Add OpenAPI documentation for list and get indicators of compromise endpoints (#3943)

Co-authored-by: ci.datadog-api-spec <packages@datadoghq.com>

Author: api-clients-generation-pipeline[bot]

.generator/schemas/v2/openapi.yaml

@@ -0,0 +1 @@
+"2026-04-14T18:22:17.027Z"

cassettes/v2/Security-Monitoring_1187227211/Get-an-indicator-of-compromise-returns-Not-Found-response_2981717965/frozen.json

@@ -0,0 +1,62 @@
+{
+  "log": {
+    "_recordingName": "Security Monitoring/Get an indicator of compromise returns \"Not Found\" response",
+    "creator": {
+      "comment": "persister:fs",
+      "name": "Polly.JS",
+      "version": "6.0.5"
+    },
+    "entries": [
+      {
+        "_id": "729cc78d9a0ee7c3573d0a0a57a4612f",
+        "_order": 0,
+        "cache": {},
+        "request": {
+          "bodySize": 0,
+          "cookies": [],
+          "headers": [
+            {
+              "_fromType": "array",
+              "name": "accept",
+              "value": "application/json"
+            }
+          ],
+          "headersSize": 612,
+          "httpVersion": "HTTP/1.1",
+          "method": "GET",
+          "queryString": [
+            {
+              "name": "indicator",
+              "value": "this-indicator-does-not-exist.invalid"
+            }
+          ],
+          "url": "https://api.datadoghq.com/api/v2/security/siem/ioc-explorer/indicator?indicator=this-indicator-does-not-exist.invalid"
+        },
+        "response": {
+          "bodySize": 69,
+          "content": {
+            "mimeType": "application/vnd.api+json",
+            "size": 69,
+            "text": "{\"errors\":[{\"title\":\"Generic Error\",\"detail\":\"indicator not found\"}]}"
+          },
+          "cookies": [],
+          "headers": [
+            {
+              "name": "content-type",
+              "value": "application/vnd.api+json"
+            }
+          ],
+          "headersSize": 524,
+          "httpVersion": "HTTP/1.1",
+          "redirectURL": "",
+          "status": 404,
+          "statusText": "Not Found"
+        },
+        "startedDateTime": "2026-04-14T18:22:17.037Z",
+        "time": 999
+      }
+    ],
+    "pages": [],
+    "version": "1.2"
+  }
+}

cassettes/v2/Security-Monitoring_1187227211/Get-an-indicator-of-compromise-returns-Not-Found-response_2981717965/recording.har

@@ -0,0 +1 @@
+"2026-04-14T18:22:29.733Z"

cassettes/v2/Security-Monitoring_1187227211/Get-an-indicator-of-compromise-returns-OK-response_2670867212/frozen.json

@@ -0,0 +1,62 @@
+{
+  "log": {
+    "_recordingName": "Security Monitoring/Get an indicator of compromise returns \"OK\" response",
+    "creator": {
+      "comment": "persister:fs",
+      "name": "Polly.JS",
+      "version": "6.0.5"
+    },
+    "entries": [
+      {
+        "_id": "46983f3852589614d88dbeb54245e244",
+        "_order": 0,
+        "cache": {},
+        "request": {
+          "bodySize": 0,
+          "cookies": [],
+          "headers": [
+            {
+              "_fromType": "array",
+              "name": "accept",
+              "value": "application/json"
+            }
+          ],
+          "headersSize": 653,
+          "httpVersion": "HTTP/1.1",
+          "method": "GET",
+          "queryString": [
+            {
+              "name": "indicator",
+              "value": "masscan/1.3 (https://github.com/robertdavidgraham/masscan)"
+            }
+          ],
+          "url": "https://api.datadoghq.com/api/v2/security/siem/ioc-explorer/indicator?indicator=masscan%2F1.3%20%28https%3A%2F%2Fgithub.com%2Frobertdavidgraham%2Fmasscan%29"
+        },
+        "response": {
+          "bodySize": 855,
+          "content": {
+            "mimeType": "application/vnd.api+json",
+            "size": 855,
+            "text": "{\"data\":{\"id\":\"65a31893-cc59-4125-9424-44f7ba083e53\",\"type\":\"get_indicator_response\",\"attributes\":{\"data\":{\"id\":\"masscan/1.3 (https://github.com/robertdavidgraham/masscan)\",\"indicator\":\"masscan/1.3 (https://github.com/robertdavidgraham/masscan)\",\"indicator_type\":\"User Agent\",\"score\":4,\"as_type\":\"hosting\",\"malicious_sources\":null,\"suspicious_sources\":[{\"name\":\"Datadog Threat Research\"}],\"benign_sources\":null,\"categories\":[\"scanner\"],\"tags\":[],\"signal_matches\":0,\"log_matches\":45,\"first_seen\":\"2025-01-08T23:24:45Z\",\"last_seen\":\"2026-04-10T14:36:20Z\",\"signal_tier\":0,\"max_trust_score\":\"RAISE_SCORE\",\"m_sources\":\"NO_EFFECT\",\"m_persistence\":\"RAISE_SCORE\",\"m_signal\":\"NO_EFFECT\",\"m_as_type\":\"NO_EFFECT\",\"log_sources\":[],\"services\":[],\"signal_severity\":[],\"users\":{},\"critical_assets\":[],\"hosts\":[],\"as_number\":\"\",\"as_organization\":\"\",\"as_cidr_block\":\"\"}}}}"
+          },
+          "cookies": [],
+          "headers": [
+            {
+              "name": "content-type",
+              "value": "application/vnd.api+json"
+            }
+          ],
+          "headersSize": 526,
+          "httpVersion": "HTTP/1.1",
+          "redirectURL": "",
+          "status": 200,
+          "statusText": "OK"
+        },
+        "startedDateTime": "2026-04-14T18:22:29.744Z",
+        "time": 1461
+      }
+    ],
+    "pages": [],
+    "version": "1.2"
+  }
+}

cassettes/v2/Security-Monitoring_1187227211/Get-an-indicator-of-compromise-returns-OK-response_2670867212/recording.har

@@ -0,0 +1 @@
+"2026-04-14T18:22:40.711Z"

cassettes/v2/Security-Monitoring_1187227211/List-indicators-of-compromise-returns-Bad-Request-response_209392928/frozen.json

@@ -0,0 +1,62 @@
+{
+  "log": {
+    "_recordingName": "Security Monitoring/List indicators of compromise returns \"Bad Request\" response",
+    "creator": {
+      "comment": "persister:fs",
+      "name": "Polly.JS",
+      "version": "6.0.5"
+    },
+    "entries": [
+      {
+        "_id": "02b5fd499f5dcaf4c0c97eb95adecf70",
+        "_order": 0,
+        "cache": {},
+        "request": {
+          "bodySize": 0,
+          "cookies": [],
+          "headers": [
+            {
+              "_fromType": "array",
+              "name": "accept",
+              "value": "application/json"
+            }
+          ],
+          "headersSize": 586,
+          "httpVersion": "HTTP/1.1",
+          "method": "GET",
+          "queryString": [
+            {
+              "name": "query",
+              "value": "invalid:::query"
+            }
+          ],
+          "url": "https://api.datadoghq.com/api/v2/security/siem/ioc-explorer?query=invalid%3A%3A%3Aquery"
+        },
+        "response": {
+          "bodySize": 166,
+          "content": {
+            "mimeType": "application/vnd.api+json",
+            "size": 166,
+            "text": "{\"errors\":[{\"title\":\"Generic Error\",\"detail\":\"invalid query: invalid query: syntax error: no viable alternative at input 'invalid::' at line 1 and char position 8\"}]}"
+          },
+          "cookies": [],
+          "headers": [
+            {
+              "name": "content-type",
+              "value": "application/vnd.api+json"
+            }
+          ],
+          "headersSize": 525,
+          "httpVersion": "HTTP/1.1",
+          "redirectURL": "",
+          "status": 400,
+          "statusText": "Bad Request"
+        },
+        "startedDateTime": "2026-04-14T18:22:40.719Z",
+        "time": 507
+      }
+    ],
+    "pages": [],
+    "version": "1.2"
+  }
+}

cassettes/v2/Security-Monitoring_1187227211/List-indicators-of-compromise-returns-Bad-Request-response_209392928/recording.har

@@ -0,0 +1 @@
+"2026-04-14T18:22:48.392Z"

cassettes/v2/Security-Monitoring_1187227211/List-indicators-of-compromise-returns-OK-response_3833256302/frozen.json

@@ -0,0 +1,62 @@
+{
+  "log": {
+    "_recordingName": "Security Monitoring/List indicators of compromise returns \"OK\" response",
+    "creator": {
+      "comment": "persister:fs",
+      "name": "Polly.JS",
+      "version": "6.0.5"
+    },
+    "entries": [
+      {
+        "_id": "6fab925a65ec0cad89aaa6c228f598ee",
+        "_order": 0,
+        "cache": {},
+        "request": {
+          "bodySize": 0,
+          "cookies": [],
+          "headers": [
+            {
+              "_fromType": "array",
+              "name": "accept",
+              "value": "application/json"
+            }
+          ],
+          "headersSize": 566,
+          "httpVersion": "HTTP/1.1",
+          "method": "GET",
+          "queryString": [
+            {
+              "name": "limit",
+              "value": "1"
+            }
+          ],
+          "url": "https://api.datadoghq.com/api/v2/security/siem/ioc-explorer?limit=1"
+        },
+        "response": {
+          "bodySize": 715,
+          "content": {
+            "mimeType": "application/vnd.api+json",
+            "size": 715,
+            "text": "{\"data\":{\"id\":\"a4e3b616-e180-4b47-a379-43da9c5b300e\",\"type\":\"ioc_explorer_response\",\"attributes\":{\"data\":[{\"id\":\"43.228.157.121\",\"indicator\":\"43.228.157.121\",\"indicator_type\":\"IP Address\",\"score\":8,\"as_type\":\"hosting\",\"malicious_sources\":[{\"name\":\"threatfox\"}],\"suspicious_sources\":[{\"name\":\"tor\"},{\"name\":\"SPUR\"}],\"benign_sources\":null,\"categories\":[\"malware\",\"tor\",\"hosting_proxy\"],\"tags\":[],\"signal_matches\":0,\"log_matches\":14,\"signal_tier\":0,\"max_trust_score\":\"RAISE_SCORE\",\"m_sources\":\"RAISE_SCORE\",\"m_persistence\":\"NO_EFFECT\",\"m_signal\":\"NO_EFFECT\",\"m_as_type\":\"NO_EFFECT\",\"as_geo\":{\"city\":\"Frankfurt am Main\",\"country_code\":\"DE\",\"country_name\":\"Germany\"}}],\"metadata\":{\"count\":25091},\"paging\":{\"offset\":1}}}}"
+          },
+          "cookies": [],
+          "headers": [
+            {
+              "name": "content-type",
+              "value": "application/vnd.api+json"
+            }
+          ],
+          "headersSize": 525,
+          "httpVersion": "HTTP/1.1",
+          "redirectURL": "",
+          "status": 200,
+          "statusText": "OK"
+        },
+        "startedDateTime": "2026-04-14T18:22:48.401Z",
+        "time": 1221
+      }
+    ],
+    "pages": [],
+    "version": "1.2"
+  }
+}

cassettes/v2/Security-Monitoring_1187227211/List-indicators-of-compromise-returns-OK-response_3833256302/recording.har

@@ -1298,6 +1298,30 @@ Feature: Security Monitoring
     Then the response status is 200 OK
     And the response "data[0].attributes.name" is equal to "suppression2 {{ unique_hash }}"
 
+  @generated @skip @team:DataDog/k9-cloud-siem
+  Scenario: Get an indicator of compromise returns "Bad Request" response
+    Given operation "GetIndicatorOfCompromise" enabled
+    And new "GetIndicatorOfCompromise" request
+    And request contains "indicator" parameter from "REPLACE.ME"
+    When the request is sent
+    Then the response status is 400 Bad Request
+
+  @replay-only @skip-terraform-config @team:DataDog/k9-cloud-siem
+  Scenario: Get an indicator of compromise returns "Not Found" response
+    Given operation "GetIndicatorOfCompromise" enabled
+    And new "GetIndicatorOfCompromise" request
+    And request contains "indicator" parameter with value "this-indicator-does-not-exist.invalid"
+    When the request is sent
+    Then the response status is 404 Not Found
+
+  @replay-only @skip-terraform-config @team:DataDog/k9-cloud-siem
+  Scenario: Get an indicator of compromise returns "OK" response
+    Given operation "GetIndicatorOfCompromise" enabled
+    And new "GetIndicatorOfCompromise" request
+    And request contains "indicator" parameter with value "masscan/1.3 (https://github.com/robertdavidgraham/masscan)"
+    When the request is sent
+    Then the response status is 200 OK
+
   @generated @skip @team:DataDog/k9-cloud-siem
   Scenario: Get content pack states returns "Not Found" response
     Given operation "GetContentPacksStates" enabled
@@ -1573,6 +1597,22 @@ Feature: Security Monitoring
     When the request is sent
     Then the response status is 200 OK
 
+  @replay-only @skip-terraform-config @team:DataDog/k9-cloud-siem
+  Scenario: List indicators of compromise returns "Bad Request" response
+    Given operation "ListIndicatorsOfCompromise" enabled
+    And new "ListIndicatorsOfCompromise" request
+    And request contains "query" parameter with value "invalid:::query"
+    When the request is sent
+    Then the response status is 400 Bad Request
+
+  @replay-only @skip-terraform-config @team:DataDog/k9-cloud-siem
+  Scenario: List indicators of compromise returns "OK" response
+    Given operation "ListIndicatorsOfCompromise" enabled
+    And new "ListIndicatorsOfCompromise" request
+    And request contains "limit" parameter with value 1
+    When the request is sent
+    Then the response status is 200 OK
+
   @team:DataDog/k9-cloud-siem
   Scenario: List resource filters returns "Bad Request" response
     Given new "GetResourceEvaluationFilters" request