{
|
|
"name": "TestSecurityRule",
|
|
"fully_qualified_name": "DatadogApi.TestSecurityRule@0.1.0",
|
|
"description": "Test a security monitoring rule.\n\nUse this tool to test a security monitoring rule within Datadog's system. It should be called when you need to verify the effectiveness or functionality of a specific rule.",
|
|
"toolkit": {
|
|
"name": "ArcadeDatadogApi",
|
|
"description": null,
|
|
"version": "0.1.0"
|
|
},
|
|
"input": {
|
|
"parameters": [
|
|
{
|
|
"name": "test_payload",
|
|
"required": true,
|
|
"description": "JSON object containing the rule to be tested and associated query payloads. Includes rule details and an array of query payloads, each with an expected result, index, and payload data including source, tags, hostname, message, and service.",
|
|
"value_schema": {
|
|
"val_type": "json",
|
|
"inner_val_type": null,
|
|
"enum": null,
|
|
"properties": {
|
|
"rule": {
|
|
"val_type": "json",
|
|
"inner_val_type": null,
|
|
"enum": null,
|
|
"properties": null,
|
|
"inner_properties": null,
|
|
"description": "Test a rule."
|
|
},
|
|
"ruleQueryPayloads": {
|
|
"val_type": "array",
|
|
"inner_val_type": "json",
|
|
"enum": null,
|
|
"properties": null,
|
|
"inner_properties": {
|
|
"expectedResult": {
|
|
"val_type": "boolean",
|
|
"inner_val_type": null,
|
|
"enum": null,
|
|
"properties": null,
|
|
"inner_properties": null,
|
|
"description": "Expected result of the test."
|
|
},
|
|
"index": {
|
|
"val_type": "integer",
|
|
"inner_val_type": null,
|
|
"enum": null,
|
|
"properties": null,
|
|
"inner_properties": null,
|
|
"description": "Index of the query under test."
|
|
},
|
|
"payload": {
|
|
"val_type": "json",
|
|
"inner_val_type": null,
|
|
"enum": null,
|
|
"properties": {
|
|
"ddsource": {
|
|
"val_type": "string",
|
|
"inner_val_type": null,
|
|
"enum": null,
|
|
"properties": null,
|
|
"inner_properties": null,
|
|
"description": "Source of the payload."
|
|
},
|
|
"ddtags": {
|
|
"val_type": "string",
|
|
"inner_val_type": null,
|
|
"enum": null,
|
|
"properties": null,
|
|
"inner_properties": null,
|
|
"description": "Tags associated with your data."
|
|
},
|
|
"hostname": {
|
|
"val_type": "string",
|
|
"inner_val_type": null,
|
|
"enum": null,
|
|
"properties": null,
|
|
"inner_properties": null,
|
|
"description": "The name of the originating host of the log."
|
|
},
|
|
"message": {
|
|
"val_type": "string",
|
|
"inner_val_type": null,
|
|
"enum": null,
|
|
"properties": null,
|
|
"inner_properties": null,
|
|
"description": "The message of the payload."
|
|
},
|
|
"service": {
|
|
"val_type": "string",
|
|
"inner_val_type": null,
|
|
"enum": null,
|
|
"properties": null,
|
|
"inner_properties": null,
|
|
"description": "The name of the application or service generating the data."
|
|
}
|
|
},
|
|
"inner_properties": null,
|
|
"description": "Payload used to test the rule query."
|
|
}
|
|
},
|
|
"description": "Data payloads used to test rules query with the expected result."
|
|
}
|
|
},
|
|
"inner_properties": null,
|
|
"description": ""
|
|
},
|
|
"inferrable": true,
|
|
"http_endpoint_parameter_name": "requestBody"
|
|
}
|
|
]
|
|
},
|
|
"output": {
|
|
"description": "Response from the API endpoint 'TestSecurityMonitoringRule'.",
|
|
"available_modes": [
|
|
"value",
|
|
"error",
|
|
"null"
|
|
],
|
|
"value_schema": {
|
|
"val_type": "json",
|
|
"inner_val_type": null,
|
|
"enum": null,
|
|
"properties": null,
|
|
"inner_properties": null,
|
|
"description": null
|
|
}
|
|
},
|
|
"requirements": {
|
|
"authorization": null,
|
|
"secrets": [
|
|
{
|
|
"key": "DATADOG_API_KEY"
|
|
},
|
|
{
|
|
"key": "DATADOG_APPLICATION_KEY"
|
|
},
|
|
{
|
|
"key": "DATADOG_BASE_URL"
|
|
}
|
|
],
|
|
"metadata": null
|
|
},
|
|
"deprecation_message": null,
|
|
"metadata": {
|
|
"object_type": "api_wrapper_tool",
|
|
"version": "1.1.0",
|
|
"description": "Tools that enable LLMs to interact directly with the Datadog API."
|
|
},
|
|
"http_endpoint": {
|
|
"metadata": {
|
|
"object_type": "http_endpoint",
|
|
"version": "1.2.0",
|
|
"description": ""
|
|
},
|
|
"url": "https://{datadog_base_url}/api/v2/security_monitoring/rules/test",
|
|
"http_method": "POST",
|
|
"headers": {},
|
|
"parameters": [
|
|
{
|
|
"name": "requestBody",
|
|
"tool_parameter_name": "test_payload",
|
|
"description": "",
|
|
"value_schema": {
|
|
"val_type": "json",
|
|
"inner_val_type": null,
|
|
"enum": null,
|
|
"properties": {
|
|
"rule": {
|
|
"val_type": "json",
|
|
"inner_val_type": null,
|
|
"enum": null,
|
|
"properties": null,
|
|
"inner_properties": null,
|
|
"description": "Test a rule."
|
|
},
|
|
"ruleQueryPayloads": {
|
|
"val_type": "array",
|
|
"inner_val_type": "json",
|
|
"enum": null,
|
|
"properties": null,
|
|
"inner_properties": {
|
|
"expectedResult": {
|
|
"val_type": "boolean",
|
|
"inner_val_type": null,
|
|
"enum": null,
|
|
"properties": null,
|
|
"inner_properties": null,
|
|
"description": "Expected result of the test."
|
|
},
|
|
"index": {
|
|
"val_type": "integer",
|
|
"inner_val_type": null,
|
|
"enum": null,
|
|
"properties": null,
|
|
"inner_properties": null,
|
|
"description": "Index of the query under test."
|
|
},
|
|
"payload": {
|
|
"val_type": "json",
|
|
"inner_val_type": null,
|
|
"enum": null,
|
|
"properties": {
|
|
"ddsource": {
|
|
"val_type": "string",
|
|
"inner_val_type": null,
|
|
"enum": null,
|
|
"properties": null,
|
|
"inner_properties": null,
|
|
"description": "Source of the payload."
|
|
},
|
|
"ddtags": {
|
|
"val_type": "string",
|
|
"inner_val_type": null,
|
|
"enum": null,
|
|
"properties": null,
|
|
"inner_properties": null,
|
|
"description": "Tags associated with your data."
|
|
},
|
|
"hostname": {
|
|
"val_type": "string",
|
|
"inner_val_type": null,
|
|
"enum": null,
|
|
"properties": null,
|
|
"inner_properties": null,
|
|
"description": "The name of the originating host of the log."
|
|
},
|
|
"message": {
|
|
"val_type": "string",
|
|
"inner_val_type": null,
|
|
"enum": null,
|
|
"properties": null,
|
|
"inner_properties": null,
|
|
"description": "The message of the payload."
|
|
},
|
|
"service": {
|
|
"val_type": "string",
|
|
"inner_val_type": null,
|
|
"enum": null,
|
|
"properties": null,
|
|
"inner_properties": null,
|
|
"description": "The name of the application or service generating the data."
|
|
}
|
|
},
|
|
"inner_properties": null,
|
|
"description": "Payload used to test the rule query."
|
|
}
|
|
},
|
|
"description": "Data payloads used to test rules query with the expected result."
|
|
}
|
|
},
|
|
"inner_properties": null,
|
|
"description": ""
|
|
},
|
|
"accepted_as": "body",
|
|
"required": true,
|
|
"deprecated": false,
|
|
"default": null,
|
|
"documentation_urls": []
|
|
}
|
|
],
|
|
"documentation_urls": [],
|
|
"secrets": [
|
|
{
|
|
"arcade_key": "DATADOG_API_KEY",
|
|
"parameter_name": "DD-API-KEY",
|
|
"accepted_as": "header",
|
|
"formatted_value": null,
|
|
"description": "",
|
|
"is_auth_token": false
|
|
},
|
|
{
|
|
"arcade_key": "DATADOG_APPLICATION_KEY",
|
|
"parameter_name": "DD-APPLICATION-KEY",
|
|
"accepted_as": "header",
|
|
"formatted_value": null,
|
|
"description": "",
|
|
"is_auth_token": false
|
|
},
|
|
{
|
|
"arcade_key": "DATADOG_BASE_URL",
|
|
"parameter_name": "datadog_base_url",
|
|
"accepted_as": "path",
|
|
"formatted_value": null,
|
|
"description": "",
|
|
"is_auth_token": false
|
|
}
|
|
],
|
|
"request_body_spec": "{\n \"content\": {\n \"application/json\": {\n \"schema\": {\n \"description\": \"Test the rule queries of a rule (rule property is ignored when applied to an existing rule)\",\n \"properties\": {\n \"rule\": {\n \"description\": \"Test a rule.\",\n \"oneOf\": [\n {\n \"description\": \"The payload of a rule to test\",\n \"properties\": {\n \"calculatedFields\": {\n \"description\": \"Calculated fields. Only allowed for scheduled rules - in other words, when schedulingOptions is also defined.\",\n \"items\": {\n \"description\": \"Calculated field.\",\n \"properties\": {\n \"expression\": {\n \"description\": \"Expression.\",\n \"example\": \"@request_end_timestamp - @request_start_timestamp\",\n \"type\": \"string\"\n },\n \"name\": {\n \"description\": \"Field name.\",\n \"example\": \"response_time\",\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"name\",\n \"expression\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"cases\": {\n \"description\": \"Cases for generating signals.\",\n \"example\": [],\n \"items\": {\n \"description\": \"Case when signal is generated.\",\n \"properties\": {\n \"actions\": {\n \"description\": \"Action to perform for each rule case.\",\n \"items\": {\n \"description\": \"Action to perform when a signal is triggered. Only available for Application Security rule type.\",\n \"properties\": {\n \"options\": {\n \"additionalProperties\": {},\n \"description\": \"Options for the rule action\",\n \"properties\": {\n \"duration\": {\n \"description\": \"Duration of the action in seconds. 0 indicates no expiration.\",\n \"example\": 0,\n \"format\": \"int64\",\n \"minimum\": 0,\n \"type\": \"integer\"\n },\n \"flaggedIPType\": {\n \"description\": \"Used with the case action of type 'flag_ip'. 
The value specified in this field is applied as a flag to the IP addresses.\",\n \"enum\": [\n \"SUSPICIOUS\",\n \"FLAGGED\"\n ],\n \"example\": \"FLAGGED\",\n \"type\": \"string\",\n \"x-enum-varnames\": [\n \"SUSPICIOUS\",\n \"FLAGGED\"\n ]\n },\n \"userBehaviorName\": {\n \"description\": \"Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.\",\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": {\n \"description\": \"The action type.\",\n \"enum\": [\n \"block_ip\",\n \"block_user\",\n \"user_behavior\",\n \"flag_ip\"\n ],\n \"type\": \"string\",\n \"x-enum-varnames\": [\n \"BLOCK_IP\",\n \"BLOCK_USER\",\n \"USER_BEHAVIOR\",\n \"FLAG_IP\"\n ]\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"condition\": {\n \"description\": \"A case contains logical operations (`>`,`>=`, `&&`, `||`) to determine if a signal should be generated\\nbased on the event counts in the previously defined queries.\",\n \"type\": \"string\"\n },\n \"name\": {\n \"description\": \"Name of the case.\",\n \"type\": \"string\"\n },\n \"notifications\": {\n \"description\": \"Notification targets.\",\n \"items\": {\n \"description\": \"Notification.\",\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"status\": {\n \"description\": \"Severity of the Security Signal.\",\n \"enum\": [\n \"info\",\n \"low\",\n \"medium\",\n \"high\",\n \"critical\"\n ],\n \"example\": \"critical\",\n \"type\": \"string\",\n \"x-enum-varnames\": [\n \"INFO\",\n \"LOW\",\n \"MEDIUM\",\n \"HIGH\",\n \"CRITICAL\"\n ]\n }\n },\n \"required\": [\n \"status\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"filters\": {\n \"description\": \"Additional queries to filter matched events before they are processed. 
This field is deprecated for log detection, signal correlation, and workload security rules.\",\n \"items\": {\n \"description\": \"The rule's suppression filter.\",\n \"properties\": {\n \"action\": {\n \"description\": \"The type of filtering action.\",\n \"enum\": [\n \"require\",\n \"suppress\"\n ],\n \"type\": \"string\",\n \"x-enum-varnames\": [\n \"REQUIRE\",\n \"SUPPRESS\"\n ]\n },\n \"query\": {\n \"description\": \"Query for selecting logs to apply the filtering action.\",\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"groupSignalsBy\": {\n \"description\": \"Additional grouping to perform on top of the existing groups in the query section. Must be a subset of the existing groups.\",\n \"example\": [\n \"service\"\n ],\n \"items\": {\n \"description\": \"Field to group by.\",\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"hasExtendedTitle\": {\n \"description\": \"Whether the notifications include the triggering group-by values in their title.\",\n \"example\": true,\n \"type\": \"boolean\"\n },\n \"isEnabled\": {\n \"description\": \"Whether the rule is enabled.\",\n \"example\": true,\n \"type\": \"boolean\"\n },\n \"message\": {\n \"description\": \"Message for generated signals.\",\n \"example\": \"\",\n \"type\": \"string\"\n },\n \"name\": {\n \"description\": \"The name of the rule.\",\n \"example\": \"My security monitoring rule.\",\n \"type\": \"string\"\n },\n \"options\": {\n \"description\": \"Options.\",\n \"properties\": {\n \"complianceRuleOptions\": {\n \"additionalProperties\": {},\n \"description\": \"Options for cloud_configuration rules.\\nFields `resourceType` and `regoRule` are mandatory when managing custom `cloud_configuration` rules.\",\n \"properties\": {\n \"complexRule\": {\n \"description\": \"Whether the rule is a complex one.\\nMust be set to true if `regoRule.resourceTypes` contains more than one item. 
Defaults to false.\",\n \"type\": \"boolean\"\n },\n \"regoRule\": {\n \"description\": \"Rule details.\",\n \"properties\": {\n \"policy\": {\n \"description\": \"The policy written in `rego`, see: https://www.openpolicyagent.org/docs/latest/policy-language/\",\n \"example\": \"package datadog\\n\\nimport data.datadog.output as dd_output\\nimport future.keywords.contains\\nimport future.keywords.if\\nimport future.keywords.in\\n\\neval(resource) = \\\"skip\\\" if {\\n # Logic that evaluates to true if the resource should be skipped\\n true\\n} else = \\\"pass\\\" {\\n # Logic that evaluates to true if the resource is compliant\\n true\\n} else = \\\"fail\\\" {\\n # Logic that evaluates to true if the resource is not compliant\\n true\\n}\\n\\n# This part remains unchanged for all rules\\nresults contains result if {\\n some resource in input.resources[input.main_resource_type]\\n result := dd_output.format(resource, eval(resource))\\n}\",\n \"type\": \"string\"\n },\n \"resourceTypes\": {\n \"description\": \"List of resource types that will be evaluated upon. Must have at least one element.\",\n \"example\": [\n \"gcp_iam_service_account\",\n \"gcp_iam_policy\"\n ],\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\"\n }\n },\n \"required\": [\n \"policy\",\n \"resourceTypes\"\n ],\n \"type\": \"object\"\n },\n \"resourceType\": {\n \"description\": \"Main resource type to be checked by the rule. It should be specified again in `regoRule.resourceTypes`.\",\n \"example\": \"aws_acm\",\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"decreaseCriticalityBasedOnEnv\": {\n \"description\": \"If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce signal noise.\\nThe severity is decreased by one level: `CRITICAL` in production becomes `HIGH` in non-production, `HIGH` becomes `MEDIUM` and so on. 
`INFO` remains `INFO`.\\nThe decrement is applied when the environment tag of the signal starts with `staging`, `test` or `dev`.\",\n \"example\": false,\n \"type\": \"boolean\"\n },\n \"detectionMethod\": {\n \"description\": \"The detection method.\",\n \"enum\": [\n \"threshold\",\n \"new_value\",\n \"anomaly_detection\",\n \"impossible_travel\",\n \"hardcoded\",\n \"third_party\",\n \"anomaly_threshold\",\n \"sequence_detection\"\n ],\n \"type\": \"string\",\n \"x-enum-varnames\": [\n \"THRESHOLD\",\n \"NEW_VALUE\",\n \"ANOMALY_DETECTION\",\n \"IMPOSSIBLE_TRAVEL\",\n \"HARDCODED\",\n \"THIRD_PARTY\",\n \"ANOMALY_THRESHOLD\",\n \"SEQUENCE_DETECTION\"\n ]\n },\n \"evaluationWindow\": {\n \"description\": \"A time window is specified to match when at least one of the cases matches true. This is a sliding window\\nand evaluates in real time. For third party detection method, this field is not used.\",\n \"enum\": [\n 0,\n 60,\n 300,\n 600,\n 900,\n 1800,\n 3600,\n 7200,\n 10800,\n 21600,\n 43200,\n 86400\n ],\n \"format\": \"int32\",\n \"type\": \"integer\",\n \"x-enum-varnames\": [\n \"ZERO_MINUTES\",\n \"ONE_MINUTE\",\n \"FIVE_MINUTES\",\n \"TEN_MINUTES\",\n \"FIFTEEN_MINUTES\",\n \"THIRTY_MINUTES\",\n \"ONE_HOUR\",\n \"TWO_HOURS\",\n \"THREE_HOURS\",\n \"SIX_HOURS\",\n \"TWELVE_HOURS\",\n \"ONE_DAY\"\n ]\n },\n \"hardcodedEvaluatorType\": {\n \"description\": \"Hardcoded evaluator type.\",\n \"enum\": [\n \"log4shell\"\n ],\n \"type\": \"string\",\n \"x-enum-varnames\": [\n \"LOG4SHELL\"\n ]\n },\n \"impossibleTravelOptions\": {\n \"description\": \"Options on impossible travel detection method.\",\n \"properties\": {\n \"baselineUserLocations\": {\n \"description\": \"If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular\\naccess locations. 
This can be helpful to reduce noise and infer VPN usage or credentialed API access.\",\n \"example\": true,\n \"type\": \"boolean\"\n }\n },\n \"type\": \"object\"\n },\n \"keepAlive\": {\n \"description\": \"Once a signal is generated, the signal will remain \\\"open\\\" if a case is matched at least once within\\nthis keep alive window. For third party detection method, this field is not used.\",\n \"enum\": [\n 0,\n 60,\n 300,\n 600,\n 900,\n 1800,\n 3600,\n 7200,\n 10800,\n 21600,\n 43200,\n 86400\n ],\n \"format\": \"int32\",\n \"type\": \"integer\",\n \"x-enum-varnames\": [\n \"ZERO_MINUTES\",\n \"ONE_MINUTE\",\n \"FIVE_MINUTES\",\n \"TEN_MINUTES\",\n \"FIFTEEN_MINUTES\",\n \"THIRTY_MINUTES\",\n \"ONE_HOUR\",\n \"TWO_HOURS\",\n \"THREE_HOURS\",\n \"SIX_HOURS\",\n \"TWELVE_HOURS\",\n \"ONE_DAY\"\n ]\n },\n \"maxSignalDuration\": {\n \"description\": \"A signal will \\\"close\\\" regardless of the query being matched once the time exceeds the maximum duration.\\nThis time is calculated from the first seen timestamp.\",\n \"enum\": [\n 0,\n 60,\n 300,\n 600,\n 900,\n 1800,\n 3600,\n 7200,\n 10800,\n 21600,\n 43200,\n 86400\n ],\n \"format\": \"int32\",\n \"type\": \"integer\",\n \"x-enum-varnames\": [\n \"ZERO_MINUTES\",\n \"ONE_MINUTE\",\n \"FIVE_MINUTES\",\n \"TEN_MINUTES\",\n \"FIFTEEN_MINUTES\",\n \"THIRTY_MINUTES\",\n \"ONE_HOUR\",\n \"TWO_HOURS\",\n \"THREE_HOURS\",\n \"SIX_HOURS\",\n \"TWELVE_HOURS\",\n \"ONE_DAY\"\n ]\n },\n \"newValueOptions\": {\n \"description\": \"Options on new value detection method.\",\n \"properties\": {\n \"forgetAfter\": {\n \"description\": \"The duration in days after which a learned value is forgotten.\",\n \"enum\": [\n 1,\n 2,\n 7,\n 14,\n 21,\n 28\n ],\n \"format\": \"int32\",\n \"type\": \"integer\",\n \"x-enum-varnames\": [\n \"ONE_DAY\",\n \"TWO_DAYS\",\n \"ONE_WEEK\",\n \"TWO_WEEKS\",\n \"THREE_WEEKS\",\n \"FOUR_WEEKS\"\n ]\n },\n \"learningDuration\": {\n \"default\": 0,\n \"description\": \"The duration in days 
during which values are learned, and after which signals will be generated for values that\\nweren't learned. If set to 0, a signal will be generated for all new values after the first value is learned.\",\n \"enum\": [\n 0,\n 1,\n 7\n ],\n \"format\": \"int32\",\n \"type\": \"integer\",\n \"x-enum-varnames\": [\n \"ZERO_DAYS\",\n \"ONE_DAY\",\n \"SEVEN_DAYS\"\n ]\n },\n \"learningMethod\": {\n \"default\": \"duration\",\n \"description\": \"The learning method used to determine when signals should be generated for values that weren't learned.\",\n \"enum\": [\n \"duration\",\n \"threshold\"\n ],\n \"type\": \"string\",\n \"x-enum-varnames\": [\n \"DURATION\",\n \"THRESHOLD\"\n ]\n },\n \"learningThreshold\": {\n \"default\": 0,\n \"description\": \"A number of occurrences after which signals will be generated for values that weren't learned.\",\n \"enum\": [\n 0,\n 1\n ],\n \"format\": \"int32\",\n \"type\": \"integer\",\n \"x-enum-varnames\": [\n \"ZERO_OCCURRENCES\",\n \"ONE_OCCURRENCE\"\n ]\n }\n },\n \"type\": \"object\"\n },\n \"sequenceDetectionOptions\": {\n \"description\": \"Options on sequence detection method.\",\n \"properties\": {\n \"stepTransitions\": {\n \"description\": \"Transitions defining the allowed order of steps and their evaluation windows.\",\n \"items\": {\n \"description\": \"Transition from a parent step to a child step within a sequence detection rule.\",\n \"properties\": {\n \"child\": {\n \"description\": \"Name of the child step.\",\n \"type\": \"string\"\n },\n \"evaluationWindow\": {\n \"description\": \"A time window is specified to match when at least one of the cases matches true. This is a sliding window\\nand evaluates in real time. 
For third party detection method, this field is not used.\",\n \"enum\": [\n 0,\n 60,\n 300,\n 600,\n 900,\n 1800,\n 3600,\n 7200,\n 10800,\n 21600,\n 43200,\n 86400\n ],\n \"format\": \"int32\",\n \"type\": \"integer\",\n \"x-enum-varnames\": [\n \"ZERO_MINUTES\",\n \"ONE_MINUTE\",\n \"FIVE_MINUTES\",\n \"TEN_MINUTES\",\n \"FIFTEEN_MINUTES\",\n \"THIRTY_MINUTES\",\n \"ONE_HOUR\",\n \"TWO_HOURS\",\n \"THREE_HOURS\",\n \"SIX_HOURS\",\n \"TWELVE_HOURS\",\n \"ONE_DAY\"\n ]\n },\n \"parent\": {\n \"description\": \"Name of the parent step.\",\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"steps\": {\n \"description\": \"Steps that define the conditions to be matched in sequence.\",\n \"items\": {\n \"description\": \"Step definition for sequence detection containing the step name, condition, and evaluation window.\",\n \"properties\": {\n \"condition\": {\n \"description\": \"Condition referencing rule queries (e.g., `a > 0`).\",\n \"type\": \"string\"\n },\n \"evaluationWindow\": {\n \"description\": \"A time window is specified to match when at least one of the cases matches true. This is a sliding window\\nand evaluates in real time. 
For third party detection method, this field is not used.\",\n \"enum\": [\n 0,\n 60,\n 300,\n 600,\n 900,\n 1800,\n 3600,\n 7200,\n 10800,\n 21600,\n 43200,\n 86400\n ],\n \"format\": \"int32\",\n \"type\": \"integer\",\n \"x-enum-varnames\": [\n \"ZERO_MINUTES\",\n \"ONE_MINUTE\",\n \"FIVE_MINUTES\",\n \"TEN_MINUTES\",\n \"FIFTEEN_MINUTES\",\n \"THIRTY_MINUTES\",\n \"ONE_HOUR\",\n \"TWO_HOURS\",\n \"THREE_HOURS\",\n \"SIX_HOURS\",\n \"TWELVE_HOURS\",\n \"ONE_DAY\"\n ]\n },\n \"name\": {\n \"description\": \"Unique name identifying the step.\",\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n },\n \"thirdPartyRuleOptions\": {\n \"description\": \"Options on third party detection method.\",\n \"properties\": {\n \"defaultNotifications\": {\n \"description\": \"Notification targets for the logs that do not correspond to any of the cases.\",\n \"items\": {\n \"description\": \"Notification.\",\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"defaultStatus\": {\n \"description\": \"Severity of the Security Signal.\",\n \"enum\": [\n \"info\",\n \"low\",\n \"medium\",\n \"high\",\n \"critical\"\n ],\n \"example\": \"critical\",\n \"type\": \"string\",\n \"x-enum-varnames\": [\n \"INFO\",\n \"LOW\",\n \"MEDIUM\",\n \"HIGH\",\n \"CRITICAL\"\n ]\n },\n \"rootQueries\": {\n \"description\": \"Queries to be combined with third party case queries. 
Each of them can have different group by fields, to aggregate differently based on the type of alert.\",\n \"items\": {\n \"description\": \"A query to be combined with the third party case query.\",\n \"properties\": {\n \"groupByFields\": {\n \"description\": \"Fields to group by.\",\n \"items\": {\n \"description\": \"Field.\",\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"query\": {\n \"description\": \"Query to run on logs.\",\n \"example\": \"source:cloudtrail\",\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"signalTitleTemplate\": {\n \"description\": \"A template for the signal title; if omitted, the title is generated based on the case name.\",\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n }\n },\n \"type\": \"object\"\n },\n \"queries\": {\n \"description\": \"Queries for selecting logs which are part of the rule.\",\n \"example\": [],\n \"items\": {\n \"description\": \"Query for matching rule.\",\n \"properties\": {\n \"aggregation\": {\n \"description\": \"The aggregation type.\",\n \"enum\": [\n \"count\",\n \"cardinality\",\n \"sum\",\n \"max\",\n \"new_value\",\n \"geo_data\",\n \"event_count\",\n \"none\"\n ],\n \"type\": \"string\",\n \"x-enum-varnames\": [\n \"COUNT\",\n \"CARDINALITY\",\n \"SUM\",\n \"MAX\",\n \"NEW_VALUE\",\n \"GEO_DATA\",\n \"EVENT_COUNT\",\n \"NONE\"\n ]\n },\n \"customQueryExtension\": {\n \"description\": \"Query extension to append to the logs query.\",\n \"example\": \"a > 3\",\n \"type\": \"string\"\n },\n \"dataSource\": {\n \"default\": \"logs\",\n \"description\": \"Source of events, either logs, audit trail, or Datadog events.\",\n \"enum\": [\n \"logs\",\n \"audit\",\n \"app_sec_spans\",\n \"spans\",\n \"security_runtime\",\n \"network\",\n \"events\"\n ],\n \"example\": \"logs\",\n \"type\": \"string\",\n \"x-enum-varnames\": [\n \"LOGS\",\n \"AUDIT\",\n \"APP_SEC_SPANS\",\n \"SPANS\",\n \"SECURITY_RUNTIME\",\n \"NETWORK\",\n \"EVENTS\"\n ]\n },\n 
\"distinctFields\": {\n \"description\": \"Field for which the cardinality is measured. Sent as an array.\",\n \"items\": {\n \"description\": \"Field.\",\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"groupByFields\": {\n \"description\": \"Fields to group by.\",\n \"items\": {\n \"description\": \"Field.\",\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"hasOptionalGroupByFields\": {\n \"default\": false,\n \"description\": \"When false, events without a group-by value are ignored by the rule. When true, events with missing group-by fields are processed with `N/A`, replacing the missing values.\",\n \"example\": false,\n \"type\": \"boolean\"\n },\n \"index\": {\n \"description\": \"**This field is currently unstable and might be removed in a minor version upgrade.**\\nThe index to run the query on, if the `dataSource` is `logs`. Only used for scheduled rules - in other words, when the `schedulingOptions` field is present in the rule payload.\",\n \"type\": \"string\"\n },\n \"indexes\": {\n \"description\": \"List of indexes to query when the `dataSource` is `logs`. Only used for scheduled rules, such as when the `schedulingOptions` field is present in the rule payload.\",\n \"items\": {\n \"description\": \"Index.\",\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"metric\": {\n \"deprecated\": true,\n \"description\": \"(Deprecated) The target field to aggregate over when using the sum or max\\naggregations. `metrics` field should be used instead.\",\n \"type\": \"string\"\n },\n \"metrics\": {\n \"description\": \"Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. 
The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.\",\n \"items\": {\n \"description\": \"Field.\",\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"name\": {\n \"description\": \"Name of the query.\",\n \"type\": \"string\"\n },\n \"query\": {\n \"description\": \"Query to run on logs.\",\n \"example\": \"a > 3\",\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"referenceTables\": {\n \"description\": \"Reference tables for the rule.\",\n \"items\": {\n \"description\": \"Reference tables used in the queries.\",\n \"properties\": {\n \"checkPresence\": {\n \"description\": \"Whether to include or exclude the matched values.\",\n \"type\": \"boolean\"\n },\n \"columnName\": {\n \"description\": \"The name of the column in the reference table.\",\n \"type\": \"string\"\n },\n \"logFieldPath\": {\n \"description\": \"The field in the log to match against the reference table.\",\n \"type\": \"string\"\n },\n \"ruleQueryName\": {\n \"description\": \"The name of the query to apply the reference table to.\",\n \"type\": \"string\"\n },\n \"tableName\": {\n \"description\": \"The name of the reference table.\",\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"schedulingOptions\": {\n \"description\": \"Options for scheduled rules. When this field is present, the rule runs based on the schedule. When absent, it runs real-time on ingested logs.\",\n \"nullable\": true,\n \"properties\": {\n \"rrule\": {\n \"description\": \"Schedule for the rule queries, written in RRULE syntax. 
See [RFC](https://icalendar.org/iCalendar-RFC-5545/3-8-5-3-recurrence-rule.html) for syntax reference.\",\n \"example\": \"FREQ=HOURLY;INTERVAL=1;\",\n \"type\": \"string\"\n },\n \"start\": {\n \"description\": \"Start date for the schedule, in ISO 8601 format without timezone.\",\n \"example\": \"2025-07-14T12:00:00\",\n \"type\": \"string\"\n },\n \"timezone\": {\n \"description\": \"Time zone of the start date, in the [tz database](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones) format.\",\n \"example\": \"America/New_York\",\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"tags\": {\n \"description\": \"Tags for generated signals.\",\n \"example\": [\n \"env:prod\",\n \"team:security\"\n ],\n \"items\": {\n \"description\": \"Tag.\",\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"thirdPartyCases\": {\n \"description\": \"Cases for generating signals from third-party rules. Only available for third-party rules.\",\n \"example\": [],\n \"items\": {\n \"description\": \"Case when a signal is generated by a third party rule.\",\n \"properties\": {\n \"name\": {\n \"description\": \"Name of the case.\",\n \"type\": \"string\"\n },\n \"notifications\": {\n \"description\": \"Notification targets for each case.\",\n \"items\": {\n \"description\": \"Notification.\",\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"query\": {\n \"description\": \"A query to map a third party event to this case.\",\n \"type\": \"string\"\n },\n \"status\": {\n \"description\": \"Severity of the Security Signal.\",\n \"enum\": [\n \"info\",\n \"low\",\n \"medium\",\n \"high\",\n \"critical\"\n ],\n \"example\": \"critical\",\n \"type\": \"string\",\n \"x-enum-varnames\": [\n \"INFO\",\n \"LOW\",\n \"MEDIUM\",\n \"HIGH\",\n \"CRITICAL\"\n ]\n }\n },\n \"required\": [\n \"status\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"type\": {\n \"description\": \"The rule type.\",\n \"enum\": [\n \"log_detection\"\n ],\n 
\"type\": \"string\",\n \"x-enum-varnames\": [\n \"LOG_DETECTION\"\n ]\n }\n },\n \"required\": [\n \"name\",\n \"isEnabled\",\n \"queries\",\n \"options\",\n \"cases\",\n \"message\"\n ],\n \"type\": \"object\"\n }\n ]\n },\n \"ruleQueryPayloads\": {\n \"description\": \"Data payloads used to test rules query with the expected result.\",\n \"items\": {\n \"description\": \"Payload to test a rule query with the expected result.\",\n \"properties\": {\n \"expectedResult\": {\n \"description\": \"Expected result of the test.\",\n \"example\": true,\n \"type\": \"boolean\"\n },\n \"index\": {\n \"description\": \"Index of the query under test.\",\n \"example\": 0,\n \"format\": \"int64\",\n \"minimum\": 0,\n \"type\": \"integer\"\n },\n \"payload\": {\n \"additionalProperties\": {},\n \"description\": \"Payload used to test the rule query.\",\n \"properties\": {\n \"ddsource\": {\n \"description\": \"Source of the payload.\",\n \"example\": \"nginx\",\n \"type\": \"string\"\n },\n \"ddtags\": {\n \"description\": \"Tags associated with your data.\",\n \"example\": \"env:staging,version:5.1\",\n \"type\": \"string\"\n },\n \"hostname\": {\n \"description\": \"The name of the originating host of the log.\",\n \"example\": \"i-012345678\",\n \"type\": \"string\"\n },\n \"message\": {\n \"description\": \"The message of the payload.\",\n \"example\": \"2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World\",\n \"type\": \"string\"\n },\n \"service\": {\n \"description\": \"The name of the application or service generating the data.\",\n \"example\": \"payment\",\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n }\n }\n },\n \"required\": true\n}",
|
|
"use_request_body_schema_mode": true,
|
|
"validate_request_body_schema": true
|
|
}
|
|
}
|