Add sequence detection to security monitoring rules (#3348)

Co-authored-by: ci.datadog-api-spec <packages@datadoghq.com>

Author: api-clients-generation-pipeline[bot]

.generator/schemas/v2/openapi.yaml

@@ -20470,6 +20470,8 @@ components:
           $ref: '#/components/schemas/SecurityMonitoringRuleMaxSignalDuration'
         newValueOptions:
           $ref: '#/components/schemas/SecurityMonitoringRuleNewValueOptions'
+        sequenceDetectionOptions:
+          $ref: '#/components/schemas/SecurityMonitoringRuleSequenceDetectionOptions'
         thirdPartyRuleOptions:
           $ref: '#/components/schemas/SecurityMonitoringRuleThirdPartyOptions'
       type: object
@@ -40786,6 +40788,7 @@ components:
       - hardcoded
       - third_party
       - anomaly_threshold
+      - sequence_detection
       type: string
       x-enum-varnames:
       - THRESHOLD
@@ -40795,6 +40798,7 @@ components:
       - HARDCODED
       - THIRD_PARTY
       - ANOMALY_THRESHOLD
+      - SEQUENCE_DETECTION
     SecurityMonitoringRuleEvaluationWindow:
       description: 'A time window is specified to match when at least one of the cases
         matches true. This is a sliding window
@@ -41008,6 +41012,8 @@ components:
           $ref: '#/components/schemas/SecurityMonitoringRuleMaxSignalDuration'
         newValueOptions:
           $ref: '#/components/schemas/SecurityMonitoringRuleNewValueOptions'
+        sequenceDetectionOptions:
+          $ref: '#/components/schemas/SecurityMonitoringRuleSequenceDetectionOptions'
         thirdPartyRuleOptions:
           $ref: '#/components/schemas/SecurityMonitoringRuleThirdPartyOptions'
       type: object
@@ -41083,6 +41089,47 @@ components:
       oneOf:
       - $ref: '#/components/schemas/SecurityMonitoringStandardRuleResponse'
       - $ref: '#/components/schemas/SecurityMonitoringSignalRuleResponse'
+    SecurityMonitoringRuleSequenceDetectionOptions:
+      description: Options on sequence detection method.
+      properties:
+        stepTransitions:
+          description: Transitions defining the allowed order of steps and their evaluation
+            windows.
+          items:
+            $ref: '#/components/schemas/SecurityMonitoringRuleSequenceDetectionStepTransition'
+          type: array
+        steps:
+          description: Steps that define the conditions to be matched in sequence.
+          items:
+            $ref: '#/components/schemas/SecurityMonitoringRuleSequenceDetectionStep'
+          type: array
+      type: object
+    SecurityMonitoringRuleSequenceDetectionStep:
+      description: Step definition for sequence detection containing the step name,
+        condition, and evaluation window.
+      properties:
+        condition:
+          description: Condition referencing rule queries (e.g., `a > 0`).
+          type: string
+        evaluationWindow:
+          $ref: '#/components/schemas/SecurityMonitoringRuleEvaluationWindow'
+        name:
+          description: Unique name identifying the step.
+          type: string
+      type: object
+    SecurityMonitoringRuleSequenceDetectionStepTransition:
+      description: Transition from a parent step to a child step within a sequence
+        detection rule.
+      properties:
+        child:
+          description: Name of the child step.
+          type: string
+        evaluationWindow:
+          $ref: '#/components/schemas/SecurityMonitoringRuleEvaluationWindow'
+        parent:
+          description: Name of the parent step.
+          type: string
+      type: object
     SecurityMonitoringRuleSeverity:
       description: Severity of the Security Signal.
       enum:

api/datadogV2/model_historical_job_options.go

@@ -25,6 +25,8 @@ type HistoricalJobOptions struct {
 	MaxSignalDuration *SecurityMonitoringRuleMaxSignalDuration `json:"maxSignalDuration,omitempty"`
 	// Options on new value detection method.
 	NewValueOptions *SecurityMonitoringRuleNewValueOptions `json:"newValueOptions,omitempty"`
+	// Options on sequence detection method.
+	SequenceDetectionOptions *SecurityMonitoringRuleSequenceDetectionOptions `json:"sequenceDetectionOptions,omitempty"`
 	// Options on third party detection method.
 	ThirdPartyRuleOptions *SecurityMonitoringRuleThirdPartyOptions `json:"thirdPartyRuleOptions,omitempty"`
 	// UnparsedObject contains the raw value of the object if there was an error when deserializing into the struct
@@ -217,6 +219,34 @@ func (o *HistoricalJobOptions) SetNewValueOptions(v SecurityMonitoringRuleNewVal
 	o.NewValueOptions = &v
 }
 
+// GetSequenceDetectionOptions returns the SequenceDetectionOptions field value if set, zero value otherwise.
+func (o *HistoricalJobOptions) GetSequenceDetectionOptions() SecurityMonitoringRuleSequenceDetectionOptions {
+	if o == nil || o.SequenceDetectionOptions == nil {
+		var ret SecurityMonitoringRuleSequenceDetectionOptions
+		return ret
+	}
+	return *o.SequenceDetectionOptions
+}
+
+// GetSequenceDetectionOptionsOk returns a tuple with the SequenceDetectionOptions field value if set, nil otherwise
+// and a boolean to check if the value has been set.
+func (o *HistoricalJobOptions) GetSequenceDetectionOptionsOk() (*SecurityMonitoringRuleSequenceDetectionOptions, bool) {
+	if o == nil || o.SequenceDetectionOptions == nil {
+		return nil, false
+	}
+	return o.SequenceDetectionOptions, true
+}
+
+// HasSequenceDetectionOptions returns a boolean if a field has been set.
+func (o *HistoricalJobOptions) HasSequenceDetectionOptions() bool {
+	return o != nil && o.SequenceDetectionOptions != nil
+}
+
+// SetSequenceDetectionOptions gets a reference to the given SecurityMonitoringRuleSequenceDetectionOptions and assigns it to the SequenceDetectionOptions field.
+func (o *HistoricalJobOptions) SetSequenceDetectionOptions(v SecurityMonitoringRuleSequenceDetectionOptions) {
+	o.SequenceDetectionOptions = &v
+}
+
 // GetThirdPartyRuleOptions returns the ThirdPartyRuleOptions field value if set, zero value otherwise.
 func (o *HistoricalJobOptions) GetThirdPartyRuleOptions() SecurityMonitoringRuleThirdPartyOptions {
 	if o == nil || o.ThirdPartyRuleOptions == nil {
@@ -269,6 +299,9 @@ func (o HistoricalJobOptions) MarshalJSON() ([]byte, error) {
 	if o.NewValueOptions != nil {
 		toSerialize["newValueOptions"] = o.NewValueOptions
 	}
+	if o.SequenceDetectionOptions != nil {
+		toSerialize["sequenceDetectionOptions"] = o.SequenceDetectionOptions
+	}
 	if o.ThirdPartyRuleOptions != nil {
 		toSerialize["thirdPartyRuleOptions"] = o.ThirdPartyRuleOptions
 	}
@@ -282,20 +315,21 @@ func (o HistoricalJobOptions) MarshalJSON() ([]byte, error) {
 // UnmarshalJSON deserializes the given payload.
 func (o *HistoricalJobOptions) UnmarshalJSON(bytes []byte) (err error) {
 	all := struct {
-		DetectionMethod         *SecurityMonitoringRuleDetectionMethod         `json:"detectionMethod,omitempty"`
-		EvaluationWindow        *SecurityMonitoringRuleEvaluationWindow        `json:"evaluationWindow,omitempty"`
-		ImpossibleTravelOptions *SecurityMonitoringRuleImpossibleTravelOptions `json:"impossibleTravelOptions,omitempty"`
-		KeepAlive               *SecurityMonitoringRuleKeepAlive               `json:"keepAlive,omitempty"`
-		MaxSignalDuration       *SecurityMonitoringRuleMaxSignalDuration       `json:"maxSignalDuration,omitempty"`
-		NewValueOptions         *SecurityMonitoringRuleNewValueOptions         `json:"newValueOptions,omitempty"`
-		ThirdPartyRuleOptions   *SecurityMonitoringRuleThirdPartyOptions       `json:"thirdPartyRuleOptions,omitempty"`
+		DetectionMethod          *SecurityMonitoringRuleDetectionMethod          `json:"detectionMethod,omitempty"`
+		EvaluationWindow         *SecurityMonitoringRuleEvaluationWindow         `json:"evaluationWindow,omitempty"`
+		ImpossibleTravelOptions  *SecurityMonitoringRuleImpossibleTravelOptions  `json:"impossibleTravelOptions,omitempty"`
+		KeepAlive                *SecurityMonitoringRuleKeepAlive                `json:"keepAlive,omitempty"`
+		MaxSignalDuration        *SecurityMonitoringRuleMaxSignalDuration        `json:"maxSignalDuration,omitempty"`
+		NewValueOptions          *SecurityMonitoringRuleNewValueOptions          `json:"newValueOptions,omitempty"`
+		SequenceDetectionOptions *SecurityMonitoringRuleSequenceDetectionOptions `json:"sequenceDetectionOptions,omitempty"`
+		ThirdPartyRuleOptions    *SecurityMonitoringRuleThirdPartyOptions        `json:"thirdPartyRuleOptions,omitempty"`
 	}{}
 	if err = datadog.Unmarshal(bytes, &all); err != nil {
 		return datadog.Unmarshal(bytes, &o.UnparsedObject)
 	}
 	additionalProperties := make(map[string]interface{})
 	if err = datadog.Unmarshal(bytes, &additionalProperties); err == nil {
-		datadog.DeleteKeys(additionalProperties, &[]string{"detectionMethod", "evaluationWindow", "impossibleTravelOptions", "keepAlive", "maxSignalDuration", "newValueOptions", "thirdPartyRuleOptions"})
+		datadog.DeleteKeys(additionalProperties, &[]string{"detectionMethod", "evaluationWindow", "impossibleTravelOptions", "keepAlive", "maxSignalDuration", "newValueOptions", "sequenceDetectionOptions", "thirdPartyRuleOptions"})
 	} else {
 		return err
 	}
@@ -329,6 +363,10 @@ func (o *HistoricalJobOptions) UnmarshalJSON(bytes []byte) (err error) {
 		hasInvalidField = true
 	}
 	o.NewValueOptions = all.NewValueOptions
+	if all.SequenceDetectionOptions != nil && all.SequenceDetectionOptions.UnparsedObject != nil && o.UnparsedObject == nil {
+		hasInvalidField = true
+	}
+	o.SequenceDetectionOptions = all.SequenceDetectionOptions
 	if all.ThirdPartyRuleOptions != nil && all.ThirdPartyRuleOptions.UnparsedObject != nil && o.UnparsedObject == nil {
 		hasInvalidField = true
 	}

api/datadogV2/model_security_monitoring_rule_detection_method.go

@@ -15,13 +15,14 @@ type SecurityMonitoringRuleDetectionMethod string
 
 // List of SecurityMonitoringRuleDetectionMethod.
 const (
-	SECURITYMONITORINGRULEDETECTIONMETHOD_THRESHOLD         SecurityMonitoringRuleDetectionMethod = "threshold"
-	SECURITYMONITORINGRULEDETECTIONMETHOD_NEW_VALUE         SecurityMonitoringRuleDetectionMethod = "new_value"
-	SECURITYMONITORINGRULEDETECTIONMETHOD_ANOMALY_DETECTION SecurityMonitoringRuleDetectionMethod = "anomaly_detection"
-	SECURITYMONITORINGRULEDETECTIONMETHOD_IMPOSSIBLE_TRAVEL SecurityMonitoringRuleDetectionMethod = "impossible_travel"
-	SECURITYMONITORINGRULEDETECTIONMETHOD_HARDCODED         SecurityMonitoringRuleDetectionMethod = "hardcoded"
-	SECURITYMONITORINGRULEDETECTIONMETHOD_THIRD_PARTY       SecurityMonitoringRuleDetectionMethod = "third_party"
-	SECURITYMONITORINGRULEDETECTIONMETHOD_ANOMALY_THRESHOLD SecurityMonitoringRuleDetectionMethod = "anomaly_threshold"
+	SECURITYMONITORINGRULEDETECTIONMETHOD_THRESHOLD          SecurityMonitoringRuleDetectionMethod = "threshold"
+	SECURITYMONITORINGRULEDETECTIONMETHOD_NEW_VALUE          SecurityMonitoringRuleDetectionMethod = "new_value"
+	SECURITYMONITORINGRULEDETECTIONMETHOD_ANOMALY_DETECTION  SecurityMonitoringRuleDetectionMethod = "anomaly_detection"
+	SECURITYMONITORINGRULEDETECTIONMETHOD_IMPOSSIBLE_TRAVEL  SecurityMonitoringRuleDetectionMethod = "impossible_travel"
+	SECURITYMONITORINGRULEDETECTIONMETHOD_HARDCODED          SecurityMonitoringRuleDetectionMethod = "hardcoded"
+	SECURITYMONITORINGRULEDETECTIONMETHOD_THIRD_PARTY        SecurityMonitoringRuleDetectionMethod = "third_party"
+	SECURITYMONITORINGRULEDETECTIONMETHOD_ANOMALY_THRESHOLD  SecurityMonitoringRuleDetectionMethod = "anomaly_threshold"
+	SECURITYMONITORINGRULEDETECTIONMETHOD_SEQUENCE_DETECTION SecurityMonitoringRuleDetectionMethod = "sequence_detection"
 )
 
 var allowedSecurityMonitoringRuleDetectionMethodEnumValues = []SecurityMonitoringRuleDetectionMethod{
@@ -32,6 +33,7 @@ var allowedSecurityMonitoringRuleDetectionMethodEnumValues = []SecurityMonitorin
 	SECURITYMONITORINGRULEDETECTIONMETHOD_HARDCODED,
 	SECURITYMONITORINGRULEDETECTIONMETHOD_THIRD_PARTY,
 	SECURITYMONITORINGRULEDETECTIONMETHOD_ANOMALY_THRESHOLD,
+	SECURITYMONITORINGRULEDETECTIONMETHOD_SEQUENCE_DETECTION,
 }
 
 // GetAllowedValues reeturns the list of possible values.

api/datadogV2/model_security_monitoring_rule_options.go

@@ -35,6 +35,8 @@ type SecurityMonitoringRuleOptions struct {
 	MaxSignalDuration *SecurityMonitoringRuleMaxSignalDuration `json:"maxSignalDuration,omitempty"`
 	// Options on new value detection method.
 	NewValueOptions *SecurityMonitoringRuleNewValueOptions `json:"newValueOptions,omitempty"`
+	// Options on sequence detection method.
+	SequenceDetectionOptions *SecurityMonitoringRuleSequenceDetectionOptions `json:"sequenceDetectionOptions,omitempty"`
 	// Options on third party detection method.
 	ThirdPartyRuleOptions *SecurityMonitoringRuleThirdPartyOptions `json:"thirdPartyRuleOptions,omitempty"`
 	// UnparsedObject contains the raw value of the object if there was an error when deserializing into the struct
@@ -311,6 +313,34 @@ func (o *SecurityMonitoringRuleOptions) SetNewValueOptions(v SecurityMonitoringR
 	o.NewValueOptions = &v
 }
 
+// GetSequenceDetectionOptions returns the SequenceDetectionOptions field value if set, zero value otherwise.
+func (o *SecurityMonitoringRuleOptions) GetSequenceDetectionOptions() SecurityMonitoringRuleSequenceDetectionOptions {
+	if o == nil || o.SequenceDetectionOptions == nil {
+		var ret SecurityMonitoringRuleSequenceDetectionOptions
+		return ret
+	}
+	return *o.SequenceDetectionOptions
+}
+
+// GetSequenceDetectionOptionsOk returns a tuple with the SequenceDetectionOptions field value if set, nil otherwise
+// and a boolean to check if the value has been set.
+func (o *SecurityMonitoringRuleOptions) GetSequenceDetectionOptionsOk() (*SecurityMonitoringRuleSequenceDetectionOptions, bool) {
+	if o == nil || o.SequenceDetectionOptions == nil {
+		return nil, false
+	}
+	return o.SequenceDetectionOptions, true
+}
+
+// HasSequenceDetectionOptions returns a boolean if a field has been set.
+func (o *SecurityMonitoringRuleOptions) HasSequenceDetectionOptions() bool {
+	return o != nil && o.SequenceDetectionOptions != nil
+}
+
+// SetSequenceDetectionOptions gets a reference to the given SecurityMonitoringRuleSequenceDetectionOptions and assigns it to the SequenceDetectionOptions field.
+func (o *SecurityMonitoringRuleOptions) SetSequenceDetectionOptions(v SecurityMonitoringRuleSequenceDetectionOptions) {
+	o.SequenceDetectionOptions = &v
+}
+
 // GetThirdPartyRuleOptions returns the ThirdPartyRuleOptions field value if set, zero value otherwise.
 func (o *SecurityMonitoringRuleOptions) GetThirdPartyRuleOptions() SecurityMonitoringRuleThirdPartyOptions {
 	if o == nil || o.ThirdPartyRuleOptions == nil {
@@ -372,6 +402,9 @@ func (o SecurityMonitoringRuleOptions) MarshalJSON() ([]byte, error) {
 	if o.NewValueOptions != nil {
 		toSerialize["newValueOptions"] = o.NewValueOptions
 	}
+	if o.SequenceDetectionOptions != nil {
+		toSerialize["sequenceDetectionOptions"] = o.SequenceDetectionOptions
+	}
 	if o.ThirdPartyRuleOptions != nil {
 		toSerialize["thirdPartyRuleOptions"] = o.ThirdPartyRuleOptions
 	}
@@ -385,23 +418,24 @@ func (o SecurityMonitoringRuleOptions) MarshalJSON() ([]byte, error) {
 // UnmarshalJSON deserializes the given payload.
 func (o *SecurityMonitoringRuleOptions) UnmarshalJSON(bytes []byte) (err error) {
 	all := struct {
-		ComplianceRuleOptions         *CloudConfigurationComplianceRuleOptions       `json:"complianceRuleOptions,omitempty"`
-		DecreaseCriticalityBasedOnEnv *bool                                          `json:"decreaseCriticalityBasedOnEnv,omitempty"`
-		DetectionMethod               *SecurityMonitoringRuleDetectionMethod         `json:"detectionMethod,omitempty"`
-		EvaluationWindow              *SecurityMonitoringRuleEvaluationWindow        `json:"evaluationWindow,omitempty"`
-		HardcodedEvaluatorType        *SecurityMonitoringRuleHardcodedEvaluatorType  `json:"hardcodedEvaluatorType,omitempty"`
-		ImpossibleTravelOptions       *SecurityMonitoringRuleImpossibleTravelOptions `json:"impossibleTravelOptions,omitempty"`
-		KeepAlive                     *SecurityMonitoringRuleKeepAlive               `json:"keepAlive,omitempty"`
-		MaxSignalDuration             *SecurityMonitoringRuleMaxSignalDuration       `json:"maxSignalDuration,omitempty"`
-		NewValueOptions               *SecurityMonitoringRuleNewValueOptions         `json:"newValueOptions,omitempty"`
-		ThirdPartyRuleOptions         *SecurityMonitoringRuleThirdPartyOptions       `json:"thirdPartyRuleOptions,omitempty"`
+		ComplianceRuleOptions         *CloudConfigurationComplianceRuleOptions        `json:"complianceRuleOptions,omitempty"`
+		DecreaseCriticalityBasedOnEnv *bool                                           `json:"decreaseCriticalityBasedOnEnv,omitempty"`
+		DetectionMethod               *SecurityMonitoringRuleDetectionMethod          `json:"detectionMethod,omitempty"`
+		EvaluationWindow              *SecurityMonitoringRuleEvaluationWindow         `json:"evaluationWindow,omitempty"`
+		HardcodedEvaluatorType        *SecurityMonitoringRuleHardcodedEvaluatorType   `json:"hardcodedEvaluatorType,omitempty"`
+		ImpossibleTravelOptions       *SecurityMonitoringRuleImpossibleTravelOptions  `json:"impossibleTravelOptions,omitempty"`
+		KeepAlive                     *SecurityMonitoringRuleKeepAlive                `json:"keepAlive,omitempty"`
+		MaxSignalDuration             *SecurityMonitoringRuleMaxSignalDuration        `json:"maxSignalDuration,omitempty"`
+		NewValueOptions               *SecurityMonitoringRuleNewValueOptions          `json:"newValueOptions,omitempty"`
+		SequenceDetectionOptions      *SecurityMonitoringRuleSequenceDetectionOptions `json:"sequenceDetectionOptions,omitempty"`
+		ThirdPartyRuleOptions         *SecurityMonitoringRuleThirdPartyOptions        `json:"thirdPartyRuleOptions,omitempty"`
 	}{}
 	if err = datadog.Unmarshal(bytes, &all); err != nil {
 		return datadog.Unmarshal(bytes, &o.UnparsedObject)
 	}
 	additionalProperties := make(map[string]interface{})
 	if err = datadog.Unmarshal(bytes, &additionalProperties); err == nil {
-		datadog.DeleteKeys(additionalProperties, &[]string{"complianceRuleOptions", "decreaseCriticalityBasedOnEnv", "detectionMethod", "evaluationWindow", "hardcodedEvaluatorType", "impossibleTravelOptions", "keepAlive", "maxSignalDuration", "newValueOptions", "thirdPartyRuleOptions"})
+		datadog.DeleteKeys(additionalProperties, &[]string{"complianceRuleOptions", "decreaseCriticalityBasedOnEnv", "detectionMethod", "evaluationWindow", "hardcodedEvaluatorType", "impossibleTravelOptions", "keepAlive", "maxSignalDuration", "newValueOptions", "sequenceDetectionOptions", "thirdPartyRuleOptions"})
 	} else {
 		return err
 	}
@@ -445,6 +479,10 @@ func (o *SecurityMonitoringRuleOptions) UnmarshalJSON(bytes []byte) (err error)
 		hasInvalidField = true
 	}
 	o.NewValueOptions = all.NewValueOptions
+	if all.SequenceDetectionOptions != nil && all.SequenceDetectionOptions.UnparsedObject != nil && o.UnparsedObject == nil {
+		hasInvalidField = true
+	}
+	o.SequenceDetectionOptions = all.SequenceDetectionOptions
 	if all.ThirdPartyRuleOptions != nil && all.ThirdPartyRuleOptions.UnparsedObject != nil && o.UnparsedObject == nil {
 		hasInvalidField = true
 	}