data
\n[object]
Array containing the list of historical jobs.
attributes
\nobject
Historical job attributes.
createdAt
\nstring
Time when the job was created.
createdByHandle
\nstring
The handle of the user who created the job.
createdByName
\nstring
The name of the user who created the job.
createdFromRuleId
\nstring
ID of the rule used to create the job (if it is created from a rule).
jobDefinition
\nobject
Definition of a historical job.
calculatedFields
\n[object]
Calculated fields.
expression [required]
\nstring
Expression.
name [required]
\nstring
Field name.
cases [required]
\n[object]
Cases used for generating job results.
actions
\n[object]
Action to perform for each rule case.
options
\nobject
Options for the rule action
duration
\nint64
Duration of the action in seconds. 0 indicates no expiration.
flaggedIPType
\nenum
Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. \nAllowed enum values: SUSPICIOUS,FLAGGED
userBehaviorName
\nstring
Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.
type
\nenum
The action type. \nAllowed enum values: block_ip,block_user,user_behavior,flag_ip
condition
\nstring
A case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated\nbased on the event counts in the previously defined queries.
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets.
status [required]
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
from [required]
\nint64
Starting time of data analyzed by the job.
groupSignalsBy
\n[string]
Additional grouping to perform on top of the existing groups in the query section. Must be a subset of the existing groups.
index [required]
\nstring
Index used to load the data.
message [required]
\nstring
Message for generated results.
name [required]
\nstring
Job name.
options
\nobject
Job options.
detectionMethod
\nenum
The detection method. \nAllowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
impossibleTravelOptions
\nobject
Options on impossible travel detection method.
baselineUserLocations
\nboolean
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular\naccess locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
\nenum
Once a signal is generated, the signal will remain "open" if a case is matched at least once within\nthis keep alive window. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
maxSignalDuration
\nenum
A signal will "close" regardless of the query being matched once the time exceeds the maximum duration.\nThis time is calculated from the first seen timestamp. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
\nobject
Options on new value detection method.
forgetAfter
\nenum
The duration in days after which a learned value is forgotten. \nAllowed enum values: 1,2,7,14,21,28
learningDuration
\nenum
The duration in days during which values are learned, and after which signals will be generated for values that\nweren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. \nAllowed enum values: 0,1,7
learningMethod
\nenum
The learning method used to determine when signals should be generated for values that weren't learned. \nAllowed enum values: duration,threshold
default: duration
learningThreshold
\nenum
A number of occurrences after which signals will be generated for values that weren't learned. \nAllowed enum values: 0,1
sequenceDetectionOptions
\nobject
Options on sequence detection method.
stepTransitions
\n[object]
Transitions defining the allowed order of steps and their evaluation windows.
child
\nstring
Name of the child step.
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
parent
\nstring
Name of the parent step.
steps
\n[object]
Steps that define the conditions to be matched in sequence.
condition
\nstring
Condition referencing rule queries (e.g., a > 0).
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
name
\nstring
Unique name identifying the step.
thirdPartyRuleOptions
\nobject
Options on third party detection method.
defaultNotifications
\n[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
rootQueries
\n[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
\n[string]
Fields to group by.
query
\nstring
Query to run on logs.
signalTitleTemplate
\nstring
A template for the signal title; if omitted, the title is generated based on the case name.
queries [required]
\n[object]
Queries for selecting logs analyzed by the job.
aggregation
\nenum
The aggregation type. \nAllowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
dataSource
\nenum
Source of events, either logs, audit trail, or Datadog events. \nAllowed enum values: logs,audit,app_sec_spans,spans,security_runtime,network,events
default: logs
distinctFields
\n[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
\n[string]
Fields to group by.
hasOptionalGroupByFields
\nboolean
When false, events without a group-by value are ignored by the query. When true, events with missing group-by fields are processed with N/A, replacing the missing values.
metrics
\n[string]
Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.
name
\nstring
Name of the query.
query
\nstring
Query to run on logs.
referenceTables
\n[object]
Reference tables used in the queries.
checkPresence
\nboolean
Whether to include or exclude the matched values.
columnName
\nstring
The name of the column in the reference table.
logFieldPath
\nstring
The field in the log to match against the reference table.
ruleQueryName
\nstring
The name of the query to apply the reference table to.
tableName
\nstring
The name of the reference table.
tags
\n[string]
Tags for generated signals.
thirdPartyCases
\n[object]
Cases for generating results from third-party detection method. Only available for third-party detection method.
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets for each case.
query
\nstring
A query to map a third party event to this case.
status [required]
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
to [required]
\nint64
Ending time of data analyzed by the job.
type
\nstring
Job type.
jobName
\nstring
Job name.
jobStatus
\nstring
Job status.
modifiedAt
\nstring
Last modification time of the job.
id
\nstring
ID of the job.
type
\nenum
Type of payload. \nAllowed enum values: historicalDetectionsJob
meta
\nobject
Metadata about the list of jobs.
totalCount
\nint32
Number of jobs in the list.
data
\n[object]
Array containing the list of threat hunting jobs.
attributes
\nobject
Threat hunting job attributes.
createdAt
\nstring
Time when the job was created.
createdByHandle
\nstring
The handle of the user who created the job.
createdByName
\nstring
The name of the user who created the job.
createdFromRuleId
\nstring
ID of the rule used to create the job (if it is created from a rule).
jobDefinition
\nobject
Definition of a threat hunting job.
calculatedFields
\n[object]
Calculated fields.
expression [required]
\nstring
Expression.
name [required]
\nstring
Field name.
cases [required]
\n[object]
Cases used for generating job results.
actions
\n[object]
Action to perform for each rule case.
options
\nobject
Options for the rule action
duration
\nint64
Duration of the action in seconds. 0 indicates no expiration.
flaggedIPType
\nenum
Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. \nAllowed enum values: SUSPICIOUS,FLAGGED
userBehaviorName
\nstring
Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.
type
\nenum
The action type. \nAllowed enum values: block_ip,block_user,user_behavior,flag_ip
condition
\nstring
A case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated\nbased on the event counts in the previously defined queries.
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets.
status [required]
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
from [required]
\nint64
Starting time of data analyzed by the job.
groupSignalsBy
\n[string]
Additional grouping to perform on top of the existing groups in the query section. Must be a subset of the existing groups.
index [required]
\nstring
Index used to load the data.
message [required]
\nstring
Message for generated results.
name [required]
\nstring
Job name.
options
\nobject
Job options.
detectionMethod
\nenum
The detection method. \nAllowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
impossibleTravelOptions
\nobject
Options on impossible travel detection method.
baselineUserLocations
\nboolean
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular\naccess locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
\nenum
Once a signal is generated, the signal will remain "open" if a case is matched at least once within\nthis keep alive window. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
maxSignalDuration
\nenum
A signal will "close" regardless of the query being matched once the time exceeds the maximum duration.\nThis time is calculated from the first seen timestamp. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
\nobject
Options on new value detection method.
forgetAfter
\nenum
The duration in days after which a learned value is forgotten. \nAllowed enum values: 1,2,7,14,21,28
learningDuration
\nenum
The duration in days during which values are learned, and after which signals will be generated for values that\nweren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. \nAllowed enum values: 0,1,7
learningMethod
\nenum
The learning method used to determine when signals should be generated for values that weren't learned. \nAllowed enum values: duration,threshold
default: duration
learningThreshold
\nenum
A number of occurrences after which signals will be generated for values that weren't learned. \nAllowed enum values: 0,1
sequenceDetectionOptions
\nobject
Options on sequence detection method.
stepTransitions
\n[object]
Transitions defining the allowed order of steps and their evaluation windows.
child
\nstring
Name of the child step.
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
parent
\nstring
Name of the parent step.
steps
\n[object]
Steps that define the conditions to be matched in sequence.
condition
\nstring
Condition referencing rule queries (e.g., a > 0).
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
name
\nstring
Unique name identifying the step.
thirdPartyRuleOptions
\nobject
Options on third party detection method.
defaultNotifications
\n[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
rootQueries
\n[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
\n[string]
Fields to group by.
query
\nstring
Query to run on logs.
signalTitleTemplate
\nstring
A template for the signal title; if omitted, the title is generated based on the case name.
queries [required]
\n[object]
Queries for selecting logs analyzed by the job.
aggregation
\nenum
The aggregation type. \nAllowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
dataSource
\nenum
Source of events, either logs, audit trail, or Datadog events. \nAllowed enum values: logs,audit,app_sec_spans,spans,security_runtime,network,events
default: logs
distinctFields
\n[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
\n[string]
Fields to group by.
hasOptionalGroupByFields
\nboolean
When false, events without a group-by value are ignored by the query. When true, events with missing group-by fields are processed with N/A, replacing the missing values.
metrics
\n[string]
Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.
name
\nstring
Name of the query.
query
\nstring
Query to run on logs.
referenceTables
\n[object]
Reference tables used in the queries.
checkPresence
\nboolean
Whether to include or exclude the matched values.
columnName
\nstring
The name of the column in the reference table.
logFieldPath
\nstring
The field in the log to match against the reference table.
ruleQueryName
\nstring
The name of the query to apply the reference table to.
tableName
\nstring
The name of the reference table.
tags
\n[string]
Tags for generated signals.
thirdPartyCases
\n[object]
Cases for generating results from third-party detection method. Only available for third-party detection method.
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets for each case.
query
\nstring
A query to map a third party event to this case.
status [required]
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
to [required]
\nint64
Ending time of data analyzed by the job.
type
\nstring
Job type.
jobName
\nstring
Job name.
jobStatus
\nstring
Job status.
modifiedAt
\nstring
Last modification time of the job.
id
\nstring
ID of the job.
type
\nenum
Type of payload. \nAllowed enum values: historicalDetectionsJob
meta
\nobject
Metadata about the list of jobs.
totalCount
\nint32
Number of jobs in the list.
data
\nobject
Data for running a historical job request.
attributes
\nobject
Run a historical job request.
fromRule
\nobject
Definition of a historical job based on a security monitoring rule.
from [required]
\nint64
Starting time of data analyzed by the job.
id [required]
\nstring
ID of the detection rule used to create the job.
index [required]
\nstring
Index used to load the data.
notifications
\n[string]
Notifications sent when the job is completed.
to [required]
\nint64
Ending time of data analyzed by the job.
id
\nstring
Request ID.
jobDefinition
\nobject
Definition of a historical job.
calculatedFields
\n[object]
Calculated fields.
expression [required]
\nstring
Expression.
name [required]
\nstring
Field name.
cases [required]
\n[object]
Cases used for generating job results.
actions
\n[object]
Action to perform for each rule case.
options
\nobject
Options for the rule action
duration
\nint64
Duration of the action in seconds. 0 indicates no expiration.
flaggedIPType
\nenum
Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. \nAllowed enum values: SUSPICIOUS,FLAGGED
userBehaviorName
\nstring
Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.
type
\nenum
The action type. \nAllowed enum values: block_ip,block_user,user_behavior,flag_ip
condition
\nstring
A case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated\nbased on the event counts in the previously defined queries.
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets.
status [required]
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
from [required]
\nint64
Starting time of data analyzed by the job.
groupSignalsBy
\n[string]
Additional grouping to perform on top of the existing groups in the query section. Must be a subset of the existing groups.
index [required]
\nstring
Index used to load the data.
message [required]
\nstring
Message for generated results.
name [required]
\nstring
Job name.
options
\nobject
Job options.
detectionMethod
\nenum
The detection method. \nAllowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
impossibleTravelOptions
\nobject
Options on impossible travel detection method.
baselineUserLocations
\nboolean
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular\naccess locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
\nenum
Once a signal is generated, the signal will remain "open" if a case is matched at least once within\nthis keep alive window. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
maxSignalDuration
\nenum
A signal will "close" regardless of the query being matched once the time exceeds the maximum duration.\nThis time is calculated from the first seen timestamp. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
\nobject
Options on new value detection method.
forgetAfter
\nenum
The duration in days after which a learned value is forgotten. \nAllowed enum values: 1,2,7,14,21,28
learningDuration
\nenum
The duration in days during which values are learned, and after which signals will be generated for values that\nweren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. \nAllowed enum values: 0,1,7
learningMethod
\nenum
The learning method used to determine when signals should be generated for values that weren't learned. \nAllowed enum values: duration,threshold
default: duration
learningThreshold
\nenum
A number of occurrences after which signals will be generated for values that weren't learned. \nAllowed enum values: 0,1
sequenceDetectionOptions
\nobject
Options on sequence detection method.
stepTransitions
\n[object]
Transitions defining the allowed order of steps and their evaluation windows.
child
\nstring
Name of the child step.
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
parent
\nstring
Name of the parent step.
steps
\n[object]
Steps that define the conditions to be matched in sequence.
condition
\nstring
Condition referencing rule queries (e.g., a > 0).
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
name
\nstring
Unique name identifying the step.
thirdPartyRuleOptions
\nobject
Options on third party detection method.
defaultNotifications
\n[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
rootQueries
\n[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
\n[string]
Fields to group by.
query
\nstring
Query to run on logs.
signalTitleTemplate
\nstring
A template for the signal title; if omitted, the title is generated based on the case name.
queries [required]
\n[object]
Queries for selecting logs analyzed by the job.
aggregation
\nenum
The aggregation type. \nAllowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
dataSource
\nenum
Source of events, either logs, audit trail, or Datadog events. \nAllowed enum values: logs,audit,app_sec_spans,spans,security_runtime,network,events
default: logs
distinctFields
\n[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
\n[string]
Fields to group by.
hasOptionalGroupByFields
\nboolean
When false, events without a group-by value are ignored by the query. When true, events with missing group-by fields are processed with N/A, replacing the missing values.
metrics
\n[string]
Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.
name
\nstring
Name of the query.
query
\nstring
Query to run on logs.
referenceTables
\n[object]
Reference tables used in the queries.
checkPresence
\nboolean
Whether to include or exclude the matched values.
columnName
\nstring
The name of the column in the reference table.
logFieldPath
\nstring
The field in the log to match against the reference table.
ruleQueryName
\nstring
The name of the query to apply the reference table to.
tableName
\nstring
The name of the reference table.
tags
\n[string]
Tags for generated signals.
thirdPartyCases
\n[object]
Cases for generating results from third-party detection method. Only available for third-party detection method.
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets for each case.
query
\nstring
A query to map a third party event to this case.
status [required]
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
to [required]
\nint64
Ending time of data analyzed by the job.
type
\nstring
Job type.
type
\nenum
Type of data. \nAllowed enum values: historicalDetectionsJobCreate
data
\nobject
Data for running a threat hunting job request.
attributes
\nobject
Run a threat hunting job request.
fromRule
\nobject
Definition of a threat hunting job based on a security monitoring rule.
from [required]
\nint64
Starting time of data analyzed by the job.
id [required]
\nstring
ID of the detection rule used to create the job.
index [required]
\nstring
Index used to load the data.
notifications
\n[string]
Notifications sent when the job is completed.
to [required]
\nint64
Ending time of data analyzed by the job.
id
\nstring
Request ID.
jobDefinition
\nobject
Definition of a threat hunting job.
calculatedFields
\n[object]
Calculated fields.
expression [required]
\nstring
Expression.
name [required]
\nstring
Field name.
cases [required]
\n[object]
Cases used for generating job results.
actions
\n[object]
Action to perform for each rule case.
options
\nobject
Options for the rule action
duration
\nint64
Duration of the action in seconds. 0 indicates no expiration.
flaggedIPType
\nenum
Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. \nAllowed enum values: SUSPICIOUS,FLAGGED
userBehaviorName
\nstring
Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.
type
\nenum
The action type. \nAllowed enum values: block_ip,block_user,user_behavior,flag_ip
condition
\nstring
A case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated\nbased on the event counts in the previously defined queries.
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets.
status [required]
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
from [required]
\nint64
Starting time of data analyzed by the job.
groupSignalsBy
\n[string]
Additional grouping to perform on top of the existing groups in the query section. Must be a subset of the existing groups.
index [required]
\nstring
Index used to load the data.
message [required]
\nstring
Message for generated results.
name [required]
\nstring
Job name.
options
\nobject
Job options.
detectionMethod
\nenum
The detection method. \nAllowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
impossibleTravelOptions
\nobject
Options on impossible travel detection method.
baselineUserLocations
\nboolean
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular\naccess locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
\nenum
Once a signal is generated, the signal will remain "open" if a case is matched at least once within\nthis keep alive window. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
maxSignalDuration
\nenum
A signal will "close" regardless of the query being matched once the time exceeds the maximum duration.\nThis time is calculated from the first seen timestamp. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
\nobject
Options on new value detection method.
forgetAfter
\nenum
The duration in days after which a learned value is forgotten. \nAllowed enum values: 1,2,7,14,21,28
learningDuration
\nenum
The duration in days during which values are learned, and after which signals will be generated for values that\nweren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. \nAllowed enum values: 0,1,7
learningMethod
\nenum
The learning method used to determine when signals should be generated for values that weren't learned. \nAllowed enum values: duration,threshold
default: duration
learningThreshold
\nenum
A number of occurrences after which signals will be generated for values that weren't learned. \nAllowed enum values: 0,1
sequenceDetectionOptions
\nobject
Options on sequence detection method.
stepTransitions
\n[object]
Transitions defining the allowed order of steps and their evaluation windows.
child
\nstring
Name of the child step.
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
parent
\nstring
Name of the parent step.
steps
\n[object]
Steps that define the conditions to be matched in sequence.
condition
\nstring
Condition referencing rule queries (e.g., a > 0).
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
name
\nstring
Unique name identifying the step.
thirdPartyRuleOptions
\nobject
Options on third party detection method.
defaultNotifications
\n[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
rootQueries
\n[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
\n[string]
Fields to group by.
query
\nstring
Query to run on logs.
signalTitleTemplate
\nstring
A template for the signal title; if omitted, the title is generated based on the case name.
queries [required]
\n[object]
Queries for selecting logs analyzed by the job.
aggregation
\nenum
The aggregation type. \nAllowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
dataSource
\nenum
Source of events, either logs, audit trail, or Datadog events. \nAllowed enum values: logs,audit,app_sec_spans,spans,security_runtime,network,events
default: logs
distinctFields
\n[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
\n[string]
Fields to group by.
hasOptionalGroupByFields
\nboolean
When false, events without a group-by value are ignored by the query. When true, events with missing group-by fields are processed with N/A, replacing the missing values.
metrics
\n[string]
Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.
name
\nstring
Name of the query.
query
\nstring
Query to run on logs.
referenceTables
\n[object]
Reference tables used in the queries.
checkPresence
\nboolean
Whether to include or exclude the matched values.
columnName
\nstring
The name of the column in the reference table.
logFieldPath
\nstring
The field in the log to match against the reference table.
ruleQueryName
\nstring
The name of the query to apply the reference table to.
tableName
\nstring
The name of the reference table.
tags
\n[string]
Tags for generated signals.
thirdPartyCases
\n[object]
Cases for generating results from third-party detection method. Only available for third-party detection method.
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets for each case.
query
\nstring
A query to map a third party event to this case.
status [required]
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
to [required]
\nint64
Ending time of data analyzed by the job.
type
\nstring
Job type.
type
\nenum
Type of data. \nAllowed enum values: historicalDetectionsJobCreate
data
\nobject
Data for converting historical job results to signals.
attributes
\nobject
Attributes for converting historical job results to signals.
id
\nstring
Request ID.
jobResultIds [required]
\n[string]
Job result IDs.
notifications [required]
\n[string]
Notifications sent.
signalMessage [required]
\nstring
Message of generated signals.
signalSeverity [required]
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
type
\nenum
Type of payload. \nAllowed enum values: historicalDetectionsJobResultSignalConversion
data
\nobject
Data for converting threat hunting job results to signals.
attributes
\nobject
Attributes for converting threat hunting job results to signals.
id
\nstring
Request ID.
jobResultIds [required]
\n[string]
Job result IDs.
notifications [required]
\n[string]
Notifications sent.
signalMessage [required]
\nstring
Message of generated signals.
signalSeverity [required]
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
type
\nenum
Type of payload. \nAllowed enum values: historicalDetectionsJobResultSignalConversion
data
\nobject
Historical job response data.
attributes
\nobject
Historical job attributes.
createdAt
\nstring
Time when the job was created.
createdByHandle
\nstring
The handle of the user who created the job.
createdByName
\nstring
The name of the user who created the job.
createdFromRuleId
\nstring
ID of the rule used to create the job (if it is created from a rule).
jobDefinition
\nobject
Definition of a historical job.
calculatedFields
\n[object]
Calculated fields.
expression [required]
\nstring
Expression.
name [required]
\nstring
Field name.
cases [required]
\n[object]
Cases used for generating job results.
actions
\n[object]
Action to perform for each rule case.
options
\nobject
Options for the rule action
duration
\nint64
Duration of the action in seconds. 0 indicates no expiration.
flaggedIPType
\nenum
Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. \nAllowed enum values: SUSPICIOUS,FLAGGED
userBehaviorName
\nstring
Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.
type
\nenum
The action type. \nAllowed enum values: block_ip,block_user,user_behavior,flag_ip
condition
\nstring
A case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated\nbased on the event counts in the previously defined queries.
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets.
status [required]
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
from [required]
\nint64
Starting time of data analyzed by the job.
groupSignalsBy
\n[string]
Additional grouping to perform on top of the existing groups in the query section. Must be a subset of the existing groups.
index [required]
\nstring
Index used to load the data.
message [required]
\nstring
Message for generated results.
name [required]
\nstring
Job name.
options
\nobject
Job options.
detectionMethod
\nenum
The detection method. \nAllowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
impossibleTravelOptions
\nobject
Options on impossible travel detection method.
baselineUserLocations
\nboolean
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular\naccess locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
\nenum
Once a signal is generated, the signal will remain "open" if a case is matched at least once within\nthis keep alive window. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
maxSignalDuration
\nenum
A signal will "close" regardless of the query being matched once the time exceeds the maximum duration.\nThis time is calculated from the first seen timestamp. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
\nobject
Options on new value detection method.
forgetAfter
\nenum
The duration in days after which a learned value is forgotten. \nAllowed enum values: 1,2,7,14,21,28
learningDuration
\nenum
The duration in days during which values are learned, and after which signals will be generated for values that\nweren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. \nAllowed enum values: 0,1,7
learningMethod
\nenum
The learning method used to determine when signals should be generated for values that weren't learned. \nAllowed enum values: duration,threshold
default: duration
learningThreshold
\nenum
A number of occurrences after which signals will be generated for values that weren't learned. \nAllowed enum values: 0,1
sequenceDetectionOptions
\nobject
Options on sequence detection method.
stepTransitions
\n[object]
Transitions defining the allowed order of steps and their evaluation windows.
child
\nstring
Name of the child step.
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
parent
\nstring
Name of the parent step.
steps
\n[object]
Steps that define the conditions to be matched in sequence.
condition
\nstring
Condition referencing rule queries (e.g., a > 0).
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
name
\nstring
Unique name identifying the step.
thirdPartyRuleOptions
\nobject
Options on third party detection method.
defaultNotifications
\n[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
rootQueries
\n[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
\n[string]
Fields to group by.
query
\nstring
Query to run on logs.
signalTitleTemplate
\nstring
A template for the signal title; if omitted, the title is generated based on the case name.
queries [required]
\n[object]
Queries for selecting logs analyzed by the job.
aggregation
\nenum
The aggregation type. \nAllowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
dataSource
\nenum
Source of events, either logs, audit trail, or Datadog events. \nAllowed enum values: logs,audit,app_sec_spans,spans,security_runtime,network,events
default: logs
distinctFields
\n[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
\n[string]
Fields to group by.
hasOptionalGroupByFields
\nboolean
When false, events without a group-by value are ignored by the query. When true, events with missing group-by fields are processed with N/A, replacing the missing values.
metrics
\n[string]
Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.
name
\nstring
Name of the query.
query
\nstring
Query to run on logs.
referenceTables
\n[object]
Reference tables used in the queries.
checkPresence
\nboolean
Whether to include or exclude the matched values.
columnName
\nstring
The name of the column in the reference table.
logFieldPath
\nstring
The field in the log to match against the reference table.
ruleQueryName
\nstring
The name of the query to apply the reference table to.
tableName
\nstring
The name of the reference table.
tags
\n[string]
Tags for generated signals.
thirdPartyCases
\n[object]
Cases for generating results from third-party detection method. Only available for third-party detection method.
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets for each case.
query
\nstring
A query to map a third party event to this case.
status [required]
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
to [required]
\nint64
Ending time of data analyzed by the job.
type
\nstring
Job type.
jobName
\nstring
Job name.
jobStatus
\nstring
Job status.
modifiedAt
\nstring
Last modification time of the job.
id
\nstring
ID of the job.
type
\nenum
Type of payload. \nAllowed enum values: historicalDetectionsJob
data
\nobject
Threat hunting job response data.
attributes
\nobject
Threat hunting job attributes.
createdAt
\nstring
Time when the job was created.
createdByHandle
\nstring
The handle of the user who created the job.
createdByName
\nstring
The name of the user who created the job.
createdFromRuleId
\nstring
ID of the rule used to create the job (if it is created from a rule).
jobDefinition
\nobject
Definition of a threat hunting job.
calculatedFields
\n[object]
Calculated fields.
expression [required]
\nstring
Expression.
name [required]
\nstring
Field name.
cases [required]
\n[object]
Cases used for generating job results.
actions
\n[object]
Action to perform for each rule case.
options
\nobject
Options for the rule action
duration
\nint64
Duration of the action in seconds. 0 indicates no expiration.
flaggedIPType
\nenum
Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IP addresses. \nAllowed enum values: SUSPICIOUS,FLAGGED
userBehaviorName
\nstring
Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.
type
\nenum
The action type. \nAllowed enum values: block_ip,block_user,user_behavior,flag_ip
condition
\nstring
A case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated\nbased on the event counts in the previously defined queries.
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets.
status [required]
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
from [required]
\nint64
Starting time of data analyzed by the job.
groupSignalsBy
\n[string]
Additional grouping to perform on top of the existing groups in the query section. Must be a subset of the existing groups.
index [required]
\nstring
Index used to load the data.
message [required]
\nstring
Message for generated results.
name [required]
\nstring
Job name.
options
\nobject
Job options.
detectionMethod
\nenum
The detection method. \nAllowed enum values: threshold,new_value,anomaly_detection,impossible_travel,hardcoded,third_party,anomaly_threshold,sequence_detection
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
impossibleTravelOptions
\nobject
Options on impossible travel detection method.
baselineUserLocations
\nboolean
If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular\naccess locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
keepAlive
\nenum
Once a signal is generated, the signal will remain "open" if a case is matched at least once within\nthis keep alive window. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
maxSignalDuration
\nenum
A signal will "close" regardless of the query being matched once the time exceeds the maximum duration.\nThis time is calculated from the first seen timestamp. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
newValueOptions
\nobject
Options on new value detection method.
forgetAfter
\nenum
The duration in days after which a learned value is forgotten. \nAllowed enum values: 1,2,7,14,21,28
learningDuration
\nenum
The duration in days during which values are learned, and after which signals will be generated for values that\nweren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. \nAllowed enum values: 0,1,7
learningMethod
\nenum
The learning method used to determine when signals should be generated for values that weren't learned. \nAllowed enum values: duration,threshold
default: duration
learningThreshold
\nenum
A number of occurrences after which signals will be generated for values that weren't learned. \nAllowed enum values: 0,1
sequenceDetectionOptions
\nobject
Options on sequence detection method.
stepTransitions
\n[object]
Transitions defining the allowed order of steps and their evaluation windows.
child
\nstring
Name of the child step.
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
parent
\nstring
Name of the parent step.
steps
\n[object]
Steps that define the conditions to be matched in sequence.
condition
\nstring
Condition referencing rule queries (e.g., a > 0).
evaluationWindow
\nenum
A time window is specified to match when at least one of the cases matches true. This is a sliding window\nand evaluates in real time. For third party detection method, this field is not used. \nAllowed enum values: 0,60,300,600,900,1800,3600,7200,10800,21600,43200,86400
name
\nstring
Unique name identifying the step.
thirdPartyRuleOptions
\nobject
Options on third party detection method.
defaultNotifications
\n[string]
Notification targets for the logs that do not correspond to any of the cases.
defaultStatus
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
rootQueries
\n[object]
Queries to be combined with third party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
groupByFields
\n[string]
Fields to group by.
query
\nstring
Query to run on logs.
signalTitleTemplate
\nstring
A template for the signal title; if omitted, the title is generated based on the case name.
queries [required]
\n[object]
Queries for selecting logs analyzed by the job.
aggregation
\nenum
The aggregation type. \nAllowed enum values: count,cardinality,sum,max,new_value,geo_data,event_count,none
dataSource
\nenum
Source of events, either logs, audit trail, or Datadog events. \nAllowed enum values: logs,audit,app_sec_spans,spans,security_runtime,network,events
default: logs
distinctFields
\n[string]
Field for which the cardinality is measured. Sent as an array.
groupByFields
\n[string]
Fields to group by.
hasOptionalGroupByFields
\nboolean
When false, events without a group-by value are ignored by the query. When true, events with missing group-by fields are processed with N/A, replacing the missing values.
metrics
\n[string]
Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.
name
\nstring
Name of the query.
query
\nstring
Query to run on logs.
referenceTables
\n[object]
Reference tables used in the queries.
checkPresence
\nboolean
Whether to include or exclude the matched values.
columnName
\nstring
The name of the column in the reference table.
logFieldPath
\nstring
The field in the log to match against the reference table.
ruleQueryName
\nstring
The name of the query to apply the reference table to.
tableName
\nstring
The name of the reference table.
tags
\n[string]
Tags for generated signals.
thirdPartyCases
\n[object]
Cases for generating results from third-party detection method. Only available for third-party detection method.
name
\nstring
Name of the case.
notifications
\n[string]
Notification targets for each case.
query
\nstring
A query to map a third party event to this case.
status [required]
\nenum
Severity of the Security Signal. \nAllowed enum values: info,low,medium,high,critical
to [required]
\nint64
Ending time of data analyzed by the job.
type
\nstring
Job type.
jobName
\nstring
Job name.
jobStatus
\nstring
Job status.
modifiedAt
\nstring
Last modification time of the job.
id
\nstring
ID of the job.
type
\nenum
Type of payload. \nAllowed enum values: historicalDetectionsJob