Add referenceTables field to security monitoring endpoints

.apigentools-info

@@ -4,13 +4,13 @@
     "spec_versions": {
         "v1": {
             "apigentools_version": "1.6.6",
-            "regenerated": "2024-09-30 14:37:34.279249",
-            "spec_repo_commit": "60bc9127"
+            "regenerated": "2024-09-30 19:44:33.843136",
+            "spec_repo_commit": "909e369c"
         },
         "v2": {
             "apigentools_version": "1.6.6",
-            "regenerated": "2024-09-30 14:37:34.293454",
-            "spec_repo_commit": "60bc9127"
+            "regenerated": "2024-09-30 19:44:33.857386",
+            "spec_repo_commit": "909e369c"
         }
     }
 }

.generator/schemas/v2/openapi.yaml

@@ -19089,6 +19089,25 @@ components:
         meta:
           $ref: '#/components/schemas/ResponseMetaAttributes'
       type: object
+    SecurityMonitoringReferenceTable:
+      description: Reference table for the rule.
+      properties:
+        checkPresence:
+          description: Whether to include or exclude the matched values.
+          type: boolean
+        columnName:
+          description: The name of the column in the reference table.
+          type: string
+        logFieldPath:
+          description: The field in the log to match against the reference table.
+          type: string
+        ruleQueryName:
+          description: The name of the rule query to apply the reference table to.
+          type: string
+        tableName:
+          description: The name of the reference table.
+          type: string
+      type: object
     SecurityMonitoringRuleCase:
       description: Case when signal is generated.
       properties:
@@ -19594,6 +19613,11 @@ components:
           items:
             $ref: '#/components/schemas/SecurityMonitoringRuleQuery'
           type: array
+        referenceTables:
+          description: Reference tables for the rule.
+          items:
+            $ref: '#/components/schemas/SecurityMonitoringReferenceTable'
+          type: array
         tags:
           description: Tags for generated signals.
           items:
@@ -20298,6 +20322,11 @@ components:
           items:
             $ref: '#/components/schemas/SecurityMonitoringStandardRuleQuery'
           type: array
+        referenceTables:
+          description: Reference tables for the rule.
+          items:
+            $ref: '#/components/schemas/SecurityMonitoringReferenceTable'
+          type: array
         tags:
           description: Tags for generated signals.
           example:
@@ -20365,6 +20394,11 @@ components:
           items:
             $ref: '#/components/schemas/SecurityMonitoringStandardRuleQuery'
           type: array
+        referenceTables:
+          description: Reference tables for the rule.
+          items:
+            $ref: '#/components/schemas/SecurityMonitoringReferenceTable'
+          type: array
         tags:
           description: Tags for generated signals.
           example:
@@ -20505,6 +20539,11 @@ components:
           items:
             $ref: '#/components/schemas/SecurityMonitoringStandardRuleQuery'
           type: array
+        referenceTables:
+          description: Reference tables for the rule.
+          items:
+            $ref: '#/components/schemas/SecurityMonitoringReferenceTable'
+          type: array
         tags:
           description: Tags for generated signals.
           items:
@@ -20569,6 +20608,11 @@ components:
           items:
             $ref: '#/components/schemas/SecurityMonitoringStandardRuleQuery'
           type: array
+        referenceTables:
+          description: Reference tables for the rule.
+          items:
+            $ref: '#/components/schemas/SecurityMonitoringReferenceTable'
+          type: array
         tags:
           description: Tags for generated signals.
           example:

cassettes/v2/Security-Monitoring_1187227211/Create-a-detection-rule-returns-OK-response_1993092739/frozen.json

@@ -1 +1 @@
-"2024-05-10T16:34:28.650Z"
+"2024-09-11T18:14:46.491Z"

cassettes/v2/Security-Monitoring_1187227211/Create-a-detection-rule-returns-OK-response_1993092739/recording.har

@@ -8,11 +8,11 @@
     },
     "entries": [
       {
-        "_id": "8974582a809bb984668170c6d78aa628",
+        "_id": "f8352665e30f024490260f076be3c3ad",
         "_order": 0,
         "cache": {},
         "request": {
-          "bodySize": 418,
+          "bodySize": 585,
           "cookies": [],
           "headers": [
             {
@@ -32,17 +32,17 @@
           "postData": {
             "mimeType": "application/json",
             "params": [],
-            "text": "{\"cases\":[{\"condition\":\"a > 0\",\"name\":\"\",\"notifications\":[],\"status\":\"info\"}],\"filters\":[],\"isEnabled\":true,\"message\":\"Test rule\",\"name\":\"Test-Create_a_detection_rule_returns_OK_response-1715358868\",\"options\":{\"evaluationWindow\":900,\"keepAlive\":3600,\"maxSignalDuration\":86400},\"queries\":[{\"aggregation\":\"count\",\"distinctFields\":[],\"groupByFields\":[],\"metric\":\"\",\"query\":\"@test:true\"}],\"tags\":[],\"type\":\"log_detection\"}"
+            "text": "{\"cases\":[{\"condition\":\"a > 0\",\"name\":\"\",\"notifications\":[],\"status\":\"info\"}],\"filters\":[],\"isEnabled\":true,\"message\":\"Test rule\",\"name\":\"Test-Create_a_detection_rule_returns_OK_response-1726078486\",\"options\":{\"evaluationWindow\":900,\"keepAlive\":3600,\"maxSignalDuration\":86400},\"queries\":[{\"aggregation\":\"count\",\"distinctFields\":[],\"groupByFields\":[],\"metric\":\"\",\"query\":\"@test:true\"}],\"referenceTables\":[{\"checkPresence\":true,\"columnName\":\"value\",\"logFieldPath\":\"testtag\",\"ruleQueryName\":\"a\",\"tableName\":\"synthetics_test_reference_table_dont_delete\"}],\"tags\":[],\"type\":\"log_detection\"}"
           },
           "queryString": [],
           "url": "https://api.datadoghq.com/api/v2/security_monitoring/rules"
         },
         "response": {
-          "bodySize": 664,
+          "bodySize": 846,
           "content": {
             "mimeType": "application/json",
-            "size": 664,
-            "text": "{\"id\":\"oka-fqr-yqa\",\"version\":1,\"name\":\"Test-Create_a_detection_rule_returns_OK_response-1715358868\",\"createdAt\":1715358869030,\"creationAuthorId\":1445416,\"isDefault\":false,\"isPartner\":false,\"isEnabled\":true,\"isDeleted\":false,\"isDeprecated\":false,\"queries\":[{\"query\":\"@test:true\",\"groupByFields\":[],\"hasOptionalGroupByFields\":false,\"distinctFields\":[],\"aggregation\":\"count\",\"name\":\"\"}],\"options\":{\"keepAlive\":3600,\"maxSignalDuration\":86400,\"detectionMethod\":\"threshold\",\"evaluationWindow\":900},\"cases\":[{\"name\":\"\",\"status\":\"info\",\"notifications\":[],\"condition\":\"a > 0\"}],\"message\":\"Test rule\",\"tags\":[],\"hasExtendedTitle\":false,\"type\":\"log_detection\",\"filters\":[]}\n"
+            "size": 846,
+            "text": "{\"id\":\"5br-mto-gse\",\"version\":1,\"name\":\"Test-Create_a_detection_rule_returns_OK_response-1726078486\",\"createdAt\":1726078486689,\"creationAuthorId\":1445416,\"isDefault\":false,\"isPartner\":false,\"isEnabled\":true,\"isBeta\":false,\"isDeleted\":false,\"isDeprecated\":false,\"queries\":[{\"query\":\"@test:true\",\"groupByFields\":[],\"hasOptionalGroupByFields\":false,\"distinctFields\":[],\"aggregation\":\"count\",\"name\":\"\"}],\"options\":{\"keepAlive\":3600,\"maxSignalDuration\":86400,\"detectionMethod\":\"threshold\",\"evaluationWindow\":900},\"cases\":[{\"name\":\"\",\"status\":\"info\",\"notifications\":[],\"condition\":\"a > 0\"}],\"message\":\"Test rule\",\"tags\":[],\"hasExtendedTitle\":false,\"type\":\"log_detection\",\"filters\":[],\"referenceTables\":[{\"tableName\":\"synthetics_test_reference_table_dont_delete\",\"columnName\":\"value\",\"logFieldPath\":\"testtag\",\"checkPresence\":true,\"ruleQueryName\":\"a\"}]}\n"
           },
           "cookies": [],
           "headers": [
@@ -57,11 +57,11 @@
           "status": 200,
           "statusText": "OK"
         },
-        "startedDateTime": "2024-05-10T16:34:28.654Z",
-        "time": 436
+        "startedDateTime": "2024-09-11T18:14:46.492Z",
+        "time": 212
       },
       {
-        "_id": "d3f9139844fe094a07db3845650a283b",
+        "_id": "6f7f32a6451f8497327978c8caa8ef34",
         "_order": 0,
         "cache": {},
         "request": {
@@ -78,7 +78,7 @@
           "httpVersion": "HTTP/1.1",
           "method": "DELETE",
           "queryString": [],
-          "url": "https://api.datadoghq.com/api/v2/security_monitoring/rules/oka-fqr-yqa"
+          "url": "https://api.datadoghq.com/api/v2/security_monitoring/rules/5br-mto-gse"
         },
         "response": {
           "bodySize": 0,
@@ -94,8 +94,8 @@
           "status": 204,
           "statusText": "No Content"
         },
-        "startedDateTime": "2024-05-10T16:34:29.099Z",
-        "time": 374
+        "startedDateTime": "2024-09-11T18:14:46.710Z",
+        "time": 153
       }
     ],
     "pages": [],

examples/v2/security-monitoring/CreateSecurityMonitoringRule.ts

@@ -37,6 +37,15 @@ const params: v2.SecurityMonitoringApiCreateSecurityMonitoringRuleRequest = {
     tags: [],
     isEnabled: true,
     type: "log_detection",
+    referenceTables: [
+      {
+        tableName: "synthetics_test_reference_table_dont_delete",
+        columnName: "value",
+        logFieldPath: "testtag",
+        checkPresence: true,
+        ruleQueryName: "a",
+      },
+    ],
   },
 };
 

features/v2/security_monitoring.feature

@@ -123,12 +123,13 @@ Feature: Security Monitoring
   @skip-validation @team:DataDog/k9-cloud-security-platform
   Scenario: Create a detection rule returns "OK" response
     Given new "CreateSecurityMonitoringRule" request
-    And body with value {"name":"{{ unique }}", "queries":[{"query":"@test:true","aggregation":"count","groupByFields":[],"distinctFields":[],"metric":""}],"filters":[],"cases":[{"name":"","status":"info","condition":"a > 0","notifications":[]}],"options":{"evaluationWindow":900,"keepAlive":3600,"maxSignalDuration":86400},"message":"Test rule","tags":[],"isEnabled":true, "type":"log_detection"}
+    And body with value {"name":"{{ unique }}", "queries":[{"query":"@test:true","aggregation":"count","groupByFields":[],"distinctFields":[],"metric":""}],"filters":[],"cases":[{"name":"","status":"info","condition":"a > 0","notifications":[]}],"options":{"evaluationWindow":900,"keepAlive":3600,"maxSignalDuration":86400},"message":"Test rule","tags":[],"isEnabled":true, "type":"log_detection", "referenceTables":[{"tableName": "synthetics_test_reference_table_dont_delete", "columnName": "value", "logFieldPath":"testtag", "checkPresence":true, "ruleQueryName":"a"}]}
     When the request is sent
     Then the response status is 200 OK
     And the response "name" is equal to "{{ unique }}"
     And the response "type" is equal to "log_detection"
     And the response "message" is equal to "Test rule"
+    And the response "referenceTables" is equal to [{"tableName": "synthetics_test_reference_table_dont_delete", "columnName": "value", "logFieldPath":"testtag", "checkPresence":true, "ruleQueryName":"a"}]
 
   @team:DataDog/k9-cloud-security-platform
   Scenario: Create a detection rule with detection method 'third_party' returns "OK" response

packages/datadog-api-client-v2/index.ts

@@ -1732,6 +1732,7 @@ export { SecurityFilterUpdateRequest } from "./models/SecurityFilterUpdateReques
 export { SecurityMonitoringFilter } from "./models/SecurityMonitoringFilter";
 export { SecurityMonitoringFilterAction } from "./models/SecurityMonitoringFilterAction";
 export { SecurityMonitoringListRulesResponse } from "./models/SecurityMonitoringListRulesResponse";
+export { SecurityMonitoringReferenceTable } from "./models/SecurityMonitoringReferenceTable";
 export { SecurityMonitoringRuleCase } from "./models/SecurityMonitoringRuleCase";
 export { SecurityMonitoringRuleCaseCreate } from "./models/SecurityMonitoringRuleCaseCreate";
 export { SecurityMonitoringRuleConvertPayload } from "./models/SecurityMonitoringRuleConvertPayload";

packages/datadog-api-client-v2/models/ObjectSerializer.ts

@@ -940,6 +940,7 @@ import { SecurityFilterUpdateRequest } from "./SecurityFilterUpdateRequest";
 import { SecurityFiltersResponse } from "./SecurityFiltersResponse";
 import { SecurityMonitoringFilter } from "./SecurityMonitoringFilter";
 import { SecurityMonitoringListRulesResponse } from "./SecurityMonitoringListRulesResponse";
+import { SecurityMonitoringReferenceTable } from "./SecurityMonitoringReferenceTable";
 import { SecurityMonitoringRuleCase } from "./SecurityMonitoringRuleCase";
 import { SecurityMonitoringRuleCaseCreate } from "./SecurityMonitoringRuleCaseCreate";
 import { SecurityMonitoringRuleConvertResponse } from "./SecurityMonitoringRuleConvertResponse";
@@ -2890,6 +2891,7 @@ const typeMap: { [index: string]: any } = {
   SecurityFiltersResponse: SecurityFiltersResponse,
   SecurityMonitoringFilter: SecurityMonitoringFilter,
   SecurityMonitoringListRulesResponse: SecurityMonitoringListRulesResponse,
+  SecurityMonitoringReferenceTable: SecurityMonitoringReferenceTable,
   SecurityMonitoringRuleCase: SecurityMonitoringRuleCase,
   SecurityMonitoringRuleCaseCreate: SecurityMonitoringRuleCaseCreate,
   SecurityMonitoringRuleConvertResponse: SecurityMonitoringRuleConvertResponse,

packages/datadog-api-client-v2/models/SecurityMonitoringReferenceTable.ts

@@ -0,0 +1,84 @@
+/**
+ * Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License.
+ * This product includes software developed at Datadog (https://www.datadoghq.com/).
+ * Copyright 2020-Present Datadog, Inc.
+ */
+
+import { AttributeTypeMap } from "../../datadog-api-client-common/util";
+
+/**
+ * Reference table for the rule.
+ */
+export class SecurityMonitoringReferenceTable {
+  /**
+   * Whether to include or exclude the matched values.
+   */
+  "checkPresence"?: boolean;
+  /**
+   * The name of the column in the reference table.
+   */
+  "columnName"?: string;
+  /**
+   * The field in the log to match against the reference table.
+   */
+  "logFieldPath"?: string;
+  /**
+   * The name of the rule query to apply the reference table to.
+   */
+  "ruleQueryName"?: string;
+  /**
+   * The name of the reference table.
+   */
+  "tableName"?: string;
+
+  /**
+   * A container for additional, undeclared properties.
+   * This is a holder for any undeclared properties as specified with
+   * the 'additionalProperties' keyword in the OAS document.
+   */
+  "additionalProperties"?: { [key: string]: any };
+
+  /**
+   * @ignore
+   */
+  "_unparsed"?: boolean;
+
+  /**
+   * @ignore
+   */
+  static readonly attributeTypeMap: AttributeTypeMap = {
+    checkPresence: {
+      baseName: "checkPresence",
+      type: "boolean",
+    },
+    columnName: {
+      baseName: "columnName",
+      type: "string",
+    },
+    logFieldPath: {
+      baseName: "logFieldPath",
+      type: "string",
+    },
+    ruleQueryName: {
+      baseName: "ruleQueryName",
+      type: "string",
+    },
+    tableName: {
+      baseName: "tableName",
+      type: "string",
+    },
+    additionalProperties: {
+      baseName: "additionalProperties",
+      type: "any",
+    },
+  };
+
+  /**
+   * @ignore
+   */
+  static getAttributeTypeMap(): AttributeTypeMap {
+    return SecurityMonitoringReferenceTable.attributeTypeMap;
+  }
+
+  public constructor() {}
+}

packages/datadog-api-client-v2/models/SecurityMonitoringRuleUpdatePayload.ts

@@ -5,6 +5,7 @@
  */
 import { CloudConfigurationRuleComplianceSignalOptions } from "./CloudConfigurationRuleComplianceSignalOptions";
 import { SecurityMonitoringFilter } from "./SecurityMonitoringFilter";
+import { SecurityMonitoringReferenceTable } from "./SecurityMonitoringReferenceTable";
 import { SecurityMonitoringRuleCase } from "./SecurityMonitoringRuleCase";
 import { SecurityMonitoringRuleOptions } from "./SecurityMonitoringRuleOptions";
 import { SecurityMonitoringRuleQuery } from "./SecurityMonitoringRuleQuery";
@@ -52,6 +53,10 @@ export class SecurityMonitoringRuleUpdatePayload {
    * Queries for selecting logs which are part of the rule.
    */
   "queries"?: Array<SecurityMonitoringRuleQuery>;
+  /**
+   * Reference tables for the rule.
+   */
+  "referenceTables"?: Array<SecurityMonitoringReferenceTable>;
   /**
    * Tags for generated signals.
    */
@@ -117,6 +122,10 @@ export class SecurityMonitoringRuleUpdatePayload {
       baseName: "queries",
       type: "Array<SecurityMonitoringRuleQuery>",
     },
+    referenceTables: {
+      baseName: "referenceTables",
+      type: "Array<SecurityMonitoringReferenceTable>",
+    },
     tags: {
       baseName: "tags",
       type: "Array<string>",

packages/datadog-api-client-v2/models/SecurityMonitoringStandardRuleCreatePayload.ts

@@ -4,6 +4,7 @@
  * Copyright 2020-Present Datadog, Inc.
  */
 import { SecurityMonitoringFilter } from "./SecurityMonitoringFilter";
+import { SecurityMonitoringReferenceTable } from "./SecurityMonitoringReferenceTable";
 import { SecurityMonitoringRuleCaseCreate } from "./SecurityMonitoringRuleCaseCreate";
 import { SecurityMonitoringRuleOptions } from "./SecurityMonitoringRuleOptions";
 import { SecurityMonitoringRuleTypeCreate } from "./SecurityMonitoringRuleTypeCreate";
@@ -48,6 +49,10 @@ export class SecurityMonitoringStandardRuleCreatePayload {
    * Queries for selecting logs which are part of the rule.
    */
   "queries": Array<SecurityMonitoringStandardRuleQuery>;
+  /**
+   * Reference tables for the rule.
+   */
+  "referenceTables"?: Array<SecurityMonitoringReferenceTable>;
   /**
    * Tags for generated signals.
    */
@@ -115,6 +120,10 @@ export class SecurityMonitoringStandardRuleCreatePayload {
       type: "Array<SecurityMonitoringStandardRuleQuery>",
       required: true,
     },
+    referenceTables: {
+      baseName: "referenceTables",
+      type: "Array<SecurityMonitoringReferenceTable>",
+    },
     tags: {
       baseName: "tags",
       type: "Array<string>",