diff --git a/config/_default/menus/api.en.yaml b/config/_default/menus/api.en.yaml index c470f5c5789..907846379bd 100644 --- a/config/_default/menus/api.en.yaml +++ b/config/_default/menus/api.en.yaml @@ -2624,6 +2624,30 @@ menu: unstable: - v2 order: 69 + - name: Get suggested actions for a signal + url: '#get-suggested-actions-for-a-signal' + identifier: security-monitoring-get-suggested-actions-for-a-signal + parent: security-monitoring + generated: true + params: + versions: + - v2 + operationids: + - GetSuggestedActionsMatchingSignal + unstable: [] + order: 88 + - name: Get investigation queries for a signal + url: '#get-investigation-queries-for-a-signal' + identifier: security-monitoring-get-investigation-queries-for-a-signal + parent: security-monitoring + generated: true + params: + versions: + - v2 + operationids: + - GetInvestigationLogQueriesMatchingSignal + unstable: [] + order: 87 - name: Change the related incidents of a security signal url: '#change-the-related-incidents-of-a-security-signal' identifier: security-monitoring-change-the-related-incidents-of-a-security-signal diff --git a/content/en/api/v2/security-monitoring/examples.json b/content/en/api/v2/security-monitoring/examples.json index 10b6d6067dd..fb0299c9c4c 100644 --- a/content/en/api/v2/security-monitoring/examples.json +++ b/content/en/api/v2/security-monitoring/examples.json @@ -8081,6 +8081,59 @@ "html": "
\n
\n
\n
\n

data [required]

\n
\n

object

\n

Data containing the patch for changing the related incidents of a signal.

\n
\n
\n
\n
\n
\n

attributes [required]

\n
\n

object

\n

Attributes describing the new list of related signals for a security signal.

\n
\n
\n
\n
\n
\n

incident_ids [required]

\n
\n

[integer]

\n

Array of incidents that are associated with this signal.

\n
\n \n
\n
\n
\n
\n
\n

version

\n
\n

int64

\n

Version of the updated signal. If server side version is higher, update will be rejected.

\n
\n \n
\n
\n
\n
\n
\n
" } }, + "GetInvestigationLogQueriesMatchingSignal": { + "responses": { + "200": { + "json": { + "data": [ + { + "attributes": { + "name": "Cloudtrail events for user ARN", + "query_filter": "source:cloudtrail @userIdentity.arn:\"foo\"", + "template_variables": { + "": [] + }, + "title": "Monitor Okta logs to track system access and unusual activity", + "url": "/logs?query=source%3Acloudtrail+%40userIdentity.arn%3A%22foo%22" + }, + "id": "w00-t10-992", + "type": "investigation_log_queries" + } + ] + }, + "html": "
\n
\n
\n
\n

data [required]

\n
\n

[object]

\n

List of suggested actions for a security signal.

\n
\n
\n
\n
\n
\n

attributes [required]

\n
\n

object

\n

Attributes of a suggested action for a security signal. The available fields depend on the action type.

\n
\n
\n
\n
\n
\n

name

\n
\n

string

\n

The name of the investigation log query.

\n
\n \n
\n
\n
\n
\n
\n

query_filter

\n
\n

string

\n

The log query filter for the investigation.

\n
\n \n
\n
\n
\n
\n
\n

template_variables

\n
\n

object

\n

Template variables applied to the investigation log query, mapping attribute paths to values extracted from the signal.

\n
\n
\n
\n
\n
\n

<any-key>

\n
\n

[string]

\n
\n
\n \n
\n
\n
\n
\n
\n
\n
\n

title

\n
\n

string

\n

The title of the recommended blog post.

\n
\n \n
\n
\n
\n
\n
\n

url

\n
\n

string

\n

The URL of the suggested action.

\n
\n \n
\n
\n
\n
\n
\n
\n
\n

id [required]

\n
\n

string

\n

The unique ID of the suggested action.

\n
\n \n
\n
\n
\n
\n
\n

type [required]

\n
\n

enum

\n

The type of the suggested action resource. \nAllowed enum values: investigation_log_queries,recommended_blog_posts

\n
\n \n
\n
\n
\n
" + }, + "403": { + "json": { + "errors": [ + "Bad Request" + ] + }, + "html": "
\n
\n
\n
\n

errors [required]

\n
\n

[string]

\n

A list of errors.

\n
\n \n
\n
" + }, + "404": { + "json": { + "errors": [ + "Bad Request" + ] + }, + "html": "
\n
\n
\n
\n

errors [required]

\n
\n

[string]

\n

A list of errors.

\n
\n \n
\n
" + }, + "429": { + "json": { + "errors": [ + "Bad Request" + ] + }, + "html": "
\n
\n
\n
\n

errors [required]

\n
\n

[string]

\n

A list of errors.

\n
\n \n
\n
" + } + }, + "request": { + "json_curl": {}, + "json": {}, + "html": "" + } + }, "EditSecurityMonitoringSignalState": { "responses": { "200": { @@ -8179,6 +8232,59 @@ "html": "
\n
\n
\n
\n

data [required]

\n
\n

object

\n

Data containing the patch for changing the state of a signal.

\n
\n
\n
\n
\n
\n

attributes [required]

\n
\n

object

\n

Attributes describing the change of state of a security signal.

\n
\n
\n
\n
\n
\n

archive_comment

\n
\n

string

\n

Optional comment to display on archived signals.

\n
\n \n
\n
\n
\n
\n
\n

archive_reason

\n
\n

enum

\n

Reason a signal is archived. \nAllowed enum values: none,false_positive,testing_or_maintenance,remediated,investigated_case_opened,true_positive_benign,true_positive_malicious,other

\n
\n \n
\n
\n
\n
\n
\n

state [required]

\n
\n

enum

\n

The new triage state of the signal. \nAllowed enum values: open,archived,under_review

\n
\n \n
\n
\n
\n
\n
\n

version

\n
\n

int64

\n

Version of the updated signal. If server side version is higher, update will be rejected.

\n
\n \n
\n
\n
\n
\n
\n
\n
\n

id

\n
\n

\n

The unique ID of the security signal.

\n
\n \n
\n
\n
\n
\n
\n

type

\n
\n

enum

\n

The type of event. \nAllowed enum values: signal_metadata

default: signal_metadata

\n
\n \n
\n
\n
\n
" } }, + "GetSuggestedActionsMatchingSignal": { + "responses": { + "200": { + "json": { + "data": [ + { + "attributes": { + "name": "Cloudtrail events for user ARN", + "query_filter": "source:cloudtrail @userIdentity.arn:\"foo\"", + "template_variables": { + "": [] + }, + "title": "Monitor Okta logs to track system access and unusual activity", + "url": "/logs?query=source%3Acloudtrail+%40userIdentity.arn%3A%22foo%22" + }, + "id": "w00-t10-992", + "type": "investigation_log_queries" + } + ] + }, + "html": "
\n
\n
\n
\n

data [required]

\n
\n

[object]

\n

List of suggested actions for a security signal.

\n
\n
\n
\n
\n
\n

attributes [required]

\n
\n

object

\n

Attributes of a suggested action for a security signal. The available fields depend on the action type.

\n
\n
\n
\n
\n
\n

name

\n
\n

string

\n

The name of the investigation log query.

\n
\n \n
\n
\n
\n
\n
\n

query_filter

\n
\n

string

\n

The log query filter for the investigation.

\n
\n \n
\n
\n
\n
\n
\n

template_variables

\n
\n

object

\n

Template variables applied to the investigation log query, mapping attribute paths to values extracted from the signal.

\n
\n
\n
\n
\n
\n

<any-key>

\n
\n

[string]

\n
\n
\n \n
\n
\n
\n
\n
\n
\n
\n

title

\n
\n

string

\n

The title of the recommended blog post.

\n
\n \n
\n
\n
\n
\n
\n

url

\n
\n

string

\n

The URL of the suggested action.

\n
\n \n
\n
\n
\n
\n
\n
\n
\n

id [required]

\n
\n

string

\n

The unique ID of the suggested action.

\n
\n \n
\n
\n
\n
\n
\n

type [required]

\n
\n

enum

\n

The type of the suggested action resource. \nAllowed enum values: investigation_log_queries,recommended_blog_posts

\n
\n \n
\n
\n
\n
" + }, + "403": { + "json": { + "errors": [ + "Bad Request" + ] + }, + "html": "
\n
\n
\n
\n

errors [required]

\n
\n

[string]

\n

A list of errors.

\n
\n \n
\n
" + }, + "404": { + "json": { + "errors": [ + "Bad Request" + ] + }, + "html": "
\n
\n
\n
\n

errors [required]

\n
\n

[string]

\n

A list of errors.

\n
\n \n
\n
" + }, + "429": { + "json": { + "errors": [ + "Bad Request" + ] + }, + "html": "
\n
\n
\n
\n

errors [required]

\n
\n

[string]

\n

A list of errors.

\n
\n \n
\n
" + } + }, + "request": { + "json_curl": {}, + "json": {}, + "html": "" + } + }, "ListSecurityMonitoringHistsignals": { "responses": { "200": { diff --git a/data/api/v2/full_spec.yaml b/data/api/v2/full_spec.yaml index 14543ff3396..3d869733226 100644 --- a/data/api/v2/full_spec.yaml +++ b/data/api/v2/full_spec.yaml @@ -59750,6 +59750,17 @@ components: required: - data type: object + SecurityMonitoringSignalInvestigationQueryTemplateVariables: + additionalProperties: + items: + description: A value for this template variable extracted from the signal. + type: string + type: array + description: Template variables applied to the investigation log query, mapping attribute paths to values extracted from the signal. + example: + "@userIdentity.arn": + - foo + type: object SecurityMonitoringSignalListRequest: description: The request for a security signal list. properties: 
@@ -60135,6 +60146,82 @@ components: required: - data type: object + SecurityMonitoringSignalSuggestedAction: + description: A suggested action for a security signal. + properties: + attributes: + $ref: "#/components/schemas/SecurityMonitoringSignalSuggestedActionAttributes" + id: + description: The unique ID of the suggested action. + example: w00-t10-992 + type: string + type: + $ref: "#/components/schemas/SecurityMonitoringSignalSuggestedActionType" + required: + - id + - type + - attributes + type: object + SecurityMonitoringSignalSuggestedActionAttributes: + description: Attributes of a suggested action for a security signal. The available fields depend on the action type. + properties: + name: + description: The name of the investigation log query. + example: Cloudtrail events for user ARN + type: string + query_filter: + description: The log query filter for the investigation. + example: 'source:cloudtrail @userIdentity.arn:"foo"' + type: string + template_variables: + $ref: "#/components/schemas/SecurityMonitoringSignalInvestigationQueryTemplateVariables" + title: + description: The title of the recommended blog post. + example: Monitor Okta logs to track system access and unusual activity + type: string + url: + description: The URL of the suggested action. + example: /logs?query=source%3Acloudtrail+%40userIdentity.arn%3A%22foo%22 + type: string + type: object + SecurityMonitoringSignalSuggestedActionList: + description: List of suggested actions for a security signal. 
+ example: + - attributes: + name: Cloudtrail events for user ARN + query_filter: 'source:cloudtrail @userIdentity.arn:"foo"' + template_variables: + "@userIdentity.arn": + - foo + url: /logs?query=source%3Acloudtrail+%40userIdentity.arn%3A%22foo%22 + id: w00-t10-992 + type: investigation_log_queries + - attributes: + title: Monitor Okta logs to track system access and unusual activity + url: https://www.datadoghq.com/blog/monitor-activity-with-okta/ + id: bxy-o8v-i1a + type: recommended_blog_posts + items: + $ref: "#/components/schemas/SecurityMonitoringSignalSuggestedAction" + type: array + SecurityMonitoringSignalSuggestedActionType: + description: The type of the suggested action resource. + enum: + - investigation_log_queries + - recommended_blog_posts + example: investigation_log_queries + type: string + x-enum-varnames: + - INVESTIGATION_LOG_QUERIES + - RECOMMENDED_BLOG_POSTS + SecurityMonitoringSignalSuggestedActionsResponse: + description: Response with suggested actions for a security signal. + properties: + data: + $ref: "#/components/schemas/SecurityMonitoringSignalSuggestedActionList" + required: + - data + type: object SecurityMonitoringSignalTriageAttributes: description: Attributes describing a triage state update operation over a security signal. properties: 
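Review bot: SecurityMonitoringSignalSuggestedActionAttributes declares `name`, `query_filter`, `template_variables`, `title` and `url` as flat optional properties with no `required` list, while its description says the available fields depend on the action type; nothing in the schema tells a client which fields accompany which `type`. The per-type rule is only recoverable from the example in SecurityMonitoringSignalSuggestedActionList (investigation_log_queries items carry name/query_filter/template_variables/url, recommended_blog_posts items carry title/url). At minimum each property description should state its type, e.g. `description: The name of the investigation log query. Present only when type is investigation_log_queries.`; the stronger fix is a `oneOf` over two per-type action schemas with `discriminator: propertyName: type`. Separately, `url` is app-relative (`/logs?query=...`) in one example and absolute (`https://www.datadoghq.com/blog/...`) in the other, so its description should say both forms occur. Because `query_filter` and `url` carry values that `template_variables` documents as extracted from the signal, it is worth noting that clients should treat them as data rather than as trusted link targets.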
@@ -108349,6 +108436,55 @@ paths: operator: OR permissions: - security_monitoring_signals_write + /api/v2/security_monitoring/signals/{signal_id}/investigation_queries: + get: + description: Get the list of investigation log queries available for a given security signal. + operationId: GetInvestigationLogQueriesMatchingSignal + parameters: + - $ref: "#/components/parameters/SignalID" + responses: + "200": + content: + application/json: + example: + data: + - attributes: + name: Cloudtrail events for user ARN + query_filter: 'source:cloudtrail @userIdentity.arn:"foo"' + template_variables: + "@userIdentity.arn": + - foo + url: /logs?query=source%3Acloudtrail+%40userIdentity.arn%3A%22foo%22 + id: w00-t10-992 + type: investigation_log_queries + - attributes: + title: Monitor Okta logs to track system access and unusual activity + url: https://www.datadoghq.com/blog/monitor-activity-with-okta/ + id: bxy-o8v-i1a + type: recommended_blog_posts + schema: + $ref: "#/components/schemas/SecurityMonitoringSignalSuggestedActionsResponse" + description: OK + "403": + $ref: "#/components/responses/NotAuthorizedResponse" + "404": + $ref: "#/components/responses/NotFoundResponse" + "429": + $ref: "#/components/responses/TooManyRequestsResponse" + security: + - apiKeyAuth: [] + appKeyAuth: [] + - AuthZ: + - security_monitoring_rules_read + - security_monitoring_signals_read + summary: Get investigation queries for a signal + tags: ["Security Monitoring"] + x-menu-order: 87 + x-permission: + operator: AND + permissions: + - security_monitoring_rules_read + - security_monitoring_signals_read /api/v2/security_monitoring/signals/{signal_id}/state: patch: description: |- 
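Review bot: The 200 example for GET /api/v2/security_monitoring/signals/{signal_id}/investigation_queries includes a `recommended_blog_posts` item, but the operation's description says it returns investigation log queries; either the example should contain only `investigation_log_queries` items or the description should say the response may include other suggested-action types. The example and response schema are identical to those of the `/suggested_actions` operation in the next hunk, which suggests one was copied from the other. If the two operations really return the same shape, a sentence in each description saying how they differ (e.g. that `/investigation_queries` returns the subset of suggested actions with type `investigation_log_queries`) would save readers guessing; this is inferred from the examples, so confirm against the service.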
@@ -108390,6 +108526,55 @@ paths: operator: OR permissions: - security_monitoring_signals_write + /api/v2/security_monitoring/signals/{signal_id}/suggested_actions: + get: + description: Get the list of suggested actions for a given security signal. + operationId: GetSuggestedActionsMatchingSignal + parameters: + - $ref: "#/components/parameters/SignalID" + responses: + "200": + content: + application/json: + example: + data: + - attributes: + name: Cloudtrail events for user ARN + query_filter: 'source:cloudtrail @userIdentity.arn:"foo"' + template_variables: + "@userIdentity.arn": + - foo + url: /logs?query=source%3Acloudtrail+%40userIdentity.arn%3A%22foo%22 + id: w00-t10-992 + type: investigation_log_queries + - attributes: + title: Monitor Okta logs to track system access and unusual activity + url: https://www.datadoghq.com/blog/monitor-activity-with-okta/ + id: bxy-o8v-i1a + type: recommended_blog_posts + schema: + $ref: "#/components/schemas/SecurityMonitoringSignalSuggestedActionsResponse" + description: OK + "403": + $ref: "#/components/responses/NotAuthorizedResponse" + "404": + $ref: "#/components/responses/NotFoundResponse" + "429": + $ref: "#/components/responses/TooManyRequestsResponse" + security: + - apiKeyAuth: [] + appKeyAuth: [] + - AuthZ: + - security_monitoring_rules_read + - security_monitoring_signals_read + summary: Get suggested actions for a signal + tags: ["Security Monitoring"] + x-menu-order: 88 + x-permission: + operator: AND + permissions: + - security_monitoring_rules_read + - security_monitoring_signals_read /api/v2/sensitive-data-scanner/config: get: description: List all the Scanning groups in your organization. diff --git a/data/api/v2/translate_actions.json b/data/api/v2/translate_actions.json index caa957c4494..d1388e6af1f 100644 --- a/data/api/v2/translate_actions.json +++ b/data/api/v2/translate_actions.json 
@@ -3777,12 +3777,20 @@ "request_description": "Attributes describing the signal update.", "request_schema_description": "Request body for changing the related incidents of a given security monitoring signal." }, + "GetInvestigationLogQueriesMatchingSignal": { + "description": "Get the list of investigation log queries available for a given security signal.", + "summary": "Get investigation queries for a signal" + }, "EditSecurityMonitoringSignalState": { "description": "Change the triage state of a security signal.", "summary": "Change the triage state of a security signal", "request_description": "Attributes describing the signal update.", "request_schema_description": "Request body for changing the state of a given security monitoring signal." }, + "GetSuggestedActionsMatchingSignal": { + "description": "Get the list of suggested actions for a given security signal.", + "summary": "Get suggested actions for a signal" + }, "ListScanningGroups": { "description": "List all the Scanning groups in your organization.", "summary": "List Scanning Groups"