// Run a threat hunting job — returns a "Status created" response
import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.JobCreateResponse;
import com.datadog.api.client.v2.model.JobDefinition;
import com.datadog.api.client.v2.model.RunThreatHuntingJobRequest;
import com.datadog.api.client.v2.model.RunThreatHuntingJobRequestAttributes;
import com.datadog.api.client.v2.model.RunThreatHuntingJobRequestData;
import com.datadog.api.client.v2.model.RunThreatHuntingJobRequestDataType;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCaseCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleEvaluationWindow;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleKeepAlive;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleMaxSignalDuration;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleQueryAggregation;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSeverity;
import com.datadog.api.client.v2.model.ThreatHuntingJobOptions;
import com.datadog.api.client.v2.model.ThreatHuntingJobQuery;
import java.util.Collections;
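/**
 * Minimal example: submits a historical (threat hunting) detection job to the Datadog
 * Security Monitoring API and prints the resulting {@code JobCreateResponse}.
 *
 * <p>No credentials appear in this file; {@link ApiClient#getDefaultApiClient()} reads them
 * from the process environment (typically {@code DD_API_KEY} / {@code DD_APP_KEY}), so the
 * sample can be committed without hard-coded secrets.
 */
public class Example {

  /** Start of the historical window to scan, as epoch milliseconds (sample value). */
  private static final long FROM_EPOCH_MS = 1730387522611L;

  /** End of the historical window to scan, as epoch milliseconds (sample value). */
  private static final long TO_EPOCH_MS = 1730387532611L;

  /**
   * Entry point: opts into the unstable operation, submits the job and reports the outcome.
   *
   * @param args ignored
   */
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    // runThreatHuntingJob is marked unstable in this client version and must be explicitly
    // enabled before it can be invoked.
    defaultClient.setUnstableOperationEnabled("v2.runThreatHuntingJob", true);
    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

    RunThreatHuntingJobRequest body = buildRequest();

    try {
      JobCreateResponse result = apiInstance.runThreatHuntingJob(body);
      System.out.println(result);
    } catch (ApiException e) {
      // The status, body and headers below come from the API's error response; they are
      // echoed to stderr for troubleshooting this sample and would go to a logger in real code.
      System.err.println("Exception when calling SecurityMonitoringApi#runThreatHuntingJob");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }

  /**
   * Builds the request body: one log-detection query that counts matching events, a single
   * INFO-severity case with the condition {@code a > 1}, and a fixed historical window.
   *
   * @return the populated {@link RunThreatHuntingJobRequest}
   */
  private static RunThreatHuntingJobRequest buildRequest() {
    ThreatHuntingJobQuery query =
        new ThreatHuntingJobQuery()
            .query("source:non_existing_src_weekend")
            .aggregation(SecurityMonitoringRuleQueryAggregation.COUNT);

    // NOTE(review): "a" presumably names the first (and only) query above — confirm against
    // the rule-condition syntax before reusing this condition with several queries.
    SecurityMonitoringRuleCaseCreate firstCase =
        new SecurityMonitoringRuleCaseCreate()
            .name("Condition 1")
            .status(SecurityMonitoringRuleSeverity.INFO)
            .condition("a > 1");

    ThreatHuntingJobOptions options =
        new ThreatHuntingJobOptions()
            .keepAlive(SecurityMonitoringRuleKeepAlive.ONE_HOUR)
            .maxSignalDuration(SecurityMonitoringRuleMaxSignalDuration.ONE_DAY)
            .evaluationWindow(SecurityMonitoringRuleEvaluationWindow.FIFTEEN_MINUTES);

    JobDefinition jobDefinition =
        new JobDefinition()
            .type("log_detection")
            .name("Excessive number of failed attempts.")
            .queries(Collections.singletonList(query))
            .cases(Collections.singletonList(firstCase))
            .options(options)
            .message("A large number of failed login attempts.")
            .from(FROM_EPOCH_MS)
            .to(TO_EPOCH_MS)
            .index("main");

    return new RunThreatHuntingJobRequest()
        .data(
            new RunThreatHuntingJobRequestData()
                .type(RunThreatHuntingJobRequestDataType.HISTORICALDETECTIONSJOBCREATE)
                .attributes(
                    new RunThreatHuntingJobRequestAttributes().jobDefinition(jobDefinition)));
  }
}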