diff --git a/content/en/api/v2/security-monitoring/examples.json b/content/en/api/v2/security-monitoring/examples.json
index 17f4f4797ce00..b2ceb8caee274 100644
--- a/content/en/api/v2/security-monitoring/examples.json
+++ b/content/en/api/v2/security-monitoring/examples.json
@@ -2956,6 +2956,7 @@
 "groupByFields": [],
 "hasOptionalGroupByFields": false,
 "index": "string",
+ "indexes": [],
 "metric": "string",
 "metrics": [],
 "name": "string",
@@ -2990,7 +2991,7 @@
 ],
 "type": "string"
 },
- "html": "
Option 1
\nobject
Create a new rule.
calculatedFields
\n[object]
Calculated fields. Only allowed for scheduled rules - in other words, when schedulingOptions is also defined.
expression [required]
\nstring
Expression.
name [required]
\nstring
Field name.
cases [required]
\n[object]
Cases for generating signals.
actions
\n[object]
Action to perform for each rule case.
options
\nobject
Options for the rule action
duration
\nint64
Duration of the action in seconds. 0 indicates no expiration.
flaggedIPType
\nenum
Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. \nAllowed enum values: SUSPICIOUS,FLAGGED
userBehaviorName
\nstring
Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.
type
\nenum
The action type. \nAllowed enum values: block_ip,block_user,user_behavior,flag_ip
condition
\nstring
A case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated\nbased on the event counts in the previously defined queries.
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets.
status [required]
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
filters
\n[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
\nenum
The type of filtering action. \nAllowed enum values: require,suppress
query
\nstring
Query for selecting logs to apply the filtering action.
groupSignalsBy
\n[string]
Additional grouping to perform on top of the existing groups in the query section. Must be a subset of the existing groups.
hasExtendedTitle
\nboolean
Whether the notifications include the triggering group-by values in their title.
isEnabled [required]
\nboolean
Whether the rule is enabled.
message [required]
\nstring
Message for generated signals.
name [required]
\nstring
The name of the rule.
options [required]
\nobject
Options.
complianceRuleOptions
\nobject
Options for cloud_configuration rules.\nFields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.
complexRule
\nboolean
Whether the rule is a complex one.\nMust be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.
regoRule
\nobject
Rule details.
policy [required]
\nstring
The policy written in rego, see: https://www.openpolicyagent.org/docs/latest/policy-language/
resourceTypes [required]
\n[string]
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
\nstring
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.
decreaseCriticalityBasedOnEnv
\nboolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.\nThe severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO.\nThe decrement is applied when the environment tag of the signal starts with staging, test or dev.
detectionMethod
\nenum
The detection method. \nAllowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
hardcodedEvaluatorType
\nenum
Hardcoded evaluator type. \nAllowed enum values: log4shell
impossibleTravelOptions
\nobject
Options on impossible travel detection method.
baselineUserLocations
\nboolean
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular\naccess locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
\nenum
Once a signal is generated, the signal will remain "open" if a case is matched at least once within\nthis keep alive window. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
maxSignalDuration
\nenum
A signal will "close" regardless of the query being matched once the time exceeds the maximum duration.\nThis time is calculated from the first seen timestamp. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
\nobject
Options on new value detection method.
forgetAfter
\nenum
The duration in days after which a learned value is forgotten. \nAllowed enum values: 1,2,7,14,21,28
learningDuration
\nenum
The duration in days during which values are learned, and after which signals will be generated for values that\nweren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. \nAllowed enum values: 0,1,7
learningMethod
\nenum
The learning method used to determine when signals should be generated for values that weren't learned. \nAllowed enum values: duration,threshold
default: duration
learningThreshold
\nenum
A number of occurrences after which signals will be generated for values that weren't learned. \nAllowed enum values: 0,1
sequenceDetectionOptions
\nobject
Options on sequence detection method.
stepTransitions
\n[object]
Transitions defining the allowed order of steps and their evaluation windows.
child
\nstring
Name of the child step.
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
parent
\nstring
Name of the parent step.
steps
\n[object]
Steps that define the conditions to be matched in sequence.
condition
\nstring
Condition referencing rule queries (e.g., a > 0).
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
name
\nstring
Unique name identifying the step.
thirdPartyRuleOptions
\nobject
Options on third party detection method.
defaultNotifications
\n[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
rootQueries
\n[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
\n[string]
Fields to group by.
query
\nstring
Query to run on logs.
signalTitleTemplate
\nstring
A template for the signal title; if omitted, the title is generated based on the case name.
queries [required]
\n[object]
Queries for selecting logs which are part of the rule.
aggregation
\nenum
The aggregation type. \nAllowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
customQueryExtension
\nstring
Query extension to append to the logs query.
dataSource
\nenum
Source of events, either logs, audit trail, or Datadog events. \nAllowed enum values: logs,audit,app_sec_spans,spans,security_runtime,network,events
default: logs
distinctFields
\n[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
\n[string]
Fields to group by.
hasOptionalGroupByFields
\nboolean
When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with N/A, replacing the missing values.
index
\nstring
This field is currently unstable and might be removed in a minor version upgrade.\nThe index to run the query on, if the dataSource is logs. Only used for scheduled rules - in other words, when the schedulingOptions field is present in the rule payload.
metric
\nstring
DEPRECATED: (Deprecated) The target field to aggregate over when using the sum or max\naggregations. metrics field should be used instead.
metrics
\n[string]
Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.
name
\nstring
Name of the query.
query
\nstring
Query to run on logs.
referenceTables
\n[object]
Reference tables for the rule.
checkPresence
\nboolean
Whether to include or exclude the matched values.
columnName
\nstring
The name of the column in the reference table.
logFieldPath
\nstring
The field in the log to match against the reference table.
ruleQueryName
\nstring
The name of the query to apply the reference table to.
tableName
\nstring
The name of the reference table.
schedulingOptions
\nobject
Options for scheduled rules. When this field is present, the rule runs based on the schedule. When absent, it runs real-time on ingested logs.
rrule
\nstring
Schedule for the rule queries, written in RRULE syntax. See RFC for syntax reference.
start
\nstring
Start date for the schedule, in ISO 8601 format without timezone.
tags
\n[string]
Tags for generated signals.
thirdPartyCases
\n[object]
Cases for generating signals from third-party rules. Only available for third-party rules.
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets for each case.
query
\nstring
A query to map a third party event to this case.
status [required]
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
type
\nenum
The rule type. \nAllowed enum values: api_security,application_security,log_detection,workload_security
Option 2
\nobject
Create a new signal correlation rule.
cases [required]
\n[object]
Cases for generating signals.
actions
\n[object]
Action to perform for each rule case.
options
\nobject
Options for the rule action
duration
\nint64
Duration of the action in seconds. 0 indicates no expiration.
flaggedIPType
\nenum
Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. \nAllowed enum values: SUSPICIOUS,FLAGGED
userBehaviorName
\nstring
Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.
type
\nenum
The action type. \nAllowed enum values: block_ip,block_user,user_behavior,flag_ip
condition
\nstring
A case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated\nbased on the event counts in the previously defined queries.
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets.
status [required]
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
filters
\n[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
\nenum
The type of filtering action. \nAllowed enum values: require,suppress
query
\nstring
Query for selecting logs to apply the filtering action.
hasExtendedTitle
\nboolean
Whether the notifications include the triggering group-by values in their title.
isEnabled [required]
\nboolean
Whether the rule is enabled.
message [required]
\nstring
Message for generated signals.
name [required]
\nstring
The name of the rule.
options [required]
\nobject
Options.
complianceRuleOptions
\nobject
Options for cloud_configuration rules.\nFields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.
complexRule
\nboolean
Whether the rule is a complex one.\nMust be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.
regoRule
\nobject
Rule details.
policy [required]
\nstring
The policy written in rego, see: https://www.openpolicyagent.org/docs/latest/policy-language/
resourceTypes [required]
\n[string]
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
\nstring
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.
decreaseCriticalityBasedOnEnv
\nboolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.\nThe severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO.\nThe decrement is applied when the environment tag of the signal starts with staging, test or dev.
detectionMethod
\nenum
The detection method. \nAllowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
hardcodedEvaluatorType
\nenum
Hardcoded evaluator type. \nAllowed enum values: log4shell
impossibleTravelOptions
\nobject
Options on impossible travel detection method.
baselineUserLocations
\nboolean
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular\naccess locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
\nenum
Once a signal is generated, the signal will remain "open" if a case is matched at least once within\nthis keep alive window. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
maxSignalDuration
\nenum
A signal will "close" regardless of the query being matched once the time exceeds the maximum duration.\nThis time is calculated from the first seen timestamp. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
\nobject
Options on new value detection method.
forgetAfter
\nenum
The duration in days after which a learned value is forgotten. \nAllowed enum values: 1,2,7,14,21,28
learningDuration
\nenum
The duration in days during which values are learned, and after which signals will be generated for values that\nweren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. \nAllowed enum values: 0,1,7
learningMethod
\nenum
The learning method used to determine when signals should be generated for values that weren't learned. \nAllowed enum values: duration,threshold
default: duration
learningThreshold
\nenum
A number of occurrences after which signals will be generated for values that weren't learned. \nAllowed enum values: 0,1
sequenceDetectionOptions
\nobject
Options on sequence detection method.
stepTransitions
\n[object]
Transitions defining the allowed order of steps and their evaluation windows.
child
\nstring
Name of the child step.
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
parent
\nstring
Name of the parent step.
steps
\n[object]
Steps that define the conditions to be matched in sequence.
condition
\nstring
Condition referencing rule queries (e.g., a > 0).
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
name
\nstring
Unique name identifying the step.
thirdPartyRuleOptions
\nobject
Options on third party detection method.
defaultNotifications
\n[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
rootQueries
\n[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
\n[string]
Fields to group by.
query
\nstring
Query to run on logs.
signalTitleTemplate
\nstring
A template for the signal title; if omitted, the title is generated based on the case name.
queries [required]
\n[object]
Queries for selecting signals which are part of the rule.
aggregation
\nenum
The aggregation type. \nAllowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
correlatedByFields
\n[string]
Fields to group by.
correlatedQueryIndex
\nint32
Index of the rule query used to retrieve the correlated field.
metrics
\n[string]
Group of target fields to aggregate over.
name
\nstring
Name of the query.
ruleId [required]
\nstring
Rule ID to match on signals.
tags
\n[string]
Tags for generated signals.
type
\nenum
The rule type. \nAllowed enum values: signal_correlation
Option 3
\nobject
Create a new cloud configuration rule.
cases [required]
\n[object]
Description of generated findings and signals (severity and channels to be notified in case of a signal). Must contain exactly one item.
notifications
\n[string]
Notification targets for each rule case.
status [required]
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
complianceSignalOptions [required]
\nobject
How to generate compliance signals. Useful for cloud_configuration rules only.
defaultActivationStatus
\nboolean
The default activation status.
defaultGroupByFields
\n[string]
The default group by fields.
userActivationStatus
\nboolean
Whether signals will be sent.
userGroupByFields
\n[string]
Fields to use to group findings by when sending signals.
filters
\n[object]
Additional queries to filter matched events before they are processed.
action
\nenum
The type of filtering action. \nAllowed enum values: require,suppress
query
\nstring
Query for selecting logs to apply the filtering action.
isEnabled [required]
\nboolean
Whether the rule is enabled.
message [required]
\nstring
Message in markdown format for generated findings and signals.
name [required]
\nstring
The name of the rule.
options [required]
\nobject
Options on cloud configuration rules.
complianceRuleOptions [required]
\nobject
Options for cloud_configuration rules.\nFields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.
complexRule
\nboolean
Whether the rule is a complex one.\nMust be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.
regoRule
\nobject
Rule details.
policy [required]
\nstring
The policy written in rego, see: https://www.openpolicyagent.org/docs/latest/policy-language/
resourceTypes [required]
\n[string]
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
\nstring
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.
tags
\n[string]
Tags for generated findings and signals.
type
\nenum
The rule type. \nAllowed enum values: cloud_configuration
Option 1
\nobject
Create a new rule.
calculatedFields
\n[object]
Calculated fields. Only allowed for scheduled rules - in other words, when schedulingOptions is also defined.
expression [required]
\nstring
Expression.
name [required]
\nstring
Field name.
cases [required]
\n[object]
Cases for generating signals.
actions
\n[object]
Action to perform for each rule case.
options
\nobject
Options for the rule action
duration
\nint64
Duration of the action in seconds. 0 indicates no expiration.
flaggedIPType
\nenum
Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. \nAllowed enum values: SUSPICIOUS,FLAGGED
userBehaviorName
\nstring
Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.
type
\nenum
The action type. \nAllowed enum values: block_ip,block_user,user_behavior,flag_ip
condition
\nstring
A case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated\nbased on the event counts in the previously defined queries.
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets.
status [required]
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
filters
\n[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
\nenum
The type of filtering action. \nAllowed enum values: require,suppress
query
\nstring
Query for selecting logs to apply the filtering action.
groupSignalsBy
\n[string]
Additional grouping to perform on top of the existing groups in the query section. Must be a subset of the existing groups.
hasExtendedTitle
\nboolean
Whether the notifications include the triggering group-by values in their title.
isEnabled [required]
\nboolean
Whether the rule is enabled.
message [required]
\nstring
Message for generated signals.
name [required]
\nstring
The name of the rule.
options [required]
\nobject
Options.
complianceRuleOptions
\nobject
Options for cloud_configuration rules.\nFields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.
complexRule
\nboolean
Whether the rule is a complex one.\nMust be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.
regoRule
\nobject
Rule details.
policy [required]
\nstring
The policy written in rego, see: https://www.openpolicyagent.org/docs/latest/policy-language/
resourceTypes [required]
\n[string]
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
\nstring
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.
decreaseCriticalityBasedOnEnv
\nboolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.\nThe severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO.\nThe decrement is applied when the environment tag of the signal starts with staging, test or dev.
detectionMethod
\nenum
The detection method. \nAllowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
hardcodedEvaluatorType
\nenum
Hardcoded evaluator type. \nAllowed enum values: log4shell
impossibleTravelOptions
\nobject
Options on impossible travel detection method.
baselineUserLocations
\nboolean
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular\naccess locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
\nenum
Once a signal is generated, the signal will remain "open" if a case is matched at least once within\nthis keep alive window. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
maxSignalDuration
\nenum
A signal will "close" regardless of the query being matched once the time exceeds the maximum duration.\nThis time is calculated from the first seen timestamp. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
\nobject
Options on new value detection method.
forgetAfter
\nenum
The duration in days after which a learned value is forgotten. \nAllowed enum values: 1,2,7,14,21,28
learningDuration
\nenum
The duration in days during which values are learned, and after which signals will be generated for values that\nweren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. \nAllowed enum values: 0,1,7
learningMethod
\nenum
The learning method used to determine when signals should be generated for values that weren't learned. \nAllowed enum values: duration,threshold
default: duration
learningThreshold
\nenum
A number of occurrences after which signals will be generated for values that weren't learned. \nAllowed enum values: 0,1
sequenceDetectionOptions
\nobject
Options on sequence detection method.
stepTransitions
\n[object]
Transitions defining the allowed order of steps and their evaluation windows.
child
\nstring
Name of the child step.
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
parent
\nstring
Name of the parent step.
steps
\n[object]
Steps that define the conditions to be matched in sequence.
condition
\nstring
Condition referencing rule queries (e.g., a > 0).
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
name
\nstring
Unique name identifying the step.
thirdPartyRuleOptions
\nobject
Options on third party detection method.
defaultNotifications
\n[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
rootQueries
\n[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
\n[string]
Fields to group by.
query
\nstring
Query to run on logs.
signalTitleTemplate
\nstring
A template for the signal title; if omitted, the title is generated based on the case name.
queries [required]
\n[object]
Queries for selecting logs which are part of the rule.
aggregation
\nenum
The aggregation type. \nAllowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
customQueryExtension
\nstring
Query extension to append to the logs query.
dataSource
\nenum
Source of events, either logs, audit trail, or Datadog events. \nAllowed enum values: logs,audit,app_sec_spans,spans,security_runtime,network,events
default: logs
distinctFields
\n[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
\n[string]
Fields to group by.
hasOptionalGroupByFields
\nboolean
When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with N/A, replacing the missing values.
index
\nstring
This field is currently unstable and might be removed in a minor version upgrade.\nThe index to run the query on, if the dataSource is logs. Only used for scheduled rules - in other words, when the schedulingOptions field is present in the rule payload.
indexes
\n[string]
List of indexes to query when the dataSource is logs. Only used for scheduled rules, such as when the schedulingOptions field is present in the rule payload.
metric
\nstring
DEPRECATED: (Deprecated) The target field to aggregate over when using the sum or max\naggregations. metrics field should be used instead.
metrics
\n[string]
Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.
name
\nstring
Name of the query.
query
\nstring
Query to run on logs.
referenceTables
\n[object]
Reference tables for the rule.
checkPresence
\nboolean
Whether to include or exclude the matched values.
columnName
\nstring
The name of the column in the reference table.
logFieldPath
\nstring
The field in the log to match against the reference table.
ruleQueryName
\nstring
The name of the query to apply the reference table to.
tableName
\nstring
The name of the reference table.
schedulingOptions
\nobject
Options for scheduled rules. When this field is present, the rule runs based on the schedule. When absent, it runs real-time on ingested logs.
rrule
\nstring
Schedule for the rule queries, written in RRULE syntax. See RFC for syntax reference.
start
\nstring
Start date for the schedule, in ISO 8601 format without timezone.
tags
\n[string]
Tags for generated signals.
thirdPartyCases
\n[object]
Cases for generating signals from third-party rules. Only available for third-party rules.
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets for each case.
query
\nstring
A query to map a third party event to this case.
status [required]
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
type
\nenum
The rule type. \nAllowed enum values: api_security,application_security,log_detection,workload_security
Option 2
\nobject
Create a new signal correlation rule.
cases [required]
\n[object]
Cases for generating signals.
actions
\n[object]
Action to perform for each rule case.
options
\nobject
Options for the rule action
duration
\nint64
Duration of the action in seconds. 0 indicates no expiration.
flaggedIPType
\nenum
Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. \nAllowed enum values: SUSPICIOUS,FLAGGED
userBehaviorName
\nstring
Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.
type
\nenum
The action type. \nAllowed enum values: block_ip,block_user,user_behavior,flag_ip
condition
\nstring
A case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated\nbased on the event counts in the previously defined queries.
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets.
status [required]
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
filters
\n[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
\nenum
The type of filtering action. \nAllowed enum values: require,suppress
query
\nstring
Query for selecting logs to apply the filtering action.
hasExtendedTitle
\nboolean
Whether the notifications include the triggering group-by values in their title.
isEnabled [required]
\nboolean
Whether the rule is enabled.
message [required]
\nstring
Message for generated signals.
name [required]
\nstring
The name of the rule.
options [required]
\nobject
Options.
complianceRuleOptions
\nobject
Options for cloud_configuration rules.\nFields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.
complexRule
\nboolean
Whether the rule is a complex one.\nMust be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.
regoRule
\nobject
Rule details.
policy [required]
\nstring
The policy written in rego, see: https://www.openpolicyagent.org/docs/latest/policy-language/
resourceTypes [required]
\n[string]
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
\nstring
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.
decreaseCriticalityBasedOnEnv
\nboolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.\nThe severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO.\nThe decrement is applied when the environment tag of the signal starts with staging, test or dev.
detectionMethod
\nenum
The detection method. \nAllowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
hardcodedEvaluatorType
\nenum
Hardcoded evaluator type. \nAllowed enum values: log4shell
impossibleTravelOptions
\nobject
Options on impossible travel detection method.
baselineUserLocations
\nboolean
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular\naccess locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
\nenum
Once a signal is generated, the signal will remain "open" if a case is matched at least once within\nthis keep alive window. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
maxSignalDuration
\nenum
A signal will "close" regardless of the query being matched once the time exceeds the maximum duration.\nThis time is calculated from the first seen timestamp. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
\nobject
Options on new value detection method.
forgetAfter
\nenum
The duration in days after which a learned value is forgotten. \nAllowed enum values: 1,2,7,14,21,28
learningDuration
\nenum
The duration in days during which values are learned, and after which signals will be generated for values that\nweren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. \nAllowed enum values: 0,1,7
learningMethod
\nenum
The learning method used to determine when signals should be generated for values that weren't learned. \nAllowed enum values: duration,threshold
default: duration
learningThreshold
\nenum
A number of occurrences after which signals will be generated for values that weren't learned. \nAllowed enum values: 0,1
sequenceDetectionOptions
\nobject
Options on sequence detection method.
stepTransitions
\n[object]
Transitions defining the allowed order of steps and their evaluation windows.
child
\nstring
Name of the child step.
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
parent
\nstring
Name of the parent step.
steps
\n[object]
Steps that define the conditions to be matched in sequence.
condition
\nstring
Condition referencing rule queries (e.g., a > 0).
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
name
\nstring
Unique name identifying the step.
thirdPartyRuleOptions
\nobject
Options on third party detection method.
defaultNotifications
\n[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
rootQueries
\n[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
\n[string]
Fields to group by.
query
\nstring
Query to run on logs.
signalTitleTemplate
\nstring
A template for the signal title; if omitted, the title is generated based on the case name.
queries [required]
\n[object]
Queries for selecting signals which are part of the rule.
aggregation
\nenum
The aggregation type. \nAllowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
correlatedByFields
\n[string]
Fields to group by.
correlatedQueryIndex
\nint32
Index of the rule query used to retrieve the correlated field.
metrics
\n[string]
Group of target fields to aggregate over.
name
\nstring
Name of the query.
ruleId [required]
\nstring
Rule ID to match on signals.
tags
\n[string]
Tags for generated signals.
type
\nenum
The rule type. \nAllowed enum values: signal_correlation
Option 3
\nobject
Create a new cloud configuration rule.
cases [required]
\n[object]
Description of generated findings and signals (severity and channels to be notified in case of a signal). Must contain exactly one item.
notifications
\n[string]
Notification targets for each rule case.
status [required]
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
complianceSignalOptions [required]
\nobject
How to generate compliance signals. Useful for cloud_configuration rules only.
defaultActivationStatus
\nboolean
The default activation status.
defaultGroupByFields
\n[string]
The default group by fields.
userActivationStatus
\nboolean
Whether signals will be sent.
userGroupByFields
\n[string]
Fields to use to group findings by when sending signals.
filters
\n[object]
Additional queries to filter matched events before they are processed.
action
\nenum
The type of filtering action. \nAllowed enum values: require,suppress
query
\nstring
Query for selecting logs to apply the filtering action.
isEnabled [required]
\nboolean
Whether the rule is enabled.
message [required]
\nstring
Message in markdown format for generated findings and signals.
name [required]
\nstring
The name of the rule.
options [required]
\nobject
Options on cloud configuration rules.
complianceRuleOptions [required]
\nobject
Options for cloud_configuration rules.\nFields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.
complexRule
\nboolean
Whether the rule is a complex one.\nMust be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.
regoRule
\nobject
Rule details.
policy [required]
\nstring
The policy written in rego, see: https://www.openpolicyagent.org/docs/latest/policy-language/
resourceTypes [required]
\n[string]
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
\nstring
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.
tags
\n[string]
Tags for generated findings and signals.
type
\nenum
The rule type. \nAllowed enum values: cloud_configuration
data
\n[ <oneOf>]
Array containing the list of rules.
Option 1
\nobject
Rule.
calculatedFields
\n[object]
Calculated fields. Only allowed for scheduled rules - in other words, when schedulingOptions is also defined.
expression [required]
\nstring
Expression.
name [required]
\nstring
Field name.
cases
\n[object]
Cases for generating signals.
actions
\n[object]
Action to perform for each rule case.
options
\nobject
Options for the rule action
duration
\nint64
Duration of the action in seconds. 0 indicates no expiration.
flaggedIPType
\nenum
Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. \nAllowed enum values: SUSPICIOUS,FLAGGED
userBehaviorName
\nstring
Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.
type
\nenum
The action type. \nAllowed enum values: block_ip,block_user,user_behavior,flag_ip
condition
\nstring
A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated\nbased on the event counts in the previously defined queries.
customStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets for each rule case.
status
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
complianceSignalOptions
\nobject
How to generate compliance signals. Useful for cloud_configuration rules only.
defaultActivationStatus
\nboolean
The default activation status.
defaultGroupByFields
\n[string]
The default group by fields.
userActivationStatus
\nboolean
Whether signals will be sent.
userGroupByFields
\n[string]
Fields to use to group findings by when sending signals.
createdAt
\nint64
When the rule was created, timestamp in milliseconds.
creationAuthorId
\nint64
User ID of the user who created the rule.
customMessage
\nstring
Custom/Overridden message for generated signals (used in case of Default rule update).
customName
\nstring
Custom/Overridden name of the rule (used in case of Default rule update).
defaultTags
\n[string]
Default Tags for default rules (included in tags)
deprecationDate
\nint64
When the rule will be deprecated, timestamp in milliseconds.
filters
\n[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
\nenum
The type of filtering action. \nAllowed enum values: require,suppress
query
\nstring
Query for selecting logs to apply the filtering action.
groupSignalsBy
\n[string]
Additional grouping to perform on top of the existing groups in the query section. Must be a subset of the existing groups.
hasExtendedTitle
\nboolean
Whether the notifications include the triggering group-by values in their title.
id
\nstring
The ID of the rule.
isDefault
\nboolean
Whether the rule is included by default.
isDeleted
\nboolean
Whether the rule has been deleted.
isEnabled
\nboolean
Whether the rule is enabled.
message
\nstring
Message for generated signals.
name
\nstring
The name of the rule.
options
\nobject
Options.
complianceRuleOptions
\nobject
Options for cloud_configuration rules.\nFields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.
complexRule
\nboolean
Whether the rule is a complex one.\nMust be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.
regoRule
\nobject
Rule details.
policy [required]
\nstring
The policy written in rego, see: https://www.openpolicyagent.org/docs/latest/policy-language/
resourceTypes [required]
\n[string]
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
\nstring
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.
decreaseCriticalityBasedOnEnv
\nboolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.\nThe severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO.\nThe decrement is applied when the environment tag of the signal starts with staging, test or dev.
detectionMethod
\nenum
The detection method. \nAllowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
hardcodedEvaluatorType
\nenum
Hardcoded evaluator type. \nAllowed enum values: log4shell
impossibleTravelOptions
\nobject
Options on impossible travel detection method.
baselineUserLocations
\nboolean
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular\naccess locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
\nenum
Once a signal is generated, the signal will remain "open" if a case is matched at least once within\nthis keep alive window. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
maxSignalDuration
\nenum
A signal will "close" regardless of the query being matched once the time exceeds the maximum duration.\nThis time is calculated from the first seen timestamp. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
\nobject
Options on new value detection method.
forgetAfter
\nenum
The duration in days after which a learned value is forgotten. \nAllowed enum values: 1,2,7,14,21,28
learningDuration
\nenum
The duration in days during which values are learned, and after which signals will be generated for values that\nweren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. \nAllowed enum values: 0,1,7
learningMethod
\nenum
The learning method used to determine when signals should be generated for values that weren't learned. \nAllowed enum values: duration,threshold
default: duration
learningThreshold
\nenum
A number of occurrences after which signals will be generated for values that weren't learned. \nAllowed enum values: 0,1
sequenceDetectionOptions
\nobject
Options on sequence detection method.
stepTransitions
\n[object]
Transitions defining the allowed order of steps and their evaluation windows.
child
\nstring
Name of the child step.
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
parent
\nstring
Name of the parent step.
steps
\n[object]
Steps that define the conditions to be matched in sequence.
condition
\nstring
Condition referencing rule queries (e.g., a > 0).
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
name
\nstring
Unique name identifying the step.
thirdPartyRuleOptions
\nobject
Options on third party detection method.
defaultNotifications
\n[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
rootQueries
\n[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
\n[string]
Fields to group by.
query
\nstring
Query to run on logs.
signalTitleTemplate
\nstring
A template for the signal title; if omitted, the title is generated based on the case name.
queries
\n[object]
Queries for selecting logs which are part of the rule.
aggregation
\nenum
The aggregation type. \nAllowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
customQueryExtension
\nstring
Query extension to append to the logs query.
dataSource
\nenum
Source of events, either logs, audit trail, or Datadog events. \nAllowed enum values: logs,audit,app_sec_spans,spans,security_runtime,network,events
default: logs
distinctFields
\n[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
\n[string]
Fields to group by.
hasOptionalGroupByFields
\nboolean
When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with N/A, replacing the missing values.
index
\nstring
This field is currently unstable and might be removed in a minor version upgrade.\nThe index to run the query on, if the dataSource is logs. Only used for scheduled rules - in other words, when the schedulingOptions field is present in the rule payload.
metric
\nstring
DEPRECATED: (Deprecated) The target field to aggregate over when using the sum or max\naggregations. metrics field should be used instead.
metrics
\n[string]
Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.
name
\nstring
Name of the query.
query
\nstring
Query to run on logs.
referenceTables
\n[object]
Reference tables for the rule.
checkPresence
\nboolean
Whether to include or exclude the matched values.
columnName
\nstring
The name of the column in the reference table.
logFieldPath
\nstring
The field in the log to match against the reference table.
ruleQueryName
\nstring
The name of the query to apply the reference table to.
tableName
\nstring
The name of the reference table.
schedulingOptions
\nobject
Options for scheduled rules. When this field is present, the rule runs based on the schedule. When absent, it runs real-time on ingested logs.
rrule
\nstring
Schedule for the rule queries, written in RRULE syntax. See RFC for syntax reference.
start
\nstring
Start date for the schedule, in ISO 8601 format without timezone.
tags
\n[string]
Tags for generated signals.
thirdPartyCases
\n[object]
Cases for generating signals from third-party rules. Only available for third-party rules.
customStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets for each rule case.
query
\nstring
A query to map a third party event to this case.
status
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
type
\nenum
The rule type. \nAllowed enum values: log_detection,infrastructure_configuration,workload_security,cloud_configuration,application_security,api_security
updateAuthorId
\nint64
User ID of the user who updated the rule.
updatedAt
\nint64
The date the rule was last updated, in milliseconds.
version
\nint64
The version of the rule.
Option 2
\nobject
Rule.
cases
\n[object]
Cases for generating signals.
actions
\n[object]
Action to perform for each rule case.
options
\nobject
Options for the rule action
duration
\nint64
Duration of the action in seconds. 0 indicates no expiration.
flaggedIPType
\nenum
Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. \nAllowed enum values: SUSPICIOUS,FLAGGED
userBehaviorName
\nstring
Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.
type
\nenum
The action type. \nAllowed enum values: block_ip,block_user,user_behavior,flag_ip
condition
\nstring
A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated\nbased on the event counts in the previously defined queries.
customStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets for each rule case.
status
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
createdAt
\nint64
When the rule was created, timestamp in milliseconds.
creationAuthorId
\nint64
User ID of the user who created the rule.
customMessage
\nstring
Custom/Overridden message for generated signals (used in case of Default rule update).
customName
\nstring
Custom/Overridden name of the rule (used in case of Default rule update).
deprecationDate
\nint64
When the rule will be deprecated, timestamp in milliseconds.
filters
\n[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
\nenum
The type of filtering action. \nAllowed enum values: require,suppress
query
\nstring
Query for selecting logs to apply the filtering action.
hasExtendedTitle
\nboolean
Whether the notifications include the triggering group-by values in their title.
id
\nstring
The ID of the rule.
isDefault
\nboolean
Whether the rule is included by default.
isDeleted
\nboolean
Whether the rule has been deleted.
isEnabled
\nboolean
Whether the rule is enabled.
message
\nstring
Message for generated signals.
name
\nstring
The name of the rule.
options
\nobject
Options.
complianceRuleOptions
\nobject
Options for cloud_configuration rules.\nFields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.
complexRule
\nboolean
Whether the rule is a complex one.\nMust be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.
regoRule
\nobject
Rule details.
policy [required]
\nstring
The policy written in rego, see: https://www.openpolicyagent.org/docs/latest/policy-language/
resourceTypes [required]
\n[string]
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
\nstring
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.
decreaseCriticalityBasedOnEnv
\nboolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.\nThe severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO.\nThe decrement is applied when the environment tag of the signal starts with staging, test or dev.
detectionMethod
\nenum
The detection method. \nAllowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
hardcodedEvaluatorType
\nenum
Hardcoded evaluator type. \nAllowed enum values: log4shell
impossibleTravelOptions
\nobject
Options on impossible travel detection method.
baselineUserLocations
\nboolean
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular\naccess locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
\nenum
Once a signal is generated, the signal will remain "open" if a case is matched at least once within\nthis keep alive window. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
maxSignalDuration
\nenum
A signal will "close" regardless of the query being matched once the time exceeds the maximum duration.\nThis time is calculated from the first seen timestamp. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
\nobject
Options on new value detection method.
forgetAfter
\nenum
The duration in days after which a learned value is forgotten. \nAllowed enum values: 1,2,7,14,21,28
learningDuration
\nenum
The duration in days during which values are learned, and after which signals will be generated for values that\nweren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. \nAllowed enum values: 0,1,7
learningMethod
\nenum
The learning method used to determine when signals should be generated for values that weren't learned. \nAllowed enum values: duration,threshold
default: duration
learningThreshold
\nenum
A number of occurrences after which signals will be generated for values that weren't learned. \nAllowed enum values: 0,1
sequenceDetectionOptions
\nobject
Options on sequence detection method.
stepTransitions
\n[object]
Transitions defining the allowed order of steps and their evaluation windows.
child
\nstring
Name of the child step.
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
parent
\nstring
Name of the parent step.
steps
\n[object]
Steps that define the conditions to be matched in sequence.
condition
\nstring
Condition referencing rule queries (e.g., a > 0).
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
name
\nstring
Unique name identifying the step.
thirdPartyRuleOptions
\nobject
Options on third party detection method.
defaultNotifications
\n[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
rootQueries
\n[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
\n[string]
Fields to group by.
query
\nstring
Query to run on logs.
signalTitleTemplate
\nstring
A template for the signal title; if omitted, the title is generated based on the case name.
queries
\n[object]
Queries for selecting logs which are part of the rule.
aggregation
\nenum
The aggregation type. \nAllowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
correlatedByFields
\n[string]
Fields to correlate by.
correlatedQueryIndex
\nint32
Index of the rule query used to retrieve the correlated field.
defaultRuleId
\nstring
Default Rule ID to match on signals.
distinctFields
\n[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
\n[string]
Fields to group by.
metrics
\n[string]
Group of target fields to aggregate over.
name
\nstring
Name of the query.
ruleId
\nstring
Rule ID to match on signals.
tags
\n[string]
Tags for generated signals.
type
\nenum
The rule type. \nAllowed enum values: signal_correlation
updateAuthorId
\nint64
User ID of the user who updated the rule.
version
\nint64
The version of the rule.
meta
\nobject
Object describing meta attributes of response.
page
\nobject
Pagination object.
total_count
\nint64
Total count.
total_filtered_count
\nint64
Total count of elements matched by the filter.
data
\n[ <oneOf>]
Array containing the list of rules.
Option 1
\nobject
Rule.
calculatedFields
\n[object]
Calculated fields. Only allowed for scheduled rules - in other words, when schedulingOptions is also defined.
expression [required]
\nstring
Expression.
name [required]
\nstring
Field name.
cases
\n[object]
Cases for generating signals.
actions
\n[object]
Action to perform for each rule case.
options
\nobject
Options for the rule action
duration
\nint64
Duration of the action in seconds. 0 indicates no expiration.
flaggedIPType
\nenum
Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. \nAllowed enum values: SUSPICIOUS,FLAGGED
userBehaviorName
\nstring
Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.
type
\nenum
The action type. \nAllowed enum values: block_ip,block_user,user_behavior,flag_ip
condition
\nstring
A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated\nbased on the event counts in the previously defined queries.
customStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets for each rule case.
status
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
complianceSignalOptions
\nobject
How to generate compliance signals. Useful for cloud_configuration rules only.
defaultActivationStatus
\nboolean
The default activation status.
defaultGroupByFields
\n[string]
The default group by fields.
userActivationStatus
\nboolean
Whether signals will be sent.
userGroupByFields
\n[string]
Fields to use to group findings by when sending signals.
createdAt
\nint64
When the rule was created, timestamp in milliseconds.
creationAuthorId
\nint64
User ID of the user who created the rule.
customMessage
\nstring
Custom/Overridden message for generated signals (used in case of Default rule update).
customName
\nstring
Custom/Overridden name of the rule (used in case of Default rule update).
defaultTags
\n[string]
Default Tags for default rules (included in tags)
deprecationDate
\nint64
When the rule will be deprecated, timestamp in milliseconds.
filters
\n[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
\nenum
The type of filtering action. \nAllowed enum values: require,suppress
query
\nstring
Query for selecting logs to apply the filtering action.
groupSignalsBy
\n[string]
Additional grouping to perform on top of the existing groups in the query section. Must be a subset of the existing groups.
hasExtendedTitle
\nboolean
Whether the notifications include the triggering group-by values in their title.
id
\nstring
The ID of the rule.
isDefault
\nboolean
Whether the rule is included by default.
isDeleted
\nboolean
Whether the rule has been deleted.
isEnabled
\nboolean
Whether the rule is enabled.
message
\nstring
Message for generated signals.
name
\nstring
The name of the rule.
options
\nobject
Options.
complianceRuleOptions
\nobject
Options for cloud_configuration rules.\nFields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.
complexRule
\nboolean
Whether the rule is a complex one.\nMust be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.
regoRule
\nobject
Rule details.
policy [required]
\nstring
The policy written in rego, see: https://www.openpolicyagent.org/docs/latest/policy-language/
resourceTypes [required]
\n[string]
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
\nstring
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.
decreaseCriticalityBasedOnEnv
\nboolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.\nThe severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO.\nThe decrement is applied when the environment tag of the signal starts with staging, test or dev.
detectionMethod
\nenum
The detection method. \nAllowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
hardcodedEvaluatorType
\nenum
Hardcoded evaluator type. \nAllowed enum values: log4shell
impossibleTravelOptions
\nobject
Options on impossible travel detection method.
baselineUserLocations
\nboolean
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular\naccess locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
\nenum
Once a signal is generated, the signal will remain "open" if a case is matched at least once within\nthis keep alive window. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
maxSignalDuration
\nenum
A signal will "close" regardless of the query being matched once the time exceeds the maximum duration.\nThis time is calculated from the first seen timestamp. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
\nobject
Options on new value detection method.
forgetAfter
\nenum
The duration in days after which a learned value is forgotten. \nAllowed enum values: 1,2,7,14,21,28
learningDuration
\nenum
The duration in days during which values are learned, and after which signals will be generated for values that\nweren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. \nAllowed enum values: 0,1,7
learningMethod
\nenum
The learning method used to determine when signals should be generated for values that weren't learned. \nAllowed enum values: duration,threshold
default: duration
learningThreshold
\nenum
A number of occurrences after which signals will be generated for values that weren't learned. \nAllowed enum values: 0,1
sequenceDetectionOptions
\nobject
Options on sequence detection method.
stepTransitions
\n[object]
Transitions defining the allowed order of steps and their evaluation windows.
child
\nstring
Name of the child step.
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
parent
\nstring
Name of the parent step.
steps
\n[object]
Steps that define the conditions to be matched in sequence.
condition
\nstring
Condition referencing rule queries (e.g., a > 0).
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
name
\nstring
Unique name identifying the step.
thirdPartyRuleOptions
\nobject
Options on third party detection method.
defaultNotifications
\n[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
rootQueries
\n[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
\n[string]
Fields to group by.
query
\nstring
Query to run on logs.
signalTitleTemplate
\nstring
A template for the signal title; if omitted, the title is generated based on the case name.
queries
\n[object]
Queries for selecting logs which are part of the rule.
aggregation
\nenum
The aggregation type. \nAllowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
customQueryExtension
\nstring
Query extension to append to the logs query.
dataSource
\nenum
Source of events, either logs, audit trail, or Datadog events. \nAllowed enum values: logs,audit,app_sec_spans,spans,security_runtime,network,events
default: logs
distinctFields
\n[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
\n[string]
Fields to group by.
hasOptionalGroupByFields
\nboolean
When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with N/A, replacing the missing values.
index
\nstring
This field is currently unstable and might be removed in a minor version upgrade.\nThe index to run the query on, if the dataSource is logs. Only used for scheduled rules - in other words, when the schedulingOptions field is present in the rule payload.
indexes
\n[string]
List of indexes to query when the dataSource is logs. Only used for scheduled rules, such as when the schedulingOptions field is present in the rule payload.
metric
\nstring
DEPRECATED: (Deprecated) The target field to aggregate over when using the sum or max\naggregations. metrics field should be used instead.
metrics
\n[string]
Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.
name
\nstring
Name of the query.
query
\nstring
Query to run on logs.
referenceTables
\n[object]
Reference tables for the rule.
checkPresence
\nboolean
Whether to include or exclude the matched values.
columnName
\nstring
The name of the column in the reference table.
logFieldPath
\nstring
The field in the log to match against the reference table.
ruleQueryName
\nstring
The name of the query to apply the reference table to.
tableName
\nstring
The name of the reference table.
schedulingOptions
\nobject
Options for scheduled rules. When this field is present, the rule runs based on the schedule. When absent, it runs real-time on ingested logs.
rrule
\nstring
Schedule for the rule queries, written in RRULE syntax. See RFC for syntax reference.
start
\nstring
Start date for the schedule, in ISO 8601 format without timezone.
tags
\n[string]
Tags for generated signals.
thirdPartyCases
\n[object]
Cases for generating signals from third-party rules. Only available for third-party rules.
customStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets for each rule case.
query
\nstring
A query to map a third party event to this case.
status
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
type
\nenum
The rule type. \nAllowed enum values: log_detection,infrastructure_configuration,workload_security,cloud_configuration,application_security,api_security
updateAuthorId
\nint64
User ID of the user who updated the rule.
updatedAt
\nint64
The date the rule was last updated, in milliseconds.
version
\nint64
The version of the rule.
Option 2
\nobject
Rule.
cases
\n[object]
Cases for generating signals.
actions
\n[object]
Action to perform for each rule case.
options
\nobject
Options for the rule action
duration
\nint64
Duration of the action in seconds. 0 indicates no expiration.
flaggedIPType
\nenum
Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. \nAllowed enum values: SUSPICIOUS,FLAGGED
userBehaviorName
\nstring
Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.
type
\nenum
The action type. \nAllowed enum values: block_ip,block_user,user_behavior,flag_ip
condition
\nstring
A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated\nbased on the event counts in the previously defined queries.
customStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets for each rule case.
status
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
createdAt
\nint64
When the rule was created, timestamp in milliseconds.
creationAuthorId
\nint64
User ID of the user who created the rule.
customMessage
\nstring
Custom/Overridden message for generated signals (used in case of Default rule update).
customName
\nstring
Custom/Overridden name of the rule (used in case of Default rule update).
deprecationDate
\nint64
When the rule will be deprecated, timestamp in milliseconds.
filters
\n[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
\nenum
The type of filtering action. \nAllowed enum values: require,suppress
query
\nstring
Query for selecting logs to apply the filtering action.
hasExtendedTitle
\nboolean
Whether the notifications include the triggering group-by values in their title.
id
\nstring
The ID of the rule.
isDefault
\nboolean
Whether the rule is included by default.
isDeleted
\nboolean
Whether the rule has been deleted.
isEnabled
\nboolean
Whether the rule is enabled.
message
\nstring
Message for generated signals.
name
\nstring
The name of the rule.
options
\nobject
Options.
complianceRuleOptions
\nobject
Options for cloud_configuration rules.\nFields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.
complexRule
\nboolean
Whether the rule is a complex one.\nMust be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.
regoRule
\nobject
Rule details.
policy [required]
\nstring
The policy written in rego, see: https://www.openpolicyagent.org/docs/latest/policy-language/
resourceTypes [required]
\n[string]
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
\nstring
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.
decreaseCriticalityBasedOnEnv
\nboolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.\nThe severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO.\nThe decrement is applied when the environment tag of the signal starts with staging, test or dev.
detectionMethod
\nenum
The detection method. \nAllowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
hardcodedEvaluatorType
\nenum
Hardcoded evaluator type. \nAllowed enum values: log4shell
impossibleTravelOptions
\nobject
Options on impossible travel detection method.
baselineUserLocations
\nboolean
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular\naccess locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
\nenum
Once a signal is generated, the signal will remain "open" if a case is matched at least once within\nthis keep alive window. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
maxSignalDuration
\nenum
A signal will "close" regardless of the query being matched once the time exceeds the maximum duration.\nThis time is calculated from the first seen timestamp. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
\nobject
Options on new value detection method.
forgetAfter
\nenum
The duration in days after which a learned value is forgotten. \nAllowed enum values: 1,2,7,14,21,28
learningDuration
\nenum
The duration in days during which values are learned, and after which signals will be generated for values that\nweren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. \nAllowed enum values: 0,1,7
learningMethod
\nenum
The learning method used to determine when signals should be generated for values that weren't learned. \nAllowed enum values: duration,threshold
default: duration
learningThreshold
\nenum
A number of occurrences after which signals will be generated for values that weren't learned. \nAllowed enum values: 0,1
sequenceDetectionOptions
\nobject
Options on sequence detection method.
stepTransitions
\n[object]
Transitions defining the allowed order of steps and their evaluation windows.
child
\nstring
Name of the child step.
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
parent
\nstring
Name of the parent step.
steps
\n[object]
Steps that define the conditions to be matched in sequence.
condition
\nstring
Condition referencing rule queries (e.g., a > 0).
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
name
\nstring
Unique name identifying the step.
thirdPartyRuleOptions
\nobject
Options on third party detection method.
defaultNotifications
\n[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
rootQueries
\n[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
\n[string]
Fields to group by.
query
\nstring
Query to run on logs.
signalTitleTemplate
\nstring
A template for the signal title; if omitted, the title is generated based on the case name.
queries
\n[object]
Queries for selecting logs which are part of the rule.
aggregation
\nenum
The aggregation type. \nAllowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
correlatedByFields
\n[string]
Fields to correlate by.
correlatedQueryIndex
\nint32
Index of the rule query used to retrieve the correlated field.
defaultRuleId
\nstring
Default Rule ID to match on signals.
distinctFields
\n[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
\n[string]
Fields to group by.
metrics
\n[string]
Group of target fields to aggregate over.
name
\nstring
Name of the query.
ruleId
\nstring
Rule ID to match on signals.
tags
\n[string]
Tags for generated signals.
type
\nenum
The rule type. \nAllowed enum values: signal_correlation
updateAuthorId
\nint64
User ID of the user who updated the rule.
version
\nint64
The version of the rule.
meta
\nobject
Object describing meta attributes of response.
page
\nobject
Pagination object.
total_count
\nint64
Total count.
total_filtered_count
\nint64
Total count of elements matched by the filter.
Option 1
\nobject
Rule.
calculatedFields
\n[object]
Calculated fields. Only allowed for scheduled rules - in other words, when schedulingOptions is also defined.
expression [required]
\nstring
Expression.
name [required]
\nstring
Field name.
cases
\n[object]
Cases for generating signals.
actions
\n[object]
Action to perform for each rule case.
options
\nobject
Options for the rule action
duration
\nint64
Duration of the action in seconds. 0 indicates no expiration.
flaggedIPType
\nenum
Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. \nAllowed enum values: SUSPICIOUS,FLAGGED
userBehaviorName
\nstring
Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.
type
\nenum
The action type. \nAllowed enum values: block_ip,block_user,user_behavior,flag_ip
condition
\nstring
A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated\nbased on the event counts in the previously defined queries.
customStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets for each rule case.
status
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
complianceSignalOptions
\nobject
How to generate compliance signals. Useful for cloud_configuration rules only.
defaultActivationStatus
\nboolean
The default activation status.
defaultGroupByFields
\n[string]
The default group by fields.
userActivationStatus
\nboolean
Whether signals will be sent.
userGroupByFields
\n[string]
Fields to use to group findings by when sending signals.
createdAt
\nint64
When the rule was created, timestamp in milliseconds.
creationAuthorId
\nint64
User ID of the user who created the rule.
customMessage
\nstring
Custom/Overridden message for generated signals (used in case of Default rule update).
customName
\nstring
Custom/Overridden name of the rule (used in case of Default rule update).
defaultTags
\n[string]
Default Tags for default rules (included in tags)
deprecationDate
\nint64
When the rule will be deprecated, timestamp in milliseconds.
filters
\n[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
\nenum
The type of filtering action. \nAllowed enum values: require,suppress
query
\nstring
Query for selecting logs to apply the filtering action.
groupSignalsBy
\n[string]
Additional grouping to perform on top of the existing groups in the query section. Must be a subset of the existing groups.
hasExtendedTitle
\nboolean
Whether the notifications include the triggering group-by values in their title.
id
\nstring
The ID of the rule.
isDefault
\nboolean
Whether the rule is included by default.
isDeleted
\nboolean
Whether the rule has been deleted.
isEnabled
\nboolean
Whether the rule is enabled.
message
\nstring
Message for generated signals.
name
\nstring
The name of the rule.
options
\nobject
Options.
complianceRuleOptions
\nobject
Options for cloud_configuration rules.\nFields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.
complexRule
\nboolean
Whether the rule is a complex one.\nMust be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.
regoRule
\nobject
Rule details.
policy [required]
\nstring
The policy written in rego, see: https://www.openpolicyagent.org/docs/latest/policy-language/
resourceTypes [required]
\n[string]
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
\nstring
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.
decreaseCriticalityBasedOnEnv
\nboolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.\nThe severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO.\nThe decrement is applied when the environment tag of the signal starts with staging, test or dev.
detectionMethod
\nenum
The detection method. \nAllowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
hardcodedEvaluatorType
\nenum
Hardcoded evaluator type. \nAllowed enum values: log4shell
impossibleTravelOptions
\nobject
Options on impossible travel detection method.
baselineUserLocations
\nboolean
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular\naccess locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
\nenum
Once a signal is generated, the signal will remain "open" if a case is matched at least once within\nthis keep alive window. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
maxSignalDuration
\nenum
A signal will "close" regardless of the query being matched once the time exceeds the maximum duration.\nThis time is calculated from the first seen timestamp. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
\nobject
Options on new value detection method.
forgetAfter
\nenum
The duration in days after which a learned value is forgotten. \nAllowed enum values: 1,2,7,14,21,28
learningDuration
\nenum
The duration in days during which values are learned, and after which signals will be generated for values that\nweren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. \nAllowed enum values: 0,1,7
learningMethod
\nenum
The learning method used to determine when signals should be generated for values that weren't learned. \nAllowed enum values: duration,threshold
default: duration
learningThreshold
\nenum
A number of occurrences after which signals will be generated for values that weren't learned. \nAllowed enum values: 0,1
sequenceDetectionOptions
\nobject
Options on sequence detection method.
stepTransitions
\n[object]
Transitions defining the allowed order of steps and their evaluation windows.
child
\nstring
Name of the child step.
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
parent
\nstring
Name of the parent step.
steps
\n[object]
Steps that define the conditions to be matched in sequence.
condition
\nstring
Condition referencing rule queries (e.g., a > 0).
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
name
\nstring
Unique name identifying the step.
thirdPartyRuleOptions
\nobject
Options on third party detection method.
defaultNotifications
\n[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
rootQueries
\n[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
\n[string]
Fields to group by.
query
\nstring
Query to run on logs.
signalTitleTemplate
\nstring
A template for the signal title; if omitted, the title is generated based on the case name.
queries
\n[object]
Queries for selecting logs which are part of the rule.
aggregation
\nenum
The aggregation type. \nAllowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
customQueryExtension
\nstring
Query extension to append to the logs query.
dataSource
\nenum
Source of events, either logs, audit trail, or Datadog events. \nAllowed enum values: logs,audit,app_sec_spans,spans,security_runtime,network,events
default: logs
distinctFields
\n[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
\n[string]
Fields to group by.
hasOptionalGroupByFields
\nboolean
When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with N/A, replacing the missing values.
index
\nstring
This field is currently unstable and might be removed in a minor version upgrade.\nThe index to run the query on, if the dataSource is logs. Only used for scheduled rules - in other words, when the schedulingOptions field is present in the rule payload.
metric
\nstring
DEPRECATED: (Deprecated) The target field to aggregate over when using the sum or max\naggregations. metrics field should be used instead.
metrics
\n[string]
Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.
name
\nstring
Name of the query.
query
\nstring
Query to run on logs.
referenceTables
\n[object]
Reference tables for the rule.
checkPresence
\nboolean
Whether to include or exclude the matched values.
columnName
\nstring
The name of the column in the reference table.
logFieldPath
\nstring
The field in the log to match against the reference table.
ruleQueryName
\nstring
The name of the query to apply the reference table to.
tableName
\nstring
The name of the reference table.
schedulingOptions
\nobject
Options for scheduled rules. When this field is present, the rule runs based on the schedule. When absent, it runs real-time on ingested logs.
rrule
\nstring
Schedule for the rule queries, written in RRULE syntax. See RFC for syntax reference.
start
\nstring
Start date for the schedule, in ISO 8601 format without timezone.
tags
\n[string]
Tags for generated signals.
thirdPartyCases
\n[object]
Cases for generating signals from third-party rules. Only available for third-party rules.
customStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets for each rule case.
query
\nstring
A query to map a third party event to this case.
status
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
type
\nenum
The rule type. \nAllowed enum values: log_detection,infrastructure_configuration,workload_security,cloud_configuration,application_security,api_security
updateAuthorId
\nint64
User ID of the user who updated the rule.
updatedAt
\nint64
The date the rule was last updated, in milliseconds.
version
\nint64
The version of the rule.
Option 2
\nobject
Rule.
cases
\n[object]
Cases for generating signals.
actions
\n[object]
Action to perform for each rule case.
options
\nobject
Options for the rule action
duration
\nint64
Duration of the action in seconds. 0 indicates no expiration.
flaggedIPType
\nenum
Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. \nAllowed enum values: SUSPICIOUS,FLAGGED
userBehaviorName
\nstring
Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.
type
\nenum
The action type. \nAllowed enum values: block_ip,block_user,user_behavior,flag_ip
condition
\nstring
A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated\nbased on the event counts in the previously defined queries.
customStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets for each rule case.
status
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
createdAt
\nint64
When the rule was created, timestamp in milliseconds.
creationAuthorId
\nint64
User ID of the user who created the rule.
customMessage
\nstring
Custom/Overridden message for generated signals (used in case of Default rule update).
customName
\nstring
Custom/Overridden name of the rule (used in case of Default rule update).
deprecationDate
\nint64
When the rule will be deprecated, timestamp in milliseconds.
filters
\n[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
\nenum
The type of filtering action. \nAllowed enum values: require,suppress
query
\nstring
Query for selecting logs to apply the filtering action.
hasExtendedTitle
\nboolean
Whether the notifications include the triggering group-by values in their title.
id
\nstring
The ID of the rule.
isDefault
\nboolean
Whether the rule is included by default.
isDeleted
\nboolean
Whether the rule has been deleted.
isEnabled
\nboolean
Whether the rule is enabled.
message
\nstring
Message for generated signals.
name
\nstring
The name of the rule.
options
\nobject
Options.
complianceRuleOptions
\nobject
Options for cloud_configuration rules.\nFields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.
complexRule
\nboolean
Whether the rule is a complex one.\nMust be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.
regoRule
\nobject
Rule details.
policy [required]
\nstring
The policy written in rego, see: https://www.openpolicyagent.org/docs/latest/policy-language/
resourceTypes [required]
\n[string]
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
\nstring
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.
decreaseCriticalityBasedOnEnv
\nboolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.\nThe severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO.\nThe decrement is applied when the environment tag of the signal starts with staging, test or dev.
detectionMethod
\nenum
The detection method. \nAllowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
hardcodedEvaluatorType
\nenum
Hardcoded evaluator type. \nAllowed enum values: log4shell
impossibleTravelOptions
\nobject
Options on impossible travel detection method.
baselineUserLocations
\nboolean
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular\naccess locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
\nenum
Once a signal is generated, the signal will remain "open" if a case is matched at least once within\nthis keep alive window. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
maxSignalDuration
\nenum
A signal will "close" regardless of the query being matched once the time exceeds the maximum duration.\nThis time is calculated from the first seen timestamp. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
\nobject
Options on new value detection method.
forgetAfter
\nenum
The duration in days after which a learned value is forgotten. \nAllowed enum values: 1,2,7,14,21,28
learningDuration
\nenum
The duration in days during which values are learned, and after which signals will be generated for values that\nweren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. \nAllowed enum values: 0,1,7
learningMethod
\nenum
The learning method used to determine when signals should be generated for values that weren't learned. \nAllowed enum values: duration,threshold
default: duration
learningThreshold
\nenum
A number of occurrences after which signals will be generated for values that weren't learned. \nAllowed enum values: 0,1
sequenceDetectionOptions
\nobject
Options on sequence detection method.
stepTransitions
\n[object]
Transitions defining the allowed order of steps and their evaluation windows.
child
\nstring
Name of the child step.
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
parent
\nstring
Name of the parent step.
steps
\n[object]
Steps that define the conditions to be matched in sequence.
condition
\nstring
Condition referencing rule queries (e.g., a > 0).
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
name
\nstring
Unique name identifying the step.
thirdPartyRuleOptions
\nobject
Options on third party detection method.
defaultNotifications
\n[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
rootQueries
\n[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
\n[string]
Fields to group by.
query
\nstring
Query to run on logs.
signalTitleTemplate
\nstring
A template for the signal title; if omitted, the title is generated based on the case name.
queries
\n[object]
Queries for selecting logs which are part of the rule.
aggregation
\nenum
The aggregation type. \nAllowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
correlatedByFields
\n[string]
Fields to correlate by.
correlatedQueryIndex
\nint32
Index of the rule query used to retrieve the correlated field.
defaultRuleId
\nstring
Default Rule ID to match on signals.
distinctFields
\n[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
\n[string]
Fields to group by.
metrics
\n[string]
Group of target fields to aggregate over.
name
\nstring
Name of the query.
ruleId
\nstring
Rule ID to match on signals.
tags
\n[string]
Tags for generated signals.
type
\nenum
The rule type. \nAllowed enum values: signal_correlation
updateAuthorId
\nint64
User ID of the user who updated the rule.
version
\nint64
The version of the rule.
Option 1
\nobject
Rule.
calculatedFields
\n[object]
Calculated fields. Only allowed for scheduled rules - in other words, when schedulingOptions is also defined.
expression [required]
\nstring
Expression.
name [required]
\nstring
Field name.
cases
\n[object]
Cases for generating signals.
actions
\n[object]
Action to perform for each rule case.
options
\nobject
Options for the rule action
duration
\nint64
Duration of the action in seconds. 0 indicates no expiration.
flaggedIPType
\nenum
Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. \nAllowed enum values: SUSPICIOUS,FLAGGED
userBehaviorName
\nstring
Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.
type
\nenum
The action type. \nAllowed enum values: block_ip,block_user,user_behavior,flag_ip
condition
\nstring
A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated\nbased on the event counts in the previously defined queries.
customStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets for each rule case.
status
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
complianceSignalOptions
\nobject
How to generate compliance signals. Useful for cloud_configuration rules only.
defaultActivationStatus
\nboolean
The default activation status.
defaultGroupByFields
\n[string]
The default group by fields.
userActivationStatus
\nboolean
Whether signals will be sent.
userGroupByFields
\n[string]
Fields to use to group findings by when sending signals.
createdAt
\nint64
When the rule was created, timestamp in milliseconds.
creationAuthorId
\nint64
User ID of the user who created the rule.
customMessage
\nstring
Custom/Overridden message for generated signals (used in case of Default rule update).
customName
\nstring
Custom/Overridden name of the rule (used in case of Default rule update).
defaultTags
\n[string]
Default Tags for default rules (included in tags)
deprecationDate
\nint64
When the rule will be deprecated, timestamp in milliseconds.
filters
\n[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
\nenum
The type of filtering action. \nAllowed enum values: require,suppress
query
\nstring
Query for selecting logs to apply the filtering action.
groupSignalsBy
\n[string]
Additional grouping to perform on top of the existing groups in the query section. Must be a subset of the existing groups.
hasExtendedTitle
\nboolean
Whether the notifications include the triggering group-by values in their title.
id
\nstring
The ID of the rule.
isDefault
\nboolean
Whether the rule is included by default.
isDeleted
\nboolean
Whether the rule has been deleted.
isEnabled
\nboolean
Whether the rule is enabled.
message
\nstring
Message for generated signals.
name
\nstring
The name of the rule.
options
\nobject
Options.
complianceRuleOptions
\nobject
Options for cloud_configuration rules.\nFields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.
complexRule
\nboolean
Whether the rule is a complex one.\nMust be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.
regoRule
\nobject
Rule details.
policy [required]
\nstring
The policy written in rego, see: https://www.openpolicyagent.org/docs/latest/policy-language/
resourceTypes [required]
\n[string]
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
\nstring
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.
decreaseCriticalityBasedOnEnv
\nboolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.\nThe severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO.\nThe decrement is applied when the environment tag of the signal starts with staging, test or dev.
detectionMethod
\nenum
The detection method. \nAllowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
hardcodedEvaluatorType
\nenum
Hardcoded evaluator type. \nAllowed enum values: log4shell
impossibleTravelOptions
\nobject
Options on impossible travel detection method.
baselineUserLocations
\nboolean
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular\naccess locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
\nenum
Once a signal is generated, the signal will remain "open" if a case is matched at least once within\nthis keep alive window. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
maxSignalDuration
\nenum
A signal will "close" regardless of the query being matched once the time exceeds the maximum duration.\nThis time is calculated from the first seen timestamp. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
\nobject
Options on new value detection method.
forgetAfter
\nenum
The duration in days after which a learned value is forgotten. \nAllowed enum values: 1,2,7,14,21,28
learningDuration
\nenum
The duration in days during which values are learned, and after which signals will be generated for values that\nweren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. \nAllowed enum values: 0,1,7
learningMethod
\nenum
The learning method used to determine when signals should be generated for values that weren't learned. \nAllowed enum values: duration,threshold
default: duration
learningThreshold
\nenum
A number of occurrences after which signals will be generated for values that weren't learned. \nAllowed enum values: 0,1
sequenceDetectionOptions
\nobject
Options on sequence detection method.
stepTransitions
\n[object]
Transitions defining the allowed order of steps and their evaluation windows.
child
\nstring
Name of the child step.
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
parent
\nstring
Name of the parent step.
steps
\n[object]
Steps that define the conditions to be matched in sequence.
condition
\nstring
Condition referencing rule queries (e.g., a > 0).
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
name
\nstring
Unique name identifying the step.
thirdPartyRuleOptions
\nobject
Options on third party detection method.
defaultNotifications
\n[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
rootQueries
\n[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
\n[string]
Fields to group by.
query
\nstring
Query to run on logs.
signalTitleTemplate
\nstring
A template for the signal title; if omitted, the title is generated based on the case name.
queries
\n[object]
Queries for selecting logs which are part of the rule.
aggregation
\nenum
The aggregation type. \nAllowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
customQueryExtension
\nstring
Query extension to append to the logs query.
dataSource
\nenum
Source of events, either logs, audit trail, or Datadog events. \nAllowed enum values: logs,audit,app_sec_spans,spans,security_runtime,network,events
default: logs
distinctFields
\n[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
\n[string]
Fields to group by.
hasOptionalGroupByFields
\nboolean
When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with N/A, replacing the missing values.
index
\nstring
This field is currently unstable and might be removed in a minor version upgrade.\nThe index to run the query on, if the dataSource is logs. Only used for scheduled rules - in other words, when the schedulingOptions field is present in the rule payload.
indexes
\n[string]
List of indexes to query when the dataSource is logs. Only used for scheduled rules, such as when the schedulingOptions field is present in the rule payload.
metric
\nstring
DEPRECATED: (Deprecated) The target field to aggregate over when using the sum or max\naggregations. metrics field should be used instead.
metrics
\n[string]
Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.
name
\nstring
Name of the query.
query
\nstring
Query to run on logs.
referenceTables
\n[object]
Reference tables for the rule.
checkPresence
\nboolean
Whether to include or exclude the matched values.
columnName
\nstring
The name of the column in the reference table.
logFieldPath
\nstring
The field in the log to match against the reference table.
ruleQueryName
\nstring
The name of the query to apply the reference table to.
tableName
\nstring
The name of the reference table.
schedulingOptions
\nobject
Options for scheduled rules. When this field is present, the rule runs based on the schedule. When absent, it runs real-time on ingested logs.
rrule
\nstring
Schedule for the rule queries, written in RRULE syntax. See RFC for syntax reference.
start
\nstring
Start date for the schedule, in ISO 8601 format without timezone.
tags
\n[string]
Tags for generated signals.
thirdPartyCases
\n[object]
Cases for generating signals from third-party rules. Only available for third-party rules.
customStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets for each rule case.
query
\nstring
A query to map a third party event to this case.
status
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
type
\nenum
The rule type. \nAllowed enum values: log_detection,infrastructure_configuration,workload_security,cloud_configuration,application_security,api_security
updateAuthorId
\nint64
User ID of the user who updated the rule.
updatedAt
\nint64
The date the rule was last updated, in milliseconds.
version
\nint64
The version of the rule.
Option 2
\nobject
Rule.
cases
\n[object]
Cases for generating signals.
actions
\n[object]
Action to perform for each rule case.
options
\nobject
Options for the rule action
duration
\nint64
Duration of the action in seconds. 0 indicates no expiration.
flaggedIPType
\nenum
Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. \nAllowed enum values: SUSPICIOUS,FLAGGED
userBehaviorName
\nstring
Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.
type
\nenum
The action type. \nAllowed enum values: block_ip,block_user,user_behavior,flag_ip
condition
\nstring
A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated\nbased on the event counts in the previously defined queries.
customStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets for each rule case.
status
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
createdAt
\nint64
When the rule was created, timestamp in milliseconds.
creationAuthorId
\nint64
User ID of the user who created the rule.
customMessage
\nstring
Custom/Overridden message for generated signals (used in case of Default rule update).
customName
\nstring
Custom/Overridden name of the rule (used in case of Default rule update).
deprecationDate
\nint64
When the rule will be deprecated, timestamp in milliseconds.
filters
\n[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
\nenum
The type of filtering action. \nAllowed enum values: require,suppress
query
\nstring
Query for selecting logs to apply the filtering action.
hasExtendedTitle
\nboolean
Whether the notifications include the triggering group-by values in their title.
id
\nstring
The ID of the rule.
isDefault
\nboolean
Whether the rule is included by default.
isDeleted
\nboolean
Whether the rule has been deleted.
isEnabled
\nboolean
Whether the rule is enabled.
message
\nstring
Message for generated signals.
name
\nstring
The name of the rule.
options
\nobject
Options.
complianceRuleOptions
\nobject
Options for cloud_configuration rules.\nFields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.
complexRule
\nboolean
Whether the rule is a complex one.\nMust be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.
regoRule
\nobject
Rule details.
policy [required]
\nstring
The policy written in rego, see: https://www.openpolicyagent.org/docs/latest/policy-language/
resourceTypes [required]
\n[string]
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
\nstring
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.
decreaseCriticalityBasedOnEnv
\nboolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.\nThe severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO.\nThe decrement is applied when the environment tag of the signal starts with staging, test or dev.
detectionMethod
\nenum
The detection method. \nAllowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
hardcodedEvaluatorType
\nenum
Hardcoded evaluator type. \nAllowed enum values: log4shell
impossibleTravelOptions
\nobject
Options on impossible travel detection method.
baselineUserLocations
\nboolean
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular\naccess locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
\nenum
Once a signal is generated, the signal will remain "open" if a case is matched at least once within\nthis keep alive window. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
maxSignalDuration
\nenum
A signal will "close" regardless of the query being matched once the time exceeds the maximum duration.\nThis time is calculated from the first seen timestamp. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
\nobject
Options on new value detection method.
forgetAfter
\nenum
The duration in days after which a learned value is forgotten. \nAllowed enum values: 1,2,7,14,21,28
learningDuration
\nenum
The duration in days during which values are learned, and after which signals will be generated for values that\nweren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. \nAllowed enum values: 0,1,7
learningMethod
\nenum
The learning method used to determine when signals should be generated for values that weren't learned. \nAllowed enum values: duration,threshold
default: duration
learningThreshold
\nenum
A number of occurrences after which signals will be generated for values that weren't learned. \nAllowed enum values: 0,1
sequenceDetectionOptions
\nobject
Options on sequence detection method.
stepTransitions
\n[object]
Transitions defining the allowed order of steps and their evaluation windows.
child
\nstring
Name of the child step.
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
parent
\nstring
Name of the parent step.
steps
\n[object]
Steps that define the conditions to be matched in sequence.
condition
\nstring
Condition referencing rule queries (e.g., a > 0).
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
name
\nstring
Unique name identifying the step.
thirdPartyRuleOptions
\nobject
Options on third party detection method.
defaultNotifications
\n[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
rootQueries
\n[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
\n[string]
Fields to group by.
query
\nstring
Query to run on logs.
signalTitleTemplate
\nstring
A template for the signal title; if omitted, the title is generated based on the case name.
queries
\n[object]
Queries for selecting logs which are part of the rule.
aggregation
\nenum
The aggregation type. \nAllowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
correlatedByFields
\n[string]
Fields to correlate by.
correlatedQueryIndex
\nint32
Index of the rule query used to retrieve the correlated field.
defaultRuleId
\nstring
Default Rule ID to match on signals.
distinctFields
\n[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
\n[string]
Fields to group by.
metrics
\n[string]
Group of target fields to aggregate over.
name
\nstring
Name of the query.
ruleId
\nstring
Rule ID to match on signals.
tags
\n[string]
Tags for generated signals.
type
\nenum
The rule type. \nAllowed enum values: signal_correlation
updateAuthorId
\nint64
User ID of the user who updated the rule.
version
\nint64
The version of the rule.
Option 1
\nobject
Create a new rule.
calculatedFields
\n[object]
Calculated fields. Only allowed for scheduled rules - in other words, when schedulingOptions is also defined.
expression [required]
\nstring
Expression.
name [required]
\nstring
Field name.
cases [required]
\n[object]
Cases for generating signals.
actions
\n[object]
Action to perform for each rule case.
options
\nobject
Options for the rule action
duration
\nint64
Duration of the action in seconds. 0 indicates no expiration.
flaggedIPType
\nenum
Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. \nAllowed enum values: SUSPICIOUS,FLAGGED
userBehaviorName
\nstring
Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.
type
\nenum
The action type. \nAllowed enum values: block_ip,block_user,user_behavior,flag_ip
condition
\nstring
A case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated\nbased on the event counts in the previously defined queries.
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets.
status [required]
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
filters
\n[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
\nenum
The type of filtering action. \nAllowed enum values: require,suppress
query
\nstring
Query for selecting logs to apply the filtering action.
groupSignalsBy
\n[string]
Additional grouping to perform on top of the existing groups in the query section. Must be a subset of the existing groups.
hasExtendedTitle
\nboolean
Whether the notifications include the triggering group-by values in their title.
isEnabled [required]
\nboolean
Whether the rule is enabled.
message [required]
\nstring
Message for generated signals.
name [required]
\nstring
The name of the rule.
options [required]
\nobject
Options.
complianceRuleOptions
\nobject
Options for cloud_configuration rules.\nFields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.
complexRule
\nboolean
Whether the rule is a complex one.\nMust be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.
regoRule
\nobject
Rule details.
policy [required]
\nstring
The policy written in rego, see: https://www.openpolicyagent.org/docs/latest/policy-language/
resourceTypes [required]
\n[string]
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
\nstring
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.
decreaseCriticalityBasedOnEnv
\nboolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.\nThe severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO.\nThe decrement is applied when the environment tag of the signal starts with staging, test or dev.
detectionMethod
\nenum
The detection method. \nAllowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
hardcodedEvaluatorType
\nenum
Hardcoded evaluator type. \nAllowed enum values: log4shell
impossibleTravelOptions
\nobject
Options on impossible travel detection method.
baselineUserLocations
\nboolean
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular\naccess locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
\nenum
Once a signal is generated, the signal will remain "open" if a case is matched at least once within\nthis keep alive window. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
maxSignalDuration
\nenum
A signal will "close" regardless of the query being matched once the time exceeds the maximum duration.\nThis time is calculated from the first seen timestamp. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
\nobject
Options on new value detection method.
forgetAfter
\nenum
The duration in days after which a learned value is forgotten. \nAllowed enum values: 1,2,7,14,21,28
learningDuration
\nenum
The duration in days during which values are learned, and after which signals will be generated for values that\nweren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. \nAllowed enum values: 0,1,7
learningMethod
\nenum
The learning method used to determine when signals should be generated for values that weren't learned. \nAllowed enum values: duration,threshold
default: duration
learningThreshold
\nenum
A number of occurrences after which signals will be generated for values that weren't learned. \nAllowed enum values: 0,1
sequenceDetectionOptions
\nobject
Options on sequence detection method.
stepTransitions
\n[object]
Transitions defining the allowed order of steps and their evaluation windows.
child
\nstring
Name of the child step.
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
parent
\nstring
Name of the parent step.
steps
\n[object]
Steps that define the conditions to be matched in sequence.
condition
\nstring
Condition referencing rule queries (e.g., a > 0).
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
name
\nstring
Unique name identifying the step.
thirdPartyRuleOptions
\nobject
Options on third party detection method.
defaultNotifications
\n[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
rootQueries
\n[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
\n[string]
Fields to group by.
query
\nstring
Query to run on logs.
signalTitleTemplate
\nstring
A template for the signal title; if omitted, the title is generated based on the case name.
queries [required]
\n[object]
Queries for selecting logs which are part of the rule.
aggregation
\nenum
The aggregation type. \nAllowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
customQueryExtension
\nstring
Query extension to append to the logs query.
dataSource
\nenum
Source of events, either logs, audit trail, or Datadog events. \nAllowed enum values: logs,audit,app_sec_spans,spans,security_runtime,network,events
default: logs
distinctFields
\n[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
\n[string]
Fields to group by.
hasOptionalGroupByFields
\nboolean
When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with N/A, replacing the missing values.
index
\nstring
This field is currently unstable and might be removed in a minor version upgrade.\nThe index to run the query on, if the dataSource is logs. Only used for scheduled rules - in other words, when the schedulingOptions field is present in the rule payload.
metric
\nstring
DEPRECATED: (Deprecated) The target field to aggregate over when using the sum or max\naggregations. metrics field should be used instead.
metrics
\n[string]
Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.
name
\nstring
Name of the query.
query
\nstring
Query to run on logs.
referenceTables
\n[object]
Reference tables for the rule.
checkPresence
\nboolean
Whether to include or exclude the matched values.
columnName
\nstring
The name of the column in the reference table.
logFieldPath
\nstring
The field in the log to match against the reference table.
ruleQueryName
\nstring
The name of the query to apply the reference table to.
tableName
\nstring
The name of the reference table.
schedulingOptions
\nobject
Options for scheduled rules. When this field is present, the rule runs based on the schedule. When absent, it runs real-time on ingested logs.
rrule
\nstring
Schedule for the rule queries, written in RRULE syntax. See RFC for syntax reference.
start
\nstring
Start date for the schedule, in ISO 8601 format without timezone.
tags
\n[string]
Tags for generated signals.
thirdPartyCases
\n[object]
Cases for generating signals from third-party rules. Only available for third-party rules.
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets for each case.
query
\nstring
A query to map a third party event to this case.
status [required]
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
type
\nenum
The rule type. \nAllowed enum values: api_security,application_security,log_detection,workload_security
Option 2
\nobject
Create a new signal correlation rule.
cases [required]
\n[object]
Cases for generating signals.
actions
\n[object]
Action to perform for each rule case.
options
\nobject
Options for the rule action
duration
\nint64
Duration of the action in seconds. 0 indicates no expiration.
flaggedIPType
\nenum
Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. \nAllowed enum values: SUSPICIOUS,FLAGGED
userBehaviorName
\nstring
Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.
type
\nenum
The action type. \nAllowed enum values: block_ip,block_user,user_behavior,flag_ip
condition
\nstring
A case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated\nbased on the event counts in the previously defined queries.
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets.
status [required]
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
filters
\n[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
\nenum
The type of filtering action. \nAllowed enum values: require,suppress
query
\nstring
Query for selecting logs to apply the filtering action.
hasExtendedTitle
\nboolean
Whether the notifications include the triggering group-by values in their title.
isEnabled [required]
\nboolean
Whether the rule is enabled.
message [required]
\nstring
Message for generated signals.
name [required]
\nstring
The name of the rule.
options [required]
\nobject
Options.
complianceRuleOptions
\nobject
Options for cloud_configuration rules.\nFields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.
complexRule
\nboolean
Whether the rule is a complex one.\nMust be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.
regoRule
\nobject
Rule details.
policy [required]
\nstring
The policy written in rego, see: https://www.openpolicyagent.org/docs/latest/policy-language/
resourceTypes [required]
\n[string]
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
\nstring
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.
decreaseCriticalityBasedOnEnv
\nboolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.\nThe severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO.\nThe decrement is applied when the environment tag of the signal starts with staging, test or dev.
detectionMethod
\nenum
The detection method. \nAllowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
hardcodedEvaluatorType
\nenum
Hardcoded evaluator type. \nAllowed enum values: log4shell
impossibleTravelOptions
\nobject
Options on impossible travel detection method.
baselineUserLocations
\nboolean
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular\naccess locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
\nenum
Once a signal is generated, the signal will remain "open" if a case is matched at least once within\nthis keep alive window. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
maxSignalDuration
\nenum
A signal will "close" regardless of the query being matched once the time exceeds the maximum duration.\nThis time is calculated from the first seen timestamp. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
\nobject
Options on new value detection method.
forgetAfter
\nenum
The duration in days after which a learned value is forgotten. \nAllowed enum values: 1,2,7,14,21,28
learningDuration
\nenum
The duration in days during which values are learned, and after which signals will be generated for values that\nweren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. \nAllowed enum values: 0,1,7
learningMethod
\nenum
The learning method used to determine when signals should be generated for values that weren't learned. \nAllowed enum values: duration,threshold
default: duration
learningThreshold
\nenum
A number of occurrences after which signals will be generated for values that weren't learned. \nAllowed enum values: 0,1
sequenceDetectionOptions
\nobject
Options on sequence detection method.
stepTransitions
\n[object]
Transitions defining the allowed order of steps and their evaluation windows.
child
\nstring
Name of the child step.
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
parent
\nstring
Name of the parent step.
steps
\n[object]
Steps that define the conditions to be matched in sequence.
condition
\nstring
Condition referencing rule queries (e.g., a > 0).
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
name
\nstring
Unique name identifying the step.
thirdPartyRuleOptions
\nobject
Options on third party detection method.
defaultNotifications
\n[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
rootQueries
\n[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
\n[string]
Fields to group by.
query
\nstring
Query to run on logs.
signalTitleTemplate
\nstring
A template for the signal title; if omitted, the title is generated based on the case name.
queries [required]
\n[object]
Queries for selecting signals which are part of the rule.
aggregation
\nenum
The aggregation type. \nAllowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
correlatedByFields
\n[string]
Fields to group by.
correlatedQueryIndex
\nint32
Index of the rule query used to retrieve the correlated field.
metrics
\n[string]
Group of target fields to aggregate over.
name
\nstring
Name of the query.
ruleId [required]
\nstring
Rule ID to match on signals.
tags
\n[string]
Tags for generated signals.
type
\nenum
The rule type. \nAllowed enum values: signal_correlation
Option 3
\nobject
Create a new cloud configuration rule.
cases [required]
\n[object]
Description of generated findings and signals (severity and channels to be notified in case of a signal). Must contain exactly one item.
notifications
\n[string]
Notification targets for each rule case.
status [required]
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
complianceSignalOptions [required]
\nobject
How to generate compliance signals. Useful for cloud_configuration rules only.
defaultActivationStatus
\nboolean
The default activation status.
defaultGroupByFields
\n[string]
The default group by fields.
userActivationStatus
\nboolean
Whether signals will be sent.
userGroupByFields
\n[string]
Fields to use to group findings by when sending signals.
filters
\n[object]
Additional queries to filter matched events before they are processed.
action
\nenum
The type of filtering action. \nAllowed enum values: require,suppress
query
\nstring
Query for selecting logs to apply the filtering action.
isEnabled [required]
\nboolean
Whether the rule is enabled.
message [required]
\nstring
Message in markdown format for generated findings and signals.
name [required]
\nstring
The name of the rule.
options [required]
\nobject
Options on cloud configuration rules.
complianceRuleOptions [required]
\nobject
Options for cloud_configuration rules.\nFields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.
complexRule
\nboolean
Whether the rule is a complex one.\nMust be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.
regoRule
\nobject
Rule details.
policy [required]
\nstring
The policy written in rego, see: https://www.openpolicyagent.org/docs/latest/policy-language/
resourceTypes [required]
\n[string]
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
\nstring
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.
tags
\n[string]
Tags for generated findings and signals.
type
\nenum
The rule type. \nAllowed enum values: cloud_configuration
Option 1
\nobject
Create a new rule.
calculatedFields
\n[object]
Calculated fields. Only allowed for scheduled rules - in other words, when schedulingOptions is also defined.
expression [required]
\nstring
Expression.
name [required]
\nstring
Field name.
cases [required]
\n[object]
Cases for generating signals.
actions
\n[object]
Action to perform for each rule case.
options
\nobject
Options for the rule action
duration
\nint64
Duration of the action in seconds. 0 indicates no expiration.
flaggedIPType
\nenum
Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. \nAllowed enum values: SUSPICIOUS,FLAGGED
userBehaviorName
\nstring
Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.
type
\nenum
The action type. \nAllowed enum values: block_ip,block_user,user_behavior,flag_ip
condition
\nstring
A case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated\nbased on the event counts in the previously defined queries.
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets.
status [required]
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
filters
\n[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
\nenum
The type of filtering action. \nAllowed enum values: require,suppress
query
\nstring
Query for selecting logs to apply the filtering action.
groupSignalsBy
\n[string]
Additional grouping to perform on top of the existing groups in the query section. Must be a subset of the existing groups.
hasExtendedTitle
\nboolean
Whether the notifications include the triggering group-by values in their title.
isEnabled [required]
\nboolean
Whether the rule is enabled.
message [required]
\nstring
Message for generated signals.
name [required]
\nstring
The name of the rule.
options [required]
\nobject
Options.
complianceRuleOptions
\nobject
Options for cloud_configuration rules.\nFields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.
complexRule
\nboolean
Whether the rule is a complex one.\nMust be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.
regoRule
\nobject
Rule details.
policy [required]
\nstring
The policy written in rego, see: https://www.openpolicyagent.org/docs/latest/policy-language/
resourceTypes [required]
\n[string]
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
\nstring
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.
decreaseCriticalityBasedOnEnv
\nboolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.\nThe severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO.\nThe decrement is applied when the environment tag of the signal starts with staging, test or dev.
detectionMethod
\nenum
The detection method. \nAllowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
hardcodedEvaluatorType
\nenum
Hardcoded evaluator type. \nAllowed enum values: log4shell
impossibleTravelOptions
\nobject
Options on impossible travel detection method.
baselineUserLocations
\nboolean
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular\naccess locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
\nenum
Once a signal is generated, the signal will remain "open" if a case is matched at least once within\nthis keep alive window. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
maxSignalDuration
\nenum
A signal will "close" regardless of the query being matched once the time exceeds the maximum duration.\nThis time is calculated from the first seen timestamp. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
\nobject
Options on new value detection method.
forgetAfter
\nenum
The duration in days after which a learned value is forgotten. \nAllowed enum values: 1,2,7,14,21,28
learningDuration
\nenum
The duration in days during which values are learned, and after which signals will be generated for values that\nweren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. \nAllowed enum values: 0,1,7
learningMethod
\nenum
The learning method used to determine when signals should be generated for values that weren't learned. \nAllowed enum values: duration,threshold
default: duration
learningThreshold
\nenum
A number of occurrences after which signals will be generated for values that weren't learned. \nAllowed enum values: 0,1
sequenceDetectionOptions
\nobject
Options on sequence detection method.
stepTransitions
\n[object]
Transitions defining the allowed order of steps and their evaluation windows.
child
\nstring
Name of the child step.
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
parent
\nstring
Name of the parent step.
steps
\n[object]
Steps that define the conditions to be matched in sequence.
condition
\nstring
Condition referencing rule queries (e.g., a > 0).
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
name
\nstring
Unique name identifying the step.
thirdPartyRuleOptions
\nobject
Options on third party detection method.
defaultNotifications
\n[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
rootQueries
\n[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
\n[string]
Fields to group by.
query
\nstring
Query to run on logs.
signalTitleTemplate
\nstring
A template for the signal title; if omitted, the title is generated based on the case name.
queries [required]
\n[object]
Queries for selecting logs which are part of the rule.
aggregation
\nenum
The aggregation type. \nAllowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
customQueryExtension
\nstring
Query extension to append to the logs query.
dataSource
\nenum
Source of events, either logs, audit trail, or Datadog events. \nAllowed enum values: logs,audit,app_sec_spans,spans,security_runtime,network,events
default: logs
distinctFields
\n[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
\n[string]
Fields to group by.
hasOptionalGroupByFields
\nboolean
When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with N/A, replacing the missing values.
index
\nstring
This field is currently unstable and might be removed in a minor version upgrade.\nThe index to run the query on, if the dataSource is logs. Only used for scheduled rules - in other words, when the schedulingOptions field is present in the rule payload.
indexes
\n[string]
List of indexes to query when the dataSource is logs. Only used for scheduled rules, such as when the schedulingOptions field is present in the rule payload.
metric
\nstring
DEPRECATED: (Deprecated) The target field to aggregate over when using the sum or max\naggregations. metrics field should be used instead.
metrics
\n[string]
Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.
name
\nstring
Name of the query.
query
\nstring
Query to run on logs.
referenceTables
\n[object]
Reference tables for the rule.
checkPresence
\nboolean
Whether to include or exclude the matched values.
columnName
\nstring
The name of the column in the reference table.
logFieldPath
\nstring
The field in the log to match against the reference table.
ruleQueryName
\nstring
The name of the query to apply the reference table to.
tableName
\nstring
The name of the reference table.
schedulingOptions
\nobject
Options for scheduled rules. When this field is present, the rule runs based on the schedule. When absent, it runs real-time on ingested logs.
rrule
\nstring
Schedule for the rule queries, written in RRULE syntax. See RFC for syntax reference.
start
\nstring
Start date for the schedule, in ISO 8601 format without timezone.
tags
\n[string]
Tags for generated signals.
thirdPartyCases
\n[object]
Cases for generating signals from third-party rules. Only available for third-party rules.
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets for each case.
query
\nstring
A query to map a third party event to this case.
status [required]
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
type
\nenum
The rule type. \nAllowed enum values: api_security,application_security,log_detection,workload_security
Option 2
\nobject
Create a new signal correlation rule.
cases [required]
\n[object]
Cases for generating signals.
actions
\n[object]
Action to perform for each rule case.
options
\nobject
Options for the rule action
duration
\nint64
Duration of the action in seconds. 0 indicates no expiration.
flaggedIPType
\nenum
Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. \nAllowed enum values: SUSPICIOUS,FLAGGED
userBehaviorName
\nstring
Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.
type
\nenum
The action type. \nAllowed enum values: block_ip,block_user,user_behavior,flag_ip
condition
\nstring
A case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated\nbased on the event counts in the previously defined queries.
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets.
status [required]
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
filters
\n[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
\nenum
The type of filtering action. \nAllowed enum values: require,suppress
query
\nstring
Query for selecting logs to apply the filtering action.
hasExtendedTitle
\nboolean
Whether the notifications include the triggering group-by values in their title.
isEnabled [required]
\nboolean
Whether the rule is enabled.
message [required]
\nstring
Message for generated signals.
name [required]
\nstring
The name of the rule.
options [required]
\nobject
Options.
complianceRuleOptions
\nobject
Options for cloud_configuration rules.\nFields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.
complexRule
\nboolean
Whether the rule is a complex one.\nMust be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.
regoRule
\nobject
Rule details.
policy [required]
\nstring
The policy written in rego, see: https://www.openpolicyagent.org/docs/latest/policy-language/
resourceTypes [required]
\n[string]
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
\nstring
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.
decreaseCriticalityBasedOnEnv
\nboolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.\nThe severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO.\nThe decrement is applied when the environment tag of the signal starts with staging, test or dev.
detectionMethod
\nenum
The detection method. \nAllowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
hardcodedEvaluatorType
\nenum
Hardcoded evaluator type. \nAllowed enum values: log4shell
impossibleTravelOptions
\nobject
Options on impossible travel detection method.
baselineUserLocations
\nboolean
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular\naccess locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
\nenum
Once a signal is generated, the signal will remain "open" if a case is matched at least once within\nthis keep alive window. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
maxSignalDuration
\nenum
A signal will "close" regardless of the query being matched once the time exceeds the maximum duration.\nThis time is calculated from the first seen timestamp. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
\nobject
Options on new value detection method.
forgetAfter
\nenum
The duration in days after which a learned value is forgotten. \nAllowed enum values: 1,2,7,14,21,28
learningDuration
\nenum
The duration in days during which values are learned, and after which signals will be generated for values that\nweren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. \nAllowed enum values: 0,1,7
learningMethod
\nenum
The learning method used to determine when signals should be generated for values that weren't learned. \nAllowed enum values: duration,threshold
default: duration
learningThreshold
\nenum
A number of occurrences after which signals will be generated for values that weren't learned. \nAllowed enum values: 0,1
sequenceDetectionOptions
\nobject
Options on sequence detection method.
stepTransitions
\n[object]
Transitions defining the allowed order of steps and their evaluation windows.
child
\nstring
Name of the child step.
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
parent
\nstring
Name of the parent step.
steps
\n[object]
Steps that define the conditions to be matched in sequence.
condition
\nstring
Condition referencing rule queries (e.g., a > 0).
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
name
\nstring
Unique name identifying the step.
thirdPartyRuleOptions
\nobject
Options on third party detection method.
defaultNotifications
\n[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
rootQueries
\n[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
\n[string]
Fields to group by.
query
\nstring
Query to run on logs.
signalTitleTemplate
\nstring
A template for the signal title; if omitted, the title is generated based on the case name.
queries [required]
\n[object]
Queries for selecting signals which are part of the rule.
aggregation
\nenum
The aggregation type. \nAllowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
correlatedByFields
\n[string]
Fields to group by.
correlatedQueryIndex
\nint32
Index of the rule query used to retrieve the correlated field.
metrics
\n[string]
Group of target fields to aggregate over.
name
\nstring
Name of the query.
ruleId [required]
\nstring
Rule ID to match on signals.
tags
\n[string]
Tags for generated signals.
type
\nenum
The rule type. \nAllowed enum values: signal_correlation
Option 3
\nobject
Create a new cloud configuration rule.
cases [required]
\n[object]
Description of generated findings and signals (severity and channels to be notified in case of a signal). Must contain exactly one item.
notifications
\n[string]
Notification targets for each rule case.
status [required]
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
complianceSignalOptions [required]
\nobject
How to generate compliance signals. Useful for cloud_configuration rules only.
defaultActivationStatus
\nboolean
The default activation status.
defaultGroupByFields
\n[string]
The default group by fields.
userActivationStatus
\nboolean
Whether signals will be sent.
userGroupByFields
\n[string]
Fields to use to group findings by when sending signals.
filters
\n[object]
Additional queries to filter matched events before they are processed.
action
\nenum
The type of filtering action. \nAllowed enum values: require,suppress
query
\nstring
Query for selecting logs to apply the filtering action.
isEnabled [required]
\nboolean
Whether the rule is enabled.
message [required]
\nstring
Message in markdown format for generated findings and signals.
name [required]
\nstring
The name of the rule.
options [required]
\nobject
Options on cloud configuration rules.
complianceRuleOptions [required]
\nobject
Options for cloud_configuration rules.\nFields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.
complexRule
\nboolean
Whether the rule is a complex one.\nMust be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.
regoRule
\nobject
Rule details.
policy [required]
\nstring
The policy written in rego, see: https://www.openpolicyagent.org/docs/latest/policy-language/
resourceTypes [required]
\n[string]
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
\nstring
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.
tags
\n[string]
Tags for generated findings and signals.
type
\nenum
The rule type. \nAllowed enum values: cloud_configuration
Option 1
\nobject
The payload of a rule.
calculatedFields
\n[object]
Calculated fields. Only allowed for scheduled rules - in other words, when schedulingOptions is also defined.
expression [required]
\nstring
Expression.
name [required]
\nstring
Field name.
cases [required]
\n[object]
Cases for generating signals.
actions
\n[object]
Action to perform for each rule case.
options
\nobject
Options for the rule action
duration
\nint64
Duration of the action in seconds. 0 indicates no expiration.
flaggedIPType
\nenum
Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. \nAllowed enum values: SUSPICIOUS,FLAGGED
userBehaviorName
\nstring
Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.
type
\nenum
The action type. \nAllowed enum values: block_ip,block_user,user_behavior,flag_ip
condition
\nstring
A case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated\nbased on the event counts in the previously defined queries.
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets.
status [required]
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
customMessage
\nstring
Custom/Overridden message for generated signals (used in case of Default rule update).
customName
\nstring
Custom/Overridden name of the rule (used in case of Default rule update).
filters
\n[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
\nenum
The type of filtering action. \nAllowed enum values: require,suppress
query
\nstring
Query for selecting logs to apply the filtering action.
groupSignalsBy
\n[string]
Additional grouping to perform on top of the existing groups in the query section. Must be a subset of the existing groups.
hasExtendedTitle
\nboolean
Whether the notifications include the triggering group-by values in their title.
isEnabled [required]
\nboolean
Whether the rule is enabled.
message [required]
\nstring
Message for generated signals.
name [required]
\nstring
The name of the rule.
options [required]
\nobject
Options.
complianceRuleOptions
\nobject
Options for cloud_configuration rules.\nFields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.
complexRule
\nboolean
Whether the rule is a complex one.\nMust be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.
regoRule
\nobject
Rule details.
policy [required]
\nstring
The policy written in rego, see: https://www.openpolicyagent.org/docs/latest/policy-language/
resourceTypes [required]
\n[string]
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
\nstring
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.
decreaseCriticalityBasedOnEnv
\nboolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.\nThe severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO.\nThe decrement is applied when the environment tag of the signal starts with staging, test or dev.
detectionMethod
\nenum
The detection method. \nAllowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
hardcodedEvaluatorType
\nenum
Hardcoded evaluator type. \nAllowed enum values: log4shell
impossibleTravelOptions
\nobject
Options on impossible travel detection method.
baselineUserLocations
\nboolean
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular\naccess locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
\nenum
Once a signal is generated, the signal will remain "open" if a case is matched at least once within\nthis keep alive window. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
maxSignalDuration
\nenum
A signal will "close" regardless of the query being matched once the time exceeds the maximum duration.\nThis time is calculated from the first seen timestamp. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
\nobject
Options on new value detection method.
forgetAfter
\nenum
The duration in days after which a learned value is forgotten. \nAllowed enum values: 1,2,7,14,21,28
learningDuration
\nenum
The duration in days during which values are learned, and after which signals will be generated for values that\nweren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. \nAllowed enum values: 0,1,7
learningMethod
\nenum
The learning method used to determine when signals should be generated for values that weren't learned. \nAllowed enum values: duration,threshold
default: duration
learningThreshold
\nenum
A number of occurrences after which signals will be generated for values that weren't learned. \nAllowed enum values: 0,1
sequenceDetectionOptions
\nobject
Options on sequence detection method.
stepTransitions
\n[object]
Transitions defining the allowed order of steps and their evaluation windows.
child
\nstring
Name of the child step.
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
parent
\nstring
Name of the parent step.
steps
\n[object]
Steps that define the conditions to be matched in sequence.
condition
\nstring
Condition referencing rule queries (e.g., a > 0).
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
name
\nstring
Unique name identifying the step.
thirdPartyRuleOptions
\nobject
Options on third party detection method.
defaultNotifications
\n[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
rootQueries
\n[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
\n[string]
Fields to group by.
query
\nstring
Query to run on logs.
signalTitleTemplate
\nstring
A template for the signal title; if omitted, the title is generated based on the case name.
queries [required]
\n[object]
Queries for selecting logs which are part of the rule.
aggregation
\nenum
The aggregation type. \nAllowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
customQueryExtension
\nstring
Query extension to append to the logs query.
dataSource
\nenum
Source of events, either logs, audit trail, or Datadog events. \nAllowed enum values: logs,audit,app_sec_spans,spans,security_runtime,network,events
default: logs
distinctFields
\n[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
\n[string]
Fields to group by.
hasOptionalGroupByFields
\nboolean
When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with N/A, replacing the missing values.
index
\nstring
This field is currently unstable and might be removed in a minor version upgrade.\nThe index to run the query on, if the dataSource is logs. Only used for scheduled rules - in other words, when the schedulingOptions field is present in the rule payload.
metric
\nstring
DEPRECATED: (Deprecated) The target field to aggregate over when using the sum or max\naggregations. metrics field should be used instead.
metrics
\n[string]
Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.
name
\nstring
Name of the query.
query
\nstring
Query to run on logs.
referenceTables
\n[object]
Reference tables for the rule.
checkPresence
\nboolean
Whether to include or exclude the matched values.
columnName
\nstring
The name of the column in the reference table.
logFieldPath
\nstring
The field in the log to match against the reference table.
ruleQueryName
\nstring
The name of the query to apply the reference table to.
tableName
\nstring
The name of the reference table.
schedulingOptions
\nobject
Options for scheduled rules. When this field is present, the rule runs based on the schedule. When absent, it runs real-time on ingested logs.
rrule
\nstring
Schedule for the rule queries, written in RRULE syntax. See RFC for syntax reference.
start
\nstring
Start date for the schedule, in ISO 8601 format without timezone.
tags
\n[string]
Tags for generated signals.
thirdPartyCases
\n[object]
Cases for generating signals from third-party rules. Only available for third-party rules.
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets for each case.
query
\nstring
A query to map a third party event to this case.
status [required]
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
type
\nenum
The rule type. \nAllowed enum values: api_security,application_security,log_detection,workload_security
Option 2
\nobject
The payload of a signal correlation rule.
cases [required]
\n[object]
Cases for generating signals.
actions
\n[object]
Action to perform for each rule case.
options
\nobject
Options for the rule action
duration
\nint64
Duration of the action in seconds. 0 indicates no expiration.
flaggedIPType
\nenum
Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. \nAllowed enum values: SUSPICIOUS,FLAGGED
userBehaviorName
\nstring
Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.
type
\nenum
The action type. \nAllowed enum values: block_ip,block_user,user_behavior,flag_ip
condition
\nstring
A case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated\nbased on the event counts in the previously defined queries.
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets.
status [required]
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
customMessage
\nstring
Custom/Overridden message for generated signals (used in case of Default rule update).
customName
\nstring
Custom/Overridden name of the rule (used in case of Default rule update).
filters
\n[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
\nenum
The type of filtering action. \nAllowed enum values: require,suppress
query
\nstring
Query for selecting logs to apply the filtering action.
hasExtendedTitle
\nboolean
Whether the notifications include the triggering group-by values in their title.
isEnabled [required]
\nboolean
Whether the rule is enabled.
message [required]
\nstring
Message for generated signals.
name [required]
\nstring
The name of the rule.
options [required]
\nobject
Options.
complianceRuleOptions
\nobject
Options for cloud_configuration rules.\nFields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.
complexRule
\nboolean
Whether the rule is a complex one.\nMust be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.
regoRule
\nobject
Rule details.
policy [required]
\nstring
The policy written in rego, see: https://www.openpolicyagent.org/docs/latest/policy-language/
resourceTypes [required]
\n[string]
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
\nstring
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.
decreaseCriticalityBasedOnEnv
\nboolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.\nThe severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO.\nThe decrement is applied when the environment tag of the signal starts with staging, test or dev.
detectionMethod
\nenum
The detection method. \nAllowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
hardcodedEvaluatorType
\nenum
Hardcoded evaluator type. \nAllowed enum values: log4shell
impossibleTravelOptions
\nobject
Options on impossible travel detection method.
baselineUserLocations
\nboolean
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular\naccess locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
\nenum
Once a signal is generated, the signal will remain "open" if a case is matched at least once within\nthis keep alive window. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
maxSignalDuration
\nenum
A signal will "close" regardless of the query being matched once the time exceeds the maximum duration.\nThis time is calculated from the first seen timestamp. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
\nobject
Options on new value detection method.
forgetAfter
\nenum
The duration in days after which a learned value is forgotten. \nAllowed enum values: 1,2,7,14,21,28
learningDuration
\nenum
The duration in days during which values are learned, and after which signals will be generated for values that\nweren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. \nAllowed enum values: 0,1,7
learningMethod
\nenum
The learning method used to determine when signals should be generated for values that weren't learned. \nAllowed enum values: duration,threshold
default: duration
learningThreshold
\nenum
A number of occurrences after which signals will be generated for values that weren't learned. \nAllowed enum values: 0,1
sequenceDetectionOptions
\nobject
Options on sequence detection method.
stepTransitions
\n[object]
Transitions defining the allowed order of steps and their evaluation windows.
child
\nstring
Name of the child step.
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
parent
\nstring
Name of the parent step.
steps
\n[object]
Steps that define the conditions to be matched in sequence.
condition
\nstring
Condition referencing rule queries (e.g., a > 0).
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
name
\nstring
Unique name identifying the step.
thirdPartyRuleOptions
\nobject
Options on third party detection method.
defaultNotifications
\n[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
rootQueries
\n[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
\n[string]
Fields to group by.
query
\nstring
Query to run on logs.
signalTitleTemplate
\nstring
A template for the signal title; if omitted, the title is generated based on the case name.
queries [required]
\n[object]
Queries for selecting signals which are part of the rule.
aggregation
\nenum
The aggregation type. \nAllowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
correlatedByFields
\n[string]
Fields to group by.
correlatedQueryIndex
\nint32
Index of the rule query used to retrieve the correlated field.
metrics
\n[string]
Group of target fields to aggregate over.
name
\nstring
Name of the query.
ruleId [required]
\nstring
Rule ID to match on signals.
tags
\n[string]
Tags for generated signals.
type
\nenum
The rule type. \nAllowed enum values: signal_correlation
Option 1
\nobject
The payload of a rule.
calculatedFields
\n[object]
Calculated fields. Only allowed for scheduled rules - in other words, when schedulingOptions is also defined.
expression [required]
\nstring
Expression.
name [required]
\nstring
Field name.
cases [required]
\n[object]
Cases for generating signals.
actions
\n[object]
Action to perform for each rule case.
options
\nobject
Options for the rule action
duration
\nint64
Duration of the action in seconds. 0 indicates no expiration.
flaggedIPType
\nenum
Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. \nAllowed enum values: SUSPICIOUS,FLAGGED
userBehaviorName
\nstring
Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.
type
\nenum
The action type. \nAllowed enum values: block_ip,block_user,user_behavior,flag_ip
condition
\nstring
A case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated\nbased on the event counts in the previously defined queries.
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets.
status [required]
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
customMessage
\nstring
Custom/Overridden message for generated signals (used in case of Default rule update).
customName
\nstring
Custom/Overridden name of the rule (used in case of Default rule update).
filters
\n[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
\nenum
The type of filtering action. \nAllowed enum values: require,suppress
query
\nstring
Query for selecting logs to apply the filtering action.
groupSignalsBy
\n[string]
Additional grouping to perform on top of the existing groups in the query section. Must be a subset of the existing groups.
hasExtendedTitle
\nboolean
Whether the notifications include the triggering group-by values in their title.
isEnabled [required]
\nboolean
Whether the rule is enabled.
message [required]
\nstring
Message for generated signals.
name [required]
\nstring
The name of the rule.
options [required]
\nobject
Options.
complianceRuleOptions
\nobject
Options for cloud_configuration rules.\nFields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.
complexRule
\nboolean
Whether the rule is a complex one.\nMust be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.
regoRule
\nobject
Rule details.
policy [required]
\nstring
The policy written in rego, see: https://www.openpolicyagent.org/docs/latest/policy-language/
resourceTypes [required]
\n[string]
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
\nstring
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.
decreaseCriticalityBasedOnEnv
\nboolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.\nThe severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO.\nThe decrement is applied when the environment tag of the signal starts with staging, test or dev.
detectionMethod
\nenum
The detection method. \nAllowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
hardcodedEvaluatorType
\nenum
Hardcoded evaluator type. \nAllowed enum values: log4shell
impossibleTravelOptions
\nobject
Options on impossible travel detection method.
baselineUserLocations
\nboolean
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular\naccess locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
\nenum
Once a signal is generated, the signal will remain "open" if a case is matched at least once within\nthis keep alive window. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
maxSignalDuration
\nenum
A signal will "close" regardless of the query being matched once the time exceeds the maximum duration.\nThis time is calculated from the first seen timestamp. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
\nobject
Options on new value detection method.
forgetAfter
\nenum
The duration in days after which a learned value is forgotten. \nAllowed enum values: 1,2,7,14,21,28
learningDuration
\nenum
The duration in days during which values are learned, and after which signals will be generated for values that\nweren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. \nAllowed enum values: 0,1,7
learningMethod
\nenum
The learning method used to determine when signals should be generated for values that weren't learned. \nAllowed enum values: duration,threshold
default: duration
learningThreshold
\nenum
A number of occurrences after which signals will be generated for values that weren't learned. \nAllowed enum values: 0,1
sequenceDetectionOptions
\nobject
Options on sequence detection method.
stepTransitions
\n[object]
Transitions defining the allowed order of steps and their evaluation windows.
child
\nstring
Name of the child step.
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
parent
\nstring
Name of the parent step.
steps
\n[object]
Steps that define the conditions to be matched in sequence.
condition
\nstring
Condition referencing rule queries (e.g., a > 0).
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
name
\nstring
Unique name identifying the step.
thirdPartyRuleOptions
\nobject
Options on third party detection method.
defaultNotifications
\n[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
rootQueries
\n[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
\n[string]
Fields to group by.
query
\nstring
Query to run on logs.
signalTitleTemplate
\nstring
A template for the signal title; if omitted, the title is generated based on the case name.
queries [required]
\n[object]
Queries for selecting logs which are part of the rule.
aggregation
\nenum
The aggregation type. \nAllowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
customQueryExtension
\nstring
Query extension to append to the logs query.
dataSource
\nenum
Source of events, either logs, audit trail, or Datadog events. \nAllowed enum values: logs,audit,app_sec_spans,spans,security_runtime,network,events
default: logs
distinctFields
\n[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
\n[string]
Fields to group by.
hasOptionalGroupByFields
\nboolean
When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with N/A, replacing the missing values.
index
\nstring
This field is currently unstable and might be removed in a minor version upgrade.\nThe index to run the query on, if the dataSource is logs. Only used for scheduled rules - in other words, when the schedulingOptions field is present in the rule payload.
indexes
\n[string]
List of indexes to query when the dataSource is logs. Only used for scheduled rules, such as when the schedulingOptions field is present in the rule payload.
metric
\nstring
DEPRECATED: (Deprecated) The target field to aggregate over when using the sum or max\naggregations. metrics field should be used instead.
metrics
\n[string]
Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.
name
\nstring
Name of the query.
query
\nstring
Query to run on logs.
referenceTables
\n[object]
Reference tables for the rule.
checkPresence
\nboolean
Whether to include or exclude the matched values.
columnName
\nstring
The name of the column in the reference table.
logFieldPath
\nstring
The field in the log to match against the reference table.
ruleQueryName
\nstring
The name of the query to apply the reference table to.
tableName
\nstring
The name of the reference table.
schedulingOptions
\nobject
Options for scheduled rules. When this field is present, the rule runs based on the schedule. When absent, it runs real-time on ingested logs.
rrule
\nstring
Schedule for the rule queries, written in RRULE syntax. See RFC for syntax reference.
start
\nstring
Start date for the schedule, in ISO 8601 format without timezone.
tags
\n[string]
Tags for generated signals.
thirdPartyCases
\n[object]
Cases for generating signals from third-party rules. Only available for third-party rules.
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets for each case.
query
\nstring
A query to map a third party event to this case.
status [required]
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
type
\nenum
The rule type. \nAllowed enum values: api_security,application_security,log_detection,workload_security
Option 2
\nobject
The payload of a signal correlation rule.
cases [required]
\n[object]
Cases for generating signals.
actions
\n[object]
Action to perform for each rule case.
options
\nobject
Options for the rule action
duration
\nint64
Duration of the action in seconds. 0 indicates no expiration.
flaggedIPType
\nenum
Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. \nAllowed enum values: SUSPICIOUS,FLAGGED
userBehaviorName
\nstring
Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.
type
\nenum
The action type. \nAllowed enum values: block_ip,block_user,user_behavior,flag_ip
condition
\nstring
A case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated\nbased on the event counts in the previously defined queries.
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets.
status [required]
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
customMessage
\nstring
Custom/Overridden message for generated signals (used in case of Default rule update).
customName
\nstring
Custom/Overridden name of the rule (used in case of Default rule update).
filters
\n[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
\nenum
The type of filtering action. \nAllowed enum values: require,suppress
query
\nstring
Query for selecting logs to apply the filtering action.
hasExtendedTitle
\nboolean
Whether the notifications include the triggering group-by values in their title.
isEnabled [required]
\nboolean
Whether the rule is enabled.
message [required]
\nstring
Message for generated signals.
name [required]
\nstring
The name of the rule.
options [required]
\nobject
Options.
complianceRuleOptions
\nobject
Options for cloud_configuration rules.\nFields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.
complexRule
\nboolean
Whether the rule is a complex one.\nMust be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.
regoRule
\nobject
Rule details.
policy [required]
\nstring
The policy written in rego, see: https://www.openpolicyagent.org/docs/latest/policy-language/
resourceTypes [required]
\n[string]
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
\nstring
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.
decreaseCriticalityBasedOnEnv
\nboolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.\nThe severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO.\nThe decrement is applied when the environment tag of the signal starts with staging, test or dev.
detectionMethod
\nenum
The detection method. \nAllowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
hardcodedEvaluatorType
\nenum
Hardcoded evaluator type. \nAllowed enum values: log4shell
impossibleTravelOptions
\nobject
Options on impossible travel detection method.
baselineUserLocations
\nboolean
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular\naccess locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
\nenum
Once a signal is generated, the signal will remain "open" if a case is matched at least once within\nthis keep alive window. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
maxSignalDuration
\nenum
A signal will "close" regardless of the query being matched once the time exceeds the maximum duration.\nThis time is calculated from the first seen timestamp. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
\nobject
Options on new value detection method.
forgetAfter
\nenum
The duration in days after which a learned value is forgotten. \nAllowed enum values: 1,2,7,14,21,28
learningDuration
\nenum
The duration in days during which values are learned, and after which signals will be generated for values that\nweren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. \nAllowed enum values: 0,1,7
learningMethod
\nenum
The learning method used to determine when signals should be generated for values that weren't learned. \nAllowed enum values: duration,threshold
default: duration
learningThreshold
\nenum
A number of occurrences after which signals will be generated for values that weren't learned. \nAllowed enum values: 0,1
sequenceDetectionOptions
\nobject
Options on sequence detection method.
stepTransitions
\n[object]
Transitions defining the allowed order of steps and their evaluation windows.
child
\nstring
Name of the child step.
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
parent
\nstring
Name of the parent step.
steps
\n[object]
Steps that define the conditions to be matched in sequence.
condition
\nstring
Condition referencing rule queries (e.g., a > 0).
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
name
\nstring
Unique name identifying the step.
thirdPartyRuleOptions
\nobject
Options on third party detection method.
defaultNotifications
\n[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
rootQueries
\n[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
\n[string]
Fields to group by.
query
\nstring
Query to run on logs.
signalTitleTemplate
\nstring
A template for the signal title; if omitted, the title is generated based on the case name.
queries [required]
\n[object]
Queries for selecting signals which are part of the rule.
aggregation
\nenum
The aggregation type. \nAllowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
correlatedByFields
\n[string]
Fields to group by.
correlatedQueryIndex
\nint32
Index of the rule query used to retrieve the correlated field.
metrics
\n[string]
Group of target fields to aggregate over.
name
\nstring
Name of the query.
ruleId [required]
\nstring
Rule ID to match on signals.
tags
\n[string]
Tags for generated signals.
type
\nenum
The rule type. \nAllowed enum values: signal_correlation
rule
\n<oneOf>
Test a rule.
Option 1
\nobject
The payload of a rule to test
calculatedFields
\n[object]
Calculated fields. Only allowed for scheduled rules - in other words, when schedulingOptions is also defined.
expression [required]
\nstring
Expression.
name [required]
\nstring
Field name.
cases [required]
\n[object]
Cases for generating signals.
actions
\n[object]
Action to perform for each rule case.
options
\nobject
Options for the rule action
duration
\nint64
Duration of the action in seconds. 0 indicates no expiration.
flaggedIPType
\nenum
Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. \nAllowed enum values: SUSPICIOUS,FLAGGED
userBehaviorName
\nstring
Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.
type
\nenum
The action type. \nAllowed enum values: block_ip,block_user,user_behavior,flag_ip
condition
\nstring
A case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated\nbased on the event counts in the previously defined queries.
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets.
status [required]
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
filters
\n[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
\nenum
The type of filtering action. \nAllowed enum values: require,suppress
query
\nstring
Query for selecting logs to apply the filtering action.
groupSignalsBy
\n[string]
Additional grouping to perform on top of the existing groups in the query section. Must be a subset of the existing groups.
hasExtendedTitle
\nboolean
Whether the notifications include the triggering group-by values in their title.
isEnabled [required]
\nboolean
Whether the rule is enabled.
message [required]
\nstring
Message for generated signals.
name [required]
\nstring
The name of the rule.
options [required]
\nobject
Options.
complianceRuleOptions
\nobject
Options for cloud_configuration rules.\nFields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.
complexRule
\nboolean
Whether the rule is a complex one.\nMust be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.
regoRule
\nobject
Rule details.
policy [required]
\nstring
The policy written in rego, see: https://www.openpolicyagent.org/docs/latest/policy-language/
resourceTypes [required]
\n[string]
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
\nstring
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.
decreaseCriticalityBasedOnEnv
\nboolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.\nThe severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO.\nThe decrement is applied when the environment tag of the signal starts with staging, test or dev.
detectionMethod
\nenum
The detection method. \nAllowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
hardcodedEvaluatorType
\nenum
Hardcoded evaluator type. \nAllowed enum values: log4shell
impossibleTravelOptions
\nobject
Options on impossible travel detection method.
baselineUserLocations
\nboolean
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular\naccess locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
\nenum
Once a signal is generated, the signal will remain "open" if a case is matched at least once within\nthis keep alive window. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
maxSignalDuration
\nenum
A signal will "close" regardless of the query being matched once the time exceeds the maximum duration.\nThis time is calculated from the first seen timestamp. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
\nobject
Options on new value detection method.
forgetAfter
\nenum
The duration in days after which a learned value is forgotten. \nAllowed enum values: 1,2,7,14,21,28
learningDuration
\nenum
The duration in days during which values are learned, and after which signals will be generated for values that\nweren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. \nAllowed enum values: 0,1,7
learningMethod
\nenum
The learning method used to determine when signals should be generated for values that weren't learned. \nAllowed enum values: duration,threshold
default: duration
learningThreshold
\nenum
A number of occurrences after which signals will be generated for values that weren't learned. \nAllowed enum values: 0,1
sequenceDetectionOptions
\nobject
Options on sequence detection method.
stepTransitions
\n[object]
Transitions defining the allowed order of steps and their evaluation windows.
child
\nstring
Name of the child step.
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
parent
\nstring
Name of the parent step.
steps
\n[object]
Steps that define the conditions to be matched in sequence.
condition
\nstring
Condition referencing rule queries (e.g., a > 0).
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
name
\nstring
Unique name identifying the step.
thirdPartyRuleOptions
\nobject
Options on third party detection method.
defaultNotifications
\n[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
rootQueries
\n[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
\n[string]
Fields to group by.
query
\nstring
Query to run on logs.
signalTitleTemplate
\nstring
A template for the signal title; if omitted, the title is generated based on the case name.
queries [required]
\n[object]
Queries for selecting logs which are part of the rule.
aggregation
\nenum
The aggregation type. \nAllowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
customQueryExtension
\nstring
Query extension to append to the logs query.
dataSource
\nenum
Source of events, either logs, audit trail, or Datadog events. \nAllowed enum values: logs,audit,app_sec_spans,spans,security_runtime,network,events
default: logs
distinctFields
\n[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
\n[string]
Fields to group by.
hasOptionalGroupByFields
\nboolean
When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with N/A, replacing the missing values.
index
\nstring
This field is currently unstable and might be removed in a minor version upgrade.\nThe index to run the query on, if the dataSource is logs. Only used for scheduled rules - in other words, when the schedulingOptions field is present in the rule payload.
metric
\nstring
DEPRECATED: (Deprecated) The target field to aggregate over when using the sum or max\naggregations. metrics field should be used instead.
metrics
\n[string]
Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.
name
\nstring
Name of the query.
query
\nstring
Query to run on logs.
referenceTables
\n[object]
Reference tables for the rule.
checkPresence
\nboolean
Whether to include or exclude the matched values.
columnName
\nstring
The name of the column in the reference table.
logFieldPath
\nstring
The field in the log to match against the reference table.
ruleQueryName
\nstring
The name of the query to apply the reference table to.
tableName
\nstring
The name of the reference table.
schedulingOptions
\nobject
Options for scheduled rules. When this field is present, the rule runs based on the schedule. When absent, it runs real-time on ingested logs.
rrule
\nstring
Schedule for the rule queries, written in RRULE syntax. See RFC for syntax reference.
start
\nstring
Start date for the schedule, in ISO 8601 format without timezone.
tags
\n[string]
Tags for generated signals.
thirdPartyCases
\n[object]
Cases for generating signals from third-party rules. Only available for third-party rules.
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets for each case.
query
\nstring
A query to map a third party event to this case.
status [required]
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
type
\nenum
The rule type. \nAllowed enum values: log_detection
ruleQueryPayloads
\n[object]
Data payloads used to test rules query with the expected result.
expectedResult
\nboolean
Expected result of the test.
index
\nint64
Index of the query under test.
payload
\nobject
Payload used to test the rule query.
ddsource
\nstring
Source of the payload.
ddtags
\nstring
Tags associated with your data.
hostname
\nstring
The name of the originating host of the log.
message
\nstring
The message of the payload.
service
\nstring
The name of the application or service generating the data.
rule
\n<oneOf>
Test a rule.
Option 1
\nobject
The payload of a rule to test
calculatedFields
\n[object]
Calculated fields. Only allowed for scheduled rules - in other words, when schedulingOptions is also defined.
expression [required]
\nstring
Expression.
name [required]
\nstring
Field name.
cases [required]
\n[object]
Cases for generating signals.
actions
\n[object]
Action to perform for each rule case.
options
\nobject
Options for the rule action
duration
\nint64
Duration of the action in seconds. 0 indicates no expiration.
flaggedIPType
\nenum
Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. \nAllowed enum values: SUSPICIOUS,FLAGGED
userBehaviorName
\nstring
Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.
type
\nenum
The action type. \nAllowed enum values: block_ip,block_user,user_behavior,flag_ip
condition
\nstring
A case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated\nbased on the event counts in the previously defined queries.
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets.
status [required]
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
filters
\n[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
\nenum
The type of filtering action. \nAllowed enum values: require,suppress
query
\nstring
Query for selecting logs to apply the filtering action.
groupSignalsBy
\n[string]
Additional grouping to perform on top of the existing groups in the query section. Must be a subset of the existing groups.
hasExtendedTitle
\nboolean
Whether the notifications include the triggering group-by values in their title.
isEnabled [required]
\nboolean
Whether the rule is enabled.
message [required]
\nstring
Message for generated signals.
name [required]
\nstring
The name of the rule.
options [required]
\nobject
Options.
complianceRuleOptions
\nobject
Options for cloud_configuration rules.\nFields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.
complexRule
\nboolean
Whether the rule is a complex one.\nMust be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.
regoRule
\nobject
Rule details.
policy [required]
\nstring
The policy written in rego, see: https://www.openpolicyagent.org/docs/latest/policy-language/
resourceTypes [required]
\n[string]
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
\nstring
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.
decreaseCriticalityBasedOnEnv
\nboolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.\nThe severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO.\nThe decrement is applied when the environment tag of the signal starts with staging, test or dev.
detectionMethod
\nenum
The detection method. \nAllowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
hardcodedEvaluatorType
\nenum
Hardcoded evaluator type. \nAllowed enum values: log4shell
impossibleTravelOptions
\nobject
Options on impossible travel detection method.
baselineUserLocations
\nboolean
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular\naccess locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
\nenum
Once a signal is generated, the signal will remain "open" if a case is matched at least once within\nthis keep alive window. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
maxSignalDuration
\nenum
A signal will "close" regardless of the query being matched once the time exceeds the maximum duration.\nThis time is calculated from the first seen timestamp. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
\nobject
Options on new value detection method.
forgetAfter
\nenum
The duration in days after which a learned value is forgotten. \nAllowed enum values: 1,2,7,14,21,28
learningDuration
\nenum
The duration in days during which values are learned, and after which signals will be generated for values that\nweren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. \nAllowed enum values: 0,1,7
learningMethod
\nenum
The learning method used to determine when signals should be generated for values that weren't learned. \nAllowed enum values: duration,threshold
default: duration
learningThreshold
\nenum
A number of occurrences after which signals will be generated for values that weren't learned. \nAllowed enum values: 0,1
sequenceDetectionOptions
\nobject
Options on sequence detection method.
stepTransitions
\n[object]
Transitions defining the allowed order of steps and their evaluation windows.
child
\nstring
Name of the child step.
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
parent
\nstring
Name of the parent step.
steps
\n[object]
Steps that define the conditions to be matched in sequence.
condition
\nstring
Condition referencing rule queries (e.g., a > 0).
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
name
\nstring
Unique name identifying the step.
thirdPartyRuleOptions
\nobject
Options on third party detection method.
defaultNotifications
\n[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
rootQueries
\n[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
\n[string]
Fields to group by.
query
\nstring
Query to run on logs.
signalTitleTemplate
\nstring
A template for the signal title; if omitted, the title is generated based on the case name.
queries [required]
\n[object]
Queries for selecting logs which are part of the rule.
aggregation
\nenum
The aggregation type. \nAllowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
customQueryExtension
\nstring
Query extension to append to the logs query.
dataSource
\nenum
Source of events, either logs, audit trail, or Datadog events. \nAllowed enum values: logs,audit,app_sec_spans,spans,security_runtime,network,events
default: logs
distinctFields
\n[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
\n[string]
Fields to group by.
hasOptionalGroupByFields
\nboolean
When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with N/A, replacing the missing values.
index
\nstring
This field is currently unstable and might be removed in a minor version upgrade.\nThe index to run the query on, if the dataSource is logs. Only used for scheduled rules - in other words, when the schedulingOptions field is present in the rule payload.
indexes
\n[string]
List of indexes to query when the dataSource is logs. Only used for scheduled rules, such as when the schedulingOptions field is present in the rule payload.
metric
\nstring
DEPRECATED: (Deprecated) The target field to aggregate over when using the sum or max\naggregations. metrics field should be used instead.
metrics
\n[string]
Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.
name
\nstring
Name of the query.
query
\nstring
Query to run on logs.
referenceTables
\n[object]
Reference tables for the rule.
checkPresence
\nboolean
Whether to include or exclude the matched values.
columnName
\nstring
The name of the column in the reference table.
logFieldPath
\nstring
The field in the log to match against the reference table.
ruleQueryName
\nstring
The name of the query to apply the reference table to.
tableName
\nstring
The name of the reference table.
schedulingOptions
\nobject
Options for scheduled rules. When this field is present, the rule runs based on the schedule. When absent, it runs real-time on ingested logs.
rrule
\nstring
Schedule for the rule queries, written in RRULE syntax. See RFC for syntax reference.
start
\nstring
Start date for the schedule, in ISO 8601 format without timezone.
tags
\n[string]
Tags for generated signals.
thirdPartyCases
\n[object]
Cases for generating signals from third-party rules. Only available for third-party rules.
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets for each case.
query
\nstring
A query to map a third party event to this case.
status [required]
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
type
\nenum
The rule type. \nAllowed enum values: log_detection
ruleQueryPayloads
\n[object]
Data payloads used to test rules query with the expected result.
expectedResult
\nboolean
Expected result of the test.
index
\nint64
Index of the query under test.
payload
\nobject
Payload used to test the rule query.
ddsource
\nstring
Source of the payload.
ddtags
\nstring
Tags associated with your data.
hostname
\nstring
The name of the originating host of the log.
message
\nstring
The message of the payload.
service
\nstring
The name of the application or service generating the data.
Option 1
\nobject
The payload of a rule.
calculatedFields
\n[object]
Calculated fields. Only allowed for scheduled rules - in other words, when schedulingOptions is also defined.
expression [required]
\nstring
Expression.
name [required]
\nstring
Field name.
cases [required]
\n[object]
Cases for generating signals.
actions
\n[object]
Action to perform for each rule case.
options
\nobject
Options for the rule action
duration
\nint64
Duration of the action in seconds. 0 indicates no expiration.
flaggedIPType
\nenum
Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. \nAllowed enum values: SUSPICIOUS,FLAGGED
userBehaviorName
\nstring
Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.
type
\nenum
The action type. \nAllowed enum values: block_ip,block_user,user_behavior,flag_ip
condition
\nstring
A case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated\nbased on the event counts in the previously defined queries.
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets.
status [required]
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
customMessage
\nstring
Custom/Overridden message for generated signals (used in case of Default rule update).
customName
\nstring
Custom/Overridden name of the rule (used in case of Default rule update).
filters
\n[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
\nenum
The type of filtering action. \nAllowed enum values: require,suppress
query
\nstring
Query for selecting logs to apply the filtering action.
groupSignalsBy
\n[string]
Additional grouping to perform on top of the existing groups in the query section. Must be a subset of the existing groups.
hasExtendedTitle
\nboolean
Whether the notifications include the triggering group-by values in their title.
isEnabled [required]
\nboolean
Whether the rule is enabled.
message [required]
\nstring
Message for generated signals.
name [required]
\nstring
The name of the rule.
options [required]
\nobject
Options.
complianceRuleOptions
\nobject
Options for cloud_configuration rules.\nFields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.
complexRule
\nboolean
Whether the rule is a complex one.\nMust be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.
regoRule
\nobject
Rule details.
policy [required]
\nstring
The policy written in rego, see: https://www.openpolicyagent.org/docs/latest/policy-language/
resourceTypes [required]
\n[string]
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
\nstring
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.
decreaseCriticalityBasedOnEnv
\nboolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.\nThe severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO.\nThe decrement is applied when the environment tag of the signal starts with staging, test or dev.
detectionMethod
\nenum
The detection method. \nAllowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
hardcodedEvaluatorType
\nenum
Hardcoded evaluator type. \nAllowed enum values: log4shell
impossibleTravelOptions
\nobject
Options on impossible travel detection method.
baselineUserLocations
\nboolean
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular\naccess locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
\nenum
Once a signal is generated, the signal will remain "open" if a case is matched at least once within\nthis keep alive window. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
maxSignalDuration
\nenum
A signal will "close" regardless of the query being matched once the time exceeds the maximum duration.\nThis time is calculated from the first seen timestamp. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
\nobject
Options on new value detection method.
forgetAfter
\nenum
The duration in days after which a learned value is forgotten. \nAllowed enum values: 1,2,7,14,21,28
learningDuration
\nenum
The duration in days during which values are learned, and after which signals will be generated for values that\nweren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. \nAllowed enum values: 0,1,7
learningMethod
\nenum
The learning method used to determine when signals should be generated for values that weren't learned. \nAllowed enum values: duration,threshold
default: duration
learningThreshold
\nenum
A number of occurrences after which signals will be generated for values that weren't learned. \nAllowed enum values: 0,1
sequenceDetectionOptions
\nobject
Options on sequence detection method.
stepTransitions
\n[object]
Transitions defining the allowed order of steps and their evaluation windows.
child
\nstring
Name of the child step.
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
parent
\nstring
Name of the parent step.
steps
\n[object]
Steps that define the conditions to be matched in sequence.
condition
\nstring
Condition referencing rule queries (e.g., a > 0).
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
name
\nstring
Unique name identifying the step.
thirdPartyRuleOptions
\nobject
Options on third party detection method.
defaultNotifications
\n[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
rootQueries
\n[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
\n[string]
Fields to group by.
query
\nstring
Query to run on logs.
signalTitleTemplate
\nstring
A template for the signal title; if omitted, the title is generated based on the case name.
queries [required]
\n[object]
Queries for selecting logs which are part of the rule.
aggregation
\nenum
The aggregation type. \nAllowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
customQueryExtension
\nstring
Query extension to append to the logs query.
dataSource
\nenum
Source of events, either logs, audit trail, or Datadog events. \nAllowed enum values: logs,audit,app_sec_spans,spans,security_runtime,network,events
default: logs
distinctFields
\n[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
\n[string]
Fields to group by.
hasOptionalGroupByFields
\nboolean
When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with N/A, replacing the missing values.
index
\nstring
This field is currently unstable and might be removed in a minor version upgrade.\nThe index to run the query on, if the dataSource is logs. Only used for scheduled rules - in other words, when the schedulingOptions field is present in the rule payload.
metric
\nstring
DEPRECATED: (Deprecated) The target field to aggregate over when using the sum or max\naggregations. metrics field should be used instead.
metrics
\n[string]
Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.
name
\nstring
Name of the query.
query
\nstring
Query to run on logs.
referenceTables
\n[object]
Reference tables for the rule.
checkPresence
\nboolean
Whether to include or exclude the matched values.
columnName
\nstring
The name of the column in the reference table.
logFieldPath
\nstring
The field in the log to match against the reference table.
ruleQueryName
\nstring
The name of the query to apply the reference table to.
tableName
\nstring
The name of the reference table.
schedulingOptions
\nobject
Options for scheduled rules. When this field is present, the rule runs based on the schedule. When absent, it runs real-time on ingested logs.
rrule
\nstring
Schedule for the rule queries, written in RRULE syntax. See RFC for syntax reference.
start
\nstring
Start date for the schedule, in ISO 8601 format without timezone.
tags
\n[string]
Tags for generated signals.
thirdPartyCases
\n[object]
Cases for generating signals from third-party rules. Only available for third-party rules.
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets for each case.
query
\nstring
A query to map a third party event to this case.
status [required]
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
type
\nenum
The rule type. \nAllowed enum values: api_security,application_security,log_detection,workload_security
Option 2
\nobject
The payload of a signal correlation rule.
cases [required]
\n[object]
Cases for generating signals.
actions
\n[object]
Action to perform for each rule case.
options
\nobject
Options for the rule action
duration
\nint64
Duration of the action in seconds. 0 indicates no expiration.
flaggedIPType
\nenum
Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. \nAllowed enum values: SUSPICIOUS,FLAGGED
userBehaviorName
\nstring
Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.
type
\nenum
The action type. \nAllowed enum values: block_ip,block_user,user_behavior,flag_ip
condition
\nstring
A case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated\nbased on the event counts in the previously defined queries.
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets.
status [required]
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
customMessage
\nstring
Custom/Overridden message for generated signals (used in case of Default rule update).
customName
\nstring
Custom/Overridden name of the rule (used in case of Default rule update).
filters
\n[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
\nenum
The type of filtering action. \nAllowed enum values: require,suppress
query
\nstring
Query for selecting logs to apply the filtering action.
hasExtendedTitle
\nboolean
Whether the notifications include the triggering group-by values in their title.
isEnabled [required]
\nboolean
Whether the rule is enabled.
message [required]
\nstring
Message for generated signals.
name [required]
\nstring
The name of the rule.
options [required]
\nobject
Options.
complianceRuleOptions
\nobject
Options for cloud_configuration rules.\nFields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.
complexRule
\nboolean
Whether the rule is a complex one.\nMust be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.
regoRule
\nobject
Rule details.
policy [required]
\nstring
The policy written in rego, see: https://www.openpolicyagent.org/docs/latest/policy-language/
resourceTypes [required]
\n[string]
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
\nstring
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.
decreaseCriticalityBasedOnEnv
\nboolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.\nThe severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO.\nThe decrement is applied when the environment tag of the signal starts with staging, test or dev.
detectionMethod
\nenum
The detection method. \nAllowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
hardcodedEvaluatorType
\nenum
Hardcoded evaluator type. \nAllowed enum values: log4shell
impossibleTravelOptions
\nobject
Options on impossible travel detection method.
baselineUserLocations
\nboolean
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular\naccess locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
\nenum
Once a signal is generated, the signal will remain "open" if a case is matched at least once within\nthis keep alive window. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
maxSignalDuration
\nenum
A signal will "close" regardless of the query being matched once the time exceeds the maximum duration.\nThis time is calculated from the first seen timestamp. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
\nobject
Options on new value detection method.
forgetAfter
\nenum
The duration in days after which a learned value is forgotten. \nAllowed enum values: 1,2,7,14,21,28
learningDuration
\nenum
The duration in days during which values are learned, and after which signals will be generated for values that\nweren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. \nAllowed enum values: 0,1,7
learningMethod
\nenum
The learning method used to determine when signals should be generated for values that weren't learned. \nAllowed enum values: duration,threshold
default: duration
learningThreshold
\nenum
A number of occurrences after which signals will be generated for values that weren't learned. \nAllowed enum values: 0,1
sequenceDetectionOptions
\nobject
Options on sequence detection method.
stepTransitions
\n[object]
Transitions defining the allowed order of steps and their evaluation windows.
child
\nstring
Name of the child step.
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
parent
\nstring
Name of the parent step.
steps
\n[object]
Steps that define the conditions to be matched in sequence.
condition
\nstring
Condition referencing rule queries (e.g., a > 0).
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
name
\nstring
Unique name identifying the step.
thirdPartyRuleOptions
\nobject
Options on third party detection method.
defaultNotifications
\n[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
rootQueries
\n[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
\n[string]
Fields to group by.
query
\nstring
Query to run on logs.
signalTitleTemplate
\nstring
A template for the signal title; if omitted, the title is generated based on the case name.
queries [required]
\n[object]
Queries for selecting signals which are part of the rule.
aggregation
\nenum
The aggregation type. \nAllowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
correlatedByFields
\n[string]
Fields to group by.
correlatedQueryIndex
\nint32
Index of the rule query used to retrieve the correlated field.
metrics
\n[string]
Group of target fields to aggregate over.
name
\nstring
Name of the query.
ruleId [required]
\nstring
Rule ID to match on signals.
tags
\n[string]
Tags for generated signals.
type
\nenum
The rule type. \nAllowed enum values: signal_correlation
Option 3
\nobject
The payload of a cloud configuration rule.
cases [required]
\n[object]
Description of generated findings and signals (severity and channels to be notified in case of a signal). Must contain exactly one item.
notifications
\n[string]
Notification targets for each rule case.
status [required]
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
complianceSignalOptions [required]
\nobject
How to generate compliance signals. Useful for cloud_configuration rules only.
defaultActivationStatus
\nboolean
The default activation status.
defaultGroupByFields
\n[string]
The default group by fields.
userActivationStatus
\nboolean
Whether signals will be sent.
userGroupByFields
\n[string]
Fields to use to group findings by when sending signals.
customMessage
\nstring
Custom/Overridden message for generated signals (used in case of Default rule update).
customName
\nstring
Custom/Overridden name of the rule (used in case of Default rule update).
filters
\n[object]
Additional queries to filter matched events before they are processed.
action
\nenum
The type of filtering action. \nAllowed enum values: require,suppress
query
\nstring
Query for selecting logs to apply the filtering action.
isEnabled [required]
\nboolean
Whether the rule is enabled.
message [required]
\nstring
Message in markdown format for generated findings and signals.
name [required]
\nstring
The name of the rule.
options [required]
\nobject
Options on cloud configuration rules.
complianceRuleOptions [required]
\nobject
Options for cloud_configuration rules.\nFields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.
complexRule
\nboolean
Whether the rule is a complex one.\nMust be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.
regoRule
\nobject
Rule details.
policy [required]
\nstring
The policy written in rego, see: https://www.openpolicyagent.org/docs/latest/policy-language/
resourceTypes [required]
\n[string]
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
\nstring
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.
tags
\n[string]
Tags for generated findings and signals.
type
\nenum
The rule type. \nAllowed enum values: cloud_configuration
Option 1
\nobject
The payload of a rule.
calculatedFields
\n[object]
Calculated fields. Only allowed for scheduled rules - in other words, when schedulingOptions is also defined.
expression [required]
\nstring
Expression.
name [required]
\nstring
Field name.
cases [required]
\n[object]
Cases for generating signals.
actions
\n[object]
Action to perform for each rule case.
options
\nobject
Options for the rule action
duration
\nint64
Duration of the action in seconds. 0 indicates no expiration.
flaggedIPType
\nenum
Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. \nAllowed enum values: SUSPICIOUS,FLAGGED
userBehaviorName
\nstring
Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.
type
\nenum
The action type. \nAllowed enum values: block_ip,block_user,user_behavior,flag_ip
condition
\nstring
A case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated\nbased on the event counts in the previously defined queries.
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets.
status [required]
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
customMessage
\nstring
Custom/Overridden message for generated signals (used in case of Default rule update).
customName
\nstring
Custom/Overridden name of the rule (used in case of Default rule update).
filters
\n[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
\nenum
The type of filtering action. \nAllowed enum values: require,suppress
query
\nstring
Query for selecting logs to apply the filtering action.
groupSignalsBy
\n[string]
Additional grouping to perform on top of the existing groups in the query section. Must be a subset of the existing groups.
hasExtendedTitle
\nboolean
Whether the notifications include the triggering group-by values in their title.
isEnabled [required]
\nboolean
Whether the rule is enabled.
message [required]
\nstring
Message for generated signals.
name [required]
\nstring
The name of the rule.
options [required]
\nobject
Options.
complianceRuleOptions
\nobject
Options for cloud_configuration rules.\nFields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.
complexRule
\nboolean
Whether the rule is a complex one.\nMust be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.
regoRule
\nobject
Rule details.
policy [required]
\nstring
The policy written in rego, see: https://www.openpolicyagent.org/docs/latest/policy-language/
resourceTypes [required]
\n[string]
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
\nstring
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.
decreaseCriticalityBasedOnEnv
\nboolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.\nThe severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO.\nThe decrement is applied when the environment tag of the signal starts with staging, test or dev.
detectionMethod
\nenum
The detection method. \nAllowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
hardcodedEvaluatorType
\nenum
Hardcoded evaluator type. \nAllowed enum values: log4shell
impossibleTravelOptions
\nobject
Options on impossible travel detection method.
baselineUserLocations
\nboolean
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular\naccess locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
\nenum
Once a signal is generated, the signal will remain "open" if a case is matched at least once within\nthis keep alive window. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
maxSignalDuration
\nenum
A signal will "close" regardless of the query being matched once the time exceeds the maximum duration.\nThis time is calculated from the first seen timestamp. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
\nobject
Options on new value detection method.
forgetAfter
\nenum
The duration in days after which a learned value is forgotten. \nAllowed enum values: 1,2,7,14,21,28
learningDuration
\nenum
The duration in days during which values are learned, and after which signals will be generated for values that\nweren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. \nAllowed enum values: 0,1,7
learningMethod
\nenum
The learning method used to determine when signals should be generated for values that weren't learned. \nAllowed enum values: duration,threshold
default: duration
learningThreshold
\nenum
A number of occurrences after which signals will be generated for values that weren't learned. \nAllowed enum values: 0,1
sequenceDetectionOptions
\nobject
Options on sequence detection method.
stepTransitions
\n[object]
Transitions defining the allowed order of steps and their evaluation windows.
child
\nstring
Name of the child step.
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
parent
\nstring
Name of the parent step.
steps
\n[object]
Steps that define the conditions to be matched in sequence.
condition
\nstring
Condition referencing rule queries (e.g., a > 0).
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
name
\nstring
Unique name identifying the step.
thirdPartyRuleOptions
\nobject
Options on third party detection method.
defaultNotifications
\n[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
rootQueries
\n[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
\n[string]
Fields to group by.
query
\nstring
Query to run on logs.
signalTitleTemplate
\nstring
A template for the signal title; if omitted, the title is generated based on the case name.
queries [required]
\n[object]
Queries for selecting logs which are part of the rule.
aggregation
\nenum
The aggregation type. \nAllowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
customQueryExtension
\nstring
Query extension to append to the logs query.
dataSource
\nenum
Source of events, either logs, audit trail, or Datadog events. \nAllowed enum values: logs,audit,app_sec_spans,spans,security_runtime,network,events
default: logs
distinctFields
\n[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
\n[string]
Fields to group by.
hasOptionalGroupByFields
\nboolean
When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with N/A, replacing the missing values.
index
\nstring
This field is currently unstable and might be removed in a minor version upgrade.\nThe index to run the query on, if the dataSource is logs. Only used for scheduled rules - in other words, when the schedulingOptions field is present in the rule payload.
indexes
\n[string]
List of indexes to query when the dataSource is logs. Only used for scheduled rules, such as when the schedulingOptions field is present in the rule payload.
metric
\nstring
DEPRECATED: (Deprecated) The target field to aggregate over when using the sum or max\naggregations. metrics field should be used instead.
metrics
\n[string]
Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.
name
\nstring
Name of the query.
query
\nstring
Query to run on logs.
referenceTables
\n[object]
Reference tables for the rule.
checkPresence
\nboolean
Whether to include or exclude the matched values.
columnName
\nstring
The name of the column in the reference table.
logFieldPath
\nstring
The field in the log to match against the reference table.
ruleQueryName
\nstring
The name of the query to apply the reference table to.
tableName
\nstring
The name of the reference table.
schedulingOptions
\nobject
Options for scheduled rules. When this field is present, the rule runs based on the schedule. When absent, it runs real-time on ingested logs.
rrule
\nstring
Schedule for the rule queries, written in RRULE syntax. See RFC for syntax reference.
start
\nstring
Start date for the schedule, in ISO 8601 format without timezone.
tags
\n[string]
Tags for generated signals.
thirdPartyCases
\n[object]
Cases for generating signals from third-party rules. Only available for third-party rules.
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets for each case.
query
\nstring
A query to map a third party event to this case.
status [required]
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
type
\nenum
The rule type. \nAllowed enum values: api_security,application_security,log_detection,workload_security
Option 2
\nobject
The payload of a signal correlation rule.
cases [required]
\n[object]
Cases for generating signals.
actions
\n[object]
Action to perform for each rule case.
options
\nobject
Options for the rule action
duration
\nint64
Duration of the action in seconds. 0 indicates no expiration.
flaggedIPType
\nenum
Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. \nAllowed enum values: SUSPICIOUS,FLAGGED
userBehaviorName
\nstring
Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.
type
\nenum
The action type. \nAllowed enum values: block_ip,block_user,user_behavior,flag_ip
condition
\nstring
A case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated\nbased on the event counts in the previously defined queries.
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets.
status [required]
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
customMessage
\nstring
Custom/Overridden message for generated signals (used in case of Default rule update).
customName
\nstring
Custom/Overridden name of the rule (used in case of Default rule update).
filters
\n[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
\nenum
The type of filtering action. \nAllowed enum values: require,suppress
query
\nstring
Query for selecting logs to apply the filtering action.
hasExtendedTitle
\nboolean
Whether the notifications include the triggering group-by values in their title.
isEnabled [required]
\nboolean
Whether the rule is enabled.
message [required]
\nstring
Message for generated signals.
name [required]
\nstring
The name of the rule.
options [required]
\nobject
Options.
complianceRuleOptions
\nobject
Options for cloud_configuration rules.\nFields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.
complexRule
\nboolean
Whether the rule is a complex one.\nMust be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.
regoRule
\nobject
Rule details.
policy [required]
\nstring
The policy written in rego, see: https://www.openpolicyagent.org/docs/latest/policy-language/
resourceTypes [required]
\n[string]
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
\nstring
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.
decreaseCriticalityBasedOnEnv
\nboolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.\nThe severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO.\nThe decrement is applied when the environment tag of the signal starts with staging, test or dev.
detectionMethod
\nenum
The detection method. \nAllowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
hardcodedEvaluatorType
\nenum
Hardcoded evaluator type. \nAllowed enum values: log4shell
impossibleTravelOptions
\nobject
Options on impossible travel detection method.
baselineUserLocations
\nboolean
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular\naccess locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
\nenum
Once a signal is generated, the signal will remain "open" if a case is matched at least once within\nthis keep alive window. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
maxSignalDuration
\nenum
A signal will "close" regardless of the query being matched once the time exceeds the maximum duration.\nThis time is calculated from the first seen timestamp. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
\nobject
Options on new value detection method.
forgetAfter
\nenum
The duration in days after which a learned value is forgotten. \nAllowed enum values: 1,2,7,14,21,28
learningDuration
\nenum
The duration in days during which values are learned, and after which signals will be generated for values that\nweren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. \nAllowed enum values: 0,1,7
learningMethod
\nenum
The learning method used to determine when signals should be generated for values that weren't learned. \nAllowed enum values: duration,threshold
default: duration
learningThreshold
\nenum
A number of occurrences after which signals will be generated for values that weren't learned. \nAllowed enum values: 0,1
sequenceDetectionOptions
\nobject
Options on sequence detection method.
stepTransitions
\n[object]
Transitions defining the allowed order of steps and their evaluation windows.
child
\nstring
Name of the child step.
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
parent
\nstring
Name of the parent step.
steps
\n[object]
Steps that define the conditions to be matched in sequence.
condition
\nstring
Condition referencing rule queries (e.g., a > 0).
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
name
\nstring
Unique name identifying the step.
thirdPartyRuleOptions
\nobject
Options on third party detection method.
defaultNotifications
\n[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
rootQueries
\n[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
\n[string]
Fields to group by.
query
\nstring
Query to run on logs.
signalTitleTemplate
\nstring
A template for the signal title; if omitted, the title is generated based on the case name.
queries [required]
\n[object]
Queries for selecting signals which are part of the rule.
aggregation
\nenum
The aggregation type. \nAllowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
correlatedByFields
\n[string]
Fields to group by.
correlatedQueryIndex
\nint32
Index of the rule query used to retrieve the correlated field.
metrics
\n[string]
Group of target fields to aggregate over.
name
\nstring
Name of the query.
ruleId [required]
\nstring
Rule ID to match on signals.
tags
\n[string]
Tags for generated signals.
type
\nenum
The rule type. \nAllowed enum values: signal_correlation
Option 3
\nobject
The payload of a cloud configuration rule.
cases [required]
\n[object]
Description of generated findings and signals (severity and channels to be notified in case of a signal). Must contain exactly one item.
notifications
\n[string]
Notification targets for each rule case.
status [required]
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
complianceSignalOptions [required]
\nobject
How to generate compliance signals. Useful for cloud_configuration rules only.
defaultActivationStatus
\nboolean
The default activation status.
defaultGroupByFields
\n[string]
The default group by fields.
userActivationStatus
\nboolean
Whether signals will be sent.
userGroupByFields
\n[string]
Fields to use to group findings by when sending signals.
customMessage
\nstring
Custom/Overridden message for generated signals (used in case of Default rule update).
customName
\nstring
Custom/Overridden name of the rule (used in case of Default rule update).
filters
\n[object]
Additional queries to filter matched events before they are processed.
action
\nenum
The type of filtering action. \nAllowed enum values: require,suppress
query
\nstring
Query for selecting logs to apply the filtering action.
isEnabled [required]
\nboolean
Whether the rule is enabled.
message [required]
\nstring
Message in markdown format for generated findings and signals.
name [required]
\nstring
The name of the rule.
options [required]
\nobject
Options on cloud configuration rules.
complianceRuleOptions [required]
\nobject
Options for cloud_configuration rules.\nFields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.
complexRule
\nboolean
Whether the rule is a complex one.\nMust be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.
regoRule
\nobject
Rule details.
policy [required]
\nstring
The policy written in rego, see: https://www.openpolicyagent.org/docs/latest/policy-language/
resourceTypes [required]
\n[string]
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
\nstring
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.
tags
\n[string]
Tags for generated findings and signals.
type
\nenum
The rule type. \nAllowed enum values: cloud_configuration
Option 1
\nobject
Rule.
calculatedFields
\n[object]
Calculated fields. Only allowed for scheduled rules - in other words, when schedulingOptions is also defined.
expression [required]
\nstring
Expression.
name [required]
\nstring
Field name.
cases
\n[object]
Cases for generating signals.
actions
\n[object]
Action to perform for each rule case.
options
\nobject
Options for the rule action
duration
\nint64
Duration of the action in seconds. 0 indicates no expiration.
flaggedIPType
\nenum
Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. \nAllowed enum values: SUSPICIOUS,FLAGGED
userBehaviorName
\nstring
Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.
type
\nenum
The action type. \nAllowed enum values: block_ip,block_user,user_behavior,flag_ip
condition
\nstring
A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated\nbased on the event counts in the previously defined queries.
customStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets for each rule case.
status
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
complianceSignalOptions
\nobject
How to generate compliance signals. Useful for cloud_configuration rules only.
defaultActivationStatus
\nboolean
The default activation status.
defaultGroupByFields
\n[string]
The default group by fields.
userActivationStatus
\nboolean
Whether signals will be sent.
userGroupByFields
\n[string]
Fields to use to group findings by when sending signals.
createdAt
\nint64
When the rule was created, timestamp in milliseconds.
creationAuthorId
\nint64
User ID of the user who created the rule.
customMessage
\nstring
Custom/Overridden message for generated signals (used in case of Default rule update).
customName
\nstring
Custom/Overridden name of the rule (used in case of Default rule update).
defaultTags
\n[string]
Default Tags for default rules (included in tags)
deprecationDate
\nint64
When the rule will be deprecated, timestamp in milliseconds.
filters
\n[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
\nenum
The type of filtering action. \nAllowed enum values: require,suppress
query
\nstring
Query for selecting logs to apply the filtering action.
groupSignalsBy
\n[string]
Additional grouping to perform on top of the existing groups in the query section. Must be a subset of the existing groups.
hasExtendedTitle
\nboolean
Whether the notifications include the triggering group-by values in their title.
id
\nstring
The ID of the rule.
isDefault
\nboolean
Whether the rule is included by default.
isDeleted
\nboolean
Whether the rule has been deleted.
isEnabled
\nboolean
Whether the rule is enabled.
message
\nstring
Message for generated signals.
name
\nstring
The name of the rule.
options
\nobject
Options.
complianceRuleOptions
\nobject
Options for cloud_configuration rules.\nFields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.
complexRule
\nboolean
Whether the rule is a complex one.\nMust be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.
regoRule
\nobject
Rule details.
policy [required]
\nstring
The policy written in rego, see: https://www.openpolicyagent.org/docs/latest/policy-language/
resourceTypes [required]
\n[string]
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
\nstring
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.
decreaseCriticalityBasedOnEnv
\nboolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.\nThe severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO.\nThe decrement is applied when the environment tag of the signal starts with staging, test or dev.
detectionMethod
\nenum
The detection method. \nAllowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
hardcodedEvaluatorType
\nenum
Hardcoded evaluator type. \nAllowed enum values: log4shell
impossibleTravelOptions
\nobject
Options on impossible travel detection method.
baselineUserLocations
\nboolean
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular\naccess locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
\nenum
Once a signal is generated, the signal will remain "open" if a case is matched at least once within\nthis keep alive window. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
maxSignalDuration
\nenum
A signal will "close" regardless of the query being matched once the time exceeds the maximum duration.\nThis time is calculated from the first seen timestamp. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
\nobject
Options on new value detection method.
forgetAfter
\nenum
The duration in days after which a learned value is forgotten. \nAllowed enum values: 1,2,7,14,21,28
learningDuration
\nenum
The duration in days during which values are learned, and after which signals will be generated for values that\nweren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. \nAllowed enum values: 0,1,7
learningMethod
\nenum
The learning method used to determine when signals should be generated for values that weren't learned. \nAllowed enum values: duration,threshold
default: duration
learningThreshold
\nenum
A number of occurrences after which signals will be generated for values that weren't learned. \nAllowed enum values: 0,1
sequenceDetectionOptions
\nobject
Options on sequence detection method.
stepTransitions
\n[object]
Transitions defining the allowed order of steps and their evaluation windows.
child
\nstring
Name of the child step.
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
parent
\nstring
Name of the parent step.
steps
\n[object]
Steps that define the conditions to be matched in sequence.
condition
\nstring
Condition referencing rule queries (e.g., a > 0).
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
name
\nstring
Unique name identifying the step.
thirdPartyRuleOptions
\nobject
Options on third party detection method.
defaultNotifications
\n[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
rootQueries
\n[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
\n[string]
Fields to group by.
query
\nstring
Query to run on logs.
signalTitleTemplate
\nstring
A template for the signal title; if omitted, the title is generated based on the case name.
queries
\n[object]
Queries for selecting logs which are part of the rule.
aggregation
\nenum
The aggregation type. \nAllowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
customQueryExtension
\nstring
Query extension to append to the logs query.
dataSource
\nenum
Source of events, either logs, audit trail, or Datadog events. \nAllowed enum values: logs,audit,app_sec_spans,spans,security_runtime,network,events
default: logs
distinctFields
\n[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
\n[string]
Fields to group by.
hasOptionalGroupByFields
\nboolean
When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with N/A, replacing the missing values.
index
\nstring
This field is currently unstable and might be removed in a minor version upgrade.\nThe index to run the query on, if the dataSource is logs. Only used for scheduled rules - in other words, when the schedulingOptions field is present in the rule payload.
metric
\nstring
DEPRECATED: (Deprecated) The target field to aggregate over when using the sum or max\naggregations. metrics field should be used instead.
metrics
\n[string]
Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.
name
\nstring
Name of the query.
query
\nstring
Query to run on logs.
referenceTables
\n[object]
Reference tables for the rule.
checkPresence
\nboolean
Whether to include or exclude the matched values.
columnName
\nstring
The name of the column in the reference table.
logFieldPath
\nstring
The field in the log to match against the reference table.
ruleQueryName
\nstring
The name of the query to apply the reference table to.
tableName
\nstring
The name of the reference table.
schedulingOptions
\nobject
Options for scheduled rules. When this field is present, the rule runs based on the schedule. When absent, it runs real-time on ingested logs.
rrule
\nstring
Schedule for the rule queries, written in RRULE syntax. See RFC for syntax reference.
start
\nstring
Start date for the schedule, in ISO 8601 format without timezone.
tags
\n[string]
Tags for generated signals.
thirdPartyCases
\n[object]
Cases for generating signals from third-party rules. Only available for third-party rules.
customStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets for each rule case.
query
\nstring
A query to map a third party event to this case.
status
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
type
\nenum
The rule type. \nAllowed enum values: log_detection,infrastructure_configuration,workload_security,cloud_configuration,application_security,api_security
updateAuthorId
\nint64
User ID of the user who updated the rule.
updatedAt
\nint64
The date the rule was last updated, in milliseconds.
version
\nint64
The version of the rule.
Option 2
\nobject
Rule.
cases
\n[object]
Cases for generating signals.
actions
\n[object]
Action to perform for each rule case.
options
\nobject
Options for the rule action
duration
\nint64
Duration of the action in seconds. 0 indicates no expiration.
flaggedIPType
\nenum
Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. \nAllowed enum values: SUSPICIOUS,FLAGGED
userBehaviorName
\nstring
Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.
type
\nenum
The action type. \nAllowed enum values: block_ip,block_user,user_behavior,flag_ip
condition
\nstring
A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated\nbased on the event counts in the previously defined queries.
customStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets for each rule case.
status
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
createdAt
\nint64
When the rule was created, timestamp in milliseconds.
creationAuthorId
\nint64
User ID of the user who created the rule.
customMessage
\nstring
Custom/Overridden message for generated signals (used in case of Default rule update).
customName
\nstring
Custom/Overridden name of the rule (used in case of Default rule update).
deprecationDate
\nint64
When the rule will be deprecated, timestamp in milliseconds.
filters
\n[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
\nenum
The type of filtering action. \nAllowed enum values: require,suppress
query
\nstring
Query for selecting logs to apply the filtering action.
hasExtendedTitle
\nboolean
Whether the notifications include the triggering group-by values in their title.
id
\nstring
The ID of the rule.
isDefault
\nboolean
Whether the rule is included by default.
isDeleted
\nboolean
Whether the rule has been deleted.
isEnabled
\nboolean
Whether the rule is enabled.
message
\nstring
Message for generated signals.
name
\nstring
The name of the rule.
options
\nobject
Options.
complianceRuleOptions
\nobject
Options for cloud_configuration rules.\nFields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.
complexRule
\nboolean
Whether the rule is a complex one.\nMust be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.
regoRule
\nobject
Rule details.
policy [required]
\nstring
The policy written in rego, see: https://www.openpolicyagent.org/docs/latest/policy-language/
resourceTypes [required]
\n[string]
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
\nstring
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.
decreaseCriticalityBasedOnEnv
\nboolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.\nThe severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO.\nThe decrement is applied when the environment tag of the signal starts with staging, test or dev.
detectionMethod
\nenum
The detection method. \nAllowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
hardcodedEvaluatorType
\nenum
Hardcoded evaluator type. \nAllowed enum values: log4shell
impossibleTravelOptions
\nobject
Options on impossible travel detection method.
baselineUserLocations
\nboolean
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular\naccess locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
\nenum
Once a signal is generated, the signal will remain "open" if a case is matched at least once within\nthis keep alive window. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
maxSignalDuration
\nenum
A signal will "close" regardless of the query being matched once the time exceeds the maximum duration.\nThis time is calculated from the first seen timestamp. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
\nobject
Options on new value detection method.
forgetAfter
\nenum
The duration in days after which a learned value is forgotten. \nAllowed enum values: 1,2,7,14,21,28
learningDuration
\nenum
The duration in days during which values are learned, and after which signals will be generated for values that\nweren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. \nAllowed enum values: 0,1,7
learningMethod
\nenum
The learning method used to determine when signals should be generated for values that weren't learned. \nAllowed enum values: duration,threshold
default: duration
learningThreshold
\nenum
A number of occurrences after which signals will be generated for values that weren't learned. \nAllowed enum values: 0,1
sequenceDetectionOptions
\nobject
Options on sequence detection method.
stepTransitions
\n[object]
Transitions defining the allowed order of steps and their evaluation windows.
child
\nstring
Name of the child step.
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
parent
\nstring
Name of the parent step.
steps
\n[object]
Steps that define the conditions to be matched in sequence.
condition
\nstring
Condition referencing rule queries (e.g., a > 0).
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
name
\nstring
Unique name identifying the step.
thirdPartyRuleOptions
\nobject
Options on third party detection method.
defaultNotifications
\n[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
rootQueries
\n[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
\n[string]
Fields to group by.
query
\nstring
Query to run on logs.
signalTitleTemplate
\nstring
A template for the signal title; if omitted, the title is generated based on the case name.
queries
\n[object]
Queries for selecting logs which are part of the rule.
aggregation
\nenum
The aggregation type. \nAllowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
correlatedByFields
\n[string]
Fields to correlate by.
correlatedQueryIndex
\nint32
Index of the rule query used to retrieve the correlated field.
defaultRuleId
\nstring
Default Rule ID to match on signals.
distinctFields
\n[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
\n[string]
Fields to group by.
metrics
\n[string]
Group of target fields to aggregate over.
name
\nstring
Name of the query.
ruleId
\nstring
Rule ID to match on signals.
tags
\n[string]
Tags for generated signals.
type
\nenum
The rule type. \nAllowed enum values: signal_correlation
updateAuthorId
\nint64
User ID of the user who updated the rule.
version
\nint64
The version of the rule.
Option 1
\nobject
Rule.
calculatedFields
\n[object]
Calculated fields. Only allowed for scheduled rules - in other words, when schedulingOptions is also defined.
expression [required]
\nstring
Expression.
name [required]
\nstring
Field name.
cases
\n[object]
Cases for generating signals.
actions
\n[object]
Action to perform for each rule case.
options
\nobject
Options for the rule action
duration
\nint64
Duration of the action in seconds. 0 indicates no expiration.
flaggedIPType
\nenum
Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. \nAllowed enum values: SUSPICIOUS,FLAGGED
userBehaviorName
\nstring
Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.
type
\nenum
The action type. \nAllowed enum values: block_ip,block_user,user_behavior,flag_ip
condition
\nstring
A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated\nbased on the event counts in the previously defined queries.
customStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets for each rule case.
status
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
complianceSignalOptions
\nobject
How to generate compliance signals. Useful for cloud_configuration rules only.
defaultActivationStatus
\nboolean
The default activation status.
defaultGroupByFields
\n[string]
The default group by fields.
userActivationStatus
\nboolean
Whether signals will be sent.
userGroupByFields
\n[string]
Fields to use to group findings by when sending signals.
createdAt
\nint64
When the rule was created, timestamp in milliseconds.
creationAuthorId
\nint64
User ID of the user who created the rule.
customMessage
\nstring
Custom/Overridden message for generated signals (used in case of Default rule update).
customName
\nstring
Custom/Overridden name of the rule (used in case of Default rule update).
defaultTags
\n[string]
Default Tags for default rules (included in tags)
deprecationDate
\nint64
When the rule will be deprecated, timestamp in milliseconds.
filters
\n[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
\nenum
The type of filtering action. \nAllowed enum values: require,suppress
query
\nstring
Query for selecting logs to apply the filtering action.
groupSignalsBy
\n[string]
Additional grouping to perform on top of the existing groups in the query section. Must be a subset of the existing groups.
hasExtendedTitle
\nboolean
Whether the notifications include the triggering group-by values in their title.
id
\nstring
The ID of the rule.
isDefault
\nboolean
Whether the rule is included by default.
isDeleted
\nboolean
Whether the rule has been deleted.
isEnabled
\nboolean
Whether the rule is enabled.
message
\nstring
Message for generated signals.
name
\nstring
The name of the rule.
options
\nobject
Options.
complianceRuleOptions
\nobject
Options for cloud_configuration rules.\nFields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.
complexRule
\nboolean
Whether the rule is a complex one.\nMust be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.
regoRule
\nobject
Rule details.
policy [required]
\nstring
The policy written in rego, see: https://www.openpolicyagent.org/docs/latest/policy-language/
resourceTypes [required]
\n[string]
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
\nstring
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.
decreaseCriticalityBasedOnEnv
\nboolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.\nThe severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO.\nThe decrement is applied when the environment tag of the signal starts with staging, test or dev.
detectionMethod
\nenum
The detection method. \nAllowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
hardcodedEvaluatorType
\nenum
Hardcoded evaluator type. \nAllowed enum values: log4shell
impossibleTravelOptions
\nobject
Options on impossible travel detection method.
baselineUserLocations
\nboolean
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular\naccess locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
\nenum
Once a signal is generated, the signal will remain "open" if a case is matched at least once within\nthis keep alive window. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
maxSignalDuration
\nenum
A signal will "close" regardless of the query being matched once the time exceeds the maximum duration.\nThis time is calculated from the first seen timestamp. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
\nobject
Options on new value detection method.
forgetAfter
\nenum
The duration in days after which a learned value is forgotten. \nAllowed enum values: 1,2,7,14,21,28
learningDuration
\nenum
The duration in days during which values are learned, and after which signals will be generated for values that\nweren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. \nAllowed enum values: 0,1,7
learningMethod
\nenum
The learning method used to determine when signals should be generated for values that weren't learned. \nAllowed enum values: duration,threshold
default: duration
learningThreshold
\nenum
A number of occurrences after which signals will be generated for values that weren't learned. \nAllowed enum values: 0,1
sequenceDetectionOptions
\nobject
Options on sequence detection method.
stepTransitions
\n[object]
Transitions defining the allowed order of steps and their evaluation windows.
child
\nstring
Name of the child step.
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
parent
\nstring
Name of the parent step.
steps
\n[object]
Steps that define the conditions to be matched in sequence.
condition
\nstring
Condition referencing rule queries (e.g., a > 0).
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
name
\nstring
Unique name identifying the step.
thirdPartyRuleOptions
\nobject
Options on third party detection method.
defaultNotifications
\n[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
rootQueries
\n[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
\n[string]
Fields to group by.
query
\nstring
Query to run on logs.
signalTitleTemplate
\nstring
A template for the signal title; if omitted, the title is generated based on the case name.
queries
\n[object]
Queries for selecting logs which are part of the rule.
aggregation
\nenum
The aggregation type. \nAllowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
customQueryExtension
\nstring
Query extension to append to the logs query.
dataSource
\nenum
Source of events, either logs, audit trail, or Datadog events. \nAllowed enum values: logs,audit,app_sec_spans,spans,security_runtime,network,events
default: logs
distinctFields
\n[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
\n[string]
Fields to group by.
hasOptionalGroupByFields
\nboolean
When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with N/A, replacing the missing values.
index
\nstring
This field is currently unstable and might be removed in a minor version upgrade.\nThe index to run the query on, if the dataSource is logs. Only used for scheduled rules - in other words, when the schedulingOptions field is present in the rule payload.
indexes
\n[string]
List of indexes to query when the dataSource is logs. Only used for scheduled rules, such as when the schedulingOptions field is present in the rule payload.
metric
\nstring
DEPRECATED: (Deprecated) The target field to aggregate over when using the sum or max\naggregations. metrics field should be used instead.
metrics
\n[string]
Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.
name
\nstring
Name of the query.
query
\nstring
Query to run on logs.
referenceTables
\n[object]
Reference tables for the rule.
checkPresence
\nboolean
Whether to include or exclude the matched values.
columnName
\nstring
The name of the column in the reference table.
logFieldPath
\nstring
The field in the log to match against the reference table.
ruleQueryName
\nstring
The name of the query to apply the reference table to.
tableName
\nstring
The name of the reference table.
schedulingOptions
\nobject
Options for scheduled rules. When this field is present, the rule runs based on the schedule. When absent, it runs real-time on ingested logs.
rrule
\nstring
Schedule for the rule queries, written in RRULE syntax. See RFC for syntax reference.
start
\nstring
Start date for the schedule, in ISO 8601 format without timezone.
tags
\n[string]
Tags for generated signals.
thirdPartyCases
\n[object]
Cases for generating signals from third-party rules. Only available for third-party rules.
customStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets for each rule case.
query
\nstring
A query to map a third party event to this case.
status
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
type
\nenum
The rule type. \nAllowed enum values: log_detection,infrastructure_configuration,workload_security,cloud_configuration,application_security,api_security
updateAuthorId
\nint64
User ID of the user who updated the rule.
updatedAt
\nint64
The date the rule was last updated, in milliseconds.
version
\nint64
The version of the rule.
Option 2
\nobject
Rule.
cases
\n[object]
Cases for generating signals.
actions
\n[object]
Action to perform for each rule case.
options
\nobject
Options for the rule action
duration
\nint64
Duration of the action in seconds. 0 indicates no expiration.
flaggedIPType
\nenum
Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. \nAllowed enum values: SUSPICIOUS,FLAGGED
userBehaviorName
\nstring
Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.
type
\nenum
The action type. \nAllowed enum values: block_ip,block_user,user_behavior,flag_ip
condition
\nstring
A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated\nbased on the event counts in the previously defined queries.
customStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets for each rule case.
status
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
createdAt
\nint64
When the rule was created, timestamp in milliseconds.
creationAuthorId
\nint64
User ID of the user who created the rule.
customMessage
\nstring
Custom/Overridden message for generated signals (used in case of Default rule update).
customName
\nstring
Custom/Overridden name of the rule (used in case of Default rule update).
deprecationDate
\nint64
When the rule will be deprecated, timestamp in milliseconds.
filters
\n[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
\nenum
The type of filtering action. \nAllowed enum values: require,suppress
query
\nstring
Query for selecting logs to apply the filtering action.
hasExtendedTitle
\nboolean
Whether the notifications include the triggering group-by values in their title.
id
\nstring
The ID of the rule.
isDefault
\nboolean
Whether the rule is included by default.
isDeleted
\nboolean
Whether the rule has been deleted.
isEnabled
\nboolean
Whether the rule is enabled.
message
\nstring
Message for generated signals.
name
\nstring
The name of the rule.
options
\nobject
Options.
complianceRuleOptions
\nobject
Options for cloud_configuration rules.\nFields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.
complexRule
\nboolean
Whether the rule is a complex one.\nMust be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.
regoRule
\nobject
Rule details.
policy [required]
\nstring
The policy written in rego, see: https://www.openpolicyagent.org/docs/latest/policy-language/
resourceTypes [required]
\n[string]
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
\nstring
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.
decreaseCriticalityBasedOnEnv
\nboolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.\nThe severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO.\nThe decrement is applied when the environment tag of the signal starts with staging, test or dev.
detectionMethod
\nenum
The detection method. \nAllowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
hardcodedEvaluatorType
\nenum
Hardcoded evaluator type. \nAllowed enum values: log4shell
impossibleTravelOptions
\nobject
Options on impossible travel detection method.
baselineUserLocations
\nboolean
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular\naccess locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
\nenum
Once a signal is generated, the signal will remain "open" if a case is matched at least once within\nthis keep alive window. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
maxSignalDuration
\nenum
A signal will "close" regardless of the query being matched once the time exceeds the maximum duration.\nThis time is calculated from the first seen timestamp. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
\nobject
Options on new value detection method.
forgetAfter
\nenum
The duration in days after which a learned value is forgotten. \nAllowed enum values: 1,2,7,14,21,28
learningDuration
\nenum
The duration in days during which values are learned, and after which signals will be generated for values that\nweren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. \nAllowed enum values: 0,1,7
learningMethod
\nenum
The learning method used to determine when signals should be generated for values that weren't learned. \nAllowed enum values: duration,threshold
default: duration
learningThreshold
\nenum
A number of occurrences after which signals will be generated for values that weren't learned. \nAllowed enum values: 0,1
sequenceDetectionOptions
\nobject
Options on sequence detection method.
stepTransitions
\n[object]
Transitions defining the allowed order of steps and their evaluation windows.
child
\nstring
Name of the child step.
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
parent
\nstring
Name of the parent step.
steps
\n[object]
Steps that define the conditions to be matched in sequence.
condition
\nstring
Condition referencing rule queries (e.g., a > 0).
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
name
\nstring
Unique name identifying the step.
thirdPartyRuleOptions
\nobject
Options on third party detection method.
defaultNotifications
\n[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
rootQueries
\n[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
\n[string]
Fields to group by.
query
\nstring
Query to run on logs.
signalTitleTemplate
\nstring
A template for the signal title; if omitted, the title is generated based on the case name.
queries
\n[object]
Queries for selecting logs which are part of the rule.
aggregation
\nenum
The aggregation type. \nAllowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
correlatedByFields
\n[string]
Fields to correlate by.
correlatedQueryIndex
\nint32
Index of the rule query used to retrieve the correlated field.
defaultRuleId
\nstring
Default Rule ID to match on signals.
distinctFields
\n[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
\n[string]
Fields to group by.
metrics
\n[string]
Group of target fields to aggregate over.
name
\nstring
Name of the query.
ruleId
\nstring
Rule ID to match on signals.
tags
\n[string]
Tags for generated signals.
type
\nenum
The rule type. \nAllowed enum values: signal_correlation
updateAuthorId
\nint64
User ID of the user who updated the rule.
version
\nint64
The version of the rule.
Option 1
\nobject
Rule.
calculatedFields
\n[object]
Calculated fields. Only allowed for scheduled rules - in other words, when schedulingOptions is also defined.
expression [required]
\nstring
Expression.
name [required]
\nstring
Field name.
cases
\n[object]
Cases for generating signals.
actions
\n[object]
Action to perform for each rule case.
options
\nobject
Options for the rule action
duration
\nint64
Duration of the action in seconds. 0 indicates no expiration.
flaggedIPType
\nenum
Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. \nAllowed enum values: SUSPICIOUS,FLAGGED
userBehaviorName
\nstring
Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.
type
\nenum
The action type. \nAllowed enum values: block_ip,block_user,user_behavior,flag_ip
condition
\nstring
A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated\nbased on the event counts in the previously defined queries.
customStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets for each rule case.
status
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
complianceSignalOptions
\nobject
How to generate compliance signals. Useful for cloud_configuration rules only.
defaultActivationStatus
\nboolean
The default activation status.
defaultGroupByFields
\n[string]
The default group by fields.
userActivationStatus
\nboolean
Whether signals will be sent.
userGroupByFields
\n[string]
Fields to use to group findings by when sending signals.
createdAt
\nint64
When the rule was created, timestamp in milliseconds.
creationAuthorId
\nint64
User ID of the user who created the rule.
customMessage
\nstring
Custom/Overridden message for generated signals (used in case of Default rule update).
customName
\nstring
Custom/Overridden name of the rule (used in case of Default rule update).
defaultTags
\n[string]
Default Tags for default rules (included in tags)
deprecationDate
\nint64
When the rule will be deprecated, timestamp in milliseconds.
filters
\n[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
\nenum
The type of filtering action. \nAllowed enum values: require,suppress
query
\nstring
Query for selecting logs to apply the filtering action.
groupSignalsBy
\n[string]
Additional grouping to perform on top of the existing groups in the query section. Must be a subset of the existing groups.
hasExtendedTitle
\nboolean
Whether the notifications include the triggering group-by values in their title.
id
\nstring
The ID of the rule.
isDefault
\nboolean
Whether the rule is included by default.
isDeleted
\nboolean
Whether the rule has been deleted.
isEnabled
\nboolean
Whether the rule is enabled.
message
\nstring
Message for generated signals.
name
\nstring
The name of the rule.
options
\nobject
Options.
complianceRuleOptions
\nobject
Options for cloud_configuration rules.\nFields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.
complexRule
\nboolean
Whether the rule is a complex one.\nMust be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.
regoRule
\nobject
Rule details.
policy [required]
\nstring
The policy written in rego, see: https://www.openpolicyagent.org/docs/latest/policy-language/
resourceTypes [required]
\n[string]
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
\nstring
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.
decreaseCriticalityBasedOnEnv
\nboolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.\nThe severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO.\nThe decrement is applied when the environment tag of the signal starts with staging, test or dev.
detectionMethod
\nenum
The detection method. \nAllowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
hardcodedEvaluatorType
\nenum
Hardcoded evaluator type. \nAllowed enum values: log4shell
impossibleTravelOptions
\nobject
Options on impossible travel detection method.
baselineUserLocations
\nboolean
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular\naccess locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
\nenum
Once a signal is generated, the signal will remain "open" if a case is matched at least once within\nthis keep alive window. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
maxSignalDuration
\nenum
A signal will "close" regardless of the query being matched once the time exceeds the maximum duration.\nThis time is calculated from the first seen timestamp. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
\nobject
Options on new value detection method.
forgetAfter
\nenum
The duration in days after which a learned value is forgotten. \nAllowed enum values: 1,2,7,14,21,28
learningDuration
\nenum
The duration in days during which values are learned, and after which signals will be generated for values that\nweren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. \nAllowed enum values: 0,1,7
learningMethod
\nenum
The learning method used to determine when signals should be generated for values that weren't learned. \nAllowed enum values: duration,threshold
default: duration
learningThreshold
\nenum
A number of occurrences after which signals will be generated for values that weren't learned. \nAllowed enum values: 0,1
sequenceDetectionOptions
\nobject
Options on sequence detection method.
stepTransitions
\n[object]
Transitions defining the allowed order of steps and their evaluation windows.
child
\nstring
Name of the child step.
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
parent
\nstring
Name of the parent step.
steps
\n[object]
Steps that define the conditions to be matched in sequence.
condition
\nstring
Condition referencing rule queries (e.g., a > 0).
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
name
\nstring
Unique name identifying the step.
thirdPartyRuleOptions
\nobject
Options on third party detection method.
defaultNotifications
\n[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
rootQueries
\n[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
\n[string]
Fields to group by.
query
\nstring
Query to run on logs.
signalTitleTemplate
\nstring
A template for the signal title; if omitted, the title is generated based on the case name.
queries
\n[object]
Queries for selecting logs which are part of the rule.
aggregation
\nenum
The aggregation type. \nAllowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
customQueryExtension
\nstring
Query extension to append to the logs query.
dataSource
\nenum
Source of events, either logs, audit trail, or Datadog events. \nAllowed enum values: logs,audit,app_sec_spans,spans,security_runtime,network,events
default: logs
distinctFields
\n[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
\n[string]
Fields to group by.
hasOptionalGroupByFields
\nboolean
When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with N/A, replacing the missing values.
index
\nstring
This field is currently unstable and might be removed in a minor version upgrade.\nThe index to run the query on, if the dataSource is logs. Only used for scheduled rules - in other words, when the schedulingOptions field is present in the rule payload.
metric
\nstring
DEPRECATED: (Deprecated) The target field to aggregate over when using the sum or max\naggregations. metrics field should be used instead.
metrics
\n[string]
Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.
name
\nstring
Name of the query.
query
\nstring
Query to run on logs.
referenceTables
\n[object]
Reference tables for the rule.
checkPresence
\nboolean
Whether to include or exclude the matched values.
columnName
\nstring
The name of the column in the reference table.
logFieldPath
\nstring
The field in the log to match against the reference table.
ruleQueryName
\nstring
The name of the query to apply the reference table to.
tableName
\nstring
The name of the reference table.
schedulingOptions
\nobject
Options for scheduled rules. When this field is present, the rule runs based on the schedule. When absent, it runs real-time on ingested logs.
rrule
\nstring
Schedule for the rule queries, written in RRULE syntax. See RFC for syntax reference.
start
\nstring
Start date for the schedule, in ISO 8601 format without timezone.
tags
\n[string]
Tags for generated signals.
thirdPartyCases
\n[object]
Cases for generating signals from third-party rules. Only available for third-party rules.
customStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets for each rule case.
query
\nstring
A query to map a third party event to this case.
status
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
type
\nenum
The rule type. \nAllowed enum values: log_detection,infrastructure_configuration,workload_security,cloud_configuration,application_security,api_security
updateAuthorId
\nint64
User ID of the user who updated the rule.
updatedAt
\nint64
The date the rule was last updated, in milliseconds.
version
\nint64
The version of the rule.
Option 2
\nobject
Rule.
cases
\n[object]
Cases for generating signals.
actions
\n[object]
Action to perform for each rule case.
options
\nobject
Options for the rule action
duration
\nint64
Duration of the action in seconds. 0 indicates no expiration.
flaggedIPType
\nenum
Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. \nAllowed enum values: SUSPICIOUS,FLAGGED
userBehaviorName
\nstring
Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.
type
\nenum
The action type. \nAllowed enum values: block_ip,block_user,user_behavior,flag_ip
condition
\nstring
A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated\nbased on the event counts in the previously defined queries.
customStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets for each rule case.
status
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
createdAt
\nint64
When the rule was created, timestamp in milliseconds.
creationAuthorId
\nint64
User ID of the user who created the rule.
customMessage
\nstring
Custom/Overridden message for generated signals (used in case of Default rule update).
customName
\nstring
Custom/Overridden name of the rule (used in case of Default rule update).
deprecationDate
\nint64
When the rule will be deprecated, timestamp in milliseconds.
filters
\n[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
\nenum
The type of filtering action. \nAllowed enum values: require,suppress
query
\nstring
Query for selecting logs to apply the filtering action.
hasExtendedTitle
\nboolean
Whether the notifications include the triggering group-by values in their title.
id
\nstring
The ID of the rule.
isDefault
\nboolean
Whether the rule is included by default.
isDeleted
\nboolean
Whether the rule has been deleted.
isEnabled
\nboolean
Whether the rule is enabled.
message
\nstring
Message for generated signals.
name
\nstring
The name of the rule.
options
\nobject
Options.
complianceRuleOptions
\nobject
Options for cloud_configuration rules.\nFields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.
complexRule
\nboolean
Whether the rule is a complex one.\nMust be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.
regoRule
\nobject
Rule details.
policy [required]
\nstring
The policy written in rego, see: https://www.openpolicyagent.org/docs/latest/policy-language/
resourceTypes [required]
\n[string]
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
\nstring
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.
decreaseCriticalityBasedOnEnv
\nboolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.\nThe severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO.\nThe decrement is applied when the environment tag of the signal starts with staging, test or dev.
detectionMethod
\nenum
The detection method. \nAllowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
hardcodedEvaluatorType
\nenum
Hardcoded evaluator type. \nAllowed enum values: log4shell
impossibleTravelOptions
\nobject
Options on impossible travel detection method.
baselineUserLocations
\nboolean
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular\naccess locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
\nenum
Once a signal is generated, the signal will remain "open" if a case is matched at least once within\nthis keep alive window. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
maxSignalDuration
\nenum
A signal will "close" regardless of the query being matched once the time exceeds the maximum duration.\nThis time is calculated from the first seen timestamp. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
\nobject
Options on new value detection method.
forgetAfter
\nenum
The duration in days after which a learned value is forgotten. \nAllowed enum values: 1,2,7,14,21,28
learningDuration
\nenum
The duration in days during which values are learned, and after which signals will be generated for values that\nweren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. \nAllowed enum values: 0,1,7
learningMethod
\nenum
The learning method used to determine when signals should be generated for values that weren't learned. \nAllowed enum values: duration,threshold
default: duration
learningThreshold
\nenum
A number of occurrences after which signals will be generated for values that weren't learned. \nAllowed enum values: 0,1
sequenceDetectionOptions
\nobject
Options on sequence detection method.
stepTransitions
\n[object]
Transitions defining the allowed order of steps and their evaluation windows.
child
\nstring
Name of the child step.
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
parent
\nstring
Name of the parent step.
steps
\n[object]
Steps that define the conditions to be matched in sequence.
condition
\nstring
Condition referencing rule queries (e.g., a > 0).
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
name
\nstring
Unique name identifying the step.
thirdPartyRuleOptions
\nobject
Options on third party detection method.
defaultNotifications
\n[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
rootQueries
\n[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
\n[string]
Fields to group by.
query
\nstring
Query to run on logs.
signalTitleTemplate
\nstring
A template for the signal title; if omitted, the title is generated based on the case name.
queries
\n[object]
Queries for selecting logs which are part of the rule.
aggregation
\nenum
The aggregation type. \nAllowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
correlatedByFields
\n[string]
Fields to correlate by.
correlatedQueryIndex
\nint32
Index of the rule query used to retrieve the correlated field.
defaultRuleId
\nstring
Default Rule ID to match on signals.
distinctFields
\n[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
\n[string]
Fields to group by.
metrics
\n[string]
Group of target fields to aggregate over.
name
\nstring
Name of the query.
ruleId
\nstring
Rule ID to match on signals.
tags
\n[string]
Tags for generated signals.
type
\nenum
The rule type. \nAllowed enum values: signal_correlation
updateAuthorId
\nint64
User ID of the user who updated the rule.
version
\nint64
The version of the rule.
Option 1
\nobject
Rule.
calculatedFields
\n[object]
Calculated fields. Only allowed for scheduled rules - in other words, when schedulingOptions is also defined.
expression [required]
\nstring
Expression.
name [required]
\nstring
Field name.
cases
\n[object]
Cases for generating signals.
actions
\n[object]
Action to perform for each rule case.
options
\nobject
Options for the rule action
duration
\nint64
Duration of the action in seconds. 0 indicates no expiration.
flaggedIPType
\nenum
Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. \nAllowed enum values: SUSPICIOUS,FLAGGED
userBehaviorName
\nstring
Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.
type
\nenum
The action type. \nAllowed enum values: block_ip,block_user,user_behavior,flag_ip
condition
\nstring
A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated\nbased on the event counts in the previously defined queries.
customStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets for each rule case.
status
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
complianceSignalOptions
\nobject
How to generate compliance signals. Useful for cloud_configuration rules only.
defaultActivationStatus
\nboolean
The default activation status.
defaultGroupByFields
\n[string]
The default group by fields.
userActivationStatus
\nboolean
Whether signals will be sent.
userGroupByFields
\n[string]
Fields to use to group findings by when sending signals.
createdAt
\nint64
When the rule was created, timestamp in milliseconds.
creationAuthorId
\nint64
User ID of the user who created the rule.
customMessage
\nstring
Custom/Overridden message for generated signals (used in case of Default rule update).
customName
\nstring
Custom/Overridden name of the rule (used in case of Default rule update).
defaultTags
\n[string]
Default Tags for default rules (included in tags)
deprecationDate
\nint64
When the rule will be deprecated, timestamp in milliseconds.
filters
\n[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
\nenum
The type of filtering action. \nAllowed enum values: require,suppress
query
\nstring
Query for selecting logs to apply the filtering action.
groupSignalsBy
\n[string]
Additional grouping to perform on top of the existing groups in the query section. Must be a subset of the existing groups.
hasExtendedTitle
\nboolean
Whether the notifications include the triggering group-by values in their title.
id
\nstring
The ID of the rule.
isDefault
\nboolean
Whether the rule is included by default.
isDeleted
\nboolean
Whether the rule has been deleted.
isEnabled
\nboolean
Whether the rule is enabled.
message
\nstring
Message for generated signals.
name
\nstring
The name of the rule.
options
\nobject
Options.
complianceRuleOptions
\nobject
Options for cloud_configuration rules.\nFields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.
complexRule
\nboolean
Whether the rule is a complex one.\nMust be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.
regoRule
\nobject
Rule details.
policy [required]
\nstring
The policy written in rego, see: https://www.openpolicyagent.org/docs/latest/policy-language/
resourceTypes [required]
\n[string]
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
\nstring
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.
decreaseCriticalityBasedOnEnv
\nboolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.\nThe severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO.\nThe decrement is applied when the environment tag of the signal starts with staging, test or dev.
detectionMethod
\nenum
The detection method. \nAllowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
hardcodedEvaluatorType
\nenum
Hardcoded evaluator type. \nAllowed enum values: log4shell
impossibleTravelOptions
\nobject
Options on impossible travel detection method.
baselineUserLocations
\nboolean
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular\naccess locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
\nenum
Once a signal is generated, the signal will remain "open" if a case is matched at least once within\nthis keep alive window. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
maxSignalDuration
\nenum
A signal will "close" regardless of the query being matched once the time exceeds the maximum duration.\nThis time is calculated from the first seen timestamp. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
\nobject
Options on new value detection method.
forgetAfter
\nenum
The duration in days after which a learned value is forgotten. \nAllowed enum values: 1,2,7,14,21,28
learningDuration
\nenum
The duration in days during which values are learned, and after which signals will be generated for values that\nweren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. \nAllowed enum values: 0,1,7
learningMethod
\nenum
The learning method used to determine when signals should be generated for values that weren't learned. \nAllowed enum values: duration,threshold
default: duration
learningThreshold
\nenum
A number of occurrences after which signals will be generated for values that weren't learned. \nAllowed enum values: 0,1
sequenceDetectionOptions
\nobject
Options on sequence detection method.
stepTransitions
\n[object]
Transitions defining the allowed order of steps and their evaluation windows.
child
\nstring
Name of the child step.
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
parent
\nstring
Name of the parent step.
steps
\n[object]
Steps that define the conditions to be matched in sequence.
condition
\nstring
Condition referencing rule queries (e.g., a > 0).
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
name
\nstring
Unique name identifying the step.
thirdPartyRuleOptions
\nobject
Options on third party detection method.
defaultNotifications
\n[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
rootQueries
\n[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
\n[string]
Fields to group by.
query
\nstring
Query to run on logs.
signalTitleTemplate
\nstring
A template for the signal title; if omitted, the title is generated based on the case name.
queries
\n[object]
Queries for selecting logs which are part of the rule.
aggregation
\nenum
The aggregation type. \nAllowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
customQueryExtension
\nstring
Query extension to append to the logs query.
dataSource
\nenum
Source of events, either logs, audit trail, or Datadog events. \nAllowed enum values: logs,audit,app_sec_spans,spans,security_runtime,network,events
default: logs
distinctFields
\n[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
\n[string]
Fields to group by.
hasOptionalGroupByFields
\nboolean
When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with N/A, replacing the missing values.
index
\nstring
This field is currently unstable and might be removed in a minor version upgrade.\nThe index to run the query on, if the dataSource is logs. Only used for scheduled rules - in other words, when the schedulingOptions field is present in the rule payload.
indexes
\n[string]
List of indexes to query when the dataSource is logs. Only used for scheduled rules, such as when the schedulingOptions field is present in the rule payload.
metric
\nstring
DEPRECATED: (Deprecated) The target field to aggregate over when using the sum or max\naggregations. metrics field should be used instead.
metrics
\n[string]
Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.
name
\nstring
Name of the query.
query
\nstring
Query to run on logs.
referenceTables
\n[object]
Reference tables for the rule.
checkPresence
\nboolean
Whether to include or exclude the matched values.
columnName
\nstring
The name of the column in the reference table.
logFieldPath
\nstring
The field in the log to match against the reference table.
ruleQueryName
\nstring
The name of the query to apply the reference table to.
tableName
\nstring
The name of the reference table.
schedulingOptions
\nobject
Options for scheduled rules. When this field is present, the rule runs based on the schedule. When absent, it runs real-time on ingested logs.
rrule
\nstring
Schedule for the rule queries, written in RRULE syntax. See RFC for syntax reference.
start
\nstring
Start date for the schedule, in ISO 8601 format without timezone.
tags
\n[string]
Tags for generated signals.
thirdPartyCases
\n[object]
Cases for generating signals from third-party rules. Only available for third-party rules.
customStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets for each rule case.
query
\nstring
A query to map a third party event to this case.
status
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
type
\nenum
The rule type. \nAllowed enum values: log_detection,infrastructure_configuration,workload_security,cloud_configuration,application_security,api_security
updateAuthorId
\nint64
User ID of the user who updated the rule.
updatedAt
\nint64
The date the rule was last updated, in milliseconds.
version
\nint64
The version of the rule.
Option 2
\nobject
Rule.
cases
\n[object]
Cases for generating signals.
actions
\n[object]
Action to perform for each rule case.
options
\nobject
Options for the rule action
duration
\nint64
Duration of the action in seconds. 0 indicates no expiration.
flaggedIPType
\nenum
Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. \nAllowed enum values: SUSPICIOUS,FLAGGED
userBehaviorName
\nstring
Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.
type
\nenum
The action type. \nAllowed enum values: block_ip,block_user,user_behavior,flag_ip
condition
\nstring
A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated\nbased on the event counts in the previously defined queries.
customStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets for each rule case.
status
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
createdAt
\nint64
When the rule was created, timestamp in milliseconds.
creationAuthorId
\nint64
User ID of the user who created the rule.
customMessage
\nstring
Custom/Overridden message for generated signals (used in case of Default rule update).
customName
\nstring
Custom/Overridden name of the rule (used in case of Default rule update).
deprecationDate
\nint64
When the rule will be deprecated, timestamp in milliseconds.
filters
\n[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
\nenum
The type of filtering action. \nAllowed enum values: require,suppress
query
\nstring
Query for selecting logs to apply the filtering action.
hasExtendedTitle
\nboolean
Whether the notifications include the triggering group-by values in their title.
id
\nstring
The ID of the rule.
isDefault
\nboolean
Whether the rule is included by default.
isDeleted
\nboolean
Whether the rule has been deleted.
isEnabled
\nboolean
Whether the rule is enabled.
message
\nstring
Message for generated signals.
name
\nstring
The name of the rule.
options
\nobject
Options.
complianceRuleOptions
\nobject
Options for cloud_configuration rules.\nFields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.
complexRule
\nboolean
Whether the rule is a complex one.\nMust be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.
regoRule
\nobject
Rule details.
policy [required]
\nstring
The policy written in rego, see: https://www.openpolicyagent.org/docs/latest/policy-language/
resourceTypes [required]
\n[string]
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
\nstring
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.
decreaseCriticalityBasedOnEnv
\nboolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.\nThe severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO.\nThe decrement is applied when the environment tag of the signal starts with staging, test or dev.
detectionMethod
\nenum
The detection method. \nAllowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
hardcodedEvaluatorType
\nenum
Hardcoded evaluator type. \nAllowed enum values: log4shell
impossibleTravelOptions
\nobject
Options on impossible travel detection method.
baselineUserLocations
\nboolean
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular\naccess locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
\nenum
Once a signal is generated, the signal will remain "open" if a case is matched at least once within\nthis keep alive window. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
maxSignalDuration
\nenum
A signal will "close" regardless of the query being matched once the time exceeds the maximum duration.\nThis time is calculated from the first seen timestamp. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
\nobject
Options on new value detection method.
forgetAfter
\nenum
The duration in days after which a learned value is forgotten. \nAllowed enum values: 1,2,7,14,21,28
learningDuration
\nenum
The duration in days during which values are learned, and after which signals will be generated for values that\nweren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. \nAllowed enum values: 0,1,7
learningMethod
\nenum
The learning method used to determine when signals should be generated for values that weren't learned. \nAllowed enum values: duration,threshold
default: duration
learningThreshold
\nenum
A number of occurrences after which signals will be generated for values that weren't learned. \nAllowed enum values: 0,1
sequenceDetectionOptions
\nobject
Options on sequence detection method.
stepTransitions
\n[object]
Transitions defining the allowed order of steps and their evaluation windows.
child
\nstring
Name of the child step.
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
parent
\nstring
Name of the parent step.
steps
\n[object]
Steps that define the conditions to be matched in sequence.
condition
\nstring
Condition referencing rule queries (e.g., a > 0).
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
name
\nstring
Unique name identifying the step.
thirdPartyRuleOptions
\nobject
Options on third party detection method.
defaultNotifications
\n[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
rootQueries
\n[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
\n[string]
Fields to group by.
query
\nstring
Query to run on logs.
signalTitleTemplate
\nstring
A template for the signal title; if omitted, the title is generated based on the case name.
queries
\n[object]
Queries for selecting logs which are part of the rule.
aggregation
\nenum
The aggregation type. \nAllowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
correlatedByFields
\n[string]
Fields to correlate by.
correlatedQueryIndex
\nint32
Index of the rule query used to retrieve the correlated field.
defaultRuleId
\nstring
Default Rule ID to match on signals.
distinctFields
\n[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
\n[string]
Fields to group by.
metrics
\n[string]
Group of target fields to aggregate over.
name
\nstring
Name of the query.
ruleId
\nstring
Rule ID to match on signals.
tags
\n[string]
Tags for generated signals.
type
\nenum
The rule type. \nAllowed enum values: signal_correlation
updateAuthorId
\nint64
User ID of the user who updated the rule.
version
\nint64
The version of the rule.
calculatedFields
\n[object]
Calculated fields. Only allowed for scheduled rules - in other words, when schedulingOptions is also defined.
expression [required]
\nstring
Expression.
name [required]
\nstring
Field name.
cases
\n[object]
Cases for generating signals.
actions
\n[object]
Action to perform for each rule case.
options
\nobject
Options for the rule action
duration
\nint64
Duration of the action in seconds. 0 indicates no expiration.
flaggedIPType
\nenum
Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. \nAllowed enum values: SUSPICIOUS,FLAGGED
userBehaviorName
\nstring
Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.
type
\nenum
The action type. \nAllowed enum values: block_ip,block_user,user_behavior,flag_ip
condition
\nstring
A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated\nbased on the event counts in the previously defined queries.
customStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets for each rule case.
status
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
complianceSignalOptions
\nobject
How to generate compliance signals. Useful for cloud_configuration rules only.
defaultActivationStatus
\nboolean
The default activation status.
defaultGroupByFields
\n[string]
The default group by fields.
userActivationStatus
\nboolean
Whether signals will be sent.
userGroupByFields
\n[string]
Fields to use to group findings by when sending signals.
customMessage
\nstring
Custom/Overridden Message for generated signals (used in case of Default rule update).
customName
\nstring
Custom/Overridden name (used in case of Default rule update).
filters
\n[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
\nenum
The type of filtering action. \nAllowed enum values: require,suppress
query
\nstring
Query for selecting logs to apply the filtering action.
groupSignalsBy
\n[string]
Additional grouping to perform on top of the existing groups in the query section. Must be a subset of the existing groups.
hasExtendedTitle
\nboolean
Whether the notifications include the triggering group-by values in their title.
isEnabled
\nboolean
Whether the rule is enabled.
message
\nstring
Message for generated signals.
name
\nstring
Name of the rule.
options
\nobject
Options.
complianceRuleOptions
\nobject
Options for cloud_configuration rules.\nFields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.
complexRule
\nboolean
Whether the rule is a complex one.\nMust be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.
regoRule
\nobject
Rule details.
policy [required]
\nstring
The policy written in rego, see: https://www.openpolicyagent.org/docs/latest/policy-language/
resourceTypes [required]
\n[string]
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
\nstring
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.
decreaseCriticalityBasedOnEnv
\nboolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.\nThe severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO.\nThe decrement is applied when the environment tag of the signal starts with staging, test or dev.
detectionMethod
\nenum
The detection method. \nAllowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
hardcodedEvaluatorType
\nenum
Hardcoded evaluator type. \nAllowed enum values: log4shell
impossibleTravelOptions
\nobject
Options on impossible travel detection method.
baselineUserLocations
\nboolean
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular\naccess locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
\nenum
Once a signal is generated, the signal will remain "open" if a case is matched at least once within\nthis keep alive window. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
maxSignalDuration
\nenum
A signal will "close" regardless of the query being matched once the time exceeds the maximum duration.\nThis time is calculated from the first seen timestamp. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
\nobject
Options on new value detection method.
forgetAfter
\nenum
The duration in days after which a learned value is forgotten. \nAllowed enum values: 1,2,7,14,21,28
learningDuration
\nenum
The duration in days during which values are learned, and after which signals will be generated for values that\nweren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. \nAllowed enum values: 0,1,7
learningMethod
\nenum
The learning method used to determine when signals should be generated for values that weren't learned. \nAllowed enum values: duration,threshold
default: duration
learningThreshold
\nenum
A number of occurrences after which signals will be generated for values that weren't learned. \nAllowed enum values: 0,1
sequenceDetectionOptions
\nobject
Options on sequence detection method.
stepTransitions
\n[object]
Transitions defining the allowed order of steps and their evaluation windows.
child
\nstring
Name of the child step.
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
parent
\nstring
Name of the parent step.
steps
\n[object]
Steps that define the conditions to be matched in sequence.
condition
\nstring
Condition referencing rule queries (e.g., a > 0).
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
name
\nstring
Unique name identifying the step.
thirdPartyRuleOptions
\nobject
Options on third party detection method.
defaultNotifications
\n[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
rootQueries
\n[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
\n[string]
Fields to group by.
query
\nstring
Query to run on logs.
signalTitleTemplate
\nstring
A template for the signal title; if omitted, the title is generated based on the case name.
queries
\n[ <oneOf>]
Queries for selecting logs which are part of the rule.
Option 1
\nobject
Query for matching rule.
aggregation
\nenum
The aggregation type. \nAllowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
customQueryExtension
\nstring
Query extension to append to the logs query.
dataSource
\nenum
Source of events, either logs, audit trail, or Datadog events. \nAllowed enum values: logs,audit,app_sec_spans,spans,security_runtime,network,events
default: logs
distinctFields
\n[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
\n[string]
Fields to group by.
hasOptionalGroupByFields
\nboolean
When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with N/A, replacing the missing values.
index
\nstring
This field is currently unstable and might be removed in a minor version upgrade.\nThe index to run the query on, if the dataSource is logs. Only used for scheduled rules - in other words, when the schedulingOptions field is present in the rule payload.
metric
\nstring
DEPRECATED: (Deprecated) The target field to aggregate over when using the sum or max\naggregations. metrics field should be used instead.
metrics
\n[string]
Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.
name
\nstring
Name of the query.
query
\nstring
Query to run on logs.
Option 2
\nobject
Query for matching rule on signals.
aggregation
\nenum
The aggregation type. \nAllowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
correlatedByFields
\n[string]
Fields to group by.
correlatedQueryIndex
\nint32
Index of the rule query used to retrieve the correlated field.
metrics
\n[string]
Group of target fields to aggregate over.
name
\nstring
Name of the query.
ruleId [required]
\nstring
Rule ID to match on signals.
referenceTables
\n[object]
Reference tables for the rule.
checkPresence
\nboolean
Whether to include or exclude the matched values.
columnName
\nstring
The name of the column in the reference table.
logFieldPath
\nstring
The field in the log to match against the reference table.
ruleQueryName
\nstring
The name of the query to apply the reference table to.
tableName
\nstring
The name of the reference table.
schedulingOptions
\nobject
Options for scheduled rules. When this field is present, the rule runs based on the schedule. When absent, it runs real-time on ingested logs.
rrule
\nstring
Schedule for the rule queries, written in RRULE syntax. See RFC for syntax reference.
start
\nstring
Start date for the schedule, in ISO 8601 format without timezone.
tags
\n[string]
Tags for generated signals.
thirdPartyCases
\n[object]
Cases for generating signals from third-party rules. Only available for third-party rules.
customStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets for each rule case.
query
\nstring
A query to map a third party event to this case.
status
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
version
\nint32
The version of the rule being updated.
calculatedFields
\n[object]
Calculated fields. Only allowed for scheduled rules - in other words, when schedulingOptions is also defined.
expression [required]
\nstring
Expression.
name [required]
\nstring
Field name.
cases
\n[object]
Cases for generating signals.
actions
\n[object]
Action to perform for each rule case.
options
\nobject
Options for the rule action
duration
\nint64
Duration of the action in seconds. 0 indicates no expiration.
flaggedIPType
\nenum
Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. \nAllowed enum values: SUSPICIOUS,FLAGGED
userBehaviorName
\nstring
Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.
type
\nenum
The action type. \nAllowed enum values: block_ip,block_user,user_behavior,flag_ip
condition
\nstring
A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated\nbased on the event counts in the previously defined queries.
customStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets for each rule case.
status
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
complianceSignalOptions
\nobject
How to generate compliance signals. Useful for cloud_configuration rules only.
defaultActivationStatus
\nboolean
The default activation status.
defaultGroupByFields
\n[string]
The default group by fields.
userActivationStatus
\nboolean
Whether signals will be sent.
userGroupByFields
\n[string]
Fields to use to group findings by when sending signals.
customMessage
\nstring
Custom/Overridden Message for generated signals (used in case of Default rule update).
customName
\nstring
Custom/Overridden name (used in case of Default rule update).
filters
\n[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
\nenum
The type of filtering action. \nAllowed enum values: require,suppress
query
\nstring
Query for selecting logs to apply the filtering action.
groupSignalsBy
\n[string]
Additional grouping to perform on top of the existing groups in the query section. Must be a subset of the existing groups.
hasExtendedTitle
\nboolean
Whether the notifications include the triggering group-by values in their title.
isEnabled
\nboolean
Whether the rule is enabled.
message
\nstring
Message for generated signals.
name
\nstring
Name of the rule.
options
\nobject
Options.
complianceRuleOptions
\nobject
Options for cloud_configuration rules.\nFields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.
complexRule
\nboolean
Whether the rule is a complex one.\nMust be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.
regoRule
\nobject
Rule details.
policy [required]
\nstring
The policy written in rego, see: https://www.openpolicyagent.org/docs/latest/policy-language/
resourceTypes [required]
\n[string]
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
\nstring
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.
decreaseCriticalityBasedOnEnv
\nboolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.\nThe severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO.\nThe decrement is applied when the environment tag of the signal starts with staging, test or dev.
detectionMethod
\nenum
The detection method. \nAllowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
hardcodedEvaluatorType
\nenum
Hardcoded evaluator type. \nAllowed enum values: log4shell
impossibleTravelOptions
\nobject
Options on impossible travel detection method.
baselineUserLocations
\nboolean
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular\naccess locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
\nenum
Once a signal is generated, the signal will remain "open" if a case is matched at least once within\nthis keep alive window. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
maxSignalDuration
\nenum
A signal will "close" regardless of the query being matched once the time exceeds the maximum duration.\nThis time is calculated from the first seen timestamp. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
\nobject
Options on new value detection method.
forgetAfter
\nenum
The duration in days after which a learned value is forgotten. \nAllowed enum values: 1,2,7,14,21,28
learningDuration
\nenum
The duration in days during which values are learned, and after which signals will be generated for values that\nweren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. \nAllowed enum values: 0,1,7
learningMethod
\nenum
The learning method used to determine when signals should be generated for values that weren't learned. \nAllowed enum values: duration,threshold
default: duration
learningThreshold
\nenum
A number of occurrences after which signals will be generated for values that weren't learned. \nAllowed enum values: 0,1
sequenceDetectionOptions
\nobject
Options on sequence detection method.
stepTransitions
\n[object]
Transitions defining the allowed order of steps and their evaluation windows.
child
\nstring
Name of the child step.
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
parent
\nstring
Name of the parent step.
steps
\n[object]
Steps that define the conditions to be matched in sequence.
condition
\nstring
Condition referencing rule queries (e.g., a > 0).
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
name
\nstring
Unique name identifying the step.
thirdPartyRuleOptions
\nobject
Options on third party detection method.
defaultNotifications
\n[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
rootQueries
\n[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
\n[string]
Fields to group by.
query
\nstring
Query to run on logs.
signalTitleTemplate
\nstring
A template for the signal title; if omitted, the title is generated based on the case name.
queries
\n[ <oneOf>]
Queries for selecting logs which are part of the rule.
Option 1
\nobject
Query for matching rule.
aggregation
\nenum
The aggregation type. \nAllowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
customQueryExtension
\nstring
Query extension to append to the logs query.
dataSource
\nenum
Source of events, either logs, audit trail, or Datadog events. \nAllowed enum values: logs,audit,app_sec_spans,spans,security_runtime,network,events
default: logs
distinctFields
\n[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
\n[string]
Fields to group by.
hasOptionalGroupByFields
\nboolean
When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with N/A, replacing the missing values.
index
\nstring
This field is currently unstable and might be removed in a minor version upgrade.\nThe index to run the query on, if the dataSource is logs. Only used for scheduled rules - in other words, when the schedulingOptions field is present in the rule payload.
indexes
\n[string]
List of indexes to query when the dataSource is logs. Only used for scheduled rules, such as when the schedulingOptions field is present in the rule payload.
metric
\nstring
DEPRECATED: (Deprecated) The target field to aggregate over when using the sum or max\naggregations. metrics field should be used instead.
metrics
\n[string]
Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.
name
\nstring
Name of the query.
query
\nstring
Query to run on logs.
Option 2
\nobject
Query for matching rule on signals.
aggregation
\nenum
The aggregation type. \nAllowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
correlatedByFields
\n[string]
Fields to group by.
correlatedQueryIndex
\nint32
Index of the rule query used to retrieve the correlated field.
metrics
\n[string]
Group of target fields to aggregate over.
name
\nstring
Name of the query.
ruleId [required]
\nstring
Rule ID to match on signals.
referenceTables
\n[object]
Reference tables for the rule.
checkPresence
\nboolean
Whether to include or exclude the matched values.
columnName
\nstring
The name of the column in the reference table.
logFieldPath
\nstring
The field in the log to match against the reference table.
ruleQueryName
\nstring
The name of the query to apply the reference table to.
tableName
\nstring
The name of the reference table.
schedulingOptions
\nobject
Options for scheduled rules. When this field is present, the rule runs based on the schedule. When absent, it runs real-time on ingested logs.
rrule
\nstring
Schedule for the rule queries, written in RRULE syntax. See RFC for syntax reference.
start
\nstring
Start date for the schedule, in ISO 8601 format without timezone.
tags
\n[string]
Tags for generated signals.
thirdPartyCases
\n[object]
Cases for generating signals from third-party rules. Only available for third-party rules.
customStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets for each rule case.
query
\nstring
A query to map a third party event to this case.
status
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
version
\nint32
The version of the rule being updated.
rule
\n<oneOf>
Test a rule.
Option 1
\nobject
The payload of a rule to test
calculatedFields
\n[object]
Calculated fields. Only allowed for scheduled rules - in other words, when schedulingOptions is also defined.
expression [required]
\nstring
Expression.
name [required]
\nstring
Field name.
cases [required]
\n[object]
Cases for generating signals.
actions
\n[object]
Action to perform for each rule case.
options
\nobject
Options for the rule action
duration
\nint64
Duration of the action in seconds. 0 indicates no expiration.
flaggedIPType
\nenum
Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. \nAllowed enum values: SUSPICIOUS,FLAGGED
userBehaviorName
\nstring
Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.
type
\nenum
The action type. \nAllowed enum values: block_ip,block_user,user_behavior,flag_ip
condition
\nstring
A case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated\nbased on the event counts in the previously defined queries.
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets.
status [required]
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
filters
\n[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
\nenum
The type of filtering action. \nAllowed enum values: require,suppress
query
\nstring
Query for selecting logs to apply the filtering action.
groupSignalsBy
\n[string]
Additional grouping to perform on top of the existing groups in the query section. Must be a subset of the existing groups.
hasExtendedTitle
\nboolean
Whether the notifications include the triggering group-by values in their title.
isEnabled [required]
\nboolean
Whether the rule is enabled.
message [required]
\nstring
Message for generated signals.
name [required]
\nstring
The name of the rule.
options [required]
\nobject
Options.
complianceRuleOptions
\nobject
Options for cloud_configuration rules.\nFields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.
complexRule
\nboolean
Whether the rule is a complex one.\nMust be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.
regoRule
\nobject
Rule details.
policy [required]
\nstring
The policy written in rego, see: https://www.openpolicyagent.org/docs/latest/policy-language/
resourceTypes [required]
\n[string]
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
\nstring
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.
decreaseCriticalityBasedOnEnv
\nboolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.\nThe severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO.\nThe decrement is applied when the environment tag of the signal starts with staging, test or dev.
detectionMethod
\nenum
The detection method. \nAllowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
hardcodedEvaluatorType
\nenum
Hardcoded evaluator type. \nAllowed enum values: log4shell
impossibleTravelOptions
\nobject
Options on impossible travel detection method.
baselineUserLocations
\nboolean
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular\naccess locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
\nenum
Once a signal is generated, the signal will remain "open" if a case is matched at least once within\nthis keep alive window. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
maxSignalDuration
\nenum
A signal will "close" regardless of the query being matched once the time exceeds the maximum duration.\nThis time is calculated from the first seen timestamp. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
\nobject
Options on new value detection method.
forgetAfter
\nenum
The duration in days after which a learned value is forgotten. \nAllowed enum values: 1,2,7,14,21,28
learningDuration
\nenum
The duration in days during which values are learned, and after which signals will be generated for values that\nweren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. \nAllowed enum values: 0,1,7
learningMethod
\nenum
The learning method used to determine when signals should be generated for values that weren't learned. \nAllowed enum values: duration,threshold
default: duration
learningThreshold
\nenum
A number of occurrences after which signals will be generated for values that weren't learned. \nAllowed enum values: 0,1
sequenceDetectionOptions
\nobject
Options on sequence detection method.
stepTransitions
\n[object]
Transitions defining the allowed order of steps and their evaluation windows.
child
\nstring
Name of the child step.
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
parent
\nstring
Name of the parent step.
steps
\n[object]
Steps that define the conditions to be matched in sequence.
condition
\nstring
Condition referencing rule queries (e.g., a > 0).
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
name
\nstring
Unique name identifying the step.
thirdPartyRuleOptions
\nobject
Options on third party detection method.
defaultNotifications
\n[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
rootQueries
\n[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
\n[string]
Fields to group by.
query
\nstring
Query to run on logs.
signalTitleTemplate
\nstring
A template for the signal title; if omitted, the title is generated based on the case name.
queries [required]
\n[object]
Queries for selecting logs which are part of the rule.
aggregation
\nenum
The aggregation type. \nAllowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
customQueryExtension
\nstring
Query extension to append to the logs query.
dataSource
\nenum
Source of events, either logs, audit trail, or Datadog events. \nAllowed enum values: logs,audit,app_sec_spans,spans,security_runtime,network,events
default: logs
distinctFields
\n[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
\n[string]
Fields to group by.
hasOptionalGroupByFields
\nboolean
When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with N/A, replacing the missing values.
index
\nstring
This field is currently unstable and might be removed in a minor version upgrade.\nThe index to run the query on, if the dataSource is logs. Only used for scheduled rules - in other words, when the schedulingOptions field is present in the rule payload.
metric
\nstring
DEPRECATED: (Deprecated) The target field to aggregate over when using the sum or max\naggregations. metrics field should be used instead.
metrics
\n[string]
Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.
name
\nstring
Name of the query.
query
\nstring
Query to run on logs.
referenceTables
\n[object]
Reference tables for the rule.
checkPresence
\nboolean
Whether to include or exclude the matched values.
columnName
\nstring
The name of the column in the reference table.
logFieldPath
\nstring
The field in the log to match against the reference table.
ruleQueryName
\nstring
The name of the query to apply the reference table to.
tableName
\nstring
The name of the reference table.
schedulingOptions
\nobject
Options for scheduled rules. When this field is present, the rule runs based on the schedule. When absent, it runs real-time on ingested logs.
rrule
\nstring
Schedule for the rule queries, written in RRULE syntax. See RFC for syntax reference.
start
\nstring
Start date for the schedule, in ISO 8601 format without timezone.
tags
\n[string]
Tags for generated signals.
thirdPartyCases
\n[object]
Cases for generating signals from third-party rules. Only available for third-party rules.
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets for each case.
query
\nstring
A query to map a third party event to this case.
status [required]
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
type
\nenum
The rule type. \nAllowed enum values: log_detection
ruleQueryPayloads
\n[object]
Data payloads used to test rules query with the expected result.
expectedResult
\nboolean
Expected result of the test.
index
\nint64
Index of the query under test.
payload
\nobject
Payload used to test the rule query.
ddsource
\nstring
Source of the payload.
ddtags
\nstring
Tags associated with your data.
hostname
\nstring
The name of the originating host of the log.
message
\nstring
The message of the payload.
service
\nstring
The name of the application or service generating the data.
rule
\n<oneOf>
Test a rule.
Option 1
\nobject
The payload of a rule to test
calculatedFields
\n[object]
Calculated fields. Only allowed for scheduled rules - in other words, when schedulingOptions is also defined.
expression [required]
\nstring
Expression.
name [required]
\nstring
Field name.
cases [required]
\n[object]
Cases for generating signals.
actions
\n[object]
Action to perform for each rule case.
options
\nobject
Options for the rule action
duration
\nint64
Duration of the action in seconds. 0 indicates no expiration.
flaggedIPType
\nenum
Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. \nAllowed enum values: SUSPICIOUS,FLAGGED
userBehaviorName
\nstring
Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.
type
\nenum
The action type. \nAllowed enum values: block_ip,block_user,user_behavior,flag_ip
condition
\nstring
A case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated\nbased on the event counts in the previously defined queries.
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets.
status [required]
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
filters
\n[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
\nenum
The type of filtering action. \nAllowed enum values: require,suppress
query
\nstring
Query for selecting logs to apply the filtering action.
groupSignalsBy
\n[string]
Additional grouping to perform on top of the existing groups in the query section. Must be a subset of the existing groups.
hasExtendedTitle
\nboolean
Whether the notifications include the triggering group-by values in their title.
isEnabled [required]
\nboolean
Whether the rule is enabled.
message [required]
\nstring
Message for generated signals.
name [required]
\nstring
The name of the rule.
options [required]
\nobject
Options.
complianceRuleOptions
\nobject
Options for cloud_configuration rules.\nFields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.
complexRule
\nboolean
Whether the rule is a complex one.\nMust be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.
regoRule
\nobject
Rule details.
policy [required]
\nstring
The policy written in rego, see: https://www.openpolicyagent.org/docs/latest/policy-language/
resourceTypes [required]
\n[string]
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
\nstring
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.
decreaseCriticalityBasedOnEnv
\nboolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.\nThe severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO.\nThe decrement is applied when the environment tag of the signal starts with staging, test or dev.
detectionMethod
\nenum
The detection method. \nAllowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
hardcodedEvaluatorType
\nenum
Hardcoded evaluator type. \nAllowed enum values: log4shell
impossibleTravelOptions
\nobject
Options on impossible travel detection method.
baselineUserLocations
\nboolean
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular\naccess locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
\nenum
Once a signal is generated, the signal will remain "open" if a case is matched at least once within\nthis keep alive window. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
maxSignalDuration
\nenum
A signal will "close" regardless of the query being matched once the time exceeds the maximum duration.\nThis time is calculated from the first seen timestamp. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
\nobject
Options on new value detection method.
forgetAfter
\nenum
The duration in days after which a learned value is forgotten. \nAllowed enum values: 1,2,7,14,21,28
learningDuration
\nenum
The duration in days during which values are learned, and after which signals will be generated for values that\nweren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. \nAllowed enum values: 0,1,7
learningMethod
\nenum
The learning method used to determine when signals should be generated for values that weren't learned. \nAllowed enum values: duration,threshold
default: duration
learningThreshold
\nenum
A number of occurrences after which signals will be generated for values that weren't learned. \nAllowed enum values: 0,1
sequenceDetectionOptions
\nobject
Options on sequence detection method.
stepTransitions
\n[object]
Transitions defining the allowed order of steps and their evaluation windows.
child
\nstring
Name of the child step.
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
parent
\nstring
Name of the parent step.
steps
\n[object]
Steps that define the conditions to be matched in sequence.
condition
\nstring
Condition referencing rule queries (e.g., a > 0).
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
name
\nstring
Unique name identifying the step.
thirdPartyRuleOptions
\nobject
Options on third party detection method.
defaultNotifications
\n[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
rootQueries
\n[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
\n[string]
Fields to group by.
query
\nstring
Query to run on logs.
signalTitleTemplate
\nstring
A template for the signal title; if omitted, the title is generated based on the case name.
queries [required]
\n[object]
Queries for selecting logs which are part of the rule.
aggregation
\nenum
The aggregation type. \nAllowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
customQueryExtension
\nstring
Query extension to append to the logs query.
dataSource
\nenum
Source of events, either logs, audit trail, or Datadog events. \nAllowed enum values: logs,audit,app_sec_spans,spans,security_runtime,network,events
default: logs
distinctFields
\n[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
\n[string]
Fields to group by.
hasOptionalGroupByFields
\nboolean
When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with N/A, replacing the missing values.
index
\nstring
This field is currently unstable and might be removed in a minor version upgrade.\nThe index to run the query on, if the dataSource is logs. Only used for scheduled rules - in other words, when the schedulingOptions field is present in the rule payload.
indexes
\n[string]
List of indexes to query when the dataSource is logs. Only used for scheduled rules, such as when the schedulingOptions field is present in the rule payload.
metric
\nstring
DEPRECATED: (Deprecated) The target field to aggregate over when using the sum or max\naggregations. metrics field should be used instead.
metrics
\n[string]
Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.
name
\nstring
Name of the query.
query
\nstring
Query to run on logs.
referenceTables
\n[object]
Reference tables for the rule.
checkPresence
\nboolean
Whether to include or exclude the matched values.
columnName
\nstring
The name of the column in the reference table.
logFieldPath
\nstring
The field in the log to match against the reference table.
ruleQueryName
\nstring
The name of the query to apply the reference table to.
tableName
\nstring
The name of the reference table.
schedulingOptions
\nobject
Options for scheduled rules. When this field is present, the rule runs based on the schedule. When absent, it runs real-time on ingested logs.
rrule
\nstring
Schedule for the rule queries, written in RRULE syntax. See RFC for syntax reference.
start
\nstring
Start date for the schedule, in ISO 8601 format without timezone.
tags
\n[string]
Tags for generated signals.
thirdPartyCases
\n[object]
Cases for generating signals from third-party rules. Only available for third-party rules.
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets for each case.
query
\nstring
A query to map a third party event to this case.
status [required]
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
type
\nenum
The rule type. \nAllowed enum values: log_detection
ruleQueryPayloads
\n[object]
Data payloads used to test rules query with the expected result.
expectedResult
\nboolean
Expected result of the test.
index
\nint64
Index of the query under test.
payload
\nobject
Payload used to test the rule query.
ddsource
\nstring
Source of the payload.
ddtags
\nstring
Tags associated with your data.
hostname
\nstring
The name of the originating host of the log.
message
\nstring
The message of the payload.
service
\nstring
The name of the application or service generating the data.
data
\nobject
Data for the rule version history.
attributes
\nobject
Response object containing the version history of a rule.
count
\nint32
The number of rule versions.
data
\nobject
The RuleVersionHistory data.
<any-key>
\nobject
A rule version with a list of updates.
changes
\n[object]
A list of changes.
change
\nstring
The new value of the field.
field
\nstring
The field that was changed.
type
\nenum
The type of change. \nAllowed enum values: create,update,delete
rule
\n<oneOf>
Create a new rule.
Option 1
\nobject
Rule.
calculatedFields
\n[object]
Calculated fields. Only allowed for scheduled rules - in other words, when schedulingOptions is also defined.
expression [required]
\nstring
Expression.
name [required]
\nstring
Field name.
cases
\n[object]
Cases for generating signals.
actions
\n[object]
Action to perform for each rule case.
options
\nobject
Options for the rule action
duration
\nint64
Duration of the action in seconds. 0 indicates no expiration.
flaggedIPType
\nenum
Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. \nAllowed enum values: SUSPICIOUS,FLAGGED
userBehaviorName
\nstring
Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.
type
\nenum
The action type. \nAllowed enum values: block_ip,block_user,user_behavior,flag_ip
condition
\nstring
A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated\nbased on the event counts in the previously defined queries.
customStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets for each rule case.
status
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
complianceSignalOptions
\nobject
How to generate compliance signals. Useful for cloud_configuration rules only.
defaultActivationStatus
\nboolean
The default activation status.
defaultGroupByFields
\n[string]
The default group by fields.
userActivationStatus
\nboolean
Whether signals will be sent.
userGroupByFields
\n[string]
Fields to use to group findings by when sending signals.
createdAt
\nint64
When the rule was created, timestamp in milliseconds.
creationAuthorId
\nint64
User ID of the user who created the rule.
customMessage
\nstring
Custom/Overridden message for generated signals (used in case of Default rule update).
customName
\nstring
Custom/Overridden name of the rule (used in case of Default rule update).
defaultTags
\n[string]
Default Tags for default rules (included in tags)
deprecationDate
\nint64
When the rule will be deprecated, timestamp in milliseconds.
filters
\n[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
\nenum
The type of filtering action. \nAllowed enum values: require,suppress
query
\nstring
Query for selecting logs to apply the filtering action.
groupSignalsBy
\n[string]
Additional grouping to perform on top of the existing groups in the query section. Must be a subset of the existing groups.
hasExtendedTitle
\nboolean
Whether the notifications include the triggering group-by values in their title.
id
\nstring
The ID of the rule.
isDefault
\nboolean
Whether the rule is included by default.
isDeleted
\nboolean
Whether the rule has been deleted.
isEnabled
\nboolean
Whether the rule is enabled.
message
\nstring
Message for generated signals.
name
\nstring
The name of the rule.
options
\nobject
Options.
complianceRuleOptions
\nobject
Options for cloud_configuration rules.\nFields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.
complexRule
\nboolean
Whether the rule is a complex one.\nMust be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.
regoRule
\nobject
Rule details.
policy [required]
\nstring
The policy written in rego, see: https://www.openpolicyagent.org/docs/latest/policy-language/
resourceTypes [required]
\n[string]
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
\nstring
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.
decreaseCriticalityBasedOnEnv
\nboolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.\nThe severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO.\nThe decrement is applied when the environment tag of the signal starts with staging, test or dev.
detectionMethod
\nenum
The detection method. \nAllowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
hardcodedEvaluatorType
\nenum
Hardcoded evaluator type. \nAllowed enum values: log4shell
impossibleTravelOptions
\nobject
Options on impossible travel detection method.
baselineUserLocations
\nboolean
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular\naccess locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
\nenum
Once a signal is generated, the signal will remain "open" if a case is matched at least once within\nthis keep alive window. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
maxSignalDuration
\nenum
A signal will "close" regardless of the query being matched once the time exceeds the maximum duration.\nThis time is calculated from the first seen timestamp. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
\nobject
Options on new value detection method.
forgetAfter
\nenum
The duration in days after which a learned value is forgotten. \nAllowed enum values: 1,2,7,14,21,28
learningDuration
\nenum
The duration in days during which values are learned, and after which signals will be generated for values that\nweren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. \nAllowed enum values: 0,1,7
learningMethod
\nenum
The learning method used to determine when signals should be generated for values that weren't learned. \nAllowed enum values: duration,threshold
default: duration
learningThreshold
\nenum
A number of occurrences after which signals will be generated for values that weren't learned. \nAllowed enum values: 0,1
sequenceDetectionOptions
\nobject
Options on sequence detection method.
stepTransitions
\n[object]
Transitions defining the allowed order of steps and their evaluation windows.
child
\nstring
Name of the child step.
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
parent
\nstring
Name of the parent step.
steps
\n[object]
Steps that define the conditions to be matched in sequence.
condition
\nstring
Condition referencing rule queries (e.g., a > 0).
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
name
\nstring
Unique name identifying the step.
thirdPartyRuleOptions
\nobject
Options on third party detection method.
defaultNotifications
\n[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
rootQueries
\n[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
\n[string]
Fields to group by.
query
\nstring
Query to run on logs.
signalTitleTemplate
\nstring
A template for the signal title; if omitted, the title is generated based on the case name.
queries
\n[object]
Queries for selecting logs which are part of the rule.
aggregation
\nenum
The aggregation type. \nAllowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
customQueryExtension
\nstring
Query extension to append to the logs query.
dataSource
\nenum
Source of events, either logs, audit trail, or Datadog events. \nAllowed enum values: logs,audit,app_sec_spans,spans,security_runtime,network,events
default: logs
distinctFields
\n[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
\n[string]
Fields to group by.
hasOptionalGroupByFields
\nboolean
When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with N/A, replacing the missing values.
index
\nstring
This field is currently unstable and might be removed in a minor version upgrade.\nThe index to run the query on, if the dataSource is logs. Only used for scheduled rules - in other words, when the schedulingOptions field is present in the rule payload.
metric
\nstring
DEPRECATED: (Deprecated) The target field to aggregate over when using the sum or max\naggregations. metrics field should be used instead.
metrics
\n[string]
Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.
name
\nstring
Name of the query.
query
\nstring
Query to run on logs.
referenceTables
\n[object]
Reference tables for the rule.
checkPresence
\nboolean
Whether to include or exclude the matched values.
columnName
\nstring
The name of the column in the reference table.
logFieldPath
\nstring
The field in the log to match against the reference table.
ruleQueryName
\nstring
The name of the query to apply the reference table to.
tableName
\nstring
The name of the reference table.
schedulingOptions
\nobject
Options for scheduled rules. When this field is present, the rule runs based on the schedule. When absent, it runs real-time on ingested logs.
rrule
\nstring
Schedule for the rule queries, written in RRULE syntax. See RFC for syntax reference.
start
\nstring
Start date for the schedule, in ISO 8601 format without timezone.
tags
\n[string]
Tags for generated signals.
thirdPartyCases
\n[object]
Cases for generating signals from third-party rules. Only available for third-party rules.
customStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets for each rule case.
query
\nstring
A query to map a third party event to this case.
status
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
type
\nenum
The rule type. \nAllowed enum values: log_detection,infrastructure_configuration,workload_security,cloud_configuration,application_security,api_security
updateAuthorId
\nint64
User ID of the user who updated the rule.
updatedAt
\nint64
The date the rule was last updated, in milliseconds.
version
\nint64
The version of the rule.
Option 2
\nobject
Rule.
cases
\n[object]
Cases for generating signals.
actions
\n[object]
Action to perform for each rule case.
options
\nobject
Options for the rule action
duration
\nint64
Duration of the action in seconds. 0 indicates no expiration.
flaggedIPType
\nenum
Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. \nAllowed enum values: SUSPICIOUS,FLAGGED
userBehaviorName
\nstring
Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.
type
\nenum
The action type. \nAllowed enum values: block_ip,block_user,user_behavior,flag_ip
condition
\nstring
A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated\nbased on the event counts in the previously defined queries.
customStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets for each rule case.
status
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
createdAt
\nint64
When the rule was created, timestamp in milliseconds.
creationAuthorId
\nint64
User ID of the user who created the rule.
customMessage
\nstring
Custom/Overridden message for generated signals (used in case of Default rule update).
customName
\nstring
Custom/Overridden name of the rule (used in case of Default rule update).
deprecationDate
\nint64
When the rule will be deprecated, timestamp in milliseconds.
filters
\n[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
\nenum
The type of filtering action. \nAllowed enum values: require,suppress
query
\nstring
Query for selecting logs to apply the filtering action.
hasExtendedTitle
\nboolean
Whether the notifications include the triggering group-by values in their title.
id
\nstring
The ID of the rule.
isDefault
\nboolean
Whether the rule is included by default.
isDeleted
\nboolean
Whether the rule has been deleted.
isEnabled
\nboolean
Whether the rule is enabled.
message
\nstring
Message for generated signals.
name
\nstring
The name of the rule.
options
\nobject
Options.
complianceRuleOptions
\nobject
Options for cloud_configuration rules.\nFields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.
complexRule
\nboolean
Whether the rule is a complex one.\nMust be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.
regoRule
\nobject
Rule details.
policy [required]
\nstring
The policy written in rego, see: https://www.openpolicyagent.org/docs/latest/policy-language/
resourceTypes [required]
\n[string]
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
\nstring
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.
decreaseCriticalityBasedOnEnv
\nboolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.\nThe severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO.\nThe decrement is applied when the environment tag of the signal starts with staging, test or dev.
detectionMethod
\nenum
The detection method. \nAllowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
hardcodedEvaluatorType
\nenum
Hardcoded evaluator type. \nAllowed enum values: log4shell
impossibleTravelOptions
\nobject
Options on impossible travel detection method.
baselineUserLocations
\nboolean
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular\naccess locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
\nenum
Once a signal is generated, the signal will remain "open" if a case is matched at least once within\nthis keep alive window. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
maxSignalDuration
\nenum
A signal will "close" regardless of the query being matched once the time exceeds the maximum duration.\nThis time is calculated from the first seen timestamp. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
\nobject
Options on new value detection method.
forgetAfter
\nenum
The duration in days after which a learned value is forgotten. \nAllowed enum values: 1,2,7,14,21,28
learningDuration
\nenum
The duration in days during which values are learned, and after which signals will be generated for values that\nweren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. \nAllowed enum values: 0,1,7
learningMethod
\nenum
The learning method used to determine when signals should be generated for values that weren't learned. \nAllowed enum values: duration,threshold
default: duration
learningThreshold
\nenum
A number of occurrences after which signals will be generated for values that weren't learned. \nAllowed enum values: 0,1
sequenceDetectionOptions
\nobject
Options on sequence detection method.
stepTransitions
\n[object]
Transitions defining the allowed order of steps and their evaluation windows.
child
\nstring
Name of the child step.
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
parent
\nstring
Name of the parent step.
steps
\n[object]
Steps that define the conditions to be matched in sequence.
condition
\nstring
Condition referencing rule queries (e.g., a > 0).
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
name
\nstring
Unique name identifying the step.
thirdPartyRuleOptions
\nobject
Options on third party detection method.
defaultNotifications
\n[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
rootQueries
\n[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
\n[string]
Fields to group by.
query
\nstring
Query to run on logs.
signalTitleTemplate
\nstring
A template for the signal title; if omitted, the title is generated based on the case name.
queries
\n[object]
Queries for selecting logs which are part of the rule.
aggregation
\nenum
The aggregation type. \nAllowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
correlatedByFields
\n[string]
Fields to correlate by.
correlatedQueryIndex
\nint32
Index of the rule query used to retrieve the correlated field.
defaultRuleId
\nstring
Default Rule ID to match on signals.
distinctFields
\n[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
\n[string]
Fields to group by.
metrics
\n[string]
Group of target fields to aggregate over.
name
\nstring
Name of the query.
ruleId
\nstring
Rule ID to match on signals.
tags
\n[string]
Tags for generated signals.
type
\nenum
The rule type. \nAllowed enum values: signal_correlation
updateAuthorId
\nint64
User ID of the user who updated the rule.
version
\nint64
The version of the rule.
id
\nstring
ID of the rule.
type
\nenum
Type of data. \nAllowed enum values: GetRuleVersionHistoryResponse
data
\nobject
Data for the rule version history.
attributes
\nobject
Response object containing the version history of a rule.
count
\nint32
The number of rule versions.
data
\nobject
The RuleVersionHistory data.
<any-key>
\nobject
A rule version with a list of updates.
changes
\n[object]
A list of changes.
change
\nstring
The new value of the field.
field
\nstring
The field that was changed.
type
\nenum
The type of change. \nAllowed enum values: create,update,delete
rule
\n<oneOf>
Create a new rule.
Option 1
\nobject
Rule.
calculatedFields
\n[object]
Calculated fields. Only allowed for scheduled rules - in other words, when schedulingOptions is also defined.
expression [required]
\nstring
Expression.
name [required]
\nstring
Field name.
cases
\n[object]
Cases for generating signals.
actions
\n[object]
Action to perform for each rule case.
options
\nobject
Options for the rule action
duration
\nint64
Duration of the action in seconds. 0 indicates no expiration.
flaggedIPType
\nenum
Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. \nAllowed enum values: SUSPICIOUS,FLAGGED
userBehaviorName
\nstring
Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.
type
\nenum
The action type. \nAllowed enum values: block_ip,block_user,user_behavior,flag_ip
condition
\nstring
A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated\nbased on the event counts in the previously defined queries.
customStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets for each rule case.
status
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
complianceSignalOptions
\nobject
How to generate compliance signals. Useful for cloud_configuration rules only.
defaultActivationStatus
\nboolean
The default activation status.
defaultGroupByFields
\n[string]
The default group by fields.
userActivationStatus
\nboolean
Whether signals will be sent.
userGroupByFields
\n[string]
Fields to use to group findings by when sending signals.
createdAt
\nint64
When the rule was created, timestamp in milliseconds.
creationAuthorId
\nint64
User ID of the user who created the rule.
customMessage
\nstring
Custom/Overridden message for generated signals (used in case of Default rule update).
customName
\nstring
Custom/Overridden name of the rule (used in case of Default rule update).
defaultTags
\n[string]
Default Tags for default rules (included in tags)
deprecationDate
\nint64
When the rule will be deprecated, timestamp in milliseconds.
filters
\n[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
\nenum
The type of filtering action. \nAllowed enum values: require,suppress
query
\nstring
Query for selecting logs to apply the filtering action.
groupSignalsBy
\n[string]
Additional grouping to perform on top of the existing groups in the query section. Must be a subset of the existing groups.
hasExtendedTitle
\nboolean
Whether the notifications include the triggering group-by values in their title.
id
\nstring
The ID of the rule.
isDefault
\nboolean
Whether the rule is included by default.
isDeleted
\nboolean
Whether the rule has been deleted.
isEnabled
\nboolean
Whether the rule is enabled.
message
\nstring
Message for generated signals.
name
\nstring
The name of the rule.
options
\nobject
Options.
complianceRuleOptions
\nobject
Options for cloud_configuration rules.\nFields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.
complexRule
\nboolean
Whether the rule is a complex one.\nMust be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.
regoRule
\nobject
Rule details.
policy [required]
\nstring
The policy written in rego, see: https://www.openpolicyagent.org/docs/latest/policy-language/
resourceTypes [required]
\n[string]
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
\nstring
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.
decreaseCriticalityBasedOnEnv
\nboolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.\nThe severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO.\nThe decrement is applied when the environment tag of the signal starts with staging, test or dev.
detectionMethod
\nenum
The detection method. \nAllowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
hardcodedEvaluatorType
\nenum
Hardcoded evaluator type. \nAllowed enum values: log4shell
impossibleTravelOptions
\nobject
Options on impossible travel detection method.
baselineUserLocations
\nboolean
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular\naccess locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
\nenum
Once a signal is generated, the signal will remain "open" if a case is matched at least once within\nthis keep alive window. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
maxSignalDuration
\nenum
A signal will "close" regardless of the query being matched once the time exceeds the maximum duration.\nThis time is calculated from the first seen timestamp. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
\nobject
Options on new value detection method.
forgetAfter
\nenum
The duration in days after which a learned value is forgotten. \nAllowed enum values: 1,2,7,14,21,28
learningDuration
\nenum
The duration in days during which values are learned, and after which signals will be generated for values that\nweren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. \nAllowed enum values: 0,1,7
learningMethod
\nenum
The learning method used to determine when signals should be generated for values that weren't learned. \nAllowed enum values: duration,threshold
default: duration
learningThreshold
\nenum
A number of occurrences after which signals will be generated for values that weren't learned. \nAllowed enum values: 0,1
sequenceDetectionOptions
\nobject
Options on sequence detection method.
stepTransitions
\n[object]
Transitions defining the allowed order of steps and their evaluation windows.
child
\nstring
Name of the child step.
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
parent
\nstring
Name of the parent step.
steps
\n[object]
Steps that define the conditions to be matched in sequence.
condition
\nstring
Condition referencing rule queries (e.g., a > 0).
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
name
\nstring
Unique name identifying the step.
thirdPartyRuleOptions
\nobject
Options on third party detection method.
defaultNotifications
\n[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
rootQueries
\n[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
\n[string]
Fields to group by.
query
\nstring
Query to run on logs.
signalTitleTemplate
\nstring
A template for the signal title; if omitted, the title is generated based on the case name.
queries
\n[object]
Queries for selecting logs which are part of the rule.
aggregation
\nenum
The aggregation type. \nAllowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
customQueryExtension
\nstring
Query extension to append to the logs query.
dataSource
\nenum
Source of events, either logs, audit trail, or Datadog events. \nAllowed enum values: logs,audit,app_sec_spans,spans,security_runtime,network,events
default: logs
distinctFields
\n[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
\n[string]
Fields to group by.
hasOptionalGroupByFields
\nboolean
When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with N/A, replacing the missing values.
index
\nstring
This field is currently unstable and might be removed in a minor version upgrade.\nThe index to run the query on, if the dataSource is logs. Only used for scheduled rules - in other words, when the schedulingOptions field is present in the rule payload.
indexes
\n[string]
List of indexes to query when the dataSource is logs. Only used for scheduled rules, such as when the schedulingOptions field is present in the rule payload.
metric
\nstring
DEPRECATED: (Deprecated) The target field to aggregate over when using the sum or max\naggregations. metrics field should be used instead.
metrics
\n[string]
Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.
name
\nstring
Name of the query.
query
\nstring
Query to run on logs.
referenceTables
\n[object]
Reference tables for the rule.
checkPresence
\nboolean
Whether to include or exclude the matched values.
columnName
\nstring
The name of the column in the reference table.
logFieldPath
\nstring
The field in the log to match against the reference table.
ruleQueryName
\nstring
The name of the query to apply the reference table to.
tableName
\nstring
The name of the reference table.
schedulingOptions
\nobject
Options for scheduled rules. When this field is present, the rule runs based on the schedule. When absent, it runs real-time on ingested logs.
rrule
\nstring
Schedule for the rule queries, written in RRULE syntax. See RFC for syntax reference.
start
\nstring
Start date for the schedule, in ISO 8601 format without timezone.
tags
\n[string]
Tags for generated signals.
thirdPartyCases
\n[object]
Cases for generating signals from third-party rules. Only available for third-party rules.
customStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets for each rule case.
query
\nstring
A query to map a third party event to this case.
status
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
type
\nenum
The rule type. \nAllowed enum values: log_detection,infrastructure_configuration,workload_security,cloud_configuration,application_security,api_security
updateAuthorId
\nint64
User ID of the user who updated the rule.
updatedAt
\nint64
The date the rule was last updated, in milliseconds.
version
\nint64
The version of the rule.
Option 2
\nobject
Rule.
cases
\n[object]
Cases for generating signals.
actions
\n[object]
Action to perform for each rule case.
options
\nobject
Options for the rule action
duration
\nint64
Duration of the action in seconds. 0 indicates no expiration.
flaggedIPType
\nenum
Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. \nAllowed enum values: SUSPICIOUS,FLAGGED
userBehaviorName
\nstring
Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.
type
\nenum
The action type. \nAllowed enum values: block_ip,block_user,user_behavior,flag_ip
condition
\nstring
A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated\nbased on the event counts in the previously defined queries.
customStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets for each rule case.
status
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
createdAt
\nint64
When the rule was created, timestamp in milliseconds.
creationAuthorId
\nint64
User ID of the user who created the rule.
customMessage
\nstring
Custom/Overridden message for generated signals (used in case of Default rule update).
customName
\nstring
Custom/Overridden name of the rule (used in case of Default rule update).
deprecationDate
\nint64
When the rule will be deprecated, timestamp in milliseconds.
filters
\n[object]
Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
action
\nenum
The type of filtering action. \nAllowed enum values: require,suppress
query
\nstring
Query for selecting logs to apply the filtering action.
hasExtendedTitle
\nboolean
Whether the notifications include the triggering group-by values in their title.
id
\nstring
The ID of the rule.
isDefault
\nboolean
Whether the rule is included by default.
isDeleted
\nboolean
Whether the rule has been deleted.
isEnabled
\nboolean
Whether the rule is enabled.
message
\nstring
Message for generated signals.
name
\nstring
The name of the rule.
options
\nobject
Options.
complianceRuleOptions
\nobject
Options for cloud_configuration rules.\nFields resourceType and regoRule are mandatory when managing custom cloud_configuration rules.
complexRule
\nboolean
Whether the rule is a complex one.\nMust be set to true if regoRule.resourceTypes contains more than one item. Defaults to false.
regoRule
\nobject
Rule details.
policy [required]
\nstring
The policy written in rego, see: https://www.openpolicyagent.org/docs/latest/policy-language/
resourceTypes [required]
\n[string]
List of resource types that will be evaluated upon. Must have at least one element.
resourceType
\nstring
Main resource type to be checked by the rule. It should be specified again in regoRule.resourceTypes.
decreaseCriticalityBasedOnEnv
\nboolean
If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.\nThe severity is decreased by one level: CRITICAL in production becomes HIGH in non-production, HIGH becomes MEDIUM and so on. INFO remains INFO.\nThe decrement is applied when the environment tag of the signal starts with staging, test or dev.
detectionMethod
\nenum
The detection method. \nAllowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
hardcodedEvaluatorType
\nenum
Hardcoded evaluator type. \nAllowed enum values: log4shell
impossibleTravelOptions
\nobject
Options on impossible travel detection method.
baselineUserLocations
\nboolean
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular\naccess locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
\nenum
Once a signal is generated, the signal will remain "open" if a case is matched at least once within\nthis keep alive window. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
maxSignalDuration
\nenum
A signal will "close" regardless of the query being matched once the time exceeds the maximum duration.\nThis time is calculated from the first seen timestamp. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
\nobject
Options on new value detection method.
forgetAfter
\nenum
The duration in days after which a learned value is forgotten. \nAllowed enum values: 1,2,7,14,21,28
learningDuration
\nenum
The duration in days during which values are learned, and after which signals will be generated for values that\nweren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. \nAllowed enum values: 0,1,7
learningMethod
\nenum
The learning method used to determine when signals should be generated for values that weren't learned. \nAllowed enum values: duration,threshold
default: duration
learningThreshold
\nenum
A number of occurrences after which signals will be generated for values that weren't learned. \nAllowed enum values: 0,1
sequenceDetectionOptions
\nobject
Options on sequence detection method.
stepTransitions
\n[object]
Transitions defining the allowed order of steps and their evaluation windows.
child
\nstring
Name of the child step.
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
parent
\nstring
Name of the parent step.
steps
\n[object]
Steps that define the conditions to be matched in sequence.
condition
\nstring
Condition referencing rule queries (e.g., a > 0).
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
name
\nstring
Unique name identifying the step.
thirdPartyRuleOptions
\nobject
Options on third party detection method.
defaultNotifications
\n[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
rootQueries
\n[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
\n[string]
Fields to group by.
query
\nstring
Query to run on logs.
signalTitleTemplate
\nstring
A template for the signal title; if omitted, the title is generated based on the case name.
queries
\n[object]
Queries for selecting logs which are part of the rule.
aggregation
\nenum
The aggregation type. \nAllowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
correlatedByFields
\n[string]
Fields to correlate by.
correlatedQueryIndex
\nint32
Index of the rule query used to retrieve the correlated field.
defaultRuleId
\nstring
Default Rule ID to match on signals.
distinctFields
\n[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
\n[string]
Fields to group by.
metrics
\n[string]
Group of target fields to aggregate over.
name
\nstring
Name of the query.
ruleId
\nstring
Rule ID to match on signals.
tags
\n[string]
Tags for generated signals.
type
\nenum
The rule type. \nAllowed enum values: signal_correlation
updateAuthorId
\nint64
User ID of the user who updated the rule.
version
\nint64
The version of the rule.
id
\nstring
ID of the rule.
type
\nenum
Type of data. \nAllowed enum values: GetRuleVersionHistoryResponse