Add actions and groupSignalsBy field in detection rules API (#2704)

Co-authored-by: ci.datadog-api-spec <packages@datadoghq.com>

Author: api-clients-generation-pipeline[bot]

.apigentools-info

@@ -4,13 +4,13 @@
     "spec_versions": {
         "v1": {
             "apigentools_version": "1.6.6",
-            "regenerated": "2025-02-10 19:09:34.449930",
-            "spec_repo_commit": "824f78a1"
+            "regenerated": "2025-02-11 09:59:45.428513",
+            "spec_repo_commit": "b980d49f"
         },
         "v2": {
             "apigentools_version": "1.6.6",
-            "regenerated": "2025-02-10 19:09:34.468088",
-            "spec_repo_commit": "824f78a1"
+            "regenerated": "2025-02-11 09:59:45.443328",
+            "spec_repo_commit": "b980d49f"
         }
     }
 }

.generator/schemas/v2/openapi.yaml

@@ -15657,6 +15657,15 @@ components:
           example: 1729843470000
           format: int64
           type: integer
+        groupSignalsBy:
+          description: Additional grouping to perform on top of the existing groups
+            in the query section. Must be a subset of the existing groups.
+          example:
+          - service
+          items:
+            description: Field to group by.
+            type: string
+          type: array
         index:
           description: Index used to load the data.
           example: cloud_siem
@@ -24242,6 +24251,11 @@ components:
     SecurityMonitoringRuleCase:
       description: Case when signal is generated.
       properties:
+        actions:
+          description: Action to perform for each rule case.
+          items:
+            $ref: '#/components/schemas/SecurityMonitoringRuleCaseAction'
+          type: array
         condition:
           description: 'A rule case contains logical operations (`>`,`>=`, `&&`, `||`)
             to determine if a signal should be generated
@@ -24260,9 +24274,42 @@ components:
         status:
           $ref: '#/components/schemas/SecurityMonitoringRuleSeverity'
       type: object
+    SecurityMonitoringRuleCaseAction:
+      description: Action to perform when a signal is triggered. Only available for
+        Application Security rule type.
+      properties:
+        options:
+          $ref: '#/components/schemas/SecurityMonitoringRuleCaseActionOptions'
+        type:
+          $ref: '#/components/schemas/SecurityMonitoringRuleCaseActionType'
+      type: object
+    SecurityMonitoringRuleCaseActionOptions:
+      description: Options for the rule action
+      properties:
+        duration:
+          description: Duration of the action in seconds. 0 indicates no expiration.
+          example: 0
+          format: int64
+          minimum: 0
+          type: integer
+      type: object
+    SecurityMonitoringRuleCaseActionType:
+      description: The action type.
+      enum:
+      - block_ip
+      - block_user
+      type: string
+      x-enum-varnames:
+      - BLOCK_IP
+      - BLOCK_USER
     SecurityMonitoringRuleCaseCreate:
       description: Case when signal is generated.
       properties:
+        actions:
+          description: Action to perform for each rule case.
+          items:
+            $ref: '#/components/schemas/SecurityMonitoringRuleCaseAction'
+          type: array
         condition:
           description: 'A case contains logical operations (`>`,`>=`, `&&`, `||`)
             to determine if a signal should be generated
@@ -24724,6 +24771,15 @@ components:
           items:
             $ref: '#/components/schemas/SecurityMonitoringFilter'
           type: array
+        groupSignalsBy:
+          description: Additional grouping to perform on top of the existing groups
+            in the query section. Must be a subset of the existing groups.
+          example:
+          - service
+          items:
+            description: Field to group by.
+            type: string
+          type: array
         hasExtendedTitle:
           description: Whether the notifications include the triggering group-by values
             in their title.
@@ -25429,6 +25485,15 @@ components:
           items:
             $ref: '#/components/schemas/SecurityMonitoringFilter'
           type: array
+        groupSignalsBy:
+          description: Additional grouping to perform on top of the existing groups
+            in the query section. Must be a subset of the existing groups.
+          example:
+          - service
+          items:
+            description: Field to group by.
+            type: string
+          type: array
         hasExtendedTitle:
           description: Whether the notifications include the triggering group-by values
             in their title.
@@ -25501,6 +25566,15 @@ components:
           items:
             $ref: '#/components/schemas/SecurityMonitoringFilter'
           type: array
+        groupSignalsBy:
+          description: Additional grouping to perform on top of the existing groups
+            in the query section. Must be a subset of the existing groups.
+          example:
+          - service
+          items:
+            description: Field to group by.
+            type: string
+          type: array
         hasExtendedTitle:
           description: Whether the notifications include the triggering group-by values
             in their title.
@@ -25642,6 +25716,15 @@ components:
           items:
             $ref: '#/components/schemas/SecurityMonitoringFilter'
           type: array
+        groupSignalsBy:
+          description: Additional grouping to perform on top of the existing groups
+            in the query section. Must be a subset of the existing groups.
+          example:
+          - service
+          items:
+            description: Field to group by.
+            type: string
+          type: array
         hasExtendedTitle:
           description: Whether the notifications include the triggering group-by values
             in their title.
@@ -25719,6 +25802,15 @@ components:
           items:
             $ref: '#/components/schemas/SecurityMonitoringFilter'
           type: array
+        groupSignalsBy:
+          description: Additional grouping to perform on top of the existing groups
+            in the query section. Must be a subset of the existing groups.
+          example:
+          - service
+          items:
+            description: Field to group by.
+            type: string
+          type: array
         hasExtendedTitle:
           description: Whether the notifications include the triggering group-by values
             in their title.

examples/v2/security-monitoring/CreateSecurityMonitoringRule_1965169892.java

@@ -0,0 +1,76 @@
+// Create a detection rule with type 'application_security 'returns "OK" response
+
+import com.datadog.api.client.ApiClient;
+import com.datadog.api.client.ApiException;
+import com.datadog.api.client.v2.api.SecurityMonitoringApi;
+import com.datadog.api.client.v2.model.SecurityMonitoringRuleCaseAction;
+import com.datadog.api.client.v2.model.SecurityMonitoringRuleCaseActionOptions;
+import com.datadog.api.client.v2.model.SecurityMonitoringRuleCaseActionType;
+import com.datadog.api.client.v2.model.SecurityMonitoringRuleCaseCreate;
+import com.datadog.api.client.v2.model.SecurityMonitoringRuleCreatePayload;
+import com.datadog.api.client.v2.model.SecurityMonitoringRuleDetectionMethod;
+import com.datadog.api.client.v2.model.SecurityMonitoringRuleEvaluationWindow;
+import com.datadog.api.client.v2.model.SecurityMonitoringRuleKeepAlive;
+import com.datadog.api.client.v2.model.SecurityMonitoringRuleMaxSignalDuration;
+import com.datadog.api.client.v2.model.SecurityMonitoringRuleOptions;
+import com.datadog.api.client.v2.model.SecurityMonitoringRuleQueryAggregation;
+import com.datadog.api.client.v2.model.SecurityMonitoringRuleResponse;
+import com.datadog.api.client.v2.model.SecurityMonitoringRuleSeverity;
+import com.datadog.api.client.v2.model.SecurityMonitoringRuleTypeCreate;
+import com.datadog.api.client.v2.model.SecurityMonitoringStandardRuleCreatePayload;
+import com.datadog.api.client.v2.model.SecurityMonitoringStandardRuleQuery;
+import java.util.Arrays;
+import java.util.Collections;
+
+public class Example {
+  public static void main(String[] args) {
+    ApiClient defaultClient = ApiClient.getDefaultApiClient();
+    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);
+
+    SecurityMonitoringRuleCreatePayload body =
+        new SecurityMonitoringRuleCreatePayload(
+            new SecurityMonitoringStandardRuleCreatePayload()
+                .type(SecurityMonitoringRuleTypeCreate.APPLICATION_SECURITY)
+                .name("Example-Security-Monitoring_appsec_rule")
+                .queries(
+                    Collections.singletonList(
+                        new SecurityMonitoringStandardRuleQuery()
+                            .query("@appsec.security_activity:business_logic.users.login.failure")
+                            .aggregation(SecurityMonitoringRuleQueryAggregation.COUNT)
+                            .groupByFields(Arrays.asList("service", "@http.client_ip"))))
+                .cases(
+                    Collections.singletonList(
+                        new SecurityMonitoringRuleCaseCreate()
+                            .name("")
+                            .status(SecurityMonitoringRuleSeverity.INFO)
+                            .condition("a > 100000")
+                            .actions(
+                                Collections.singletonList(
+                                    new SecurityMonitoringRuleCaseAction()
+                                        .type(SecurityMonitoringRuleCaseActionType.BLOCK_IP)
+                                        .options(
+                                            new SecurityMonitoringRuleCaseActionOptions()
+                                                .duration(900L))))))
+                .options(
+                    new SecurityMonitoringRuleOptions()
+                        .keepAlive(SecurityMonitoringRuleKeepAlive.ONE_HOUR)
+                        .maxSignalDuration(SecurityMonitoringRuleMaxSignalDuration.ONE_DAY)
+                        .evaluationWindow(SecurityMonitoringRuleEvaluationWindow.FIFTEEN_MINUTES)
+                        .detectionMethod(SecurityMonitoringRuleDetectionMethod.THRESHOLD))
+                .isEnabled(true)
+                .message("Test rule")
+                .groupSignalsBy(Collections.singletonList("service")));
+
+    try {
+      SecurityMonitoringRuleResponse result = apiInstance.createSecurityMonitoringRule(body);
+      System.out.println(result);
+    } catch (ApiException e) {
+      System.err.println(
+          "Exception when calling SecurityMonitoringApi#createSecurityMonitoringRule");
+      System.err.println("Status code: " + e.getCode());
+      System.err.println("Reason: " + e.getResponseBody());
+      System.err.println("Response headers: " + e.getResponseHeaders());
+      e.printStackTrace();
+    }
+  }
+}

src/main/java/com/datadog/api/client/v2/model/JobDefinition.java

@@ -24,6 +24,7 @@
   JobDefinition.JSON_PROPERTY_CALCULATED_FIELDS,
   JobDefinition.JSON_PROPERTY_CASES,
   JobDefinition.JSON_PROPERTY_FROM,
+  JobDefinition.JSON_PROPERTY_GROUP_SIGNALS_BY,
   JobDefinition.JSON_PROPERTY_INDEX,
   JobDefinition.JSON_PROPERTY_MESSAGE,
   JobDefinition.JSON_PROPERTY_NAME,
@@ -48,6 +49,9 @@ public class JobDefinition {
   public static final String JSON_PROPERTY_FROM = "from";
   private Long from;
 
+  public static final String JSON_PROPERTY_GROUP_SIGNALS_BY = "groupSignalsBy";
+  private List<String> groupSignalsBy = null;
+
   public static final String JSON_PROPERTY_INDEX = "index";
   private String index;
 
@@ -182,6 +186,36 @@ public void setFrom(Long from) {
     this.from = from;
   }
 
+  public JobDefinition groupSignalsBy(List<String> groupSignalsBy) {
+    this.groupSignalsBy = groupSignalsBy;
+    return this;
+  }
+
+  public JobDefinition addGroupSignalsByItem(String groupSignalsByItem) {
+    if (this.groupSignalsBy == null) {
+      this.groupSignalsBy = new ArrayList<>();
+    }
+    this.groupSignalsBy.add(groupSignalsByItem);
+    return this;
+  }
+
+  /**
+   * Additional grouping to perform on top of the existing groups in the query section. Must be a
+   * subset of the existing groups.
+   *
+   * @return groupSignalsBy
+   */
+  @jakarta.annotation.Nullable
+  @JsonProperty(JSON_PROPERTY_GROUP_SIGNALS_BY)
+  @JsonInclude(value = JsonInclude.Include.USE_DEFAULTS)
+  public List<String> getGroupSignalsBy() {
+    return groupSignalsBy;
+  }
+
+  public void setGroupSignalsBy(List<String> groupSignalsBy) {
+    this.groupSignalsBy = groupSignalsBy;
+  }
+
   public JobDefinition index(String index) {
     this.index = index;
     return this;
@@ -492,6 +526,7 @@ public boolean equals(Object o) {
     return Objects.equals(this.calculatedFields, jobDefinition.calculatedFields)
         && Objects.equals(this.cases, jobDefinition.cases)
         && Objects.equals(this.from, jobDefinition.from)
+        && Objects.equals(this.groupSignalsBy, jobDefinition.groupSignalsBy)
         && Objects.equals(this.index, jobDefinition.index)
         && Objects.equals(this.message, jobDefinition.message)
         && Objects.equals(this.name, jobDefinition.name)
@@ -511,6 +546,7 @@ public int hashCode() {
         calculatedFields,
         cases,
         from,
+        groupSignalsBy,
         index,
         message,
         name,
@@ -531,6 +567,7 @@ public String toString() {
     sb.append("    calculatedFields: ").append(toIndentedString(calculatedFields)).append("\n");
     sb.append("    cases: ").append(toIndentedString(cases)).append("\n");
     sb.append("    from: ").append(toIndentedString(from)).append("\n");
+    sb.append("    groupSignalsBy: ").append(toIndentedString(groupSignalsBy)).append("\n");
     sb.append("    index: ").append(toIndentedString(index)).append("\n");
     sb.append("    message: ").append(toIndentedString(message)).append("\n");
     sb.append("    name: ").append(toIndentedString(name)).append("\n");