Add actions and groupSignalsBy field in detection rules API

.apigentools-info

@@ -4,13 +4,13 @@
     "spec_versions": {
         "v1": {
             "apigentools_version": "1.6.6",
-            "regenerated": "2025-02-10 19:09:26.701430",
-            "spec_repo_commit": "824f78a1"
+            "regenerated": "2025-02-11 09:59:41.165078",
+            "spec_repo_commit": "b980d49f"
         },
         "v2": {
             "apigentools_version": "1.6.6",
-            "regenerated": "2025-02-10 19:09:26.716618",
-            "spec_repo_commit": "824f78a1"
+            "regenerated": "2025-02-11 09:59:41.182412",
+            "spec_repo_commit": "b980d49f"
         }
     }
 }

.generator/schemas/v2/openapi.yaml

@@ -15657,6 +15657,15 @@ components:
           example: 1729843470000
           format: int64
           type: integer
+        groupSignalsBy:
+          description: Additional grouping to perform on top of the existing groups
+            in the query section. Must be a subset of the existing groups.
+          example:
+          - service
+          items:
+            description: Field to group by.
+            type: string
+          type: array
         index:
           description: Index used to load the data.
           example: cloud_siem
@@ -24242,6 +24251,11 @@ components:
     SecurityMonitoringRuleCase:
       description: Case when signal is generated.
       properties:
+        actions:
+          description: Action to perform for each rule case.
+          items:
+            $ref: '#/components/schemas/SecurityMonitoringRuleCaseAction'
+          type: array
         condition:
           description: 'A rule case contains logical operations (`>`,`>=`, `&&`, `||`)
             to determine if a signal should be generated
@@ -24260,9 +24274,42 @@ components:
         status:
           $ref: '#/components/schemas/SecurityMonitoringRuleSeverity'
       type: object
+    SecurityMonitoringRuleCaseAction:
+      description: Action to perform when a signal is triggered. Only available for
+        Application Security rule type.
+      properties:
+        options:
+          $ref: '#/components/schemas/SecurityMonitoringRuleCaseActionOptions'
+        type:
+          $ref: '#/components/schemas/SecurityMonitoringRuleCaseActionType'
+      type: object
+    SecurityMonitoringRuleCaseActionOptions:
+      description: Options for the rule action
+      properties:
+        duration:
+          description: Duration of the action in seconds. 0 indicates no expiration.
+          example: 0
+          format: int64
+          minimum: 0
+          type: integer
+      type: object
+    SecurityMonitoringRuleCaseActionType:
+      description: The action type.
+      enum:
+      - block_ip
+      - block_user
+      type: string
+      x-enum-varnames:
+      - BLOCK_IP
+      - BLOCK_USER
     SecurityMonitoringRuleCaseCreate:
       description: Case when signal is generated.
       properties:
+        actions:
+          description: Action to perform for each rule case.
+          items:
+            $ref: '#/components/schemas/SecurityMonitoringRuleCaseAction'
+          type: array
         condition:
           description: 'A case contains logical operations (`>`,`>=`, `&&`, `||`)
             to determine if a signal should be generated
@@ -24724,6 +24771,15 @@ components:
           items:
             $ref: '#/components/schemas/SecurityMonitoringFilter'
           type: array
+        groupSignalsBy:
+          description: Additional grouping to perform on top of the existing groups
+            in the query section. Must be a subset of the existing groups.
+          example:
+          - service
+          items:
+            description: Field to group by.
+            type: string
+          type: array
         hasExtendedTitle:
           description: Whether the notifications include the triggering group-by values
             in their title.
@@ -25429,6 +25485,15 @@ components:
           items:
             $ref: '#/components/schemas/SecurityMonitoringFilter'
           type: array
+        groupSignalsBy:
+          description: Additional grouping to perform on top of the existing groups
+            in the query section. Must be a subset of the existing groups.
+          example:
+          - service
+          items:
+            description: Field to group by.
+            type: string
+          type: array
         hasExtendedTitle:
           description: Whether the notifications include the triggering group-by values
             in their title.
@@ -25501,6 +25566,15 @@ components:
           items:
             $ref: '#/components/schemas/SecurityMonitoringFilter'
           type: array
+        groupSignalsBy:
+          description: Additional grouping to perform on top of the existing groups
+            in the query section. Must be a subset of the existing groups.
+          example:
+          - service
+          items:
+            description: Field to group by.
+            type: string
+          type: array
         hasExtendedTitle:
           description: Whether the notifications include the triggering group-by values
             in their title.
@@ -25642,6 +25716,15 @@ components:
           items:
             $ref: '#/components/schemas/SecurityMonitoringFilter'
           type: array
+        groupSignalsBy:
+          description: Additional grouping to perform on top of the existing groups
+            in the query section. Must be a subset of the existing groups.
+          example:
+          - service
+          items:
+            description: Field to group by.
+            type: string
+          type: array
         hasExtendedTitle:
           description: Whether the notifications include the triggering group-by values
             in their title.
@@ -25719,6 +25802,15 @@ components:
           items:
             $ref: '#/components/schemas/SecurityMonitoringFilter'
           type: array
+        groupSignalsBy:
+          description: Additional grouping to perform on top of the existing groups
+            in the query section. Must be a subset of the existing groups.
+          example:
+          - service
+          items:
+            description: Field to group by.
+            type: string
+          type: array
         hasExtendedTitle:
           description: Whether the notifications include the triggering group-by values
             in their title.

api/datadogV2/model_job_definition.go

@@ -18,6 +18,8 @@ type JobDefinition struct {
 	Cases []SecurityMonitoringRuleCaseCreate `json:"cases"`
 	// Starting time of data analyzed by the job.
 	From int64 `json:"from"`
+	// Additional grouping to perform on top of the existing groups in the query section. Must be a subset of the existing groups.
+	GroupSignalsBy []string `json:"groupSignalsBy,omitempty"`
 	// Index used to load the data.
 	Index string `json:"index"`
 	// Message for generated results.
@@ -141,6 +143,34 @@ func (o *JobDefinition) SetFrom(v int64) {
 	o.From = v
 }
 
+// GetGroupSignalsBy returns the GroupSignalsBy field value if set, zero value otherwise.
+func (o *JobDefinition) GetGroupSignalsBy() []string {
+	if o == nil || o.GroupSignalsBy == nil {
+		var ret []string
+		return ret
+	}
+	return o.GroupSignalsBy
+}
+
+// GetGroupSignalsByOk returns a tuple with the GroupSignalsBy field value if set, nil otherwise
+// and a boolean to check if the value has been set.
+func (o *JobDefinition) GetGroupSignalsByOk() (*[]string, bool) {
+	if o == nil || o.GroupSignalsBy == nil {
+		return nil, false
+	}
+	return &o.GroupSignalsBy, true
+}
+
+// HasGroupSignalsBy returns a boolean if a field has been set.
+func (o *JobDefinition) HasGroupSignalsBy() bool {
+	return o != nil && o.GroupSignalsBy != nil
+}
+
+// SetGroupSignalsBy gets a reference to the given []string and assigns it to the GroupSignalsBy field.
+func (o *JobDefinition) SetGroupSignalsBy(v []string) {
+	o.GroupSignalsBy = v
+}
+
 // GetIndex returns the Index field value.
 func (o *JobDefinition) GetIndex() string {
 	if o == nil {
@@ -407,6 +437,9 @@ func (o JobDefinition) MarshalJSON() ([]byte, error) {
 	}
 	toSerialize["cases"] = o.Cases
 	toSerialize["from"] = o.From
+	if o.GroupSignalsBy != nil {
+		toSerialize["groupSignalsBy"] = o.GroupSignalsBy
+	}
 	toSerialize["index"] = o.Index
 	toSerialize["message"] = o.Message
 	toSerialize["name"] = o.Name
@@ -440,6 +473,7 @@ func (o *JobDefinition) UnmarshalJSON(bytes []byte) (err error) {
 		CalculatedFields []CalculatedField                            `json:"calculatedFields,omitempty"`
 		Cases            *[]SecurityMonitoringRuleCaseCreate          `json:"cases"`
 		From             *int64                                       `json:"from"`
+		GroupSignalsBy   []string                                     `json:"groupSignalsBy,omitempty"`
 		Index            *string                                      `json:"index"`
 		Message          *string                                      `json:"message"`
 		Name             *string                                      `json:"name"`
@@ -477,7 +511,7 @@ func (o *JobDefinition) UnmarshalJSON(bytes []byte) (err error) {
 	}
 	additionalProperties := make(map[string]interface{})
 	if err = datadog.Unmarshal(bytes, &additionalProperties); err == nil {
-		datadog.DeleteKeys(additionalProperties, &[]string{"calculatedFields", "cases", "from", "index", "message", "name", "options", "queries", "referenceTables", "tags", "thirdPartyCases", "to", "type"})
+		datadog.DeleteKeys(additionalProperties, &[]string{"calculatedFields", "cases", "from", "groupSignalsBy", "index", "message", "name", "options", "queries", "referenceTables", "tags", "thirdPartyCases", "to", "type"})
 	} else {
 		return err
 	}
@@ -486,6 +520,7 @@ func (o *JobDefinition) UnmarshalJSON(bytes []byte) (err error) {
 	o.CalculatedFields = all.CalculatedFields
 	o.Cases = *all.Cases
 	o.From = *all.From
+	o.GroupSignalsBy = all.GroupSignalsBy
 	o.Index = *all.Index
 	o.Message = *all.Message
 	o.Name = *all.Name

api/datadogV2/model_security_monitoring_rule_case.go

@@ -10,6 +10,8 @@ import (
 
 // SecurityMonitoringRuleCase Case when signal is generated.
 type SecurityMonitoringRuleCase struct {
+	// Action to perform for each rule case.
+	Actions []SecurityMonitoringRuleCaseAction `json:"actions,omitempty"`
 	// A rule case contains logical operations (`>`,`>=`, `&&`, `||`) to determine if a signal should be generated
 	// based on the event counts in the previously defined queries.
 	Condition *string `json:"condition,omitempty"`
@@ -41,6 +43,34 @@ func NewSecurityMonitoringRuleCaseWithDefaults() *SecurityMonitoringRuleCase {
 	return &this
 }
 
+// GetActions returns the Actions field value if set, zero value otherwise.
+func (o *SecurityMonitoringRuleCase) GetActions() []SecurityMonitoringRuleCaseAction {
+	if o == nil || o.Actions == nil {
+		var ret []SecurityMonitoringRuleCaseAction
+		return ret
+	}
+	return o.Actions
+}
+
+// GetActionsOk returns a tuple with the Actions field value if set, nil otherwise
+// and a boolean to check if the value has been set.
+func (o *SecurityMonitoringRuleCase) GetActionsOk() (*[]SecurityMonitoringRuleCaseAction, bool) {
+	if o == nil || o.Actions == nil {
+		return nil, false
+	}
+	return &o.Actions, true
+}
+
+// HasActions returns a boolean if a field has been set.
+func (o *SecurityMonitoringRuleCase) HasActions() bool {
+	return o != nil && o.Actions != nil
+}
+
+// SetActions gets a reference to the given []SecurityMonitoringRuleCaseAction and assigns it to the Actions field.
+func (o *SecurityMonitoringRuleCase) SetActions(v []SecurityMonitoringRuleCaseAction) {
+	o.Actions = v
+}
+
 // GetCondition returns the Condition field value if set, zero value otherwise.
 func (o *SecurityMonitoringRuleCase) GetCondition() string {
 	if o == nil || o.Condition == nil {
@@ -159,6 +189,9 @@ func (o SecurityMonitoringRuleCase) MarshalJSON() ([]byte, error) {
 	if o.UnparsedObject != nil {
 		return datadog.Marshal(o.UnparsedObject)
 	}
+	if o.Actions != nil {
+		toSerialize["actions"] = o.Actions
+	}
 	if o.Condition != nil {
 		toSerialize["condition"] = o.Condition
 	}
@@ -181,22 +214,24 @@ func (o SecurityMonitoringRuleCase) MarshalJSON() ([]byte, error) {
 // UnmarshalJSON deserializes the given payload.
 func (o *SecurityMonitoringRuleCase) UnmarshalJSON(bytes []byte) (err error) {
 	all := struct {
-		Condition     *string                         `json:"condition,omitempty"`
-		Name          *string                         `json:"name,omitempty"`
-		Notifications []string                        `json:"notifications,omitempty"`
-		Status        *SecurityMonitoringRuleSeverity `json:"status,omitempty"`
+		Actions       []SecurityMonitoringRuleCaseAction `json:"actions,omitempty"`
+		Condition     *string                            `json:"condition,omitempty"`
+		Name          *string                            `json:"name,omitempty"`
+		Notifications []string                           `json:"notifications,omitempty"`
+		Status        *SecurityMonitoringRuleSeverity    `json:"status,omitempty"`
 	}{}
 	if err = datadog.Unmarshal(bytes, &all); err != nil {
 		return datadog.Unmarshal(bytes, &o.UnparsedObject)
 	}
 	additionalProperties := make(map[string]interface{})
 	if err = datadog.Unmarshal(bytes, &additionalProperties); err == nil {
-		datadog.DeleteKeys(additionalProperties, &[]string{"condition", "name", "notifications", "status"})
+		datadog.DeleteKeys(additionalProperties, &[]string{"actions", "condition", "name", "notifications", "status"})
 	} else {
 		return err
 	}
 
 	hasInvalidField := false
+	o.Actions = all.Actions
 	o.Condition = all.Condition
 	o.Name = all.Name
 	o.Notifications = all.Notifications