Add GetSingleEntityContext endpoint to security monitoring spec

.generator/schemas/v2/openapi.yaml

@@ -30868,9 +30868,10 @@ components:
       additionalProperties: {}
       description: The set of attributes recorded for the entity at this revision. The keys depend on the kind of entity.
       example:
+        accounts:
+          - linked-account-123
         display_name: Test User
-        emails:
-          - user@example.com
+        email: user@example.com
         principal_id: user@example.com
       type: object
     EntityData:
@@ -86488,6 +86489,14 @@ components:
       type: string
       x-enum-varnames:
         - AGGREGATED_DNS
+    SingleEntityContextResponse:
+      description: Response from the single entity context endpoint, containing the matching entity.
+      properties:
+        data:
+          $ref: "#/components/schemas/EntityContextEntity"
+      required:
+        - data
+      type: object
     SlackIntegrationMetadata:
       description: Incident integration metadata for the Slack integration.
       properties:
@@ -163328,9 +163337,10 @@ paths:
                       - attributes:
                           revisions:
                             - attributes:
+                                accounts:
+                                  - linked-account-123
                                 display_name: Test User
-                                emails:
-                                  - user@example.com
+                                email: user@example.com
                                 principal_id: user@example.com
                               first_seen_at: "2026-04-01T00:00:00Z"
                               last_seen_at: "2026-05-01T00:00:00Z"
@@ -163361,7 +163371,98 @@ paths:
         permissions:
           - siem_entities_read
       x-unstable: |-
-        **Note**: This endpoint is in preview and is subject to change.
+        **Note**: This endpoint is in Preview and is subject to change.
+        If you have any feedback, contact [Datadog support](https://docs.datadoghq.com/help/).
+  /api/v2/security_monitoring/entity_context/{id}:
+    get:
+      description: |-
+        Get a single entity from the Cloud SIEM entity context store by its identifier, returning the historical
+        revisions of the entity in the requested time range. The endpoint can either return revisions across an
+        interval (`from` / `to`) or the snapshot of the entity at a single point in time (`as_of`); the two modes
+        are mutually exclusive.
+      operationId: GetSingleEntityContext
+      parameters:
+        - description: The unique identifier of the entity to retrieve.
+          in: path
+          name: id
+          required: true
+          schema:
+            example: user@example.com
+            type: string
+        - description: |-
+            The start of the time range to query, as an RFC3339 timestamp or a relative time (for example, `now-7d`).
+            Defaults to `now-7d`. Ignored when `as_of` is set.
+          in: query
+          name: from
+          required: false
+          schema:
+            default: now-7d
+            example: now-7d
+            type: string
+        - description: |-
+            The end of the time range to query, as an RFC3339 timestamp or a relative time (for example, `now`).
+            Defaults to `now`. Ignored when `as_of` is set.
+          in: query
+          name: to
+          required: false
+          schema:
+            default: now
+            example: now
+            type: string
+        - description: |-
+            A point in time at which to query the entity revisions, as an RFC3339 timestamp, a Unix timestamp
+            (in seconds), or a relative time (for example, `now-1d`). When set, `from` and `to` are ignored.
+            Cannot be combined with custom `from` / `to` values.
+          example: now-1d
+          in: query
+          name: as_of
+          required: false
+          schema:
+            type: string
+      responses:
+        "200":
+          content:
+            application/json:
+              examples:
+                default:
+                  value:
+                    data:
+                      attributes:
+                        revisions:
+                          - attributes:
+                              accounts:
+                                - linked-account-123
+                              display_name: Test User
+                              email: user@example.com
+                              principal_id: user@example.com
+                            first_seen_at: "2026-04-01T00:00:00Z"
+                            last_seen_at: "2026-05-01T00:00:00Z"
+                      id: user@example.com
+                      type: siem_entity_identity
+              schema:
+                $ref: "#/components/schemas/SingleEntityContextResponse"
+          description: OK
+        "400":
+          $ref: "#/components/responses/BadRequestResponse"
+        "403":
+          $ref: "#/components/responses/NotAuthorizedResponse"
+        "404":
+          $ref: "#/components/responses/NotFoundResponse"
+        "429":
+          $ref: "#/components/responses/TooManyRequestsResponse"
+      security:
+        - apiKeyAuth: []
+          appKeyAuth: []
+        - AuthZ:
+            - siem_entities_read
+      summary: Get a single entity context
+      tags: ["Security Monitoring"]
+      x-permission:
+        operator: OR
+        permissions:
+          - siem_entities_read
+      x-unstable: |-
+        **Note**: This endpoint is in Preview and is subject to change.
         If you have any feedback, contact [Datadog support](https://docs.datadoghq.com/help/).
   /api/v2/security_monitoring/rules:
     get:

examples/v2/security-monitoring/GetSingleEntityContext.rb

@@ -0,0 +1,8 @@
+# Get a single entity context returns "OK" response
+
+require "datadog_api_client"
+DatadogAPIClient.configure do |config|
+  config.unstable_operations["v2.get_single_entity_context".to_sym] = true
+end
+api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
+p api_instance.get_single_entity_context("user@example.com")

features/scenarios_model_mapping.rb

@@ -2314,6 +2314,12 @@
             "limit" => "Integer",
             "page_token" => "String",
     },
+    "v2.GetSingleEntityContext" => {
+            "id" => "String",
+            "from" => "String",
+            "to" => "String",
+            "as_of" => "String",
+    },
     "v2.ListSecurityMonitoringRules" => {
             "page_size" => "Integer",
             "page_number" => "Integer",

features/v2/security_monitoring.feature

@@ -1608,6 +1608,30 @@ Feature: Security Monitoring
     When the request is sent
     Then the response status is 200 OK
 
+  @generated @skip @team:DataDog/k9-cloud-siem
+  Scenario: Get a single entity context returns "Bad Request" response
+    Given operation "GetSingleEntityContext" enabled
+    And new "GetSingleEntityContext" request
+    And request contains "id" parameter from "REPLACE.ME"
+    When the request is sent
+    Then the response status is 400 Bad Request
+
+  @generated @skip @team:DataDog/k9-cloud-siem
+  Scenario: Get a single entity context returns "Not Found" response
+    Given operation "GetSingleEntityContext" enabled
+    And new "GetSingleEntityContext" request
+    And request contains "id" parameter from "REPLACE.ME"
+    When the request is sent
+    Then the response status is 404 Not Found
+
+  @generated @skip @team:DataDog/k9-cloud-siem
+  Scenario: Get a single entity context returns "OK" response
+    Given operation "GetSingleEntityContext" enabled
+    And new "GetSingleEntityContext" request
+    And request contains "id" parameter from "REPLACE.ME"
+    When the request is sent
+    Then the response status is 200 OK
+
   @skip-validation @team:DataDog/k9-cloud-siem
   Scenario: Get a suppression rule returns "Not Found" response
     Given new "GetSecurityMonitoringSuppression" request

features/v2/undo.json

@@ -7104,6 +7104,12 @@
       "type": "safe"
     }
   },
+  "GetSingleEntityContext": {
+    "tag": "Security Monitoring",
+    "undo": {
+      "type": "safe"
+    }
+  },
   "ListSecurityMonitoringRules": {
     "tag": "Security Monitoring",
     "undo": {

lib/datadog_api_client/configuration.rb

@@ -362,6 +362,7 @@ def initialize
             "v2.get_security_monitoring_histsignals_by_job_id": false,
             "v2.get_security_monitoring_integration_config": false,
             "v2.get_signal_entities": false,
+            "v2.get_single_entity_context": false,
             "v2.get_static_analysis_default_rulesets": false,
             "v2.get_static_analysis_node_types": false,
             "v2.get_static_analysis_ruleset": false,

lib/datadog_api_client/inflector.rb

@@ -6430,6 +6430,7 @@ def overrides
           "v2.single_aggregated_dns_response_data_attributes_group_by_items" => "SingleAggregatedDnsResponseDataAttributesGroupByItems",
           "v2.single_aggregated_dns_response_data_attributes_metrics_items" => "SingleAggregatedDnsResponseDataAttributesMetricsItems",
           "v2.single_aggregated_dns_response_data_type" => "SingleAggregatedDnsResponseDataType",
+          "v2.single_entity_context_response" => "SingleEntityContextResponse",
           "v2.slack_integration_metadata" => "SlackIntegrationMetadata",
           "v2.slack_integration_metadata_channel_item" => "SlackIntegrationMetadataChannelItem",
           "v2.slack_trigger_wrapper" => "SlackTriggerWrapper",

lib/datadog_api_client/v2/api/security_monitoring_api.rb

@@ -5494,6 +5494,86 @@ def get_signal_notification_rules_with_http_info(opts = {})
       return data, status_code, headers
     end
 
+    # Get a single entity context.
+    #
+    # @see #get_single_entity_context_with_http_info
+    def get_single_entity_context(id, opts = {})
+      data, _status_code, _headers = get_single_entity_context_with_http_info(id, opts)
+      data
+    end
+
+    # Get a single entity context.
+    #
+    # Get a single entity from the Cloud SIEM entity context store by its identifier, returning the historical
+    # revisions of the entity in the requested time range. The endpoint can either return revisions across an
+    # interval (`from` / `to`) or the snapshot of the entity at a single point in time (`as_of`); the two modes
+    # are mutually exclusive.
+    #
+    # @param id [String] The unique identifier of the entity to retrieve.
+    # @param opts [Hash] the optional parameters
+    # @option opts [String] :from The start of the time range to query, as an RFC3339 timestamp or a relative time (for example, `now-7d`). Defaults to `now-7d`. Ignored when `as_of` is set.
+    # @option opts [String] :to The end of the time range to query, as an RFC3339 timestamp or a relative time (for example, `now`). Defaults to `now`. Ignored when `as_of` is set.
+    # @option opts [String] :as_of A point in time at which to query the entity revisions, as an RFC3339 timestamp, a Unix timestamp (in seconds), or a relative time (for example, `now-1d`). When set, `from` and `to` are ignored. Cannot be combined with custom `from` / `to` values.
+    # @return [Array<(SingleEntityContextResponse, Integer, Hash)>] SingleEntityContextResponse data, response status code and response headers
+    def get_single_entity_context_with_http_info(id, opts = {})
+      unstable_enabled = @api_client.config.unstable_operations["v2.get_single_entity_context".to_sym]
+      if unstable_enabled
+        @api_client.config.logger.warn format("Using unstable operation '%s'", "v2.get_single_entity_context")
+      else
+        raise DatadogAPIClient::APIError.new(message: format("Unstable operation '%s' is disabled", "v2.get_single_entity_context"))
+      end
+
+      if @api_client.config.debugging
+        @api_client.config.logger.debug 'Calling API: SecurityMonitoringAPI.get_single_entity_context ...'
+      end
+      # verify the required parameter 'id' is set
+      if @api_client.config.client_side_validation && id.nil?
+        fail ArgumentError, "Missing the required parameter 'id' when calling SecurityMonitoringAPI.get_single_entity_context"
+      end
+      # resource path
+      local_var_path = '/api/v2/security_monitoring/entity_context/{id}'.sub('{id}', CGI.escape(id.to_s).gsub('%2F', '/'))
+
+      # query parameters
+      query_params = opts[:query_params] || {}
+      query_params[:'from'] = opts[:'from'] if !opts[:'from'].nil?
+      query_params[:'to'] = opts[:'to'] if !opts[:'to'].nil?
+      query_params[:'as_of'] = opts[:'as_of'] if !opts[:'as_of'].nil?
+
+      # header parameters
+      header_params = opts[:header_params] || {}
+      # HTTP header 'Accept' (if needed)
+      header_params['Accept'] = @api_client.select_header_accept(['application/json'])
+
+      # form parameters
+      form_params = opts[:form_params] || {}
+
+      # http body (model)
+      post_body = opts[:debug_body]
+
+      # return_type
+      return_type = opts[:debug_return_type] || 'SingleEntityContextResponse'
+
+      # auth_names
+      auth_names = opts[:debug_auth_names] || [:apiKeyAuth, :appKeyAuth, :AuthZ]
+
+      new_options = opts.merge(
+        :operation => :get_single_entity_context,
+        :header_params => header_params,
+        :query_params => query_params,
+        :form_params => form_params,
+        :body => post_body,
+        :auth_names => auth_names,
+        :return_type => return_type,
+        :api_version => "V2"
+      )
+
+      data, status_code, headers = @api_client.call_api(Net::HTTP::Get, local_var_path, new_options)
+      if @api_client.config.debugging
+        @api_client.config.logger.debug "API called: SecurityMonitoringAPI#get_single_entity_context\nData: #{data.inspect}\nStatus code: #{status_code}\nHeaders: #{headers}"
+      end
+      return data, status_code, headers
+    end
+
     # Get default rulesets for a language.
     #
     # @see #get_static_analysis_default_rulesets_with_http_info