createdAt\":1753948107557,\"isDefault\":false,\"isPartner\":false,\"isEnabled\":true,\"isBeta\":false,\"isDeleted\":false,\"isDeprecated\":false,\"queries\":[{\"query\":\"@test:true\",\"groupByFields\":[],\"hasOptionalGroupByFields\":false,\"distinctFields\":[],\"aggregation\":\"count\",\"name\":\"\",\"dataSource\":\"logs\",\"index\":\"main\"}],\"options\":{\"evaluationWindow\":900,\"detectionMethod\":\"threshold\",\"maxSignalDuration\":86400,\"keepAlive\":3600},\"cases\":[{\"name\":\"\",\"status\":\"info\",\"notifications\":[],\"condition\":\"a \\u003e 0\"}],\"message\":\"Test rule\",\"tags\":[],\"hasExtendedTitle\":false,\"type\":\"log_detection\",\"filters\":[],\"version\":1,\"id\":\"8dd-els-oyn\",\"blocking\":false,\"metadata\":{\"entities\":null,\"sources\":null},\"creationAuthorId\":1445416,\"creator\":{\"handle\":\"frog@datadoghq.com\",\"name\":\"frog\"},\"updater\":{\"handle\":\"\",\"name\":\"\"},\"schedulingOptions\":{\"rrule\":\"FREQ=HOURLY;INTERVAL=2;\",\"start\":\"2025-06-18T12:00:00\",\"timezone\":\"Europe/Paris\"}}" + "size": 1010, + "text": "{\"name\":\"Test-Create_a_scheduled_detection_rule_returns_OK_response-1760389905\",\"createdAt\":1760389906051,\"isDefault\":false,\"isPartner\":false,\"isEnabled\":true,\"isBeta\":false,\"isDeleted\":false,\"isDeprecated\":false,\"queries\":[{\"query\":\"@test:true\",\"groupByFields\":[],\"hasOptionalGroupByFields\":false,\"distinctFields\":[],\"aggregation\":\"count\",\"name\":\"\",\"dataSource\":\"logs\",\"index\":\"main\",\"indexes\":[\"main\"]}],\"options\":{\"evaluationWindow\":900,\"detectionMethod\":\"threshold\",\"maxSignalDuration\":86400,\"keepAlive\":3600},\"cases\":[{\"name\":\"\",\"status\":\"info\",\"notifications\":[],\"condition\":\"a \\u003e 0\"}],\"message\":\"Test 
rule\",\"tags\":[],\"hasExtendedTitle\":false,\"type\":\"log_detection\",\"filters\":[],\"version\":1,\"id\":\"vgs-rrg-orf\",\"blocking\":false,\"metadata\":{\"entities\":null,\"sources\":null},\"creationAuthorId\":1445416,\"creator\":{\"handle\":\"frog@datadoghq.com\",\"name\":\"frog\"},\"updater\":{\"handle\":\"\",\"name\":\"\"},\"schedulingOptions\":{\"rrule\":\"FREQ=HOURLY;INTERVAL=2;\",\"start\":\"2025-06-18T12:00:00\",\"timezone\":\"Europe/Paris\"}}" }, "cookies": [], "headers": [ @@ -51,17 +51,17 @@ "value": "application/json" } ], - "headersSize": 654, + "headersSize": 655, "httpVersion": "HTTP/1.1", "redirectURL": "", "status": 200, "statusText": "OK" }, - "startedDateTime": "2025-07-31T07:48:27.118Z", - "time": 469 + "startedDateTime": "2025-10-13T21:11:45.649Z", + "time": 443 }, { - "_id": "9ba28a921a04dada8d9d8beaa90e5bf7", + "_id": "3f90a9ee18561d238f2f54a61f8a9e13", "_order": 0, "cache": {}, "request": { @@ -78,7 +78,7 @@ "httpVersion": "HTTP/1.1", "method": "DELETE", "queryString": [], - "url": "https://api.datadoghq.com/api/v2/security_monitoring/rules/8dd-els-oyn" + "url": "https://api.datadoghq.com/api/v2/security_monitoring/rules/vgs-rrg-orf" }, "response": { "bodySize": 0, @@ -94,8 +94,8 @@ "status": 204, "statusText": "No Content" }, - "startedDateTime": "2025-07-31T07:48:27.600Z", - "time": 436 + "startedDateTime": "2025-10-13T21:11:46.103Z", + "time": 446 } ], "pages": [], diff --git a/cassettes/v2/Security-Monitoring_1187227211/Create-a-scheduled-rule-without-rrule-returns-Bad-Request-response_2911847931/frozen.json b/cassettes/v2/Security-Monitoring_1187227211/Create-a-scheduled-rule-without-rrule-returns-Bad-Request-response_2911847931/frozen.json index 8d517a63cc5a..a379bbe02008 100644 --- a/cassettes/v2/Security-Monitoring_1187227211/Create-a-scheduled-rule-without-rrule-returns-Bad-Request-response_2911847931/frozen.json 
+++ b/cassettes/v2/Security-Monitoring_1187227211/Create-a-scheduled-rule-without-rrule-returns-Bad-Request-response_2911847931/frozen.json @@ -1 +1 @@ -"2025-07-31T07:49:14.474Z" +"2025-10-13T21:12:46.212Z" diff --git a/cassettes/v2/Security-Monitoring_1187227211/Create-a-scheduled-rule-without-rrule-returns-Bad-Request-response_2911847931/recording.har b/cassettes/v2/Security-Monitoring_1187227211/Create-a-scheduled-rule-without-rrule-returns-Bad-Request-response_2911847931/recording.har index c91747cf8397..ad39653aa02b 100644 --- a/cassettes/v2/Security-Monitoring_1187227211/Create-a-scheduled-rule-without-rrule-returns-Bad-Request-response_2911847931/recording.har +++ b/cassettes/v2/Security-Monitoring_1187227211/Create-a-scheduled-rule-without-rrule-returns-Bad-Request-response_2911847931/recording.har @@ -8,11 +8,11 @@ }, "entries": [ { - "_id": "d9e00af4d10673adb787bc97f2c88023", + "_id": "cbbd6e4eaf0e9a076e70f2b3e17abe21", "_order": 0, "cache": {}, "request": { - "bodySize": 522, + "bodySize": 526, "cookies": [], "headers": [ { 
@@ -32,7 +32,7 @@ "postData": { "mimeType": "application/json", "params": [], - "text": "{\"cases\":[{\"condition\":\"a > 0\",\"name\":\"\",\"notifications\":[],\"status\":\"info\"}],\"filters\":[],\"isEnabled\":true,\"message\":\"Test rule\",\"name\":\"Test-Create_a_scheduled_rule_without_rrule_returns_Bad_Request_response-1753948154\",\"options\":{\"evaluationWindow\":900,\"keepAlive\":3600,\"maxSignalDuration\":86400},\"queries\":[{\"aggregation\":\"count\",\"distinctFields\":[],\"groupByFields\":[],\"index\":\"main\",\"query\":\"@test:true\"}],\"schedulingOptions\":{\"start\":\"2025-06-18T12:00:00\",\"timezone\":\"Europe/Paris\"},\"tags\":[],\"type\":\"log_detection\"}" + "text": "{\"cases\":[{\"condition\":\"a > 0\",\"name\":\"\",\"notifications\":[],\"status\":\"info\"}],\"filters\":[],\"isEnabled\":true,\"message\":\"Test rule\",\"name\":\"Test-Create_a_scheduled_rule_without_rrule_returns_Bad_Request_response-1760389966\",\"options\":{\"evaluationWindow\":900,\"keepAlive\":3600,\"maxSignalDuration\":86400},\"queries\":[{\"aggregation\":\"count\",\"distinctFields\":[],\"groupByFields\":[],\"indexes\":[\"main\"],\"query\":\"@test:true\"}],\"schedulingOptions\":{\"start\":\"2025-06-18T12:00:00\",\"timezone\":\"Europe/Paris\"},\"tags\":[],\"type\":\"log_detection\"}" }, "queryString": [], "url": "https://api.datadoghq.com/api/v2/security_monitoring/rules" @@ -57,8 +57,8 @@ "status": 400, "statusText": "Bad Request" }, - "startedDateTime": "2025-07-31T07:49:14.479Z", - "time": 421 + "startedDateTime": "2025-10-13T21:12:46.235Z", + "time": 962 } ], "pages": [], diff --git a/features/v2/security_monitoring.feature b/features/v2/security_monitoring.feature index 77aa1d738ce1..c83348e68981 100644 --- a/features/v2/security_monitoring.feature +++ b/features/v2/security_monitoring.feature 
@@ -308,7 +308,7 @@ Feature: Security Monitoring
 @team:DataDog/k9-cloud-security-platform
 Scenario: Create a scheduled detection rule returns "OK" response
 Given new "CreateSecurityMonitoringRule" request
- And body with value {"name":"{{ unique }}", "queries":[{"query":"@test:true","aggregation":"count","groupByFields":[],"distinctFields":[],"index":"main"}],"filters":[],"cases":[{"name":"","status":"info","condition":"a > 0","notifications":[]}],"options":{"evaluationWindow":900,"keepAlive":3600,"maxSignalDuration":86400},"message":"Test rule","tags":[],"isEnabled":true, "type":"log_detection", "schedulingOptions": {"rrule": "FREQ=HOURLY;INTERVAL=2;", "start": "2025-06-18T12:00:00", "timezone": "Europe/Paris"}}
+ And body with value {"name":"{{ unique }}", "queries":[{"query":"@test:true","aggregation":"count","groupByFields":[],"distinctFields":[],"indexes":["main"]}],"filters":[],"cases":[{"name":"","status":"info","condition":"a > 0","notifications":[]}],"options":{"evaluationWindow":900,"keepAlive":3600,"maxSignalDuration":86400},"message":"Test rule","tags":[],"isEnabled":true, "type":"log_detection", "schedulingOptions": {"rrule": "FREQ=HOURLY;INTERVAL=2;", "start": "2025-06-18T12:00:00", "timezone": "Europe/Paris"}}
 When the request is sent
 Then the response status is 200 OK
 And the response "name" is equal to "{{ unique }}"
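Review bot: Both scheduled-rule scenarios now send only `indexes`, so the singular `index` field, which the schema still carries, loses its only scenario coverage in this feature; the hunk at line 319 makes the same substitution. The request bodies also send the single-element list `["main"]`, which exercises nothing a plain string could not, so the list semantics the new field introduces are not actually tested. I would keep one scenario on `index` for as long as that field remains in the schema, or add a scenario that sends more than one index so the array shape is exercised end to end.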
@@ -319,7 +319,7 @@ Feature: Security Monitoring
 @team:DataDog/k9-cloud-security-platform
 Scenario: Create a scheduled rule without rrule returns "Bad Request" response
 Given new "CreateSecurityMonitoringRule" request
- And body with value {"name":"{{ unique }}", "queries":[{"query":"@test:true","aggregation":"count","groupByFields":[],"distinctFields":[],"index":"main"}],"filters":[],"cases":[{"name":"","status":"info","condition":"a > 0","notifications":[]}],"options":{"evaluationWindow":900,"keepAlive":3600,"maxSignalDuration":86400},"message":"Test rule","tags":[],"isEnabled":true, "type":"log_detection", "schedulingOptions": {"start": "2025-06-18T12:00:00", "timezone": "Europe/Paris"}}
+ And body with value {"name":"{{ unique }}", "queries":[{"query":"@test:true","aggregation":"count","groupByFields":[],"distinctFields":[],"indexes":["main"]}],"filters":[],"cases":[{"name":"","status":"info","condition":"a > 0","notifications":[]}],"options":{"evaluationWindow":900,"keepAlive":3600,"maxSignalDuration":86400},"message":"Test rule","tags":[],"isEnabled":true, "type":"log_detection", "schedulingOptions": {"start": "2025-06-18T12:00:00", "timezone": "Europe/Paris"}}
 When the request is sent
 Then the response status is 400 Bad Request
diff --git a/services/security_monitoring/src/v2/models/SecurityMonitoringStandardRuleQuery.ts b/services/security_monitoring/src/v2/models/SecurityMonitoringStandardRuleQuery.ts
index 9988ed03caac..b7c060af253c 100644
--- a/services/security_monitoring/src/v2/models/SecurityMonitoringStandardRuleQuery.ts
+++ b/services/security_monitoring/src/v2/models/SecurityMonitoringStandardRuleQuery.ts
@@ -36,6 +36,10 @@ export class SecurityMonitoringStandardRuleQuery {
 * The index to run the query on, if the `dataSource` is `logs`. Only used for scheduled rules - in other words, when the `schedulingOptions` field is present in the rule payload.
 */
 "index"?: string;
+ /**
+ * List of indexes to query when the `dataSource` is `logs`. Only used for scheduled rules, such as when the `schedulingOptions` field is present in the rule payload.
+ */
+ "indexes"?: Array;
 /**
 * (Deprecated) The target field to aggregate over when using the sum or max
 * aggregations. `metrics` field should be used instead.
@@ -96,6 +100,10 @@ export class SecurityMonitoringStandardRuleQuery {
 baseName: "index",
 type: "string",
 },
+ indexes: {
+ baseName: "indexes",
+ type: "Array",
+ },
 metric: {
 baseName: "metric",
 type: "string",
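Review bot: As rendered here the new property is declared as `"indexes"?: Array;` with no element type, and the attributeTypeMap entry in the second hunk of this file likewise reads `type: "Array"`; if that is not an artifact of how this page was extracted, the declaration should be `"indexes"?: Array<string>;` and the map entry `type: "Array<string>"`, so that deserialization matches the `items: type: string` the OpenAPI schema declares. Either way, the JSDoc on the new property mirrors the schema text and, like it, does not say how `indexes` relates to the `index` property declared immediately above, so a caller has no guidance on which one to populate; one added sentence such as `Prefer this over the singular `index` field.`, if that is the intended direction, would settle it. Both hunks sit inside the `SecurityMonitoringStandardRuleQuery` class body, which begins and ends outside this diff.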