Add GetSingleEntityContext endpoint to security monitoring spec (#1726)

Co-authored-by: ci.datadog-api-spec <packages@datadoghq.com>

Author: api-clients-generation-pipeline[bot]

.generator/schemas/v2/openapi.yaml

@@ -31464,9 +31464,10 @@ components:
       additionalProperties: {}
       description: The set of attributes recorded for the entity at this revision. The keys depend on the kind of entity.
       example:
+        accounts:
+          - linked-account-123
         display_name: Test User
-        emails:
-          - user@example.com
+        email: user@example.com
         principal_id: user@example.com
       type: object
     EntityData:
@@ -88286,6 +88287,14 @@ components:
       type: string
       x-enum-varnames:
         - AGGREGATED_DNS
+    SingleEntityContextResponse:
+      description: Response from the single entity context endpoint, containing the matching entity.
+      properties:
+        data:
+          $ref: "#/components/schemas/EntityContextEntity"
+      required:
+        - data
+      type: object
     SlackIntegrationMetadata:
       description: Incident integration metadata for the Slack integration.
       properties:
@@ -166474,9 +166483,10 @@ paths:
                       - attributes:
                           revisions:
                             - attributes:
+                                accounts:
+                                  - linked-account-123
                                 display_name: Test User
-                                emails:
-                                  - user@example.com
+                                email: user@example.com
                                 principal_id: user@example.com
                               first_seen_at: "2026-04-01T00:00:00Z"
                               last_seen_at: "2026-05-01T00:00:00Z"
@@ -166507,7 +166517,98 @@ paths:
         permissions:
           - siem_entities_read
       x-unstable: |-
-        **Note**: This endpoint is in preview and is subject to change.
+        **Note**: This endpoint is in Preview and is subject to change.
+        If you have any feedback, contact [Datadog support](https://docs.datadoghq.com/help/).
+  /api/v2/security_monitoring/entity_context/{id}:
+    get:
+      description: |-
+        Get a single entity from the Cloud SIEM entity context store by its identifier, returning the historical
+        revisions of the entity in the requested time range. The endpoint can either return revisions across an
+        interval (`from` / `to`) or the snapshot of the entity at a single point in time (`as_of`); the two modes
+        are mutually exclusive.
+      operationId: GetSingleEntityContext
+      parameters:
+        - description: The unique identifier of the entity to retrieve.
+          in: path
+          name: id
+          required: true
+          schema:
+            example: user@example.com
+            type: string
+        - description: |-
+            The start of the time range to query, as an RFC3339 timestamp or a relative time (for example, `now-7d`).
+            Defaults to `now-7d`. Ignored when `as_of` is set.
+          in: query
+          name: from
+          required: false
+          schema:
+            default: now-7d
+            example: now-7d
+            type: string
+        - description: |-
+            The end of the time range to query, as an RFC3339 timestamp or a relative time (for example, `now`).
+            Defaults to `now`. Ignored when `as_of` is set.
+          in: query
+          name: to
+          required: false
+          schema:
+            default: now
+            example: now
+            type: string
+        - description: |-
+            A point in time at which to query the entity revisions, as an RFC3339 timestamp, a Unix timestamp
+            (in seconds), or a relative time (for example, `now-1d`). When set, `from` and `to` are ignored.
+            Cannot be combined with custom `from` / `to` values.
+          example: now-1d
+          in: query
+          name: as_of
+          required: false
+          schema:
+            type: string
+      responses:
+        "200":
+          content:
+            application/json:
+              examples:
+                default:
+                  value:
+                    data:
+                      attributes:
+                        revisions:
+                          - attributes:
+                              accounts:
+                                - linked-account-123
+                              display_name: Test User
+                              email: user@example.com
+                              principal_id: user@example.com
+                            first_seen_at: "2026-04-01T00:00:00Z"
+                            last_seen_at: "2026-05-01T00:00:00Z"
+                      id: user@example.com
+                      type: siem_entity_identity
+              schema:
+                $ref: "#/components/schemas/SingleEntityContextResponse"
+          description: OK
+        "400":
+          $ref: "#/components/responses/BadRequestResponse"
+        "403":
+          $ref: "#/components/responses/NotAuthorizedResponse"
+        "404":
+          $ref: "#/components/responses/NotFoundResponse"
+        "429":
+          $ref: "#/components/responses/TooManyRequestsResponse"
+      security:
+        - apiKeyAuth: []
+          appKeyAuth: []
+        - AuthZ:
+            - siem_entities_read
+      summary: Get a single entity context
+      tags: ["Security Monitoring"]
+      x-permission:
+        operator: OR
+        permissions:
+          - siem_entities_read
+      x-unstable: |-
+        **Note**: This endpoint is in Preview and is subject to change.
         If you have any feedback, contact [Datadog support](https://docs.datadoghq.com/help/).
   /api/v2/security_monitoring/rules:
     get:

examples/v2_security-monitoring_GetSingleEntityContext.rs

@@ -0,0 +1,22 @@
+// Get a single entity context returns "OK" response
+use datadog_api_client::datadog;
+use datadog_api_client::datadogV2::api_security_monitoring::GetSingleEntityContextOptionalParams;
+use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
+
+#[tokio::main]
+async fn main() {
+    let mut configuration = datadog::Configuration::new();
+    configuration.set_unstable_operation_enabled("v2.GetSingleEntityContext", true);
+    let api = SecurityMonitoringAPI::with_config(configuration);
+    let resp = api
+        .get_single_entity_context(
+            "user@example.com".to_string(),
+            GetSingleEntityContextOptionalParams::default(),
+        )
+        .await;
+    if let Ok(value) = resp {
+        println!("{:#?}", value);
+    } else {
+        println!("{:#?}", resp.unwrap_err());
+    }
+}

src/datadog/configuration.rs

@@ -350,6 +350,7 @@ impl Default for Configuration {
                 false,
             ),
             ("v2.get_signal_entities".to_owned(), false),
+            ("v2.get_single_entity_context".to_owned(), false),
             ("v2.get_static_analysis_default_rulesets".to_owned(), false),
             ("v2.get_static_analysis_node_types".to_owned(), false),
             ("v2.get_static_analysis_ruleset".to_owned(), false),

src/datadogV2/api/api_security_monitoring.rs

@@ -254,6 +254,44 @@ impl GetSignalEntitiesOptionalParams {
     }
 }
 
+/// GetSingleEntityContextOptionalParams is a struct for passing parameters to the method [`SecurityMonitoringAPI::get_single_entity_context`]
+#[non_exhaustive]
+#[derive(Clone, Default, Debug)]
+pub struct GetSingleEntityContextOptionalParams {
+    /// The start of the time range to query, as an RFC3339 timestamp or a relative time (for example, `now-7d`).
+    /// Defaults to `now-7d`. Ignored when `as_of` is set.
+    pub from: Option<String>,
+    /// The end of the time range to query, as an RFC3339 timestamp or a relative time (for example, `now`).
+    /// Defaults to `now`. Ignored when `as_of` is set.
+    pub to: Option<String>,
+    /// A point in time at which to query the entity revisions, as an RFC3339 timestamp, a Unix timestamp
+    /// (in seconds), or a relative time (for example, `now-1d`). When set, `from` and `to` are ignored.
+    /// Cannot be combined with custom `from` / `to` values.
+    pub as_of: Option<String>,
+}
+
+impl GetSingleEntityContextOptionalParams {
+    /// The start of the time range to query, as an RFC3339 timestamp or a relative time (for example, `now-7d`).
+    /// Defaults to `now-7d`. Ignored when `as_of` is set.
+    pub fn from(mut self, value: String) -> Self {
+        self.from = Some(value);
+        self
+    }
+    /// The end of the time range to query, as an RFC3339 timestamp or a relative time (for example, `now`).
+    /// Defaults to `now`. Ignored when `as_of` is set.
+    pub fn to(mut self, value: String) -> Self {
+        self.to = Some(value);
+        self
+    }
+    /// A point in time at which to query the entity revisions, as an RFC3339 timestamp, a Unix timestamp
+    /// (in seconds), or a relative time (for example, `now-1d`). When set, `from` and `to` are ignored.
+    /// Cannot be combined with custom `from` / `to` values.
+    pub fn as_of(mut self, value: String) -> Self {
+        self.as_of = Some(value);
+        self
+    }
+}
+
 /// GetStaticAnalysisRulesetOptionalParams is a struct for passing parameters to the method [`SecurityMonitoringAPI::get_static_analysis_ruleset`]
 #[non_exhaustive]
 #[derive(Clone, Default, Debug)]
@@ -2048,6 +2086,14 @@ pub enum GetSignalNotificationRulesError {
     UnknownValue(serde_json::Value),
 }
 
+/// GetSingleEntityContextError is a struct for typed errors of method [`SecurityMonitoringAPI::get_single_entity_context`]
+#[derive(Debug, Clone, Serialize, Deserialize)]
+#[serde(untagged)]
+pub enum GetSingleEntityContextError {
+    APIErrorResponse(crate::datadogV2::model::APIErrorResponse),
+    UnknownValue(serde_json::Value),
+}
+
 /// GetStaticAnalysisDefaultRulesetsError is a struct for typed errors of method [`SecurityMonitoringAPI::get_static_analysis_default_rulesets`]
 #[derive(Debug, Clone, Serialize, Deserialize)]
 #[serde(untagged)]
@@ -13076,6 +13122,151 @@ impl SecurityMonitoringAPI {
         }
     }
 
+    /// Get a single entity from the Cloud SIEM entity context store by its identifier, returning the historical
+    /// revisions of the entity in the requested time range. The endpoint can either return revisions across an
+    /// interval (`from` / `to`) or the snapshot of the entity at a single point in time (`as_of`); the two modes
+    /// are mutually exclusive.
+    pub async fn get_single_entity_context(
+        &self,
+        id: String,
+        params: GetSingleEntityContextOptionalParams,
+    ) -> Result<
+        crate::datadogV2::model::SingleEntityContextResponse,
+        datadog::Error<GetSingleEntityContextError>,
+    > {
+        match self
+            .get_single_entity_context_with_http_info(id, params)
+            .await
+        {
+            Ok(response_content) => {
+                if let Some(e) = response_content.entity {
+                    Ok(e)
+                } else {
+                    Err(datadog::Error::Serde(serde::de::Error::custom(
+                        "response content was None",
+                    )))
+                }
+            }
+            Err(err) => Err(err),
+        }
+    }
+
+    /// Get a single entity from the Cloud SIEM entity context store by its identifier, returning the historical
+    /// revisions of the entity in the requested time range. The endpoint can either return revisions across an
+    /// interval (`from` / `to`) or the snapshot of the entity at a single point in time (`as_of`); the two modes
+    /// are mutually exclusive.
+    pub async fn get_single_entity_context_with_http_info(
+        &self,
+        id: String,
+        params: GetSingleEntityContextOptionalParams,
+    ) -> Result<
+        datadog::ResponseContent<crate::datadogV2::model::SingleEntityContextResponse>,
+        datadog::Error<GetSingleEntityContextError>,
+    > {
+        let local_configuration = &self.config;
+        let operation_id = "v2.get_single_entity_context";
+        if local_configuration.is_unstable_operation_enabled(operation_id) {
+            warn!("Using unstable operation {operation_id}");
+        } else {
+            let local_error = datadog::UnstableOperationDisabledError {
+                msg: "Operation 'v2.get_single_entity_context' is not enabled".to_string(),
+            };
+            return Err(datadog::Error::UnstableOperationDisabledError(local_error));
+        }
+
+        // unbox and build optional parameters
+        let from = params.from;
+        let to = params.to;
+        let as_of = params.as_of;
+
+        let local_client = &self.client;
+
+        let local_uri_str = format!(
+            "{}/api/v2/security_monitoring/entity_context/{id}",
+            local_configuration.get_operation_host(operation_id),
+            id = datadog::urlencode(id)
+        );
+        let mut local_req_builder =
+            local_client.request(reqwest::Method::GET, local_uri_str.as_str());
+
+        if let Some(ref local_query_param) = from {
+            local_req_builder =
+                local_req_builder.query(&[("from", &local_query_param.to_string())]);
+        };
+        if let Some(ref local_query_param) = to {
+            local_req_builder = local_req_builder.query(&[("to", &local_query_param.to_string())]);
+        };
+        if let Some(ref local_query_param) = as_of {
+            local_req_builder =
+                local_req_builder.query(&[("as_of", &local_query_param.to_string())]);
+        };
+
+        // build headers
+        let mut headers = HeaderMap::new();
+        headers.insert("Accept", HeaderValue::from_static("application/json"));
+
+        // build user agent
+        match HeaderValue::from_str(local_configuration.user_agent.as_str()) {
+            Ok(user_agent) => headers.insert(reqwest::header::USER_AGENT, user_agent),
+            Err(e) => {
+                log::warn!("Failed to parse user agent header: {e}, falling back to default");
+                headers.insert(
+                    reqwest::header::USER_AGENT,
+                    HeaderValue::from_static(datadog::DEFAULT_USER_AGENT.as_str()),
+                )
+            }
+        };
+
+        // build auth
+        if let Some(local_key) = local_configuration.auth_keys.get("apiKeyAuth") {
+            headers.insert(
+                "DD-API-KEY",
+                HeaderValue::from_str(local_key.key.as_str())
+                    .expect("failed to parse DD-API-KEY header"),
+            );
+        };
+        if let Some(local_key) = local_configuration.auth_keys.get("appKeyAuth") {
+            headers.insert(
+                "DD-APPLICATION-KEY",
+                HeaderValue::from_str(local_key.key.as_str())
+                    .expect("failed to parse DD-APPLICATION-KEY header"),
+            );
+        };
+
+        local_req_builder = local_req_builder.headers(headers);
+        let local_req = local_req_builder.build()?;
+        log::debug!("request content: {:?}", local_req.body());
+        let local_resp = local_client.execute(local_req).await?;
+
+        let local_status = local_resp.status();
+        let local_content = local_resp.text().await?;
+        log::debug!("response content: {}", local_content);
+
+        if !local_status.is_client_error() && !local_status.is_server_error() {
+            match serde_json::from_str::<crate::datadogV2::model::SingleEntityContextResponse>(
+                &local_content,
+            ) {
+                Ok(e) => {
+                    return Ok(datadog::ResponseContent {
+                        status: local_status,
+                        content: local_content,
+                        entity: Some(e),
+                    })
+                }
+                Err(e) => return Err(datadog::Error::Serde(e)),
+            };
+        } else {
+            let local_entity: Option<GetSingleEntityContextError> =
+                serde_json::from_str(&local_content).ok();
+            let local_error = datadog::ResponseContent {
+                status: local_status,
+                content: local_content,
+                entity: local_entity,
+            };
+            Err(datadog::Error::ResponseError(local_error))
+        }
+    }
+
     /// Get the default SAST ruleset names for a given programming language.
     pub async fn get_static_analysis_default_rulesets(
         &self,

src/datadogV2/model/mod.rs

@@ -10142,6 +10142,8 @@ pub mod model_entity_context_response_meta;
 pub use self::model_entity_context_response_meta::EntityContextResponseMeta;
 pub mod model_entity_context_page;
 pub use self::model_entity_context_page::EntityContextPage;
+pub mod model_single_entity_context_response;
+pub use self::model_single_entity_context_response::SingleEntityContextResponse;
 pub mod model_security_monitoring_rule_sort;
 pub use self::model_security_monitoring_rule_sort::SecurityMonitoringRuleSort;
 pub mod model_security_monitoring_list_rules_response;