Security Monitoring - Support custom third party rules (#1470)

Co-authored-by: ci.datadog-api-spec <packages@datadoghq.com>
Co-authored-by: api-clients-generation-pipeline[bot] <54105614+api-clients-generation-pipeline[bot]@users.noreply.github.com>

Author: api-clients-generation-pipeline[bot]

.apigentools-info

@@ -4,13 +4,13 @@
     "spec_versions": {
         "v1": {
             "apigentools_version": "1.6.6",
-            "regenerated": "2024-01-03 19:28:29.514415",
-            "spec_repo_commit": "b2d74fec"
+            "regenerated": "2024-01-04 15:18:01.735783",
+            "spec_repo_commit": "e7cfa56f"
         },
         "v2": {
             "apigentools_version": "1.6.6",
-            "regenerated": "2024-01-03 19:28:29.530568",
-            "spec_repo_commit": "b2d74fec"
+            "regenerated": "2024-01-04 15:18:01.751959",
+            "spec_repo_commit": "e7cfa56f"
         }
     }
 }

.generator/schemas/v2/openapi.yaml

@@ -15616,6 +15616,8 @@ components:
           $ref: '#/components/schemas/SecurityMonitoringRuleMaxSignalDuration'
         newValueOptions:
           $ref: '#/components/schemas/SecurityMonitoringRuleNewValueOptions'
+        thirdPartyRuleOptions:
+          $ref: '#/components/schemas/SecurityMonitoringRuleThirdPartyOptions'
       type: object
     SecurityMonitoringRuleQuery:
       description: Query for matching rule.
@@ -15664,6 +15666,30 @@ components:
       - MEDIUM
       - HIGH
       - CRITICAL
+    SecurityMonitoringRuleThirdPartyOptions:
+      description: Options on third party rules.
+      properties:
+        defaultNotifications:
+          description: Notification targets for the logs that do not correspond to
+            any of the cases.
+          items:
+            description: Notification.
+            type: string
+          type: array
+        defaultStatus:
+          $ref: '#/components/schemas/SecurityMonitoringRuleSeverity'
+        rootQueries:
+          description: Queries to be combined with third party case queries. Each
+            of them can have different group by fields, to aggregate differently based
+            on the type of alert.
+          items:
+            $ref: '#/components/schemas/SecurityMonitoringThirdPartyRootQuery'
+          type: array
+        signalTitleTemplate:
+          description: A template for the signal title; if omitted, the title is generated
+            based on the case name.
+          type: string
+      type: object
     SecurityMonitoringRuleTypeCreate:
       description: The rule type.
       enum:
@@ -15733,6 +15759,13 @@ components:
             description: Tag.
             type: string
           type: array
+        thirdPartyCases:
+          description: Cases for generating signals from third party rules. Only available
+            for third party rules.
+          example: []
+          items:
+            $ref: '#/components/schemas/SecurityMonitoringThirdPartyRuleCase'
+          type: array
         version:
           description: The version of the rule being updated.
           example: 1
@@ -16362,6 +16395,13 @@ components:
             description: Tag.
             type: string
           type: array
+        thirdPartyCases:
+          description: Cases for generating signals from third party rules. Only available
+            for third party rules.
+          example: []
+          items:
+            $ref: '#/components/schemas/SecurityMonitoringThirdPartyRuleCaseCreate'
+          type: array
         type:
           $ref: '#/components/schemas/SecurityMonitoringRuleTypeCreate'
       required:
@@ -16483,6 +16523,13 @@ components:
             description: Tag.
             type: string
           type: array
+        thirdPartyCases:
+          description: Cases for generating signals from third party rules. Only available
+            for third party rules.
+          example: []
+          items:
+            $ref: '#/components/schemas/SecurityMonitoringThirdPartyRuleCase'
+          type: array
         type:
           $ref: '#/components/schemas/SecurityMonitoringRuleTypeRead'
         updateAuthorId:
@@ -16493,6 +16540,58 @@ components:
           description: The version of the rule.
           format: int64
           type: integer
+    SecurityMonitoringThirdPartyRootQuery:
+      description: A query to be combined with the third party case query.
+      properties:
+        groupByFields:
+          description: Fields to group by.
+          items:
+            description: Field.
+            type: string
+          type: array
+        query:
+          description: Query to run on logs.
+          example: source:cloudtrail
+          type: string
+      type: object
+    SecurityMonitoringThirdPartyRuleCase:
+      description: Case when signal is generated by a third party rule.
+      properties:
+        name:
+          description: Name of the case.
+          type: string
+        notifications:
+          description: Notification targets for each rule case.
+          items:
+            description: Notification.
+            type: string
+          type: array
+        query:
+          description: A query to map a third party event to this case.
+          type: string
+        status:
+          $ref: '#/components/schemas/SecurityMonitoringRuleSeverity'
+      type: object
+    SecurityMonitoringThirdPartyRuleCaseCreate:
+      description: Case when a signal is generated by a third party rule.
+      properties:
+        name:
+          description: Name of the case.
+          type: string
+        notifications:
+          description: Notification targets for each rule case.
+          items:
+            description: Notification.
+            type: string
+          type: array
+        query:
+          description: A query to map a third party event to this case.
+          type: string
+        status:
+          $ref: '#/components/schemas/SecurityMonitoringRuleSeverity'
+      required:
+      - status
+      type: object
     SecurityMonitoringTriageUser:
       description: Object representing a given user entity.
       properties:

cassettes/v2/Security-Monitoring_1187227211/Create-a-detection-rule-with-detection-method-third_party-returns-OK-response_1476655317/frozen.json

@@ -0,0 +1 @@
+"2024-01-03T15:07:54.290Z"

cassettes/v2/Security-Monitoring_1187227211/Create-a-detection-rule-with-detection-method-third_party-returns-OK-response_1476655317/recording.har

@@ -0,0 +1,104 @@
+{
+  "log": {
+    "_recordingName": "Security Monitoring/Create a detection rule with detection method 'third_party' returns \"OK\" response",
+    "creator": {
+      "comment": "persister:fs",
+      "name": "Polly.JS",
+      "version": "6.0.5"
+    },
+    "entries": [
+      {
+        "_id": "4a87db9d8ab6a6359a8738ed42c5f31b",
+        "_order": 0,
+        "cache": {},
+        "request": {
+          "bodySize": 613,
+          "cookies": [],
+          "headers": [
+            {
+              "_fromType": "array",
+              "name": "accept",
+              "value": "application/json"
+            },
+            {
+              "_fromType": "array",
+              "name": "content-type",
+              "value": "application/json"
+            }
+          ],
+          "headersSize": 588,
+          "httpVersion": "HTTP/1.1",
+          "method": "POST",
+          "postData": {
+            "mimeType": "application/json",
+            "params": [],
+            "text": "{\"cases\":[],\"isEnabled\":true,\"message\":\"This is a third party rule\",\"name\":\"Test-Create_a_detection_rule_with_detection_method_third_party_returns_OK_response-1704294474\",\"options\":{\"detectionMethod\":\"third_party\",\"keepAlive\":0,\"maxSignalDuration\":0,\"thirdPartyRuleOptions\":{\"defaultStatus\":\"info\",\"rootQueries\":[{\"groupByFields\":[\"instance-id\"],\"query\":\"source:guardduty @details.alertType:*EC2*\"},{\"groupByFields\":[],\"query\":\"source:guardduty\"}]}},\"queries\":[],\"thirdPartyCases\":[{\"name\":\"high\",\"query\":\"status:error\",\"status\":\"high\"},{\"name\":\"low\",\"query\":\"status:info\",\"status\":\"low\"}],\"type\":\"log_detection\"}"
+          },
+          "queryString": [],
+          "url": "https://api.datadoghq.com/api/v2/security_monitoring/rules"
+        },
+        "response": {
+          "bodySize": 1259,
+          "content": {
+            "mimeType": "application/json",
+            "size": 1259,
+            "text": "{\"id\":\"ut1-s7a-0kn\",\"version\":1,\"name\":\"Test-Create_a_detection_rule_with_detection_method_third_party_returns_OK_response-1704294474\",\"createdAt\":1704294474748,\"creationAuthorId\":1445416,\"isDefault\":false,\"isPartner\":false,\"isEnabled\":true,\"isDeleted\":false,\"isDeprecated\":false,\"queries\":[{\"query\":\"status:error\",\"groupByFields\":[],\"hasOptionalGroupByFields\":false,\"distinctFields\":[],\"aggregation\":\"none\",\"name\":\"\"},{\"query\":\"status:info\",\"groupByFields\":[],\"hasOptionalGroupByFields\":false,\"distinctFields\":[],\"aggregation\":\"none\",\"name\":\"\"}],\"options\":{\"keepAlive\":0,\"maxSignalDuration\":0,\"detectionMethod\":\"third_party\",\"evaluationWindow\":0,\"thirdPartyRuleOptions\":{\"defaultStatus\":\"info\",\"defaultNotifications\":[],\"rootQueries\":[{\"query\":\"source:guardduty @details.alertType:*EC2*\",\"groupByFields\":[\"instance-id\"]},{\"query\":\"source:guardduty\",\"groupByFields\":[]}]}},\"cases\":[{\"name\":\"high\",\"status\":\"high\",\"notifications\":[]},{\"name\":\"low\",\"status\":\"low\",\"notifications\":[]}],\"message\":\"This is a third party rule\",\"tags\":[],\"hasExtendedTitle\":false,\"type\":\"log_detection\",\"filters\":[],\"thirdPartyCases\":[{\"name\":\"high\",\"status\":\"high\",\"notifications\":[],\"query\":\"status:error\"},{\"name\":\"low\",\"status\":\"low\",\"notifications\":[],\"query\":\"status:info\"}]}\n"
+          },
+          "cookies": [],
+          "headers": [
+            {
+              "name": "content-type",
+              "value": "application/json"
+            }
+          ],
+          "headersSize": 655,
+          "httpVersion": "HTTP/1.1",
+          "redirectURL": "",
+          "status": 200,
+          "statusText": "OK"
+        },
+        "startedDateTime": "2024-01-03T15:07:54.294Z",
+        "time": 499
+      },
+      {
+        "_id": "59d5aaa9367664c73c237fc46c3e36cc",
+        "_order": 0,
+        "cache": {},
+        "request": {
+          "bodySize": 0,
+          "cookies": [],
+          "headers": [
+            {
+              "_fromType": "array",
+              "name": "accept",
+              "value": "*/*"
+            }
+          ],
+          "headersSize": 536,
+          "httpVersion": "HTTP/1.1",
+          "method": "DELETE",
+          "queryString": [],
+          "url": "https://api.datadoghq.com/api/v2/security_monitoring/rules/ut1-s7a-0kn"
+        },
+        "response": {
+          "bodySize": 0,
+          "content": {
+            "mimeType": "text/plain",
+            "size": 0
+          },
+          "cookies": [],
+          "headers": [],
+          "headersSize": 601,
+          "httpVersion": "HTTP/1.1",
+          "redirectURL": "",
+          "status": 204,
+          "statusText": "No Content"
+        },
+        "startedDateTime": "2024-01-03T15:07:54.802Z",
+        "time": 533
+      }
+    ],
+    "pages": [],
+    "version": "1.2"
+  }
+}

examples/v2/security-monitoring/CreateSecurityMonitoringRule_3367706049.ts

@@ -0,0 +1,58 @@
+/**
+ * Create a detection rule with detection method 'third_party' returns "OK" response
+ */
+
+import { client, v2 } from "@datadog/datadog-api-client";
+
+const configuration = client.createConfiguration();
+const apiInstance = new v2.SecurityMonitoringApi(configuration);
+
+const params: v2.SecurityMonitoringApiCreateSecurityMonitoringRuleRequest = {
+  body: {
+    name: "Example-Security-Monitoring",
+    type: "log_detection",
+    isEnabled: true,
+    thirdPartyCases: [
+      {
+        query: "status:error",
+        name: "high",
+        status: "high",
+      },
+      {
+        query: "status:info",
+        name: "low",
+        status: "low",
+      },
+    ],
+    queries: [],
+    cases: [],
+    message: "This is a third party rule",
+    options: {
+      detectionMethod: "third_party",
+      keepAlive: 0,
+      maxSignalDuration: 0,
+      thirdPartyRuleOptions: {
+        defaultStatus: "info",
+        rootQueries: [
+          {
+            query: "source:guardduty @details.alertType:*EC2*",
+            groupByFields: ["instance-id"],
+          },
+          {
+            query: "source:guardduty",
+            groupByFields: [],
+          },
+        ],
+      },
+    },
+  },
+};
+
+apiInstance
+  .createSecurityMonitoringRule(params)
+  .then((data: v2.SecurityMonitoringRuleResponse) => {
+    console.log(
+      "API called successfully. Returned data: " + JSON.stringify(data)
+    );
+  })
+  .catch((error: any) => console.error(error));

features/v2/security_monitoring.feature

@@ -83,6 +83,17 @@ Feature: Security Monitoring
     And the response "type" is equal to "log_detection"
     And the response "message" is equal to "Test rule"
 
+  @team:DataDog/k9-cloud-security-platform
+  Scenario: Create a detection rule with detection method 'third_party' returns "OK" response
+    Given new "CreateSecurityMonitoringRule" request
+    And body with value {"name":"{{ unique }}","type":"log_detection","isEnabled":true,"thirdPartyCases":[{"query":"status:error","name":"high","status":"high"},{"query":"status:info","name":"low","status":"low"}],"queries":[],"cases":[],"message":"This is a third party rule","options":{"detectionMethod":"third_party","keepAlive":0,"maxSignalDuration":0,"thirdPartyRuleOptions":{"defaultStatus":"info","rootQueries":[{"query":"source:guardduty @details.alertType:*EC2*", "groupByFields":["instance-id"]},{"query":"source:guardduty", "groupByFields":[]}]}}}
+    When the request is sent
+    Then the response status is 200 OK
+    And the response "name" is equal to "{{ unique }}"
+    And the response "type" is equal to "log_detection"
+    And the response "options.detectionMethod" is equal to "third_party"
+    And the response "thirdPartyCases[0].query" is equal to "status:error"
+
   @skip-validation @team:DataDog/k9-cloud-security-platform
   Scenario: Create a detection rule with type 'impossible_travel' returns "OK" response
     Given new "CreateSecurityMonitoringRule" request

packages/datadog-api-client-v2/index.ts

@@ -1443,6 +1443,7 @@ export { SecurityMonitoringRuleQuery } from "./models/SecurityMonitoringRuleQuer
 export { SecurityMonitoringRuleQueryAggregation } from "./models/SecurityMonitoringRuleQueryAggregation";
 export { SecurityMonitoringRuleResponse } from "./models/SecurityMonitoringRuleResponse";
 export { SecurityMonitoringRuleSeverity } from "./models/SecurityMonitoringRuleSeverity";
+export { SecurityMonitoringRuleThirdPartyOptions } from "./models/SecurityMonitoringRuleThirdPartyOptions";
 export { SecurityMonitoringRuleTypeCreate } from "./models/SecurityMonitoringRuleTypeCreate";
 export { SecurityMonitoringRuleTypeRead } from "./models/SecurityMonitoringRuleTypeRead";
 export { SecurityMonitoringRuleUpdatePayload } from "./models/SecurityMonitoringRuleUpdatePayload";
@@ -1481,6 +1482,9 @@ export { SecurityMonitoringSignalType } from "./models/SecurityMonitoringSignalT
 export { SecurityMonitoringStandardRuleCreatePayload } from "./models/SecurityMonitoringStandardRuleCreatePayload";
 export { SecurityMonitoringStandardRuleQuery } from "./models/SecurityMonitoringStandardRuleQuery";
 export { SecurityMonitoringStandardRuleResponse } from "./models/SecurityMonitoringStandardRuleResponse";
+export { SecurityMonitoringThirdPartyRootQuery } from "./models/SecurityMonitoringThirdPartyRootQuery";
+export { SecurityMonitoringThirdPartyRuleCase } from "./models/SecurityMonitoringThirdPartyRuleCase";
+export { SecurityMonitoringThirdPartyRuleCaseCreate } from "./models/SecurityMonitoringThirdPartyRuleCaseCreate";
 export { SecurityMonitoringTriageUser } from "./models/SecurityMonitoringTriageUser";
 export { SensitiveDataScannerConfigRequest } from "./models/SensitiveDataScannerConfigRequest";
 export { SensitiveDataScannerConfiguration } from "./models/SensitiveDataScannerConfiguration";

packages/datadog-api-client-v2/models/ObjectSerializer.ts

@@ -760,6 +760,7 @@ import { SecurityMonitoringRuleCaseCreate } from "./SecurityMonitoringRuleCaseCr
 import { SecurityMonitoringRuleImpossibleTravelOptions } from "./SecurityMonitoringRuleImpossibleTravelOptions";
 import { SecurityMonitoringRuleNewValueOptions } from "./SecurityMonitoringRuleNewValueOptions";
 import { SecurityMonitoringRuleOptions } from "./SecurityMonitoringRuleOptions";
+import { SecurityMonitoringRuleThirdPartyOptions } from "./SecurityMonitoringRuleThirdPartyOptions";
 import { SecurityMonitoringRuleUpdatePayload } from "./SecurityMonitoringRuleUpdatePayload";
 import { SecurityMonitoringSignal } from "./SecurityMonitoringSignal";
 import { SecurityMonitoringSignalAssigneeUpdateAttributes } from "./SecurityMonitoringSignalAssigneeUpdateAttributes";
@@ -790,6 +791,9 @@ import { SecurityMonitoringSignalsListResponseMetaPage } from "./SecurityMonitor
 import { SecurityMonitoringStandardRuleCreatePayload } from "./SecurityMonitoringStandardRuleCreatePayload";
 import { SecurityMonitoringStandardRuleQuery } from "./SecurityMonitoringStandardRuleQuery";
 import { SecurityMonitoringStandardRuleResponse } from "./SecurityMonitoringStandardRuleResponse";
+import { SecurityMonitoringThirdPartyRootQuery } from "./SecurityMonitoringThirdPartyRootQuery";
+import { SecurityMonitoringThirdPartyRuleCase } from "./SecurityMonitoringThirdPartyRuleCase";
+import { SecurityMonitoringThirdPartyRuleCaseCreate } from "./SecurityMonitoringThirdPartyRuleCaseCreate";
 import { SecurityMonitoringTriageUser } from "./SecurityMonitoringTriageUser";
 import { SensitiveDataScannerConfigRequest } from "./SensitiveDataScannerConfigRequest";
 import { SensitiveDataScannerConfiguration } from "./SensitiveDataScannerConfiguration";
@@ -2384,6 +2388,8 @@ const typeMap: { [index: string]: any } = {
     SecurityMonitoringRuleImpossibleTravelOptions,
   SecurityMonitoringRuleNewValueOptions: SecurityMonitoringRuleNewValueOptions,
   SecurityMonitoringRuleOptions: SecurityMonitoringRuleOptions,
+  SecurityMonitoringRuleThirdPartyOptions:
+    SecurityMonitoringRuleThirdPartyOptions,
   SecurityMonitoringRuleUpdatePayload: SecurityMonitoringRuleUpdatePayload,
   SecurityMonitoringSignal: SecurityMonitoringSignal,
   SecurityMonitoringSignalAssigneeUpdateAttributes:
@@ -2435,6 +2441,10 @@ const typeMap: { [index: string]: any } = {
   SecurityMonitoringStandardRuleQuery: SecurityMonitoringStandardRuleQuery,
   SecurityMonitoringStandardRuleResponse:
     SecurityMonitoringStandardRuleResponse,
+  SecurityMonitoringThirdPartyRootQuery: SecurityMonitoringThirdPartyRootQuery,
+  SecurityMonitoringThirdPartyRuleCase: SecurityMonitoringThirdPartyRuleCase,
+  SecurityMonitoringThirdPartyRuleCaseCreate:
+    SecurityMonitoringThirdPartyRuleCaseCreate,
   SecurityMonitoringTriageUser: SecurityMonitoringTriageUser,
   SensitiveDataScannerConfigRequest: SensitiveDataScannerConfigRequest,
   SensitiveDataScannerConfiguration: SensitiveDataScannerConfiguration,