Add user behavior case actions in API spec (#2146)

Co-authored-by: ci.datadog-api-spec <packages@datadoghq.com>

Author: api-clients-generation-pipeline[bot]

.apigentools-info

@@ -4,13 +4,13 @@
     "spec_versions": {
         "v1": {
             "apigentools_version": "1.6.6",
-            "regenerated": "2025-04-10 11:41:52.470601",
-            "spec_repo_commit": "7f98e0a9"
+            "regenerated": "2025-04-10 18:01:23.455805",
+            "spec_repo_commit": "c0a45137"
         },
         "v2": {
             "apigentools_version": "1.6.6",
-            "regenerated": "2025-04-10 11:41:52.486222",
-            "spec_repo_commit": "7f98e0a9"
+            "regenerated": "2025-04-10 18:01:23.473008",
+            "spec_repo_commit": "c0a45137"
         }
     }
 }

.generator/schemas/v2/openapi.yaml

@@ -27215,6 +27215,7 @@ components:
           $ref: '#/components/schemas/SecurityMonitoringRuleCaseActionType'
       type: object
     SecurityMonitoringRuleCaseActionOptions:
+      additionalProperties: {}
       description: Options for the rule action
       properties:
         duration:
@@ -27223,16 +27224,24 @@ components:
           format: int64
           minimum: 0
           type: integer
+        userBehaviorName:
+          $ref: '#/components/schemas/SecurityMonitoringRuleCaseActionOptionsUserBehaviorName'
       type: object
+    SecurityMonitoringRuleCaseActionOptionsUserBehaviorName:
+      description: Used with the case action of type 'user_behavior'. The value specified
+        in this field is applied as a risk tag to all users affected by the rule.
+      type: string
     SecurityMonitoringRuleCaseActionType:
       description: The action type.
       enum:
       - block_ip
       - block_user
+      - user_behavior
       type: string
       x-enum-varnames:
       - BLOCK_IP
       - BLOCK_USER
+      - USER_BEHAVIOR
     SecurityMonitoringRuleCaseCreate:
       description: Case when signal is generated.
       properties:

cassettes/v2/Security-Monitoring_1187227211/Create-a-detection-rule-with-type-application_security-returns-OK-response_4179263030/frozen.json

@@ -1 +1 @@
-"2025-02-06T16:50:39.787Z"
+"2025-04-09T15:02:05.047Z"

cassettes/v2/Security-Monitoring_1187227211/Create-a-detection-rule-with-type-application_security-returns-OK-response_4179263030/recording.har

@@ -8,11 +8,11 @@
     },
     "entries": [
       {
-        "_id": "e25ba2dd2cd854ae985a97cf9b520975",
+        "_id": "2f689fb3a0a54f45bf3637e6331a9f25",
         "_order": 0,
         "cache": {},
         "request": {
-          "bodySize": 656,
+          "bodySize": 723,
           "cookies": [],
           "headers": [
             {
@@ -32,17 +32,17 @@
           "postData": {
             "mimeType": "application/json",
             "params": [],
-            "text": "{\"cases\":[{\"actions\":[{\"options\":{\"duration\":900},\"type\":\"block_ip\"}],\"condition\":\"a > 100000\",\"name\":\"\",\"notifications\":[],\"status\":\"info\"}],\"filters\":[],\"groupSignalsBy\":[\"service\"],\"isEnabled\":true,\"message\":\"Test rule\",\"name\":\"Test-Create_a_detection_rule_with_type_application_security_returns_OK_response-1738860639_appsec_rule\",\"options\":{\"detectionMethod\":\"threshold\",\"evaluationWindow\":900,\"keepAlive\":3600,\"maxSignalDuration\":86400},\"queries\":[{\"aggregation\":\"count\",\"distinctFields\":[],\"groupByFields\":[\"service\",\"@http.client_ip\"],\"query\":\"@appsec.security_activity:business_logic.users.login.failure\"}],\"tags\":[],\"type\":\"application_security\"}"
+            "text": "{\"cases\":[{\"actions\":[{\"options\":{\"duration\":900},\"type\":\"block_ip\"},{\"options\":{\"userBehaviorName\":\"behavior\"},\"type\":\"user_behavior\"}],\"condition\":\"a > 100000\",\"name\":\"\",\"notifications\":[],\"status\":\"info\"}],\"filters\":[],\"groupSignalsBy\":[\"service\"],\"isEnabled\":true,\"message\":\"Test rule\",\"name\":\"Test-Create_a_detection_rule_with_type_application_security_returns_OK_response-1744210925_appsec_rule\",\"options\":{\"detectionMethod\":\"threshold\",\"evaluationWindow\":900,\"keepAlive\":3600,\"maxSignalDuration\":86400},\"queries\":[{\"aggregation\":\"count\",\"distinctFields\":[],\"groupByFields\":[\"service\",\"@http.client_ip\"],\"query\":\"@appsec.security_activity:business_logic.users.login.failure\"}],\"tags\":[],\"type\":\"application_security\"}"
           },
           "queryString": [],
           "url": "https://api.datadoghq.com/api/v2/security_monitoring/rules"
         },
         "response": {
-          "bodySize": 1153,
+          "bodySize": 1227,
           "content": {
             "mimeType": "application/json",
-            "size": 1153,
-            "text": "{\"name\":\"Test-Create_a_detection_rule_with_type_application_security_returns_OK_response-1738860639_appsec_rule\",\"createdAt\":1738860640426,\"isDefault\":false,\"isPartner\":false,\"isEnabled\":true,\"isBeta\":false,\"isDeleted\":false,\"isDeprecated\":false,\"queries\":[{\"query\":\"@appsec.security_activity:business_logic.users.login.failure\",\"groupByFields\":[\"service\",\"@http.client_ip\"],\"hasOptionalGroupByFields\":false,\"distinctFields\":[],\"aggregation\":\"count\",\"name\":\"\",\"dataSource\":\"app_sec_spans\"}],\"options\":{\"evaluationWindow\":900,\"detectionMethod\":\"threshold\",\"maxSignalDuration\":86400,\"keepAlive\":3600},\"cases\":[{\"name\":\"\",\"status\":\"info\",\"notifications\":[],\"condition\":\"a \\u003e 100000\",\"actions\":[{\"type\":\"block_ip\",\"options\":{\"duration\":900}}]}],\"message\":\"Test rule\",\"tags\":[],\"hasExtendedTitle\":false,\"type\":\"application_security\",\"filters\":[],\"version\":1,\"id\":\"rfn-h2v-udr\",\"blocking\":true,\"groupSignalsBy\":[\"service\"],\"casesActions\":[[{\"type\":\"block_ip\",\"options\":{\"duration\":900}}]],\"dependencies\":[\"business_logic.users.login.failure\"],\"metadata\":{\"entities\":null,\"sources\":null},\"creator\":{\"handle\":\"\",\"name\":\"\"},\"updater\":{\"handle\":\"\",\"name\":\"\"}}"
+            "size": 1227,
+            "text": "{\"name\":\"Test-Create_a_detection_rule_with_type_application_security_returns_OK_response-1744210925_appsec_rule\",\"createdAt\":1744210925675,\"isDefault\":false,\"isPartner\":false,\"isEnabled\":true,\"isBeta\":false,\"isDeleted\":false,\"isDeprecated\":false,\"queries\":[{\"query\":\"@appsec.security_activity:business_logic.users.login.failure\",\"groupByFields\":[\"service\",\"@http.client_ip\"],\"hasOptionalGroupByFields\":false,\"distinctFields\":[],\"aggregation\":\"count\",\"name\":\"\",\"dataSource\":\"app_sec_spans\"}],\"options\":{\"evaluationWindow\":900,\"detectionMethod\":\"threshold\",\"maxSignalDuration\":86400,\"keepAlive\":3600},\"cases\":[{\"name\":\"\",\"status\":\"info\",\"notifications\":[],\"condition\":\"a \\u003e 100000\",\"actions\":[{\"type\":\"block_ip\",\"options\":{\"duration\":900}},{\"type\":\"user_behavior\",\"options\":{\"userBehaviorName\":\"behavior\"}}]}],\"message\":\"Test rule\",\"tags\":[],\"hasExtendedTitle\":false,\"type\":\"application_security\",\"filters\":[],\"version\":1,\"id\":\"lfr-zxg-fyc\",\"blocking\":true,\"groupSignalsBy\":[\"service\"],\"dependencies\":[\"business_logic.users.login.failure\"],\"metadata\":{\"entities\":null,\"sources\":null},\"creationAuthorId\":2320499,\"creator\":{\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"name\":\"CI Account\"},\"updater\":{\"handle\":\"\",\"name\":\"\"}}"
           },
           "cookies": [],
           "headers": [
@@ -51,17 +51,17 @@
               "value": "application/json"
             }
           ],
-          "headersSize": 656,
+          "headersSize": 655,
           "httpVersion": "HTTP/1.1",
           "redirectURL": "",
           "status": 200,
           "statusText": "OK"
         },
-        "startedDateTime": "2025-02-06T16:50:40.180Z",
-        "time": 287
+        "startedDateTime": "2025-04-09T15:02:05.465Z",
+        "time": 259
       },
       {
-        "_id": "d0c7ee9e7178f2b7bb6ab84e899effed",
+        "_id": "a32045c85c74ebb299fe6584f15ea321",
         "_order": 0,
         "cache": {},
         "request": {
@@ -78,30 +78,24 @@
           "httpVersion": "HTTP/1.1",
           "method": "DELETE",
           "queryString": [],
-          "url": "https://api.datadoghq.com/api/v2/security_monitoring/rules/rfn-h2v-udr"
+          "url": "https://api.datadoghq.com/api/v2/security_monitoring/rules/lfr-zxg-fyc"
         },
         "response": {
-          "bodySize": 36,
+          "bodySize": 0,
           "content": {
-            "mimeType": "application/json",
-            "size": 36,
-            "text": "{\"status\":\"404\",\"title\":\"Not Found\"}"
+            "mimeType": "text/plain",
+            "size": 0
           },
           "cookies": [],
-          "headers": [
-            {
-              "name": "content-type",
-              "value": "application/json"
-            }
-          ],
-          "headersSize": 654,
+          "headers": [],
+          "headersSize": 601,
           "httpVersion": "HTTP/1.1",
           "redirectURL": "",
-          "status": 404,
-          "statusText": "Not Found"
+          "status": 204,
+          "statusText": "No Content"
         },
-        "startedDateTime": "2025-02-06T16:50:40.475Z",
-        "time": 127
+        "startedDateTime": "2025-04-09T15:02:05.734Z",
+        "time": 194
       }
     ],
     "pages": [],

examples/v2/security-monitoring/CreateSecurityMonitoringRule_1965169892.ts

@@ -33,6 +33,12 @@ const params: v2.SecurityMonitoringApiCreateSecurityMonitoringRuleRequest = {
               duration: 900,
             },
           },
+          {
+            type: "user_behavior",
+            options: {
+              userBehaviorName: "behavior",
+            },
+          },
         ],
       },
     ],

features/v2/security_monitoring.feature

@@ -203,7 +203,7 @@ Feature: Security Monitoring
   @skip-validation @team:DataDog/k9-cloud-security-platform
   Scenario: Create a detection rule with type 'application_security 'returns "OK" response
     Given new "CreateSecurityMonitoringRule" request
-    And body with value {"type":"application_security","name":"{{unique}}_appsec_rule","queries":[{"query":"@appsec.security_activity:business_logic.users.login.failure","aggregation":"count","groupByFields":["service","@http.client_ip"],"distinctFields":[]}],"filters":[],"cases":[{"name":"","status":"info","notifications":[],"condition":"a > 100000","actions":[{"type":"block_ip","options":{"duration":900}}]}],"options":{"keepAlive":3600,"maxSignalDuration":86400,"evaluationWindow":900,"detectionMethod":"threshold"},"isEnabled":true,"message":"Test rule","tags":[],"groupSignalsBy":["service"]}
+    And body with value {"type":"application_security","name":"{{unique}}_appsec_rule","queries":[{"query":"@appsec.security_activity:business_logic.users.login.failure","aggregation":"count","groupByFields":["service","@http.client_ip"],"distinctFields":[]}],"filters":[],"cases":[{"name":"","status":"info","notifications":[],"condition":"a > 100000","actions":[{"type":"block_ip","options":{"duration":900}}, {"type":"user_behavior","options":{"userBehaviorName":"behavior"}}]}],"options":{"keepAlive":3600,"maxSignalDuration":86400,"evaluationWindow":900,"detectionMethod":"threshold"},"isEnabled":true,"message":"Test rule","tags":[],"groupSignalsBy":["service"]}
     When the request is sent
     Then the response status is 200 OK
     And the response "name" is equal to "{{ unique }}_appsec_rule"

packages/datadog-api-client-v2/models/ObjectSerializer.ts

@@ -2361,7 +2361,11 @@ const enumsMap: { [key: string]: any[] } = {
   SecurityFilterFilteredDataType: ["logs"],
   SecurityFilterType: ["security_filters"],
   SecurityMonitoringFilterAction: ["require", "suppress"],
-  SecurityMonitoringRuleCaseActionType: ["block_ip", "block_user"],
+  SecurityMonitoringRuleCaseActionType: [
+    "block_ip",
+    "block_user",
+    "user_behavior",
+  ],
   SecurityMonitoringRuleDetectionMethod: [
     "threshold",
     "new_value",

packages/datadog-api-client-v2/models/SecurityMonitoringRuleCaseActionOptions.ts

@@ -14,6 +14,10 @@ export class SecurityMonitoringRuleCaseActionOptions {
    * Duration of the action in seconds. 0 indicates no expiration.
    */
   "duration"?: number;
+  /**
+   * Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.
+   */
+  "userBehaviorName"?: string;
 
   /**
    * A container for additional, undeclared properties.
@@ -36,6 +40,10 @@ export class SecurityMonitoringRuleCaseActionOptions {
       type: "number",
       format: "int64",
     },
+    userBehaviorName: {
+      baseName: "userBehaviorName",
+      type: "string",
+    },
     additionalProperties: {
       baseName: "additionalProperties",
       type: "any",

packages/datadog-api-client-v2/models/SecurityMonitoringRuleCaseActionType.ts

@@ -13,6 +13,8 @@ import { UnparsedObject } from "../../datadog-api-client-common/util";
 export type SecurityMonitoringRuleCaseActionType =
   | typeof BLOCK_IP
   | typeof BLOCK_USER
+  | typeof USER_BEHAVIOR
   | UnparsedObject;
 export const BLOCK_IP = "block_ip";
 export const BLOCK_USER = "block_user";
+export const USER_BEHAVIOR = "user_behavior";