diff --git a/.apigentools-info b/.apigentools-info index c6d1d604a66..02fa746e782 100644 --- a/.apigentools-info +++ b/.apigentools-info @@ -4,13 +4,13 @@ "spec_versions": { "v1": { "apigentools_version": "1.6.6", - "regenerated": "2025-02-10 19:09:26.701430", - "spec_repo_commit": "824f78a1" + "regenerated": "2025-02-11 09:59:41.165078", + "spec_repo_commit": "b980d49f" }, "v2": { "apigentools_version": "1.6.6", - "regenerated": "2025-02-10 19:09:26.716618", - "spec_repo_commit": "824f78a1" + "regenerated": "2025-02-11 09:59:41.182412", + "spec_repo_commit": "b980d49f" } } } \ No newline at end of file diff --git a/.generator/schemas/v2/openapi.yaml b/.generator/schemas/v2/openapi.yaml index 1cb9d8453bb..b0adf622a07 100644 --- a/.generator/schemas/v2/openapi.yaml +++ b/.generator/schemas/v2/openapi.yaml @@ -15657,6 +15657,15 @@ components: example: 1729843470000 format: int64 type: integer + groupSignalsBy: + description: Additional grouping to perform on top of the existing groups + in the query section. Must be a subset of the existing groups. + example: + - service + items: + description: Field to group by. + type: string + type: array index: description: Index used to load the data. example: cloud_siem @@ -24242,6 +24251,11 @@ components: SecurityMonitoringRuleCase: description: Case when signal is generated. properties: + actions: + description: Action to perform for each rule case. + items: + $ref: '#/components/schemas/SecurityMonitoringRuleCaseAction' + type: array condition: description: 'A rule case contains logical operations (`>`,`>=`, `&&`, `||`) to determine if a signal should be generated 
@@ -24260,9 +24274,42 @@ components: status: $ref: '#/components/schemas/SecurityMonitoringRuleSeverity' type: object + SecurityMonitoringRuleCaseAction: + description: Action to perform when a signal is triggered. Only available for + Application Security rule type. + properties: + options: + $ref: '#/components/schemas/SecurityMonitoringRuleCaseActionOptions' + type: + $ref: '#/components/schemas/SecurityMonitoringRuleCaseActionType' + type: object + SecurityMonitoringRuleCaseActionOptions: + description: Options for the rule action + properties: + duration: + description: Duration of the action in seconds. 0 indicates no expiration. + example: 0 + format: int64 + minimum: 0 + type: integer + type: object + SecurityMonitoringRuleCaseActionType: + description: The action type. + enum: + - block_ip + - block_user + type: string + x-enum-varnames: + - BLOCK_IP + - BLOCK_USER SecurityMonitoringRuleCaseCreate: description: Case when signal is generated. properties: + actions: + description: Action to perform for each rule case. + items: + $ref: '#/components/schemas/SecurityMonitoringRuleCaseAction' + type: array condition: description: 'A case contains logical operations (`>`,`>=`, `&&`, `||`) to determine if a signal should be generated @@ -24724,6 +24771,15 @@ components: items: $ref: '#/components/schemas/SecurityMonitoringFilter' type: array + groupSignalsBy: + description: Additional grouping to perform on top of the existing groups + in the query section. Must be a subset of the existing groups. + example: + - service + items: + description: Field to group by. + type: string + type: array hasExtendedTitle: description: Whether the notifications include the triggering group-by values in their title. 
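Review bot: `SecurityMonitoringRuleCaseActionOptions.duration` states that 0 means no expiration but not what applies when `options` or `duration` is omitted from a `block_ip`/`block_user` action, so a reader cannot tell whether an action without options is time-bounded or permanent, and the generated Go field comment inherits the same gap. I would extend the description to `Duration of the action in seconds. 0 indicates no expiration. When omitted, <default behaviour — to be confirmed by the API owners> applies.` with the placeholder filled in. `SecurityMonitoringRuleCaseAction` is described as only available for the Application Security rule type, yet `actions` is added to the shared `SecurityMonitoringRuleCase` and `SecurityMonitoringRuleCaseCreate` schemas used by every rule type; the description should say how the API treats `actions` on other rule types (rejected or ignored).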
@@ -25429,6 +25485,15 @@ components: items: $ref: '#/components/schemas/SecurityMonitoringFilter' type: array + groupSignalsBy: + description: Additional grouping to perform on top of the existing groups + in the query section. Must be a subset of the existing groups. + example: + - service + items: + description: Field to group by. + type: string + type: array hasExtendedTitle: description: Whether the notifications include the triggering group-by values in their title. @@ -25501,6 +25566,15 @@ components: items: $ref: '#/components/schemas/SecurityMonitoringFilter' type: array + groupSignalsBy: + description: Additional grouping to perform on top of the existing groups + in the query section. Must be a subset of the existing groups. + example: + - service + items: + description: Field to group by. + type: string + type: array hasExtendedTitle: description: Whether the notifications include the triggering group-by values in their title. @@ -25642,6 +25716,15 @@ components: items: $ref: '#/components/schemas/SecurityMonitoringFilter' type: array + groupSignalsBy: + description: Additional grouping to perform on top of the existing groups + in the query section. Must be a subset of the existing groups. + example: + - service + items: + description: Field to group by. + type: string + type: array hasExtendedTitle: description: Whether the notifications include the triggering group-by values in their title. @@ -25719,6 +25802,15 @@ components: items: $ref: '#/components/schemas/SecurityMonitoringFilter' type: array + groupSignalsBy: + description: Additional grouping to perform on top of the existing groups + in the query section. Must be a subset of the existing groups. + example: + - service + items: + description: Field to group by. + type: string + type: array hasExtendedTitle: description: Whether the notifications include the triggering group-by values in their title. 
diff --git a/api/datadogV2/model_job_definition.go b/api/datadogV2/model_job_definition.go index a4167132386..70428bfa83e 100644 --- a/api/datadogV2/model_job_definition.go +++ b/api/datadogV2/model_job_definition.go @@ -18,6 +18,8 @@ type JobDefinition struct { Cases []SecurityMonitoringRuleCaseCreate `json:"cases"` // Starting time of data analyzed by the job. From int64 `json:"from"` + // Additional grouping to perform on top of the existing groups in the query section. Must be a subset of the existing groups. + GroupSignalsBy []string `json:"groupSignalsBy,omitempty"` // Index used to load the data. Index string `json:"index"` // Message for generated results. @@ -141,6 +143,34 @@ func (o *JobDefinition) SetFrom(v int64) { o.From = v } +// GetGroupSignalsBy returns the GroupSignalsBy field value if set, zero value otherwise. +func (o *JobDefinition) GetGroupSignalsBy() []string { + if o == nil || o.GroupSignalsBy == nil { + var ret []string + return ret + } + return o.GroupSignalsBy +} + +// GetGroupSignalsByOk returns a tuple with the GroupSignalsBy field value if set, nil otherwise +// and a boolean to check if the value has been set. +func (o *JobDefinition) GetGroupSignalsByOk() (*[]string, bool) { + if o == nil || o.GroupSignalsBy == nil { + return nil, false + } + return &o.GroupSignalsBy, true +} + +// HasGroupSignalsBy returns a boolean if a field has been set. +func (o *JobDefinition) HasGroupSignalsBy() bool { + return o != nil && o.GroupSignalsBy != nil +} + +// SetGroupSignalsBy gets a reference to the given []string and assigns it to the GroupSignalsBy field. +func (o *JobDefinition) SetGroupSignalsBy(v []string) { + o.GroupSignalsBy = v +} + // GetIndex returns the Index field value. func (o *JobDefinition) GetIndex() string { if o == nil { 
@@ -407,6 +437,9 @@ func (o JobDefinition) MarshalJSON() ([]byte, error) { } toSerialize["cases"] = o.Cases toSerialize["from"] = o.From + if o.GroupSignalsBy != nil { + toSerialize["groupSignalsBy"] = o.GroupSignalsBy + } toSerialize["index"] = o.Index toSerialize["message"] = o.Message toSerialize["name"] = o.Name @@ -440,6 +473,7 @@ func (o *JobDefinition) UnmarshalJSON(bytes []byte) (err error) { CalculatedFields []CalculatedField `json:"calculatedFields,omitempty"` Cases *[]SecurityMonitoringRuleCaseCreate `json:"cases"` From *int64 `json:"from"` + GroupSignalsBy []string `json:"groupSignalsBy,omitempty"` Index *string `json:"index"` Message *string `json:"message"` Name *string `json:"name"` @@ -477,7 +511,7 @@ func (o *JobDefinition) UnmarshalJSON(bytes []byte) (err error) { } additionalProperties := make(map[string]interface{}) if err = datadog.Unmarshal(bytes, &additionalProperties); err == nil { - datadog.DeleteKeys(additionalProperties, &[]string{"calculatedFields", "cases", "from", "index", "message", "name", "options", "queries", "referenceTables", "tags", "thirdPartyCases", "to", "type"}) + datadog.DeleteKeys(additionalProperties, &[]string{"calculatedFields", "cases", "from", "groupSignalsBy", "index", "message", "name", "options", "queries", "referenceTables", "tags", "thirdPartyCases", "to", "type"}) } else { return err } @@ -486,6 +520,7 @@ func (o *JobDefinition) UnmarshalJSON(bytes []byte) (err error) { o.CalculatedFields = all.CalculatedFields o.Cases = *all.Cases o.From = *all.From + o.GroupSignalsBy = all.GroupSignalsBy o.Index = *all.Index o.Message = *all.Message o.Name = *all.Name diff --git a/api/datadogV2/model_security_monitoring_rule_case.go b/api/datadogV2/model_security_monitoring_rule_case.go index 31ee4a05f59..c50ec4cfa70 100644 --- a/api/datadogV2/model_security_monitoring_rule_case.go +++ b/api/datadogV2/model_security_monitoring_rule_case.go 
@@ -10,6 +10,8 @@ import ( // SecurityMonitoringRuleCase Case when signal is generated. type SecurityMonitoringRuleCase struct { + // Action to perform for each rule case. + Actions []SecurityMonitoringRuleCaseAction `json:"actions,omitempty"` // A rule case contains logical operations (`>`,`>=`, `&&`, `||`) to determine if a signal should be generated // based on the event counts in the previously defined queries. Condition *string `json:"condition,omitempty"` @@ -41,6 +43,34 @@ func NewSecurityMonitoringRuleCaseWithDefaults() *SecurityMonitoringRuleCase { return &this } +// GetActions returns the Actions field value if set, zero value otherwise. +func (o *SecurityMonitoringRuleCase) GetActions() []SecurityMonitoringRuleCaseAction { + if o == nil || o.Actions == nil { + var ret []SecurityMonitoringRuleCaseAction + return ret + } + return o.Actions +} + +// GetActionsOk returns a tuple with the Actions field value if set, nil otherwise +// and a boolean to check if the value has been set. +func (o *SecurityMonitoringRuleCase) GetActionsOk() (*[]SecurityMonitoringRuleCaseAction, bool) { + if o == nil || o.Actions == nil { + return nil, false + } + return &o.Actions, true +} + +// HasActions returns a boolean if a field has been set. +func (o *SecurityMonitoringRuleCase) HasActions() bool { + return o != nil && o.Actions != nil +} + +// SetActions gets a reference to the given []SecurityMonitoringRuleCaseAction and assigns it to the Actions field. +func (o *SecurityMonitoringRuleCase) SetActions(v []SecurityMonitoringRuleCaseAction) { + o.Actions = v +} + // GetCondition returns the Condition field value if set, zero value otherwise. func (o *SecurityMonitoringRuleCase) GetCondition() string { if o == nil || o.Condition == nil { 
@@ -159,6 +189,9 @@ func (o SecurityMonitoringRuleCase) MarshalJSON() ([]byte, error) { if o.UnparsedObject != nil { return datadog.Marshal(o.UnparsedObject) } + if o.Actions != nil { + toSerialize["actions"] = o.Actions + } if o.Condition != nil { toSerialize["condition"] = o.Condition } @@ -181,22 +214,24 @@ func (o SecurityMonitoringRuleCase) MarshalJSON() ([]byte, error) { // UnmarshalJSON deserializes the given payload. func (o *SecurityMonitoringRuleCase) UnmarshalJSON(bytes []byte) (err error) { all := struct { - Condition *string `json:"condition,omitempty"` - Name *string `json:"name,omitempty"` - Notifications []string `json:"notifications,omitempty"` - Status *SecurityMonitoringRuleSeverity `json:"status,omitempty"` + Actions []SecurityMonitoringRuleCaseAction `json:"actions,omitempty"` + Condition *string `json:"condition,omitempty"` + Name *string `json:"name,omitempty"` + Notifications []string `json:"notifications,omitempty"` + Status *SecurityMonitoringRuleSeverity `json:"status,omitempty"` }{} if err = datadog.Unmarshal(bytes, &all); err != nil { return datadog.Unmarshal(bytes, &o.UnparsedObject) } additionalProperties := make(map[string]interface{}) if err = datadog.Unmarshal(bytes, &additionalProperties); err == nil { - datadog.DeleteKeys(additionalProperties, &[]string{"condition", "name", "notifications", "status"}) + datadog.DeleteKeys(additionalProperties, &[]string{"actions", "condition", "name", "notifications", "status"}) } else { return err } hasInvalidField := false + o.Actions = all.Actions o.Condition = all.Condition o.Name = all.Name o.Notifications = all.Notifications diff --git a/api/datadogV2/model_security_monitoring_rule_case_action.go b/api/datadogV2/model_security_monitoring_rule_case_action.go new file mode 100644 index 00000000000..8f4b65f1f13 --- /dev/null +++ b/api/datadogV2/model_security_monitoring_rule_case_action.go 
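Review bot: `o.Actions = all.Actions` in `UnmarshalJSON` copies the slice without looking at each element's `UnparsedObject`, unlike the nested `Options` check in `SecurityMonitoringRuleCaseAction.UnmarshalJSON`, so a case containing one malformed action is reported as parsed while that element carries only its raw map; the same applies to `SecurityMonitoringRuleCaseCreate.UnmarshalJSON` in the last hunk of model_security_monitoring_rule_case_create.go. This appears to be how the generator treats every slice-of-struct field, so I would not change the code here, but the `Actions` field comment could say `// Action to perform for each rule case. Elements that fail to deserialize are kept with only UnparsedObject set.` The rest of `UnmarshalJSON` continues outside the hunk.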
@@ -0,0 +1,150 @@ +// Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. +// This product includes software developed at Datadog (https://www.datadoghq.com/). +// Copyright 2019-Present Datadog, Inc. + +package datadogV2 + +import ( + "github.com/DataDog/datadog-api-client-go/v2/api/datadog" +) + +// SecurityMonitoringRuleCaseAction Action to perform when a signal is triggered. Only available for Application Security rule type. +type SecurityMonitoringRuleCaseAction struct { + // Options for the rule action + Options *SecurityMonitoringRuleCaseActionOptions `json:"options,omitempty"` + // The action type. + Type *SecurityMonitoringRuleCaseActionType `json:"type,omitempty"` + // UnparsedObject contains the raw value of the object if there was an error when deserializing into the struct + UnparsedObject map[string]interface{} `json:"-"` + AdditionalProperties map[string]interface{} `json:"-"` +} + +// NewSecurityMonitoringRuleCaseAction instantiates a new SecurityMonitoringRuleCaseAction object. +// This constructor will assign default values to properties that have it defined, +// and makes sure properties required by API are set, but the set of arguments +// will change when the set of required properties is changed. +func NewSecurityMonitoringRuleCaseAction() *SecurityMonitoringRuleCaseAction { + this := SecurityMonitoringRuleCaseAction{} + return &this +} + +// NewSecurityMonitoringRuleCaseActionWithDefaults instantiates a new SecurityMonitoringRuleCaseAction object. +// This constructor will only assign default values to properties that have it defined, +// but it doesn't guarantee that properties required by API are set. +func NewSecurityMonitoringRuleCaseActionWithDefaults() *SecurityMonitoringRuleCaseAction { + this := SecurityMonitoringRuleCaseAction{} + return &this +} + +// GetOptions returns the Options field value if set, zero value otherwise. 
+func (o *SecurityMonitoringRuleCaseAction) GetOptions() SecurityMonitoringRuleCaseActionOptions { + if o == nil || o.Options == nil { + var ret SecurityMonitoringRuleCaseActionOptions + return ret + } + return *o.Options +} + +// GetOptionsOk returns a tuple with the Options field value if set, nil otherwise +// and a boolean to check if the value has been set. +func (o *SecurityMonitoringRuleCaseAction) GetOptionsOk() (*SecurityMonitoringRuleCaseActionOptions, bool) { + if o == nil || o.Options == nil { + return nil, false + } + return o.Options, true +} + +// HasOptions returns a boolean if a field has been set. +func (o *SecurityMonitoringRuleCaseAction) HasOptions() bool { + return o != nil && o.Options != nil +} + +// SetOptions gets a reference to the given SecurityMonitoringRuleCaseActionOptions and assigns it to the Options field. +func (o *SecurityMonitoringRuleCaseAction) SetOptions(v SecurityMonitoringRuleCaseActionOptions) { + o.Options = &v +} + +// GetType returns the Type field value if set, zero value otherwise. +func (o *SecurityMonitoringRuleCaseAction) GetType() SecurityMonitoringRuleCaseActionType { + if o == nil || o.Type == nil { + var ret SecurityMonitoringRuleCaseActionType + return ret + } + return *o.Type +} + +// GetTypeOk returns a tuple with the Type field value if set, nil otherwise +// and a boolean to check if the value has been set. +func (o *SecurityMonitoringRuleCaseAction) GetTypeOk() (*SecurityMonitoringRuleCaseActionType, bool) { + if o == nil || o.Type == nil { + return nil, false + } + return o.Type, true +} + +// HasType returns a boolean if a field has been set. +func (o *SecurityMonitoringRuleCaseAction) HasType() bool { + return o != nil && o.Type != nil +} + +// SetType gets a reference to the given SecurityMonitoringRuleCaseActionType and assigns it to the Type field. 
+func (o *SecurityMonitoringRuleCaseAction) SetType(v SecurityMonitoringRuleCaseActionType) { + o.Type = &v +} + +// MarshalJSON serializes the struct using spec logic. +func (o SecurityMonitoringRuleCaseAction) MarshalJSON() ([]byte, error) { + toSerialize := map[string]interface{}{} + if o.UnparsedObject != nil { + return datadog.Marshal(o.UnparsedObject) + } + if o.Options != nil { + toSerialize["options"] = o.Options + } + if o.Type != nil { + toSerialize["type"] = o.Type + } + + for key, value := range o.AdditionalProperties { + toSerialize[key] = value + } + return datadog.Marshal(toSerialize) +} + +// UnmarshalJSON deserializes the given payload. +func (o *SecurityMonitoringRuleCaseAction) UnmarshalJSON(bytes []byte) (err error) { + all := struct { + Options *SecurityMonitoringRuleCaseActionOptions `json:"options,omitempty"` + Type *SecurityMonitoringRuleCaseActionType `json:"type,omitempty"` + }{} + if err = datadog.Unmarshal(bytes, &all); err != nil { + return datadog.Unmarshal(bytes, &o.UnparsedObject) + } + additionalProperties := make(map[string]interface{}) + if err = datadog.Unmarshal(bytes, &additionalProperties); err == nil { + datadog.DeleteKeys(additionalProperties, &[]string{"options", "type"}) + } else { + return err + } + + hasInvalidField := false + if all.Options != nil && all.Options.UnparsedObject != nil && o.UnparsedObject == nil { + hasInvalidField = true + } + o.Options = all.Options + if all.Type != nil && !all.Type.IsValid() { + hasInvalidField = true + } else { + o.Type = all.Type + } + + if len(additionalProperties) > 0 { + o.AdditionalProperties = additionalProperties + } + + if hasInvalidField { + return datadog.Unmarshal(bytes, &o.UnparsedObject) + } + + return nil +} diff --git a/api/datadogV2/model_security_monitoring_rule_case_action_options.go b/api/datadogV2/model_security_monitoring_rule_case_action_options.go new file mode 100644 index 00000000000..2a525b9ce40 --- /dev/null 
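Review bot: In `UnmarshalJSON`, an unrecognised `type` sets `hasInvalidField` and re-reads the whole action into `UnparsedObject`, so once the API adds an action type beyond `block_ip`/`block_user`, `HasType()` is false and `GetType()` returns the empty string for that action even though `MarshalJSON` still round-trips the raw object. This appears consistent with how other generated enums in the package are handled, but it is easy to miss for callers that inspect `Actions` to learn what a rule does. I would state it in the method comment: `// UnmarshalJSON deserializes the given payload. An action whose type is not a known SecurityMonitoringRuleCaseActionType is kept only in UnparsedObject; check UnparsedObject before relying on GetType.`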
+++ b/api/datadogV2/model_security_monitoring_rule_case_action_options.go 
@@ -0,0 +1,102 @@ +// Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. +// This product includes software developed at Datadog (https://www.datadoghq.com/). +// Copyright 2019-Present Datadog, Inc. + +package datadogV2 + +import ( + "github.com/DataDog/datadog-api-client-go/v2/api/datadog" +) + +// SecurityMonitoringRuleCaseActionOptions Options for the rule action +type SecurityMonitoringRuleCaseActionOptions struct { + // Duration of the action in seconds. 0 indicates no expiration. + Duration *int64 `json:"duration,omitempty"` + // UnparsedObject contains the raw value of the object if there was an error when deserializing into the struct + UnparsedObject map[string]interface{} `json:"-"` + AdditionalProperties map[string]interface{} `json:"-"` +} + +// NewSecurityMonitoringRuleCaseActionOptions instantiates a new SecurityMonitoringRuleCaseActionOptions object. +// This constructor will assign default values to properties that have it defined, +// and makes sure properties required by API are set, but the set of arguments +// will change when the set of required properties is changed. +func NewSecurityMonitoringRuleCaseActionOptions() *SecurityMonitoringRuleCaseActionOptions { + this := SecurityMonitoringRuleCaseActionOptions{} + return &this +} + +// NewSecurityMonitoringRuleCaseActionOptionsWithDefaults instantiates a new SecurityMonitoringRuleCaseActionOptions object. +// This constructor will only assign default values to properties that have it defined, +// but it doesn't guarantee that properties required by API are set. +func NewSecurityMonitoringRuleCaseActionOptionsWithDefaults() *SecurityMonitoringRuleCaseActionOptions { + this := SecurityMonitoringRuleCaseActionOptions{} + return &this +} + +// GetDuration returns the Duration field value if set, zero value otherwise. 
+func (o *SecurityMonitoringRuleCaseActionOptions) GetDuration() int64 { + if o == nil || o.Duration == nil { + var ret int64 + return ret + } + return *o.Duration +} + +// GetDurationOk returns a tuple with the Duration field value if set, nil otherwise +// and a boolean to check if the value has been set. +func (o *SecurityMonitoringRuleCaseActionOptions) GetDurationOk() (*int64, bool) { + if o == nil || o.Duration == nil { + return nil, false + } + return o.Duration, true +} + +// HasDuration returns a boolean if a field has been set. +func (o *SecurityMonitoringRuleCaseActionOptions) HasDuration() bool { + return o != nil && o.Duration != nil +} + +// SetDuration gets a reference to the given int64 and assigns it to the Duration field. +func (o *SecurityMonitoringRuleCaseActionOptions) SetDuration(v int64) { + o.Duration = &v +} + +// MarshalJSON serializes the struct using spec logic. +func (o SecurityMonitoringRuleCaseActionOptions) MarshalJSON() ([]byte, error) { + toSerialize := map[string]interface{}{} + if o.UnparsedObject != nil { + return datadog.Marshal(o.UnparsedObject) + } + if o.Duration != nil { + toSerialize["duration"] = o.Duration + } + + for key, value := range o.AdditionalProperties { + toSerialize[key] = value + } + return datadog.Marshal(toSerialize) +} + +// UnmarshalJSON deserializes the given payload. +func (o *SecurityMonitoringRuleCaseActionOptions) UnmarshalJSON(bytes []byte) (err error) { + all := struct { + Duration *int64 `json:"duration,omitempty"` + }{} + if err = datadog.Unmarshal(bytes, &all); err != nil { + return datadog.Unmarshal(bytes, &o.UnparsedObject) + } + additionalProperties := make(map[string]interface{}) + if err = datadog.Unmarshal(bytes, &additionalProperties); err == nil { + datadog.DeleteKeys(additionalProperties, &[]string{"duration"}) + } else { + return err + } + o.Duration = all.Duration + + if len(additionalProperties) > 0 { + o.AdditionalProperties = additionalProperties + } + + return nil +} 
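Review bot: The spec's `minimum: 0` on `duration` is not carried into the generated `SecurityMonitoringRuleCaseActionOptions`: `SetDuration` and `UnmarshalJSON` accept any int64, including negatives, and the field comment only says `0 indicates no expiration`. Since this file is generated, the fix belongs in the spec or template rather than here; at minimum the field comment could read `// Duration of the action in seconds. 0 indicates no expiration. Must be >= 0 (spec minimum); not validated client-side.` so callers know the bound is enforced only server-side.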
diff --git a/api/datadogV2/model_security_monitoring_rule_case_action_type.go b/api/datadogV2/model_security_monitoring_rule_case_action_type.go
new file mode 100644
index 00000000000..e8c64c00c8a
--- /dev/null
+++ b/api/datadogV2/model_security_monitoring_rule_case_action_type.go
@@ -0,0 +1,66 @@ +// Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. +// This product includes software developed at Datadog (https://www.datadoghq.com/). +// Copyright 2019-Present Datadog, Inc. + +package datadogV2 + +import ( + "fmt" + + "github.com/DataDog/datadog-api-client-go/v2/api/datadog" +) + +// SecurityMonitoringRuleCaseActionType The action type. +type SecurityMonitoringRuleCaseActionType string + +// List of SecurityMonitoringRuleCaseActionType. +const ( + SECURITYMONITORINGRULECASEACTIONTYPE_BLOCK_IP SecurityMonitoringRuleCaseActionType = "block_ip" + SECURITYMONITORINGRULECASEACTIONTYPE_BLOCK_USER SecurityMonitoringRuleCaseActionType = "block_user" +) + +var allowedSecurityMonitoringRuleCaseActionTypeEnumValues = []SecurityMonitoringRuleCaseActionType{ + SECURITYMONITORINGRULECASEACTIONTYPE_BLOCK_IP, + SECURITYMONITORINGRULECASEACTIONTYPE_BLOCK_USER, +} + +// GetAllowedValues reeturns the list of possible values. +func (v *SecurityMonitoringRuleCaseActionType) GetAllowedValues() []SecurityMonitoringRuleCaseActionType { + return allowedSecurityMonitoringRuleCaseActionTypeEnumValues +} + +// UnmarshalJSON deserializes the given payload. +func (v *SecurityMonitoringRuleCaseActionType) UnmarshalJSON(src []byte) error { + var value string + err := datadog.Unmarshal(src, &value) + if err != nil { + return err + } + *v = SecurityMonitoringRuleCaseActionType(value) + return nil +} + +// NewSecurityMonitoringRuleCaseActionTypeFromValue returns a pointer to a valid SecurityMonitoringRuleCaseActionType +// for the value passed as argument, or an error if the value passed is not allowed by the enum. 
+func NewSecurityMonitoringRuleCaseActionTypeFromValue(v string) (*SecurityMonitoringRuleCaseActionType, error) { + ev := SecurityMonitoringRuleCaseActionType(v) + if ev.IsValid() { + return &ev, nil + } + return nil, fmt.Errorf("invalid value '%v' for SecurityMonitoringRuleCaseActionType: valid values are %v", v, allowedSecurityMonitoringRuleCaseActionTypeEnumValues) +} + +// IsValid return true if the value is valid for the enum, false otherwise. +func (v SecurityMonitoringRuleCaseActionType) IsValid() bool { + for _, existing := range allowedSecurityMonitoringRuleCaseActionTypeEnumValues { + if existing == v { + return true + } + } + return false +} + +// Ptr returns reference to SecurityMonitoringRuleCaseActionType value. +func (v SecurityMonitoringRuleCaseActionType) Ptr() *SecurityMonitoringRuleCaseActionType { + return &v +} diff --git a/api/datadogV2/model_security_monitoring_rule_case_create.go b/api/datadogV2/model_security_monitoring_rule_case_create.go index 01fcb094d11..73a422aa9e8 100644 --- a/api/datadogV2/model_security_monitoring_rule_case_create.go +++ b/api/datadogV2/model_security_monitoring_rule_case_create.go @@ -12,6 +12,8 @@ import ( // SecurityMonitoringRuleCaseCreate Case when signal is generated. type SecurityMonitoringRuleCaseCreate struct { + // Action to perform for each rule case. + Actions []SecurityMonitoringRuleCaseAction `json:"actions,omitempty"` // A case contains logical operations (`>`,`>=`, `&&`, `||`) to determine if a signal should be generated // based on the event counts in the previously defined queries. Condition *string `json:"condition,omitempty"` 
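Review bot: The doc comment on `GetAllowedValues` reads `reeturns`; since this file is generated the typo lives in the template and will reappear on every enum until fixed there: `// GetAllowedValues returns the list of possible values.` It is also worth saying in the `UnmarshalJSON` comment that the method accepts any string and validity is only checked afterwards through `IsValid`, which is where `SecurityMonitoringRuleCaseAction.UnmarshalJSON` rejects unknown types.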
@@ -44,6 +46,34 @@ func NewSecurityMonitoringRuleCaseCreateWithDefaults() *SecurityMonitoringRuleCa return &this } +// GetActions returns the Actions field value if set, zero value otherwise. +func (o *SecurityMonitoringRuleCaseCreate) GetActions() []SecurityMonitoringRuleCaseAction { + if o == nil || o.Actions == nil { + var ret []SecurityMonitoringRuleCaseAction + return ret + } + return o.Actions +} + +// GetActionsOk returns a tuple with the Actions field value if set, nil otherwise +// and a boolean to check if the value has been set. +func (o *SecurityMonitoringRuleCaseCreate) GetActionsOk() (*[]SecurityMonitoringRuleCaseAction, bool) { + if o == nil || o.Actions == nil { + return nil, false + } + return &o.Actions, true +} + +// HasActions returns a boolean if a field has been set. +func (o *SecurityMonitoringRuleCaseCreate) HasActions() bool { + return o != nil && o.Actions != nil +} + +// SetActions gets a reference to the given []SecurityMonitoringRuleCaseAction and assigns it to the Actions field. +func (o *SecurityMonitoringRuleCaseCreate) SetActions(v []SecurityMonitoringRuleCaseAction) { + o.Actions = v +} + // GetCondition returns the Condition field value if set, zero value otherwise. func (o *SecurityMonitoringRuleCaseCreate) GetCondition() string { if o == nil || o.Condition == nil { @@ -157,6 +187,9 @@ func (o SecurityMonitoringRuleCaseCreate) MarshalJSON() ([]byte, error) { if o.UnparsedObject != nil { return datadog.Marshal(o.UnparsedObject) } + if o.Actions != nil { + toSerialize["actions"] = o.Actions + } if o.Condition != nil { toSerialize["condition"] = o.Condition } 
@@ -177,10 +210,11 @@ func (o SecurityMonitoringRuleCaseCreate) MarshalJSON() ([]byte, error) { // UnmarshalJSON deserializes the given payload. func (o *SecurityMonitoringRuleCaseCreate) UnmarshalJSON(bytes []byte) (err error) { all := struct { - Condition *string `json:"condition,omitempty"` - Name *string `json:"name,omitempty"` - Notifications []string `json:"notifications,omitempty"` - Status *SecurityMonitoringRuleSeverity `json:"status"` + Actions []SecurityMonitoringRuleCaseAction `json:"actions,omitempty"` + Condition *string `json:"condition,omitempty"` + Name *string `json:"name,omitempty"` + Notifications []string `json:"notifications,omitempty"` + Status *SecurityMonitoringRuleSeverity `json:"status"` }{} if err = datadog.Unmarshal(bytes, &all); err != nil { return datadog.Unmarshal(bytes, &o.UnparsedObject) @@ -190,12 +224,13 @@ func (o *SecurityMonitoringRuleCaseCreate) UnmarshalJSON(bytes []byte) (err erro } additionalProperties := make(map[string]interface{}) if err = datadog.Unmarshal(bytes, &additionalProperties); err == nil { - datadog.DeleteKeys(additionalProperties, &[]string{"condition", "name", "notifications", "status"}) + datadog.DeleteKeys(additionalProperties, &[]string{"actions", "condition", "name", "notifications", "status"}) } else { return err } hasInvalidField := false + o.Actions = all.Actions o.Condition = all.Condition o.Name = all.Name o.Notifications = all.Notifications diff --git a/api/datadogV2/model_security_monitoring_rule_update_payload.go b/api/datadogV2/model_security_monitoring_rule_update_payload.go index 0be3bb62351..b3d5a42b2ff 100644 --- a/api/datadogV2/model_security_monitoring_rule_update_payload.go +++ b/api/datadogV2/model_security_monitoring_rule_update_payload.go 
@@ -16,6 +16,8 @@ type SecurityMonitoringRuleUpdatePayload struct {
 ComplianceSignalOptions *CloudConfigurationRuleComplianceSignalOptions `json:"complianceSignalOptions,omitempty"`
 // Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
 Filters []SecurityMonitoringFilter `json:"filters,omitempty"`
+ // Additional grouping to perform on top of the existing groups in the query section. Must be a subset of the existing groups.
+ GroupSignalsBy []string `json:"groupSignalsBy,omitempty"`
 // Whether the notifications include the triggering group-by values in their title.
 HasExtendedTitle *bool `json:"hasExtendedTitle,omitempty"`
 // Whether the rule is enabled.
@@ -142,6 +144,34 @@ func (o *SecurityMonitoringRuleUpdatePayload) SetFilters(v []SecurityMonitoringF o.Filters = v } +// GetGroupSignalsBy returns the GroupSignalsBy field value if set, zero value otherwise. +func (o *SecurityMonitoringRuleUpdatePayload) GetGroupSignalsBy() []string { + if o == nil || o.GroupSignalsBy == nil { + var ret []string + return ret + } + return o.GroupSignalsBy +} + +// GetGroupSignalsByOk returns a tuple with the GroupSignalsBy field value if set, nil otherwise +// and a boolean to check if the value has been set. +func (o *SecurityMonitoringRuleUpdatePayload) GetGroupSignalsByOk() (*[]string, bool) { + if o == nil || o.GroupSignalsBy == nil { + return nil, false + } + return &o.GroupSignalsBy, true +} + +// HasGroupSignalsBy returns a boolean if a field has been set. +func (o *SecurityMonitoringRuleUpdatePayload) HasGroupSignalsBy() bool { + return o != nil && o.GroupSignalsBy != nil +} + +// SetGroupSignalsBy gets a reference to the given []string and assigns it to the GroupSignalsBy field. +func (o *SecurityMonitoringRuleUpdatePayload) SetGroupSignalsBy(v []string) { + o.GroupSignalsBy = v +} + // GetHasExtendedTitle returns the HasExtendedTitle field value if set, zero value otherwise. func (o *SecurityMonitoringRuleUpdatePayload) GetHasExtendedTitle() bool { if o == nil || o.HasExtendedTitle == nil { @@ -437,6 +467,9 @@ func (o SecurityMonitoringRuleUpdatePayload) MarshalJSON() ([]byte, error) { if o.Filters != nil { toSerialize["filters"] = o.Filters } + if o.GroupSignalsBy != nil { + toSerialize["groupSignalsBy"] = o.GroupSignalsBy + } if o.HasExtendedTitle != nil { toSerialize["hasExtendedTitle"] = o.HasExtendedTitle } 
@@ -480,6 +513,7 @@ func (o *SecurityMonitoringRuleUpdatePayload) UnmarshalJSON(bytes []byte) (err e Cases []SecurityMonitoringRuleCase `json:"cases,omitempty"` ComplianceSignalOptions *CloudConfigurationRuleComplianceSignalOptions `json:"complianceSignalOptions,omitempty"` Filters []SecurityMonitoringFilter `json:"filters,omitempty"` + GroupSignalsBy []string `json:"groupSignalsBy,omitempty"` HasExtendedTitle *bool `json:"hasExtendedTitle,omitempty"` IsEnabled *bool `json:"isEnabled,omitempty"` Message *string `json:"message,omitempty"` @@ -496,7 +530,7 @@ func (o *SecurityMonitoringRuleUpdatePayload) UnmarshalJSON(bytes []byte) (err e } additionalProperties := make(map[string]interface{}) if err = datadog.Unmarshal(bytes, &additionalProperties); err == nil { - datadog.DeleteKeys(additionalProperties, &[]string{"cases", "complianceSignalOptions", "filters", "hasExtendedTitle", "isEnabled", "message", "name", "options", "queries", "referenceTables", "tags", "thirdPartyCases", "version"}) + datadog.DeleteKeys(additionalProperties, &[]string{"cases", "complianceSignalOptions", "filters", "groupSignalsBy", "hasExtendedTitle", "isEnabled", "message", "name", "options", "queries", "referenceTables", "tags", "thirdPartyCases", "version"}) } else { return err } @@ -508,6 +542,7 @@ func (o *SecurityMonitoringRuleUpdatePayload) UnmarshalJSON(bytes []byte) (err e } o.ComplianceSignalOptions = all.ComplianceSignalOptions o.Filters = all.Filters + o.GroupSignalsBy = all.GroupSignalsBy o.HasExtendedTitle = all.HasExtendedTitle o.IsEnabled = all.IsEnabled o.Message = all.Message diff --git a/api/datadogV2/model_security_monitoring_standard_rule_create_payload.go b/api/datadogV2/model_security_monitoring_standard_rule_create_payload.go index 418065f0314..37d5bc5e589 100644 --- a/api/datadogV2/model_security_monitoring_standard_rule_create_payload.go +++ b/api/datadogV2/model_security_monitoring_standard_rule_create_payload.go 
@@ -16,6 +16,8 @@ type SecurityMonitoringStandardRuleCreatePayload struct {
 Cases []SecurityMonitoringRuleCaseCreate `json:"cases"`
 // Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
 Filters []SecurityMonitoringFilter `json:"filters,omitempty"`
+ // Additional grouping to perform on top of the existing groups in the query section. Must be a subset of the existing groups.
+ GroupSignalsBy []string `json:"groupSignalsBy,omitempty"`
 // Whether the notifications include the triggering group-by values in their title.
 HasExtendedTitle *bool `json:"hasExtendedTitle,omitempty"`
 // Whether the rule is enabled.
@@ -115,6 +117,34 @@ func (o *SecurityMonitoringStandardRuleCreatePayload) SetFilters(v []SecurityMon
 o.Filters = v
 }
+// GetGroupSignalsBy returns the GroupSignalsBy field value if set, zero value otherwise.
+func (o *SecurityMonitoringStandardRuleCreatePayload) GetGroupSignalsBy() []string {
+ if o == nil || o.GroupSignalsBy == nil {
+ var ret []string
+ return ret
+ }
+ return o.GroupSignalsBy
+}
+
+// GetGroupSignalsByOk returns a tuple with the GroupSignalsBy field value if set, nil otherwise
+// and a boolean to check if the value has been set.
+func (o *SecurityMonitoringStandardRuleCreatePayload) GetGroupSignalsByOk() (*[]string, bool) {
+ if o == nil || o.GroupSignalsBy == nil {
+ return nil, false
+ }
+ return &o.GroupSignalsBy, true
+}
+
+// HasGroupSignalsBy returns a boolean if a field has been set.
+func (o *SecurityMonitoringStandardRuleCreatePayload) HasGroupSignalsBy() bool {
+ return o != nil && o.GroupSignalsBy != nil
+}
+
+// SetGroupSignalsBy gets a reference to the given []string and assigns it to the GroupSignalsBy field.
+func (o *SecurityMonitoringStandardRuleCreatePayload) SetGroupSignalsBy(v []string) {
+ o.GroupSignalsBy = v
+}
+
 // GetHasExtendedTitle returns the HasExtendedTitle field value if set, zero value otherwise.
 func (o *SecurityMonitoringStandardRuleCreatePayload) GetHasExtendedTitle() bool {
 if o == nil || o.HasExtendedTitle == nil {
@@ -380,6 +410,9 @@ func (o SecurityMonitoringStandardRuleCreatePayload) MarshalJSON() ([]byte, erro
 if o.Filters != nil {
 toSerialize["filters"] = o.Filters
 }
+ if o.GroupSignalsBy != nil {
+ toSerialize["groupSignalsBy"] = o.GroupSignalsBy
+ }
 if o.HasExtendedTitle != nil {
 toSerialize["hasExtendedTitle"] = o.HasExtendedTitle
 }
@@ -412,6 +445,7 @@ func (o *SecurityMonitoringStandardRuleCreatePayload) UnmarshalJSON(bytes []byte
 all := struct {
 Cases *[]SecurityMonitoringRuleCaseCreate `json:"cases"`
 Filters []SecurityMonitoringFilter `json:"filters,omitempty"`
+ GroupSignalsBy []string `json:"groupSignalsBy,omitempty"`
 HasExtendedTitle *bool `json:"hasExtendedTitle,omitempty"`
 IsEnabled *bool `json:"isEnabled"`
 Message *string `json:"message"`
@@ -446,7 +480,7 @@ func (o *SecurityMonitoringStandardRuleCreatePayload) UnmarshalJSON(bytes []byte
 }
 additionalProperties := make(map[string]interface{})
 if err = datadog.Unmarshal(bytes, &additionalProperties); err == nil {
- datadog.DeleteKeys(additionalProperties, &[]string{"cases", "filters", "hasExtendedTitle", "isEnabled", "message", "name", "options", "queries", "referenceTables", "tags", "thirdPartyCases", "type"})
+ datadog.DeleteKeys(additionalProperties, &[]string{"cases", "filters", "groupSignalsBy", "hasExtendedTitle", "isEnabled", "message", "name", "options", "queries", "referenceTables", "tags", "thirdPartyCases", "type"})
 } else {
 return err
 }
@@ -454,6 +488,7 @@ func (o *SecurityMonitoringStandardRuleCreatePayload) UnmarshalJSON(bytes []byte
 hasInvalidField := false
 o.Cases = *all.Cases
 o.Filters = all.Filters
+ o.GroupSignalsBy = all.GroupSignalsBy
 o.HasExtendedTitle = all.HasExtendedTitle
 o.IsEnabled = *all.IsEnabled
 o.Message = *all.Message
diff --git a/api/datadogV2/model_security_monitoring_standard_rule_payload.go b/api/datadogV2/model_security_monitoring_standard_rule_payload.go
index a7b7bd182d8..617e079d6db 100644
--- a/api/datadogV2/model_security_monitoring_standard_rule_payload.go
+++ b/api/datadogV2/model_security_monitoring_standard_rule_payload.go
@@ -16,6 +16,8 @@ type SecurityMonitoringStandardRulePayload struct {
 Cases []SecurityMonitoringRuleCaseCreate `json:"cases"`
 // Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
 Filters []SecurityMonitoringFilter `json:"filters,omitempty"`
+ // Additional grouping to perform on top of the existing groups in the query section. Must be a subset of the existing groups.
+ GroupSignalsBy []string `json:"groupSignalsBy,omitempty"`
 // Whether the notifications include the triggering group-by values in their title.
 HasExtendedTitle *bool `json:"hasExtendedTitle,omitempty"`
 // Whether the rule is enabled.
@@ -115,6 +117,34 @@ func (o *SecurityMonitoringStandardRulePayload) SetFilters(v []SecurityMonitorin
 o.Filters = v
 }
+// GetGroupSignalsBy returns the GroupSignalsBy field value if set, zero value otherwise.
+func (o *SecurityMonitoringStandardRulePayload) GetGroupSignalsBy() []string {
+ if o == nil || o.GroupSignalsBy == nil {
+ var ret []string
+ return ret
+ }
+ return o.GroupSignalsBy
+}
+
+// GetGroupSignalsByOk returns a tuple with the GroupSignalsBy field value if set, nil otherwise
+// and a boolean to check if the value has been set.
+func (o *SecurityMonitoringStandardRulePayload) GetGroupSignalsByOk() (*[]string, bool) {
+ if o == nil || o.GroupSignalsBy == nil {
+ return nil, false
+ }
+ return &o.GroupSignalsBy, true
+}
+
+// HasGroupSignalsBy returns a boolean if a field has been set.
+func (o *SecurityMonitoringStandardRulePayload) HasGroupSignalsBy() bool {
+ return o != nil && o.GroupSignalsBy != nil
+}
+
+// SetGroupSignalsBy gets a reference to the given []string and assigns it to the GroupSignalsBy field.
+func (o *SecurityMonitoringStandardRulePayload) SetGroupSignalsBy(v []string) {
+ o.GroupSignalsBy = v
+}
+
 // GetHasExtendedTitle returns the HasExtendedTitle field value if set, zero value otherwise.
 func (o *SecurityMonitoringStandardRulePayload) GetHasExtendedTitle() bool {
 if o == nil || o.HasExtendedTitle == nil {
@@ -380,6 +410,9 @@ func (o SecurityMonitoringStandardRulePayload) MarshalJSON() ([]byte, error) {
 if o.Filters != nil {
 toSerialize["filters"] = o.Filters
 }
+ if o.GroupSignalsBy != nil {
+ toSerialize["groupSignalsBy"] = o.GroupSignalsBy
+ }
 if o.HasExtendedTitle != nil {
 toSerialize["hasExtendedTitle"] = o.HasExtendedTitle
 }
@@ -412,6 +445,7 @@ func (o *SecurityMonitoringStandardRulePayload) UnmarshalJSON(bytes []byte) (err
 all := struct {
 Cases *[]SecurityMonitoringRuleCaseCreate `json:"cases"`
 Filters []SecurityMonitoringFilter `json:"filters,omitempty"`
+ GroupSignalsBy []string `json:"groupSignalsBy,omitempty"`
 HasExtendedTitle *bool `json:"hasExtendedTitle,omitempty"`
 IsEnabled *bool `json:"isEnabled"`
 Message *string `json:"message"`
@@ -446,7 +480,7 @@ func (o *SecurityMonitoringStandardRulePayload) UnmarshalJSON(bytes []byte) (err
 }
 additionalProperties := make(map[string]interface{})
 if err = datadog.Unmarshal(bytes, &additionalProperties); err == nil {
- datadog.DeleteKeys(additionalProperties, &[]string{"cases", "filters", "hasExtendedTitle", "isEnabled", "message", "name", "options", "queries", "referenceTables", "tags", "thirdPartyCases", "type"})
+ datadog.DeleteKeys(additionalProperties, &[]string{"cases", "filters", "groupSignalsBy", "hasExtendedTitle", "isEnabled", "message", "name", "options", "queries", "referenceTables", "tags", "thirdPartyCases", "type"})
 } else {
 return err
 }
@@ -454,6 +488,7 @@ func (o *SecurityMonitoringStandardRulePayload) UnmarshalJSON(bytes []byte) (err
 hasInvalidField := false
 o.Cases = *all.Cases
 o.Filters = all.Filters
+ o.GroupSignalsBy = all.GroupSignalsBy
 o.HasExtendedTitle = all.HasExtendedTitle
 o.IsEnabled = *all.IsEnabled
 o.Message = *all.Message
diff --git a/api/datadogV2/model_security_monitoring_standard_rule_response.go b/api/datadogV2/model_security_monitoring_standard_rule_response.go
index e94d61f586f..fb096933779 100644
--- a/api/datadogV2/model_security_monitoring_standard_rule_response.go
+++ b/api/datadogV2/model_security_monitoring_standard_rule_response.go
@@ -24,6 +24,8 @@ type SecurityMonitoringStandardRuleResponse struct {
 DeprecationDate *int64 `json:"deprecationDate,omitempty"`
 // Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
 Filters []SecurityMonitoringFilter `json:"filters,omitempty"`
+ // Additional grouping to perform on top of the existing groups in the query section. Must be a subset of the existing groups.
+ GroupSignalsBy []string `json:"groupSignalsBy,omitempty"`
 // Whether the notifications include the triggering group-by values in their title.
 HasExtendedTitle *bool `json:"hasExtendedTitle,omitempty"`
 // The ID of the rule.
@@ -274,6 +276,34 @@ func (o *SecurityMonitoringStandardRuleResponse) SetFilters(v []SecurityMonitori
 o.Filters = v
 }
+// GetGroupSignalsBy returns the GroupSignalsBy field value if set, zero value otherwise.
+func (o *SecurityMonitoringStandardRuleResponse) GetGroupSignalsBy() []string {
+ if o == nil || o.GroupSignalsBy == nil {
+ var ret []string
+ return ret
+ }
+ return o.GroupSignalsBy
+}
+
+// GetGroupSignalsByOk returns a tuple with the GroupSignalsBy field value if set, nil otherwise
+// and a boolean to check if the value has been set.
+func (o *SecurityMonitoringStandardRuleResponse) GetGroupSignalsByOk() (*[]string, bool) {
+ if o == nil || o.GroupSignalsBy == nil {
+ return nil, false
+ }
+ return &o.GroupSignalsBy, true
+}
+
+// HasGroupSignalsBy returns a boolean if a field has been set.
+func (o *SecurityMonitoringStandardRuleResponse) HasGroupSignalsBy() bool {
+ return o != nil && o.GroupSignalsBy != nil
+}
+
+// SetGroupSignalsBy gets a reference to the given []string and assigns it to the GroupSignalsBy field.
+func (o *SecurityMonitoringStandardRuleResponse) SetGroupSignalsBy(v []string) {
+ o.GroupSignalsBy = v
+}
+
 // GetHasExtendedTitle returns the HasExtendedTitle field value if set, zero value otherwise.
 func (o *SecurityMonitoringStandardRuleResponse) GetHasExtendedTitle() bool {
 if o == nil || o.HasExtendedTitle == nil {
@@ -749,6 +779,9 @@ func (o SecurityMonitoringStandardRuleResponse) MarshalJSON() ([]byte, error) {
 if o.Filters != nil {
 toSerialize["filters"] = o.Filters
 }
+ if o.GroupSignalsBy != nil {
+ toSerialize["groupSignalsBy"] = o.GroupSignalsBy
+ }
 if o.HasExtendedTitle != nil {
 toSerialize["hasExtendedTitle"] = o.HasExtendedTitle
 }
@@ -814,6 +847,7 @@ func (o *SecurityMonitoringStandardRuleResponse) UnmarshalJSON(bytes []byte) (er
 DefaultTags []string `json:"defaultTags,omitempty"`
 DeprecationDate *int64 `json:"deprecationDate,omitempty"`
 Filters []SecurityMonitoringFilter `json:"filters,omitempty"`
+ GroupSignalsBy []string `json:"groupSignalsBy,omitempty"`
 HasExtendedTitle *bool `json:"hasExtendedTitle,omitempty"`
 Id *string `json:"id,omitempty"`
 IsDefault *bool `json:"isDefault,omitempty"`
@@ -836,7 +870,7 @@ func (o *SecurityMonitoringStandardRuleResponse) UnmarshalJSON(bytes []byte) (er
 }
 additionalProperties := make(map[string]interface{})
 if err = datadog.Unmarshal(bytes, &additionalProperties); err == nil {
- datadog.DeleteKeys(additionalProperties, &[]string{"cases", "complianceSignalOptions", "createdAt", "creationAuthorId", "defaultTags", "deprecationDate", "filters", "hasExtendedTitle", "id", "isDefault", "isDeleted", "isEnabled", "message", "name", "options", "queries", "referenceTables", "tags", "thirdPartyCases", "type", "updateAuthorId", "updatedAt", "version"})
+ datadog.DeleteKeys(additionalProperties, &[]string{"cases", "complianceSignalOptions", "createdAt", "creationAuthorId", "defaultTags", "deprecationDate", "filters", "groupSignalsBy", "hasExtendedTitle", "id", "isDefault", "isDeleted", "isEnabled", "message", "name", "options", "queries", "referenceTables", "tags", "thirdPartyCases", "type", "updateAuthorId", "updatedAt", "version"})
 } else {
 return err
 }
@@ -852,6 +886,7 @@ func (o *SecurityMonitoringStandardRuleResponse) UnmarshalJSON(bytes []byte) (er
 o.DefaultTags = all.DefaultTags
 o.DeprecationDate = all.DeprecationDate
 o.Filters = all.Filters
+ o.GroupSignalsBy = all.GroupSignalsBy
 o.HasExtendedTitle = all.HasExtendedTitle
 o.Id = all.Id
 o.IsDefault = all.IsDefault
diff --git a/api/datadogV2/model_security_monitoring_standard_rule_test_payload.go b/api/datadogV2/model_security_monitoring_standard_rule_test_payload.go
index 7f6b59e87cb..8eab9c846b8 100644
--- a/api/datadogV2/model_security_monitoring_standard_rule_test_payload.go
+++ b/api/datadogV2/model_security_monitoring_standard_rule_test_payload.go
@@ -16,6 +16,8 @@ type SecurityMonitoringStandardRuleTestPayload struct {
 Cases []SecurityMonitoringRuleCaseCreate `json:"cases"`
 // Additional queries to filter matched events before they are processed. This field is deprecated for log detection, signal correlation, and workload security rules.
 Filters []SecurityMonitoringFilter `json:"filters,omitempty"`
+ // Additional grouping to perform on top of the existing groups in the query section. Must be a subset of the existing groups.
+ GroupSignalsBy []string `json:"groupSignalsBy,omitempty"`
 // Whether the notifications include the triggering group-by values in their title.
 HasExtendedTitle *bool `json:"hasExtendedTitle,omitempty"`
 // Whether the rule is enabled.
@@ -115,6 +117,34 @@ func (o *SecurityMonitoringStandardRuleTestPayload) SetFilters(v []SecurityMonit
 o.Filters = v
 }
+// GetGroupSignalsBy returns the GroupSignalsBy field value if set, zero value otherwise.
+func (o *SecurityMonitoringStandardRuleTestPayload) GetGroupSignalsBy() []string {
+ if o == nil || o.GroupSignalsBy == nil {
+ var ret []string
+ return ret
+ }
+ return o.GroupSignalsBy
+}
+
+// GetGroupSignalsByOk returns a tuple with the GroupSignalsBy field value if set, nil otherwise
+// and a boolean to check if the value has been set.
+func (o *SecurityMonitoringStandardRuleTestPayload) GetGroupSignalsByOk() (*[]string, bool) {
+ if o == nil || o.GroupSignalsBy == nil {
+ return nil, false
+ }
+ return &o.GroupSignalsBy, true
+}
+
+// HasGroupSignalsBy returns a boolean if a field has been set.
+func (o *SecurityMonitoringStandardRuleTestPayload) HasGroupSignalsBy() bool {
+ return o != nil && o.GroupSignalsBy != nil
+}
+
+// SetGroupSignalsBy gets a reference to the given []string and assigns it to the GroupSignalsBy field.
+func (o *SecurityMonitoringStandardRuleTestPayload) SetGroupSignalsBy(v []string) {
+ o.GroupSignalsBy = v
+}
+
 // GetHasExtendedTitle returns the HasExtendedTitle field value if set, zero value otherwise.
 func (o *SecurityMonitoringStandardRuleTestPayload) GetHasExtendedTitle() bool {
 if o == nil || o.HasExtendedTitle == nil {
@@ -380,6 +410,9 @@ func (o SecurityMonitoringStandardRuleTestPayload) MarshalJSON() ([]byte, error)
 if o.Filters != nil {
 toSerialize["filters"] = o.Filters
 }
+ if o.GroupSignalsBy != nil {
+ toSerialize["groupSignalsBy"] = o.GroupSignalsBy
+ }
 if o.HasExtendedTitle != nil {
 toSerialize["hasExtendedTitle"] = o.HasExtendedTitle
 }
@@ -412,6 +445,7 @@ func (o *SecurityMonitoringStandardRuleTestPayload) UnmarshalJSON(bytes []byte)
 all := struct {
 Cases *[]SecurityMonitoringRuleCaseCreate `json:"cases"`
 Filters []SecurityMonitoringFilter `json:"filters,omitempty"`
+ GroupSignalsBy []string `json:"groupSignalsBy,omitempty"`
 HasExtendedTitle *bool `json:"hasExtendedTitle,omitempty"`
 IsEnabled *bool `json:"isEnabled"`
 Message *string `json:"message"`
@@ -446,7 +480,7 @@ func (o *SecurityMonitoringStandardRuleTestPayload) UnmarshalJSON(bytes []byte)
 }
 additionalProperties := make(map[string]interface{})
 if err = datadog.Unmarshal(bytes, &additionalProperties); err == nil {
- datadog.DeleteKeys(additionalProperties, &[]string{"cases", "filters", "hasExtendedTitle", "isEnabled", "message", "name", "options", "queries", "referenceTables", "tags", "thirdPartyCases", "type"})
+ datadog.DeleteKeys(additionalProperties, &[]string{"cases", "filters", "groupSignalsBy", "hasExtendedTitle", "isEnabled", "message", "name", "options", "queries", "referenceTables", "tags", "thirdPartyCases", "type"})
 } else {
 return err
 }
@@ -454,6 +488,7 @@ func (o *SecurityMonitoringStandardRuleTestPayload) UnmarshalJSON(bytes []byte)
 hasInvalidField := false
 o.Cases = *all.Cases
 o.Filters = all.Filters
+ o.GroupSignalsBy = all.GroupSignalsBy
 o.HasExtendedTitle = all.HasExtendedTitle
 o.IsEnabled = *all.IsEnabled
 o.Message = *all.Message
diff --git a/examples/v2/security-monitoring/CreateSecurityMonitoringRule_1965169892.go b/examples/v2/security-monitoring/CreateSecurityMonitoringRule_1965169892.go
new file mode 100644
index 00000000000..cbfbb09054c
--- /dev/null
+++ b/examples/v2/security-monitoring/CreateSecurityMonitoringRule_1965169892.go
@@ -0,0 +1,74 @@
+// Create a detection rule with type 'application_security 'returns "OK" response
+
+package main
+
+import (
+ "context"
+ "encoding/json"
+ "fmt"
+ "os"
+
+ "github.com/DataDog/datadog-api-client-go/v2/api/datadog"
+ "github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
+)
+
+func main() {
+ body := datadogV2.SecurityMonitoringRuleCreatePayload{
+ SecurityMonitoringStandardRuleCreatePayload: &datadogV2.SecurityMonitoringStandardRuleCreatePayload{
+ Type: datadogV2.SECURITYMONITORINGRULETYPECREATE_APPLICATION_SECURITY.Ptr(),
+ Name: "Example-Security-Monitoring_appsec_rule",
+ Queries: []datadogV2.SecurityMonitoringStandardRuleQuery{
+ {
+ Query: datadog.PtrString("@appsec.security_activity:business_logic.users.login.failure"),
+ Aggregation: datadogV2.SECURITYMONITORINGRULEQUERYAGGREGATION_COUNT.Ptr(),
+ GroupByFields: []string{
+ "service",
+ "@http.client_ip",
+ },
+ DistinctFields: []string{},
+ },
+ },
+ Filters: []datadogV2.SecurityMonitoringFilter{},
+ Cases: []datadogV2.SecurityMonitoringRuleCaseCreate{
+ {
+ Name: datadog.PtrString(""),
+ Status: datadogV2.SECURITYMONITORINGRULESEVERITY_INFO,
+ Notifications: []string{},
+ Condition: datadog.PtrString("a > 100000"),
+ Actions: []datadogV2.SecurityMonitoringRuleCaseAction{
+ {
+ Type: datadogV2.SECURITYMONITORINGRULECASEACTIONTYPE_BLOCK_IP.Ptr(),
+ Options: &datadogV2.SecurityMonitoringRuleCaseActionOptions{
+ Duration: datadog.PtrInt64(900),
+ },
+ },
+ },
+ },
+ },
+ Options: datadogV2.SecurityMonitoringRuleOptions{
+ KeepAlive: datadogV2.SECURITYMONITORINGRULEKEEPALIVE_ONE_HOUR.Ptr(),
+ MaxSignalDuration: datadogV2.SECURITYMONITORINGRULEMAXSIGNALDURATION_ONE_DAY.Ptr(),
+ EvaluationWindow: datadogV2.SECURITYMONITORINGRULEEVALUATIONWINDOW_FIFTEEN_MINUTES.Ptr(),
+ DetectionMethod: datadogV2.SECURITYMONITORINGRULEDETECTIONMETHOD_THRESHOLD.Ptr(),
+ },
+ IsEnabled: true,
+ Message: "Test rule",
+ Tags: []string{},
+ GroupSignalsBy: []string{
+ "service",
+ },
+ }}
+ ctx := datadog.NewDefaultContext(context.Background())
+ configuration := datadog.NewConfiguration()
+ apiClient := datadog.NewAPIClient(configuration)
+ api := datadogV2.NewSecurityMonitoringApi(apiClient)
+ resp, r, err := api.CreateSecurityMonitoringRule(ctx, body)
+
+ if err != nil {
+ fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.CreateSecurityMonitoringRule`: %v\n", err)
+ fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
+ }
+
+ responseContent, _ := json.MarshalIndent(resp, "", " ")
+ fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.CreateSecurityMonitoringRule`:\n%s\n", responseContent)
+}
diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Security_Monitoring/Scenario_Create_a_detection_rule_with_type_application_security_returns_OK_response.freeze b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Security_Monitoring/Scenario_Create_a_detection_rule_with_type_application_security_returns_OK_response.freeze
new file mode 100644
index 00000000000..7a935c1425b
--- /dev/null
+++ b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Security_Monitoring/Scenario_Create_a_detection_rule_with_type_application_security_returns_OK_response.freeze
@@ -0,0 +1 @@
+2025-02-06T16:50:39.787Z
\ No newline at end of file
diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Security_Monitoring/Scenario_Create_a_detection_rule_with_type_application_security_returns_OK_response.yaml b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Security_Monitoring/Scenario_Create_a_detection_rule_with_type_application_security_returns_OK_response.yaml
new file mode 100644
index 00000000000..cf993b5ae8c
--- /dev/null
+++ b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Security_Monitoring/Scenario_Create_a_detection_rule_with_type_application_security_returns_OK_response.yaml
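Review bot: The `Actions` entry on the case is the enforcement part of this example and carries no explanation: `SECURITYMONITORINGRULECASEACTIONTYPE_BLOCK_IP` with `Duration: datadog.PtrInt64(900)` presumably blocks the `@http.client_ip` group that trips `a > 100000`, and neither the unit of `Duration` nor what a zero value means is stated in the sample. A one-line comment above the `Actions` literal, such as `// block_ip is an enforcement action applied per @http.client_ip group; Duration bounds how long it stays in effect (see SecurityMonitoringRuleCaseActionOptions)`, would give a reader copying this sample the context they need. Separately, on a non-nil `err` the example still runs `json.MarshalIndent(resp, "", " ")` on a zero-value response and discards the marshal error with `responseContent, _ :=`; that pattern is shared by the other examples, so a change belongs in the example template rather than this file.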
@@ -0,0 +1,41 @@
+interactions:
+- request:
+ body: |
+ {"cases":[{"actions":[{"options":{"duration":900},"type":"block_ip"}],"condition":"a \u003e 100000","name":"","notifications":[],"status":"info"}],"filters":[],"groupSignalsBy":["service"],"isEnabled":true,"message":"Test rule","name":"Test-Create_a_detection_rule_with_type_application_security_returns_OK_response-1738860639_appsec_rule","options":{"detectionMethod":"threshold","evaluationWindow":900,"keepAlive":3600,"maxSignalDuration":86400},"queries":[{"aggregation":"count","distinctFields":[],"groupByFields":["service","@http.client_ip"],"query":"@appsec.security_activity:business_logic.users.login.failure"}],"tags":[],"type":"application_security"}
+ form: {}
+ headers:
+ Accept:
+ - application/json
+ Content-Type:
+ - application/json
+ id: 0
+ method: POST
+ url: https://api.datadoghq.com/api/v2/security_monitoring/rules
+ response:
+ body: '{"name":"Test-Create_a_detection_rule_with_type_application_security_returns_OK_response-1738860639_appsec_rule","createdAt":1738860640426,"isDefault":false,"isPartner":false,"isEnabled":true,"isBeta":false,"isDeleted":false,"isDeprecated":false,"queries":[{"query":"@appsec.security_activity:business_logic.users.login.failure","groupByFields":["service","@http.client_ip"],"hasOptionalGroupByFields":false,"distinctFields":[],"aggregation":"count","name":"","dataSource":"app_sec_spans"}],"options":{"evaluationWindow":900,"detectionMethod":"threshold","maxSignalDuration":86400,"keepAlive":3600},"cases":[{"name":"","status":"info","notifications":[],"condition":"a
+ \u003e 100000","actions":[{"type":"block_ip","options":{"duration":900}}]}],"message":"Test
+ rule","tags":[],"hasExtendedTitle":false,"type":"application_security","filters":[],"version":1,"id":"rfn-h2v-udr","blocking":true,"groupSignalsBy":["service"],"casesActions":[[{"type":"block_ip","options":{"duration":900}}]],"dependencies":["business_logic.users.login.failure"],"metadata":{"entities":null,"sources":null},"creator":{"handle":"","name":""},"updater":{"handle":"","name":""}}'
+ code: 200
+ duration: 0ms
+ headers:
+ Content-Type:
+ - application/json
+ status: 200 OK
+- request:
+ body: ''
+ form: {}
+ headers:
+ Accept:
+ - '*/*'
+ id: 1
+ method: DELETE
+ url: https://api.datadoghq.com/api/v2/security_monitoring/rules/rfn-h2v-udr
+ response:
+ body: '{"status":"404","title":"Not Found"}'
+ code: 404
+ duration: 0ms
+ headers:
+ Content-Type:
+ - application/json
+ status: 404 Not Found
+version: 2
diff --git a/tests/scenarios/features/v2/security_monitoring.feature b/tests/scenarios/features/v2/security_monitoring.feature
index aaea07a9f8a..ec4c3d3f39d 100644
--- a/tests/scenarios/features/v2/security_monitoring.feature
+++ b/tests/scenarios/features/v2/security_monitoring.feature
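Review bot: The recorded teardown does not show the created rule being removed: the second interaction, `DELETE .../security_monitoring/rules/rfn-h2v-udr`, comes back `404 Not Found`, so the cassette does not demonstrate cleanup of an application_security rule that carries a `block_ip` action and is returned with `"blocking":true`. If a 404 is expected for this rule type (for example because the `id` in the create response is not the resource the delete endpoint addresses), a short comment on the scenario would document that; otherwise the cassette should be re-recorded once the undo step deletes the rule successfully. The `\u003e` in both bodies is only the JSON encoder's HTML-safe escaping of the `>` in `a > 100000`, not a mismatch with the example source.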
@@ -200,6 +200,16 @@ Feature: Security Monitoring
 And the response "options.detectionMethod" is equal to "third_party"
 And the response "thirdPartyCases[0].query" is equal to "status:error"
+ @skip-validation @team:DataDog/k9-cloud-security-platform
+ Scenario: Create a detection rule with type 'application_security 'returns "OK" response
+ Given new "CreateSecurityMonitoringRule" request
+ And body with value {"type":"application_security","name":"{{unique}}_appsec_rule","queries":[{"query":"@appsec.security_activity:business_logic.users.login.failure","aggregation":"count","groupByFields":["service","@http.client_ip"],"distinctFields":[]}],"filters":[],"cases":[{"name":"","status":"info","notifications":[],"condition":"a > 100000","actions":[{"type":"block_ip","options":{"duration":900}}]}],"options":{"keepAlive":3600,"maxSignalDuration":86400,"evaluationWindow":900,"detectionMethod":"threshold"},"isEnabled":true,"message":"Test rule","tags":[],"groupSignalsBy":["service"]}
+ When the request is sent
+ Then the response status is 200 OK
+ And the response "name" is equal to "{{ unique }}_appsec_rule"
+ And the response "type" is equal to "application_security"
+ And the response "message" is equal to "Test rule"
+
 @skip-validation @team:DataDog/k9-cloud-security-platform
 Scenario: Create a detection rule with type 'impossible_travel' returns "OK" response
 Given new "CreateSecurityMonitoringRule" request
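Review bot: The new scenario asserts nothing about the fields this change introduces: the response is checked only for `name`, `type` and `message`, so a regression in how `groupSignalsBy` or `cases[].actions` round-trip through the client would still pass. Adding `And the response "groupSignalsBy[0]" is equal to "service"` and `And the response "cases[0].actions[0].type" is equal to "block_ip"` would pin the new behaviour, and the recorded response contains both values. The scenario title also has a misplaced quote, `'application_security 'returns`, which is copied verbatim into the generated example's header comment and into the cassette file name, so fixing it means regenerating those files as well.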