Security Monitoring - Support custom third party rules

.apigentools-info

@@ -4,13 +4,13 @@
     "spec_versions": {
         "v1": {
             "apigentools_version": "1.6.6",
-            "regenerated": "2024-01-03 19:28:37.707850",
-            "spec_repo_commit": "b2d74fec"
+            "regenerated": "2024-01-04 15:18:12.079716",
+            "spec_repo_commit": "e7cfa56f"
         },
         "v2": {
             "apigentools_version": "1.6.6",
-            "regenerated": "2024-01-03 19:28:37.726416",
-            "spec_repo_commit": "b2d74fec"
+            "regenerated": "2024-01-04 15:18:12.102717",
+            "spec_repo_commit": "e7cfa56f"
         }
     }
 }

.generator/schemas/v2/openapi.yaml

@@ -15616,6 +15616,8 @@ components:
           $ref: '#/components/schemas/SecurityMonitoringRuleMaxSignalDuration'
         newValueOptions:
           $ref: '#/components/schemas/SecurityMonitoringRuleNewValueOptions'
+        thirdPartyRuleOptions:
+          $ref: '#/components/schemas/SecurityMonitoringRuleThirdPartyOptions'
       type: object
     SecurityMonitoringRuleQuery:
       description: Query for matching rule.
@@ -15664,6 +15666,30 @@ components:
       - MEDIUM
       - HIGH
       - CRITICAL
+    SecurityMonitoringRuleThirdPartyOptions:
+      description: Options on third party rules.
+      properties:
+        defaultNotifications:
+          description: Notification targets for the logs that do not correspond to
+            any of the cases.
+          items:
+            description: Notification.
+            type: string
+          type: array
+        defaultStatus:
+          $ref: '#/components/schemas/SecurityMonitoringRuleSeverity'
+        rootQueries:
+          description: Queries to be combined with third party case queries. Each
+            of them can have different group by fields, to aggregate differently based
+            on the type of alert.
+          items:
+            $ref: '#/components/schemas/SecurityMonitoringThirdPartyRootQuery'
+          type: array
+        signalTitleTemplate:
+          description: A template for the signal title; if omitted, the title is generated
+            based on the case name.
+          type: string
+      type: object
     SecurityMonitoringRuleTypeCreate:
       description: The rule type.
       enum:
@@ -15733,6 +15759,13 @@ components:
             description: Tag.
             type: string
           type: array
+        thirdPartyCases:
+          description: Cases for generating signals from third party rules. Only available
+            for third party rules.
+          example: []
+          items:
+            $ref: '#/components/schemas/SecurityMonitoringThirdPartyRuleCase'
+          type: array
         version:
           description: The version of the rule being updated.
           example: 1
@@ -16362,6 +16395,13 @@ components:
             description: Tag.
             type: string
           type: array
+        thirdPartyCases:
+          description: Cases for generating signals from third party rules. Only available
+            for third party rules.
+          example: []
+          items:
+            $ref: '#/components/schemas/SecurityMonitoringThirdPartyRuleCaseCreate'
+          type: array
         type:
           $ref: '#/components/schemas/SecurityMonitoringRuleTypeCreate'
       required:
@@ -16483,6 +16523,13 @@ components:
             description: Tag.
             type: string
           type: array
+        thirdPartyCases:
+          description: Cases for generating signals from third party rules. Only available
+            for third party rules.
+          example: []
+          items:
+            $ref: '#/components/schemas/SecurityMonitoringThirdPartyRuleCase'
+          type: array
         type:
           $ref: '#/components/schemas/SecurityMonitoringRuleTypeRead'
         updateAuthorId:
@@ -16493,6 +16540,58 @@ components:
           description: The version of the rule.
           format: int64
           type: integer
+    SecurityMonitoringThirdPartyRootQuery:
+      description: A query to be combined with the third party case query.
+      properties:
+        groupByFields:
+          description: Fields to group by.
+          items:
+            description: Field.
+            type: string
+          type: array
+        query:
+          description: Query to run on logs.
+          example: source:cloudtrail
+          type: string
+      type: object
+    SecurityMonitoringThirdPartyRuleCase:
+      description: Case when signal is generated by a third party rule.
+      properties:
+        name:
+          description: Name of the case.
+          type: string
+        notifications:
+          description: Notification targets for each rule case.
+          items:
+            description: Notification.
+            type: string
+          type: array
+        query:
+          description: A query to map a third party event to this case.
+          type: string
+        status:
+          $ref: '#/components/schemas/SecurityMonitoringRuleSeverity'
+      type: object
+    SecurityMonitoringThirdPartyRuleCaseCreate:
+      description: Case when a signal is generated by a third party rule.
+      properties:
+        name:
+          description: Name of the case.
+          type: string
+        notifications:
+          description: Notification targets for each rule case.
+          items:
+            description: Notification.
+            type: string
+          type: array
+        query:
+          description: A query to map a third party event to this case.
+          type: string
+        status:
+          $ref: '#/components/schemas/SecurityMonitoringRuleSeverity'
+      required:
+      - status
+      type: object
     SecurityMonitoringTriageUser:
       description: Object representing a given user entity.
       properties:

examples/v2/security-monitoring/CreateSecurityMonitoringRule_3367706049.java

@@ -0,0 +1,72 @@
+// Create a detection rule with detection method 'third_party' returns "OK" response
+
+import com.datadog.api.client.ApiClient;
+import com.datadog.api.client.ApiException;
+import com.datadog.api.client.v2.api.SecurityMonitoringApi;
+import com.datadog.api.client.v2.model.SecurityMonitoringRuleCreatePayload;
+import com.datadog.api.client.v2.model.SecurityMonitoringRuleDetectionMethod;
+import com.datadog.api.client.v2.model.SecurityMonitoringRuleKeepAlive;
+import com.datadog.api.client.v2.model.SecurityMonitoringRuleMaxSignalDuration;
+import com.datadog.api.client.v2.model.SecurityMonitoringRuleOptions;
+import com.datadog.api.client.v2.model.SecurityMonitoringRuleResponse;
+import com.datadog.api.client.v2.model.SecurityMonitoringRuleSeverity;
+import com.datadog.api.client.v2.model.SecurityMonitoringRuleThirdPartyOptions;
+import com.datadog.api.client.v2.model.SecurityMonitoringRuleTypeCreate;
+import com.datadog.api.client.v2.model.SecurityMonitoringStandardRuleCreatePayload;
+import com.datadog.api.client.v2.model.SecurityMonitoringThirdPartyRootQuery;
+import com.datadog.api.client.v2.model.SecurityMonitoringThirdPartyRuleCaseCreate;
+import java.util.Arrays;
+import java.util.Collections;
+
+public class Example {
+  public static void main(String[] args) {
+    ApiClient defaultClient = ApiClient.getDefaultApiClient();
+    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);
+
+    SecurityMonitoringRuleCreatePayload body =
+        new SecurityMonitoringRuleCreatePayload(
+            new SecurityMonitoringStandardRuleCreatePayload()
+                .name("Example-Security-Monitoring")
+                .type(SecurityMonitoringRuleTypeCreate.LOG_DETECTION)
+                .isEnabled(true)
+                .thirdPartyCases(
+                    Arrays.asList(
+                        new SecurityMonitoringThirdPartyRuleCaseCreate()
+                            .query("status:error")
+                            .name("high")
+                            .status(SecurityMonitoringRuleSeverity.HIGH),
+                        new SecurityMonitoringThirdPartyRuleCaseCreate()
+                            .query("status:info")
+                            .name("low")
+                            .status(SecurityMonitoringRuleSeverity.LOW)))
+                .message("This is a third party rule")
+                .options(
+                    new SecurityMonitoringRuleOptions()
+                        .detectionMethod(SecurityMonitoringRuleDetectionMethod.THIRD_PARTY)
+                        .keepAlive(SecurityMonitoringRuleKeepAlive.ZERO_MINUTES)
+                        .maxSignalDuration(SecurityMonitoringRuleMaxSignalDuration.ZERO_MINUTES)
+                        .thirdPartyRuleOptions(
+                            new SecurityMonitoringRuleThirdPartyOptions()
+                                .defaultStatus(SecurityMonitoringRuleSeverity.INFO)
+                                .rootQueries(
+                                    Arrays.asList(
+                                        new SecurityMonitoringThirdPartyRootQuery()
+                                            .query("source:guardduty @details.alertType:*EC2*")
+                                            .groupByFields(
+                                                Collections.singletonList("instance-id")),
+                                        new SecurityMonitoringThirdPartyRootQuery()
+                                            .query("source:guardduty"))))));
+
+    try {
+      SecurityMonitoringRuleResponse result = apiInstance.createSecurityMonitoringRule(body);
+      System.out.println(result);
+    } catch (ApiException e) {
+      System.err.println(
+          "Exception when calling SecurityMonitoringApi#createSecurityMonitoringRule");
+      System.err.println("Status code: " + e.getCode());
+      System.err.println("Reason: " + e.getResponseBody());
+      System.err.println("Response headers: " + e.getResponseHeaders());
+      e.printStackTrace();
+    }
+  }
+}

src/main/java/com/datadog/api/client/v2/model/SecurityMonitoringRuleOptions.java

@@ -26,7 +26,8 @@
   SecurityMonitoringRuleOptions.JSON_PROPERTY_IMPOSSIBLE_TRAVEL_OPTIONS,
   SecurityMonitoringRuleOptions.JSON_PROPERTY_KEEP_ALIVE,
   SecurityMonitoringRuleOptions.JSON_PROPERTY_MAX_SIGNAL_DURATION,
-  SecurityMonitoringRuleOptions.JSON_PROPERTY_NEW_VALUE_OPTIONS
+  SecurityMonitoringRuleOptions.JSON_PROPERTY_NEW_VALUE_OPTIONS,
+  SecurityMonitoringRuleOptions.JSON_PROPERTY_THIRD_PARTY_RULE_OPTIONS
 })
 @jakarta.annotation.Generated(
     value = "https://github.com/DataDog/datadog-api-client-java/blob/master/.generator")
@@ -60,6 +61,9 @@ public class SecurityMonitoringRuleOptions {
   public static final String JSON_PROPERTY_NEW_VALUE_OPTIONS = "newValueOptions";
   private SecurityMonitoringRuleNewValueOptions newValueOptions;
 
+  public static final String JSON_PROPERTY_THIRD_PARTY_RULE_OPTIONS = "thirdPartyRuleOptions";
+  private SecurityMonitoringRuleThirdPartyOptions thirdPartyRuleOptions;
+
   public SecurityMonitoringRuleOptions complianceRuleOptions(
       CloudConfigurationComplianceRuleOptions complianceRuleOptions) {
     this.complianceRuleOptions = complianceRuleOptions;
@@ -292,6 +296,30 @@ public void setNewValueOptions(SecurityMonitoringRuleNewValueOptions newValueOpt
     this.newValueOptions = newValueOptions;
   }
 
+  public SecurityMonitoringRuleOptions thirdPartyRuleOptions(
+      SecurityMonitoringRuleThirdPartyOptions thirdPartyRuleOptions) {
+    this.thirdPartyRuleOptions = thirdPartyRuleOptions;
+    this.unparsed |= thirdPartyRuleOptions.unparsed;
+    return this;
+  }
+
+  /**
+   * Options on third party rules.
+   *
+   * @return thirdPartyRuleOptions
+   */
+  @jakarta.annotation.Nullable
+  @JsonProperty(JSON_PROPERTY_THIRD_PARTY_RULE_OPTIONS)
+  @JsonInclude(value = JsonInclude.Include.USE_DEFAULTS)
+  public SecurityMonitoringRuleThirdPartyOptions getThirdPartyRuleOptions() {
+    return thirdPartyRuleOptions;
+  }
+
+  public void setThirdPartyRuleOptions(
+      SecurityMonitoringRuleThirdPartyOptions thirdPartyRuleOptions) {
+    this.thirdPartyRuleOptions = thirdPartyRuleOptions;
+  }
+
   /**
    * A container for additional, undeclared properties. This is a holder for any undeclared
    * properties as specified with the 'additionalProperties' keyword in the OAS document.
@@ -362,6 +390,8 @@ public boolean equals(Object o) {
         && Objects.equals(this.keepAlive, securityMonitoringRuleOptions.keepAlive)
         && Objects.equals(this.maxSignalDuration, securityMonitoringRuleOptions.maxSignalDuration)
         && Objects.equals(this.newValueOptions, securityMonitoringRuleOptions.newValueOptions)
+        && Objects.equals(
+            this.thirdPartyRuleOptions, securityMonitoringRuleOptions.thirdPartyRuleOptions)
         && Objects.equals(
             this.additionalProperties, securityMonitoringRuleOptions.additionalProperties);
   }
@@ -378,6 +408,7 @@ public int hashCode() {
         keepAlive,
         maxSignalDuration,
         newValueOptions,
+        thirdPartyRuleOptions,
         additionalProperties);
   }
 
@@ -402,6 +433,9 @@ public String toString() {
     sb.append("    keepAlive: ").append(toIndentedString(keepAlive)).append("\n");
     sb.append("    maxSignalDuration: ").append(toIndentedString(maxSignalDuration)).append("\n");
     sb.append("    newValueOptions: ").append(toIndentedString(newValueOptions)).append("\n");
+    sb.append("    thirdPartyRuleOptions: ")
+        .append(toIndentedString(thirdPartyRuleOptions))
+        .append("\n");
     sb.append("    additionalProperties: ")
         .append(toIndentedString(additionalProperties))
         .append("\n");