47 changes: 47 additions & 0 deletions .generator/schemas/v2/openapi.yaml
Expand Up @@ -20470,6 +20470,8 @@ components:
$ref: '#/components/schemas/SecurityMonitoringRuleMaxSignalDuration'
newValueOptions:
$ref: '#/components/schemas/SecurityMonitoringRuleNewValueOptions'
sequenceDetectionOptions:
$ref: '#/components/schemas/SecurityMonitoringRuleSequenceDetectionOptions'
thirdPartyRuleOptions:
$ref: '#/components/schemas/SecurityMonitoringRuleThirdPartyOptions'
type: object
Expand Down Expand Up @@ -40786,6 +40788,7 @@ components:
- hardcoded
- third_party
- anomaly_threshold
- sequence_detection
type: string
x-enum-varnames:
- THRESHOLD
Expand All @@ -40795,6 +40798,7 @@ components:
- HARDCODED
- THIRD_PARTY
- ANOMALY_THRESHOLD
- SEQUENCE_DETECTION
SecurityMonitoringRuleEvaluationWindow:
description: 'A time window is specified to match when at least one of the cases
matches true. This is a sliding window
Expand Down Expand Up @@ -41008,6 +41012,8 @@ components:
$ref: '#/components/schemas/SecurityMonitoringRuleMaxSignalDuration'
newValueOptions:
$ref: '#/components/schemas/SecurityMonitoringRuleNewValueOptions'
sequenceDetectionOptions:
$ref: '#/components/schemas/SecurityMonitoringRuleSequenceDetectionOptions'
thirdPartyRuleOptions:
$ref: '#/components/schemas/SecurityMonitoringRuleThirdPartyOptions'
type: object
Expand Down Expand Up @@ -41083,6 +41089,47 @@ components:
oneOf:
- $ref: '#/components/schemas/SecurityMonitoringStandardRuleResponse'
- $ref: '#/components/schemas/SecurityMonitoringSignalRuleResponse'
SecurityMonitoringRuleSequenceDetectionOptions:
description: Options on sequence detection method.
properties:
stepTransitions:
description: Transitions defining the allowed order of steps and their evaluation
windows.
items:
$ref: '#/components/schemas/SecurityMonitoringRuleSequenceDetectionStepTransition'
type: array
steps:
description: Steps that define the conditions to be matched in sequence.
items:
$ref: '#/components/schemas/SecurityMonitoringRuleSequenceDetectionStep'
type: array
type: object
SecurityMonitoringRuleSequenceDetectionStep:
description: Step definition for sequence detection containing the step name,
condition, and evaluation window.
properties:
condition:
description: Condition referencing rule queries (e.g., `a > 0`).
type: string
evaluationWindow:
$ref: '#/components/schemas/SecurityMonitoringRuleEvaluationWindow'
name:
description: Unique name identifying the step.
type: string
type: object
SecurityMonitoringRuleSequenceDetectionStepTransition:
description: Transition from a parent step to a child step within a sequence
detection rule.
properties:
child:
description: Name of the child step.
type: string
evaluationWindow:
$ref: '#/components/schemas/SecurityMonitoringRuleEvaluationWindow'
parent:
description: Name of the parent step.
type: string
type: object
SecurityMonitoringRuleSeverity:
description: Severity of the Security Signal.
enum:
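Review bot: None of the three new schemas under `SecurityMonitoringRuleSequenceDetectionOptions` declare `required` properties, so a step with no `name` or a transition whose `parent`/`child` names no entry in `steps` is valid against the spec even though such a sequence cannot be evaluated. If the service rejects those payloads, add `required: [name, condition]` to the step schema and `required: [parent, child]` to the transition schema, and state the referential constraint in the `stepTransitions` description, e.g. `Each parent and child must match the name of an entry in steps.` The `evaluationWindow` on a transition carries only the shared `$ref`; presumably it bounds the time allowed between the parent step matching and the child step matching, which should be confirmed and written into the property description. The step `condition` description (`a > 0`) is also worth contrasting with rule cases, which in the accompanying examples reference step names (`step_b > 0`) rather than query names.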
@@ -0,0 +1,99 @@
// Create a detection rule with detection method 'sequence_detection' returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCaseCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCreatePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleDetectionMethod;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleEvaluationWindow;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleKeepAlive;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleMaxSignalDuration;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleOptions;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleQueryAggregation;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleResponse;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSequenceDetectionOptions;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSequenceDetectionStep;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSequenceDetectionStepTransition;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSeverity;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleTypeCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardDataSource;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRuleCreatePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRuleQuery;
import java.util.Arrays;
import java.util.Collections;

public class Example {
public static void main(String[] args) {
ApiClient defaultClient = ApiClient.getDefaultApiClient();
SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

SecurityMonitoringRuleCreatePayload body =
new SecurityMonitoringRuleCreatePayload(
new SecurityMonitoringStandardRuleCreatePayload()
.name("Example-Security-Monitoring")
.type(SecurityMonitoringRuleTypeCreate.LOG_DETECTION)
.isEnabled(true)
.queries(
Arrays.asList(
new SecurityMonitoringStandardRuleQuery()
.aggregation(SecurityMonitoringRuleQueryAggregation.COUNT)
.dataSource(SecurityMonitoringStandardDataSource.LOGS)
.hasOptionalGroupByFields(false)
.name("")
.query("service:logs-rule-reducer source:paul test2"),
new SecurityMonitoringStandardRuleQuery()
.aggregation(SecurityMonitoringRuleQueryAggregation.COUNT)
.dataSource(SecurityMonitoringStandardDataSource.LOGS)
.hasOptionalGroupByFields(false)
.name("")
.query("service:logs-rule-reducer source:paul test1")))
.cases(
Collections.singletonList(
new SecurityMonitoringRuleCaseCreate()
.name("")
.status(SecurityMonitoringRuleSeverity.INFO)
.condition("step_b > 0")))
.message("Logs and signals asdf")
.options(
new SecurityMonitoringRuleOptions()
.detectionMethod(SecurityMonitoringRuleDetectionMethod.SEQUENCE_DETECTION)
.evaluationWindow(SecurityMonitoringRuleEvaluationWindow.ZERO_MINUTES)
.keepAlive(SecurityMonitoringRuleKeepAlive.FIVE_MINUTES)
.maxSignalDuration(SecurityMonitoringRuleMaxSignalDuration.TEN_MINUTES)
.sequenceDetectionOptions(
new SecurityMonitoringRuleSequenceDetectionOptions()
.stepTransitions(
Collections.singletonList(
new SecurityMonitoringRuleSequenceDetectionStepTransition()
.child("step_b")
.evaluationWindow(
SecurityMonitoringRuleEvaluationWindow
.FIFTEEN_MINUTES)
.parent("step_a")))
.steps(
Arrays.asList(
new SecurityMonitoringRuleSequenceDetectionStep()
.condition("a > 0")
.evaluationWindow(
SecurityMonitoringRuleEvaluationWindow.ONE_MINUTE)
.name("step_a"),
new SecurityMonitoringRuleSequenceDetectionStep()
.condition("b > 0")
.evaluationWindow(
SecurityMonitoringRuleEvaluationWindow.ONE_MINUTE)
.name("step_b"))))));

try {
SecurityMonitoringRuleResponse result = apiInstance.createSecurityMonitoringRule(body);
System.out.println(result);
} catch (ApiException e) {
System.err.println(
"Exception when calling SecurityMonitoringApi#createSecurityMonitoringRule");
System.err.println("Status code: " + e.getCode());
System.err.println("Reason: " + e.getResponseBody());
System.err.println("Response headers: " + e.getResponseHeaders());
e.printStackTrace();
}
}
}
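Review bot: The step conditions `a > 0` and `b > 0` (the `.condition` calls on the two steps) reference query names `a` and `b`, but both queries are built with `.name("")`, so the link from condition to query is implicit — presumably the service assigns letters in query order, which should be confirmed and stated in a comment such as `// unnamed queries are referenced as a, b, ... in step conditions`, or the queries given explicit names. The query strings `service:logs-rule-reducer source:paul test2` and the message `Logs and signals asdf` read as test fixtures rather than example values, which matters because the rule is created with `.isEnabled(true)` against whatever account the default client is configured for. Replacing them with neutral placeholders like `source:source_here`, as the sibling validate example does, keeps a copy-pasted example from enabling a rule over someone's real service name.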
@@ -0,0 +1,95 @@
// Validate a detection rule with detection method 'sequence_detection' returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCaseCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleDetectionMethod;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleEvaluationWindow;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleKeepAlive;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleMaxSignalDuration;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleOptions;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleQueryAggregation;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSequenceDetectionOptions;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSequenceDetectionStep;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSequenceDetectionStepTransition;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleSeverity;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleTypeCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleValidatePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRulePayload;
import com.datadog.api.client.v2.model.SecurityMonitoringStandardRuleQuery;
import java.util.Arrays;
import java.util.Collections;

public class Example {
public static void main(String[] args) {
ApiClient defaultClient = ApiClient.getDefaultApiClient();
SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);

SecurityMonitoringRuleValidatePayload body =
new SecurityMonitoringRuleValidatePayload(
new SecurityMonitoringStandardRulePayload()
.cases(
Collections.singletonList(
new SecurityMonitoringRuleCaseCreate()
.name("")
.status(SecurityMonitoringRuleSeverity.INFO)
.condition("step_b > 0")))
.hasExtendedTitle(true)
.isEnabled(true)
.message("My security monitoring rule")
.name("My security monitoring rule")
.options(
new SecurityMonitoringRuleOptions()
.evaluationWindow(SecurityMonitoringRuleEvaluationWindow.ZERO_MINUTES)
.keepAlive(SecurityMonitoringRuleKeepAlive.FIVE_MINUTES)
.maxSignalDuration(SecurityMonitoringRuleMaxSignalDuration.TEN_MINUTES)
.detectionMethod(SecurityMonitoringRuleDetectionMethod.SEQUENCE_DETECTION)
.sequenceDetectionOptions(
new SecurityMonitoringRuleSequenceDetectionOptions()
.stepTransitions(
Collections.singletonList(
new SecurityMonitoringRuleSequenceDetectionStepTransition()
.child("step_b")
.evaluationWindow(
SecurityMonitoringRuleEvaluationWindow
.FIFTEEN_MINUTES)
.parent("step_a")))
.steps(
Arrays.asList(
new SecurityMonitoringRuleSequenceDetectionStep()
.condition("a > 0")
.evaluationWindow(
SecurityMonitoringRuleEvaluationWindow.ONE_MINUTE)
.name("step_a"),
new SecurityMonitoringRuleSequenceDetectionStep()
.condition("b > 0")
.evaluationWindow(
SecurityMonitoringRuleEvaluationWindow.ONE_MINUTE)
.name("step_b")))))
.queries(
Arrays.asList(
new SecurityMonitoringStandardRuleQuery()
.query("source:source_here")
.groupByFields(Collections.singletonList("@userIdentity.assumed_role"))
.aggregation(SecurityMonitoringRuleQueryAggregation.COUNT)
.name(""),
new SecurityMonitoringStandardRuleQuery()
.query("source:source_here2")
.aggregation(SecurityMonitoringRuleQueryAggregation.COUNT)
.name("")))
.tags(Arrays.asList("env:prod", "team:security"))
.type(SecurityMonitoringRuleTypeCreate.LOG_DETECTION));

try {
apiInstance.validateSecurityMonitoringRule(body);
} catch (ApiException e) {
System.err.println(
"Exception when calling SecurityMonitoringApi#validateSecurityMonitoringRule");
System.err.println("Status code: " + e.getCode());
System.err.println("Reason: " + e.getResponseBody());
System.err.println("Response headers: " + e.getResponseHeaders());
e.printStackTrace();
}
}
}
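Review bot: Only the first query sets `.groupByFields(Collections.singletonList("@userIdentity.assumed_role"))`; the second query has no group-by, so if sequence detection correlates consecutive steps on the grouped entity — something the schema in this change does not document — step_b has nothing to join step_a on. Confirm whether the API requires matching group-by fields across the queries of a sequence rule and either add the same `.groupByFields(...)` to the second query or add a comment explaining why one side is ungrouped. As in the create example, the empty query names leave the `a`/`b` references in the step conditions implicit; a comment such as `// queries are referenced as a, b in the order given` would spare a reader the guess.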
Expand Up @@ -24,6 +24,7 @@
HistoricalJobOptions.JSON_PROPERTY_KEEP_ALIVE,
HistoricalJobOptions.JSON_PROPERTY_MAX_SIGNAL_DURATION,
HistoricalJobOptions.JSON_PROPERTY_NEW_VALUE_OPTIONS,
HistoricalJobOptions.JSON_PROPERTY_SEQUENCE_DETECTION_OPTIONS,
HistoricalJobOptions.JSON_PROPERTY_THIRD_PARTY_RULE_OPTIONS
})
@jakarta.annotation.Generated(
Expand All @@ -48,6 +49,9 @@ public class HistoricalJobOptions {
public static final String JSON_PROPERTY_NEW_VALUE_OPTIONS = "newValueOptions";
private SecurityMonitoringRuleNewValueOptions newValueOptions;

public static final String JSON_PROPERTY_SEQUENCE_DETECTION_OPTIONS = "sequenceDetectionOptions";
private SecurityMonitoringRuleSequenceDetectionOptions sequenceDetectionOptions;

public static final String JSON_PROPERTY_THIRD_PARTY_RULE_OPTIONS = "thirdPartyRuleOptions";
private SecurityMonitoringRuleThirdPartyOptions thirdPartyRuleOptions;

Expand Down Expand Up @@ -205,6 +209,30 @@ public void setNewValueOptions(SecurityMonitoringRuleNewValueOptions newValueOpt
this.newValueOptions = newValueOptions;
}

public HistoricalJobOptions sequenceDetectionOptions(
SecurityMonitoringRuleSequenceDetectionOptions sequenceDetectionOptions) {
this.sequenceDetectionOptions = sequenceDetectionOptions;
this.unparsed |= sequenceDetectionOptions.unparsed;
return this;
}

/**
* Options on sequence detection method.
*
* @return sequenceDetectionOptions
*/
@jakarta.annotation.Nullable
@JsonProperty(JSON_PROPERTY_SEQUENCE_DETECTION_OPTIONS)
@JsonInclude(value = JsonInclude.Include.USE_DEFAULTS)
public SecurityMonitoringRuleSequenceDetectionOptions getSequenceDetectionOptions() {
return sequenceDetectionOptions;
}

public void setSequenceDetectionOptions(
SecurityMonitoringRuleSequenceDetectionOptions sequenceDetectionOptions) {
this.sequenceDetectionOptions = sequenceDetectionOptions;
}

public HistoricalJobOptions thirdPartyRuleOptions(
SecurityMonitoringRuleThirdPartyOptions thirdPartyRuleOptions) {
this.thirdPartyRuleOptions = thirdPartyRuleOptions;
Expand Down Expand Up @@ -292,6 +320,8 @@ public boolean equals(Object o) {
&& Objects.equals(this.keepAlive, historicalJobOptions.keepAlive)
&& Objects.equals(this.maxSignalDuration, historicalJobOptions.maxSignalDuration)
&& Objects.equals(this.newValueOptions, historicalJobOptions.newValueOptions)
&& Objects.equals(
this.sequenceDetectionOptions, historicalJobOptions.sequenceDetectionOptions)
&& Objects.equals(this.thirdPartyRuleOptions, historicalJobOptions.thirdPartyRuleOptions)
&& Objects.equals(this.additionalProperties, historicalJobOptions.additionalProperties);
}
Expand All @@ -305,6 +335,7 @@ public int hashCode() {
keepAlive,
maxSignalDuration,
newValueOptions,
sequenceDetectionOptions,
thirdPartyRuleOptions,
additionalProperties);
}
Expand All @@ -321,6 +352,9 @@ public String toString() {
sb.append(" keepAlive: ").append(toIndentedString(keepAlive)).append("\n");
sb.append(" maxSignalDuration: ").append(toIndentedString(maxSignalDuration)).append("\n");
sb.append(" newValueOptions: ").append(toIndentedString(newValueOptions)).append("\n");
sb.append(" sequenceDetectionOptions: ")
.append(toIndentedString(sequenceDetectionOptions))
.append("\n");
sb.append(" thirdPartyRuleOptions: ")
.append(toIndentedString(thirdPartyRuleOptions))
.append("\n");
Expand Up @@ -33,7 +33,8 @@ public class SecurityMonitoringRuleDetectionMethod extends ModelEnum<String> {
"impossible_travel",
"hardcoded",
"third_party",
"anomaly_threshold"));
"anomaly_threshold",
"sequence_detection"));

public static final SecurityMonitoringRuleDetectionMethod THRESHOLD =
new SecurityMonitoringRuleDetectionMethod("threshold");
Expand All @@ -49,6 +50,8 @@ public class SecurityMonitoringRuleDetectionMethod extends ModelEnum<String> {
new SecurityMonitoringRuleDetectionMethod("third_party");
public static final SecurityMonitoringRuleDetectionMethod ANOMALY_THRESHOLD =
new SecurityMonitoringRuleDetectionMethod("anomaly_threshold");
public static final SecurityMonitoringRuleDetectionMethod SEQUENCE_DETECTION =
new SecurityMonitoringRuleDetectionMethod("sequence_detection");

SecurityMonitoringRuleDetectionMethod(String value) {
super(value, allowedValues);