Add OpenAPI documentation for list and get indicators of compromise endpoints

cassettes/features/v2/security_monitoring/Get-an-indicator-of-compromise-returns-Not-Found-response.frozen

@@ -0,0 +1 @@
+2026-04-14T18:22:17.027Z

cassettes/features/v2/security_monitoring/Get-an-indicator-of-compromise-returns-OK-response.frozen

@@ -0,0 +1 @@
+2026-04-14T18:22:29.733Z

cassettes/features/v2/security_monitoring/List-indicators-of-compromise-returns-Bad-Request-response.frozen

@@ -0,0 +1 @@
+2026-04-14T18:22:40.711Z

cassettes/features/v2/security_monitoring/List-indicators-of-compromise-returns-OK-response.frozen

@@ -0,0 +1 @@
+2026-04-14T18:22:48.392Z

examples/v2/security-monitoring/GetIndicatorOfCompromise.rb

@@ -0,0 +1,8 @@
+# Get an indicator of compromise returns "OK" response
+
+require "datadog_api_client"
+DatadogAPIClient.configure do |config|
+  config.unstable_operations["v2.get_indicator_of_compromise".to_sym] = true
+end
+api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
+p api_instance.get_indicator_of_compromise("masscan/1.3 (https://github.com/robertdavidgraham/masscan)")

examples/v2/security-monitoring/ListIndicatorsOfCompromise.rb

@@ -0,0 +1,11 @@
+# List indicators of compromise returns "OK" response
+
+require "datadog_api_client"
+DatadogAPIClient.configure do |config|
+  config.unstable_operations["v2.list_indicators_of_compromise".to_sym] = true
+end
+api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
+opts = {
+  limit: 1,
+}
+p api_instance.list_indicators_of_compromise(opts)

features/scenarios_model_mapping.rb

@@ -1594,6 +1594,16 @@
             "filter_last_success_origin" => "String",
             "filter_last_success_env" => "String",
     },
+    "v2.ListIndicatorsOfCompromise" => {
+            "limit" => "Integer",
+            "offset" => "Integer",
+            "query" => "String",
+            "sort_column" => "String",
+            "sort_order" => "String",
+    },
+    "v2.GetIndicatorOfCompromise" => {
+            "indicator" => "String",
+    },
     "v2.CreateSignalNotificationRule" => {
             "body" => "CreateNotificationRuleParameters",
     },

features/v2/security_monitoring.feature

@@ -1298,6 +1298,30 @@ Feature: Security Monitoring
     Then the response status is 200 OK
     And the response "data[0].attributes.name" is equal to "suppression2 {{ unique_hash }}"
 
+  @generated @skip @team:DataDog/k9-cloud-siem
+  Scenario: Get an indicator of compromise returns "Bad Request" response
+    Given operation "GetIndicatorOfCompromise" enabled
+    And new "GetIndicatorOfCompromise" request
+    And request contains "indicator" parameter from "REPLACE.ME"
+    When the request is sent
+    Then the response status is 400 Bad Request
+
+  @replay-only @skip-terraform-config @team:DataDog/k9-cloud-siem
+  Scenario: Get an indicator of compromise returns "Not Found" response
+    Given operation "GetIndicatorOfCompromise" enabled
+    And new "GetIndicatorOfCompromise" request
+    And request contains "indicator" parameter with value "this-indicator-does-not-exist.invalid"
+    When the request is sent
+    Then the response status is 404 Not Found
+
+  @replay-only @skip-terraform-config @team:DataDog/k9-cloud-siem
+  Scenario: Get an indicator of compromise returns "OK" response
+    Given operation "GetIndicatorOfCompromise" enabled
+    And new "GetIndicatorOfCompromise" request
+    And request contains "indicator" parameter with value "masscan/1.3 (https://github.com/robertdavidgraham/masscan)"
+    When the request is sent
+    Then the response status is 200 OK
+
   @generated @skip @team:DataDog/k9-cloud-siem
   Scenario: Get content pack states returns "Not Found" response
     Given operation "GetContentPacksStates" enabled
@@ -1573,6 +1597,22 @@ Feature: Security Monitoring
     When the request is sent
     Then the response status is 200 OK
 
+  @replay-only @skip-terraform-config @team:DataDog/k9-cloud-siem
+  Scenario: List indicators of compromise returns "Bad Request" response
+    Given operation "ListIndicatorsOfCompromise" enabled
+    And new "ListIndicatorsOfCompromise" request
+    And request contains "query" parameter with value "invalid:::query"
+    When the request is sent
+    Then the response status is 400 Bad Request
+
+  @replay-only @skip-terraform-config @team:DataDog/k9-cloud-siem
+  Scenario: List indicators of compromise returns "OK" response
+    Given operation "ListIndicatorsOfCompromise" enabled
+    And new "ListIndicatorsOfCompromise" request
+    And request contains "limit" parameter with value 1
+    When the request is sent
+    Then the response status is 200 OK
+
   @team:DataDog/k9-cloud-siem
   Scenario: List resource filters returns "Bad Request" response
     Given new "GetResourceEvaluationFilters" request

features/v2/undo.json

@@ -5283,6 +5283,18 @@
       "type": "safe"
     }
   },
+  "ListIndicatorsOfCompromise": {
+    "tag": "Security Monitoring",
+    "undo": {
+      "type": "safe"
+    }
+  },
+  "GetIndicatorOfCompromise": {
+    "tag": "Security Monitoring",
+    "undo": {
+      "type": "safe"
+    }
+  },
   "GetSignalNotificationRules": {
     "tag": "Security Monitoring",
     "undo": {

lib/datadog_api_client/configuration.rb

@@ -246,12 +246,14 @@ def initialize
             "v2.delete_threat_hunting_job": false,
             "v2.get_content_packs_states": false,
             "v2.get_finding": false,
+            "v2.get_indicator_of_compromise": false,
             "v2.get_rule_version_history": false,
             "v2.get_secrets_rules": false,
             "v2.get_security_monitoring_histsignal": false,
             "v2.get_security_monitoring_histsignals_by_job_id": false,
             "v2.get_threat_hunting_job": false,
             "v2.list_findings": false,
+            "v2.list_indicators_of_compromise": false,
             "v2.list_multiple_rulesets": false,
             "v2.list_scanned_assets_metadata": false,
             "v2.list_security_monitoring_histsignals": false,

lib/datadog_api_client/inflector.rb

@@ -2871,6 +2871,9 @@ def overrides
           "v2.get_investigation_response_data" => "GetInvestigationResponseData",
           "v2.get_investigation_response_data_attributes" => "GetInvestigationResponseDataAttributes",
           "v2.get_investigation_response_links" => "GetInvestigationResponseLinks",
+          "v2.get_io_c_indicator_response" => "GetIoCIndicatorResponse",
+          "v2.get_io_c_indicator_response_attributes" => "GetIoCIndicatorResponseAttributes",
+          "v2.get_io_c_indicator_response_data" => "GetIoCIndicatorResponseData",
           "v2.get_issue_include_query_parameter_item" => "GetIssueIncludeQueryParameterItem",
           "v2.get_mapping_response" => "GetMappingResponse",
           "v2.get_mapping_response_data" => "GetMappingResponseData",
@@ -3231,6 +3234,17 @@ def overrides
           "v2.interface_attributes_status" => "InterfaceAttributesStatus",
           "v2.investigation_conclusion" => "InvestigationConclusion",
           "v2.investigation_type" => "InvestigationType",
+          "v2.io_c_explorer_list_response" => "IoCExplorerListResponse",
+          "v2.io_c_explorer_list_response_attributes" => "IoCExplorerListResponseAttributes",
+          "v2.io_c_explorer_list_response_data" => "IoCExplorerListResponseData",
+          "v2.io_c_explorer_list_response_metadata" => "IoCExplorerListResponseMetadata",
+          "v2.io_c_explorer_list_response_paging" => "IoCExplorerListResponsePaging",
+          "v2.io_c_geo_location" => "IoCGeoLocation",
+          "v2.io_c_indicator" => "IoCIndicator",
+          "v2.io_c_indicator_detailed" => "IoCIndicatorDetailed",
+          "v2.io_c_score_effect" => "IoCScoreEffect",
+          "v2.io_c_signal_severity_count" => "IoCSignalSeverityCount",
+          "v2.io_c_source" => "IoCSource",
           "v2.ip_allowlist_attributes" => "IPAllowlistAttributes",
           "v2.ip_allowlist_data" => "IPAllowlistData",
           "v2.ip_allowlist_entry" => "IPAllowlistEntry",