Cloud SIEM - Document content packs SIEM endpoints (#3940)

Co-authored-by: ci.datadog-api-spec <packages@datadoghq.com>

Author: api-clients-generation-pipeline[bot]

.generator/schemas/v2/openapi.yaml

@@ -62654,19 +62654,23 @@ components:
         - DONE
         - TIMEOUT
     SecurityMonitoringContentPackActivation:
-      description: The activation status of a content pack
+      description: The activation status of a content pack.
       enum:
         - never_activated
         - activated
         - deactivated
       example: activated
       type: string
+      x-enum-descriptions:
+        - Pack has never been activated for this organization.
+        - Pack is currently activated.
+        - Pack was previously activated but has since been deactivated.
       x-enum-varnames:
         - NEVER_ACTIVATED
         - ACTIVATED
         - DEACTIVATED
     SecurityMonitoringContentPackIntegrationStatus:
-      description: The installation status of the related integration
+      description: The installation status of the related integration.
       enum:
         - installed
         - available
@@ -62675,6 +62679,12 @@ components:
         - error
       example: installed
       type: string
+      x-enum-descriptions:
+        - Integration is fully installed.
+        - Integration exists in the catalog but is not installed.
+        - Integration is only partially configured.
+        - Integration detected (for example, logs are flowing) but not explicitly installed.
+        - Integration is in an error state.
       x-enum-varnames:
         - INSTALLED
         - AVAILABLE
@@ -62691,15 +62701,17 @@ components:
         cp_activation:
           $ref: "#/components/schemas/SecurityMonitoringContentPackActivation"
         filters_configured_for_logs:
-          description: Whether filters (Security Filters or Index Query depending on the pricing model) are configured for logs
+          description: |-
+            Whether filters (Security Filters or Index Query depending on the pricing model) are
+            present and correctly configured to route logs into Cloud SIEM.
           example: true
           type: boolean
         integration_installed_status:
           $ref: "#/components/schemas/SecurityMonitoringContentPackIntegrationStatus"
         logs_last_collected:
           $ref: "#/components/schemas/SecurityMonitoringContentPackTimestampBucket"
         logs_seen_from_any_index:
-          description: Whether logs have been seen from any index
+          description: Whether logs for this content pack have been seen in any Datadog index within the last 72 hours.
           example: true
           type: boolean
         state:
@@ -62764,7 +62776,7 @@ components:
         - meta
       type: object
     SecurityMonitoringContentPackStatus:
-      description: The current status of a content pack
+      description: The current operational status of a content pack.
       enum:
         - install
         - activate
@@ -62774,6 +62786,13 @@ components:
         - broken
       example: active
       type: string
+      x-enum-descriptions:
+        - Not activated; no logs detected in the last 72 hours.
+        - Not activated; logs are flowing into a Datadog index but not yet routed through Cloud SIEM.
+        - Activated; awaiting first log ingestion.
+        - Activated; logs received within the last 24 hours.
+        - Activated; integration not installed or logs last seen 24 to 72 hours ago.
+        - Activated; no logs for over 72 hours, filter missing, or Cloud SIEM index incorrectly ordered.
       x-enum-varnames:
         - INSTALL
         - ACTIVATE
@@ -62782,7 +62801,7 @@ components:
         - WARNING
         - BROKEN
     SecurityMonitoringContentPackTimestampBucket:
-      description: Timestamp bucket indicating when logs were last collected
+      description: Timestamp bucket indicating when logs were last collected.
       enum:
         - not_seen
         - within_24_hours
@@ -62791,6 +62810,12 @@ components:
         - over_30d
       example: within_24_hours
       type: string
+      x-enum-descriptions:
+        - No logs observed.
+        - Logs received within the last 24 hours.
+        - Logs last seen 24 to 72 hours ago.
+        - Logs last seen 3 to 30 days ago.
+        - Logs last seen more than 30 days ago.
       x-enum-varnames:
         - NOT_SEEN
         - WITHIN_24_HOURS
@@ -63881,7 +63906,7 @@ components:
         - $ref: "#/components/schemas/SecurityMonitoringSignalRulePayload"
         - $ref: "#/components/schemas/CloudConfigurationRulePayload"
     SecurityMonitoringSKU:
-      description: The SIEM pricing model (SKU) for the organization
+      description: The Cloud SIEM pricing model (SKU) for the organization.
       enum:
         - per_gb_analyzed
         - per_event_in_siem_index_2023
@@ -118704,9 +118729,8 @@ paths:
   /api/v2/security_monitoring/content_packs/states:
     get:
       description: |-
-        Get the activation and configuration states for all security monitoring content packs.
-        This endpoint returns status information about each content pack including activation state,
-        integration status, and log collection status.
+        Get the activation state, integration status, and log collection status
+        for all Cloud SIEM content packs.
       operationId: GetContentPacksStates
       responses:
         "200":
@@ -118729,21 +118753,31 @@ paths:
           description: Not Found
         "429":
           $ref: "#/components/responses/TooManyRequestsResponse"
+      security:
+        - apiKeyAuth: []
+          appKeyAuth: []
+        - AuthZ:
+            - security_monitoring_filters_read
       summary: Get content pack states
       tags:
         - Security Monitoring
+      "x-permission":
+        operator: OR
+        permissions:
+          - security_monitoring_filters_read
+          - logs_read_index_data
       x-unstable: |-
         **Note**: This endpoint is in preview and is subject to change.
         If you have any feedback, contact [Datadog support](https://docs.datadoghq.com/help/).
   /api/v2/security_monitoring/content_packs/{content_pack_id}/activate:
     put:
       description: |-
-        Activate a security monitoring content pack. This operation configures the necessary
+        Activate a Cloud SIEM content pack. This operation configures the necessary
         log filters or security filters depending on the pricing model and updates the content
         pack activation state.
       operationId: ActivateContentPack
       parameters:
-        - description: The ID of the content pack to activate.
+        - description: The ID of the content pack to activate (for example, `aws-cloudtrail`).
           in: path
           name: content_pack_id
           required: true
@@ -118767,20 +118801,30 @@ paths:
           description: Not Found
         "429":
           $ref: "#/components/responses/TooManyRequestsResponse"
+      security:
+        - apiKeyAuth: []
+          appKeyAuth: []
+        - AuthZ:
+            - security_monitoring_filters_write
       summary: Activate content pack
       tags:
         - Security Monitoring
+      "x-permission":
+        operator: OR
+        permissions:
+          - security_monitoring_filters_write
+          - logs_modify_indexes
       x-unstable: |-
         **Note**: This endpoint is in preview and is subject to change.
         If you have any feedback, contact [Datadog support](https://docs.datadoghq.com/help/).
   /api/v2/security_monitoring/content_packs/{content_pack_id}/deactivate:
     put:
       description: |-
-        Deactivate a security monitoring content pack. This operation removes the content pack's
+        Deactivate a Cloud SIEM content pack. This operation removes the content pack's
         configuration from log filters or security filters and updates the content pack activation state.
       operationId: DeactivateContentPack
       parameters:
-        - description: The ID of the content pack to deactivate.
+        - description: The ID of the content pack to deactivate (for example, `aws-cloudtrail`).
           in: path
           name: content_pack_id
           required: true
@@ -118804,9 +118848,19 @@ paths:
           description: Not Found
         "429":
           $ref: "#/components/responses/TooManyRequestsResponse"
+      security:
+        - apiKeyAuth: []
+          appKeyAuth: []
+        - AuthZ:
+            - security_monitoring_filters_write
       summary: Deactivate content pack
       tags:
         - Security Monitoring
+      "x-permission":
+        operator: OR
+        permissions:
+          - security_monitoring_filters_write
+          - logs_modify_indexes
       x-unstable: |-
         **Note**: This endpoint is in preview and is subject to change.
         If you have any feedback, contact [Datadog support](https://docs.datadoghq.com/help/).

packages/datadog-api-client-v2/apis/SecurityMonitoringApi.ts

@@ -162,6 +162,7 @@ export class SecurityMonitoringApiRequestFactory extends BaseAPIRequestFactory {
     applySecurityAuthentication(_config, requestContext, [
       "apiKeyAuth",
       "appKeyAuth",
+      "AuthZ",
     ]);
 
     return requestContext;
@@ -1216,6 +1217,7 @@ export class SecurityMonitoringApiRequestFactory extends BaseAPIRequestFactory {
     applySecurityAuthentication(_config, requestContext, [
       "apiKeyAuth",
       "appKeyAuth",
+      "AuthZ",
     ]);
 
     return requestContext;
@@ -1877,6 +1879,7 @@ export class SecurityMonitoringApiRequestFactory extends BaseAPIRequestFactory {
     applySecurityAuthentication(_config, requestContext, [
       "apiKeyAuth",
       "appKeyAuth",
+      "AuthZ",
     ]);
 
     return requestContext;
@@ -11447,7 +11450,7 @@ export class SecurityMonitoringApiResponseProcessor {
 
 export interface SecurityMonitoringApiActivateContentPackRequest {
   /**
-   * The ID of the content pack to activate.
+   * The ID of the content pack to activate (for example, `aws-cloudtrail`).
    * @type string
    */
   contentPackId: string;
@@ -11631,7 +11634,7 @@ export interface SecurityMonitoringApiCreateVulnerabilityNotificationRuleRequest
 
 export interface SecurityMonitoringApiDeactivateContentPackRequest {
   /**
-   * The ID of the content pack to deactivate.
+   * The ID of the content pack to deactivate (for example, `aws-cloudtrail`).
    * @type string
    */
   contentPackId: string;
@@ -12886,7 +12889,7 @@ export class SecurityMonitoringApi {
   }
 
   /**
-   * Activate a security monitoring content pack. This operation configures the necessary
+   * Activate a Cloud SIEM content pack. This operation configures the necessary
    * log filters or security filters depending on the pricing model and updates the content
    * pack activation state.
    * @param param The request object
@@ -13417,7 +13420,7 @@ export class SecurityMonitoringApi {
   }
 
   /**
-   * Deactivate a security monitoring content pack. This operation removes the content pack's
+   * Deactivate a Cloud SIEM content pack. This operation removes the content pack's
    * configuration from log filters or security filters and updates the content pack activation state.
    * @param param The request object
    */
@@ -13766,9 +13769,8 @@ export class SecurityMonitoringApi {
   }
 
   /**
-   * Get the activation and configuration states for all security monitoring content packs.
-   * This endpoint returns status information about each content pack including activation state,
-   * integration status, and log collection status.
+   * Get the activation state, integration status, and log collection status
+   * for all Cloud SIEM content packs.
    * @param param The request object
    */
   public getContentPacksStates(

packages/datadog-api-client-v2/models/SecurityMonitoringContentPackActivation.ts

@@ -7,7 +7,7 @@
 import { UnparsedObject } from "../../datadog-api-client-common/util";
 
 /**
- * The activation status of a content pack
+ * The activation status of a content pack.
  */
 
 export type SecurityMonitoringContentPackActivation =

packages/datadog-api-client-v2/models/SecurityMonitoringContentPackIntegrationStatus.ts

@@ -7,7 +7,7 @@
 import { UnparsedObject } from "../../datadog-api-client-common/util";
 
 /**
- * The installation status of the related integration
+ * The installation status of the related integration.
  */
 
 export type SecurityMonitoringContentPackIntegrationStatus =

packages/datadog-api-client-v2/models/SecurityMonitoringContentPackStateAttributes.ts

@@ -19,27 +19,28 @@ export class SecurityMonitoringContentPackStateAttributes {
    */
   "cloudSiemIndexIncorrect": boolean;
   /**
-   * The activation status of a content pack
+   * The activation status of a content pack.
    */
   "cpActivation": SecurityMonitoringContentPackActivation;
   /**
-   * Whether filters (Security Filters or Index Query depending on the pricing model) are configured for logs
+   * Whether filters (Security Filters or Index Query depending on the pricing model) are
+   * present and correctly configured to route logs into Cloud SIEM.
    */
   "filtersConfiguredForLogs": boolean;
   /**
-   * The installation status of the related integration
+   * The installation status of the related integration.
    */
   "integrationInstalledStatus"?: SecurityMonitoringContentPackIntegrationStatus;
   /**
-   * Timestamp bucket indicating when logs were last collected
+   * Timestamp bucket indicating when logs were last collected.
    */
   "logsLastCollected": SecurityMonitoringContentPackTimestampBucket;
   /**
-   * Whether logs have been seen from any index
+   * Whether logs for this content pack have been seen in any Datadog index within the last 72 hours.
    */
   "logsSeenFromAnyIndex": boolean;
   /**
-   * The current status of a content pack
+   * The current operational status of a content pack.
    */
   "state": SecurityMonitoringContentPackStatus;
 

packages/datadog-api-client-v2/models/SecurityMonitoringContentPackStateMeta.ts

@@ -16,7 +16,7 @@ export class SecurityMonitoringContentPackStateMeta {
    */
   "cloudSiemIndexIncorrect": boolean;
   /**
-   * The SIEM pricing model (SKU) for the organization
+   * The Cloud SIEM pricing model (SKU) for the organization.
    */
   "sku": SecurityMonitoringSKU;
 

packages/datadog-api-client-v2/models/SecurityMonitoringContentPackStatus.ts

@@ -7,7 +7,7 @@
 import { UnparsedObject } from "../../datadog-api-client-common/util";
 
 /**
- * The current status of a content pack
+ * The current operational status of a content pack.
  */
 
 export type SecurityMonitoringContentPackStatus =

packages/datadog-api-client-v2/models/SecurityMonitoringContentPackTimestampBucket.ts

@@ -7,7 +7,7 @@
 import { UnparsedObject } from "../../datadog-api-client-common/util";
 
 /**
- * Timestamp bucket indicating when logs were last collected
+ * Timestamp bucket indicating when logs were last collected.
  */
 
 export type SecurityMonitoringContentPackTimestampBucket =

packages/datadog-api-client-v2/models/SecurityMonitoringSKU.ts

@@ -7,7 +7,7 @@
 import { UnparsedObject } from "../../datadog-api-client-common/util";
 
 /**
- * The SIEM pricing model (SKU) for the organization
+ * The Cloud SIEM pricing model (SKU) for the organization.
  */
 
 export type SecurityMonitoringSKU =