DataDog · api-clients-generation-pipeline · Jul 17, 2025
@@ -1,4 +1,4 @@
 {
-  "spec_repo_commit": "2ffdc3f",
-  "generated": "2025-07-16 19:15:36.794"
+  "spec_repo_commit": "31a6042",
+  "generated": "2025-07-17 09:24:47.667"
 }
@@ -33903,9 +33903,22 @@ components:
           format: int64
           minimum: 0
           type: integer
+        flaggedIPType:
+          $ref: '#/components/schemas/SecurityMonitoringRuleCaseActionOptionsFlaggedIPType'
         userBehaviorName:
           $ref: '#/components/schemas/SecurityMonitoringRuleCaseActionOptionsUserBehaviorName'
       type: object
+    SecurityMonitoringRuleCaseActionOptionsFlaggedIPType:
+      description: Used with the case action of type 'flag_ip'. The value specified
+        in this field is applied as a flag to the IPs addresses.
+      enum:
+      - SUSPICIOUS
+      - FLAGGED
+      example: FLAGGED
+      type: string
+      x-enum-varnames:
+      - SUSPICIOUS
+      - FLAGGED
     SecurityMonitoringRuleCaseActionOptionsUserBehaviorName:
       description: Used with the case action of type 'user_behavior'. The value specified
         in this field is applied as a risk tag to all users affected by the rule.
@@ -33916,11 +33929,13 @@ components:
       - block_ip
       - block_user
       - user_behavior
+      - flag_ip
       type: string
       x-enum-varnames:
       - BLOCK_IP
       - BLOCK_USER
       - USER_BEHAVIOR
+      - FLAG_IP
     SecurityMonitoringRuleCaseCreate:
       description: Case when signal is generated.
       properties:

@@ -5,6 +5,7 @@
 import com.datadog.api.client.v2.api.SecurityMonitoringApi;
 import com.datadog.api.client.v2.model.SecurityMonitoringRuleCaseAction;
 import com.datadog.api.client.v2.model.SecurityMonitoringRuleCaseActionOptions;
+import com.datadog.api.client.v2.model.SecurityMonitoringRuleCaseActionOptionsFlaggedIPType;
 import com.datadog.api.client.v2.model.SecurityMonitoringRuleCaseActionType;
 import com.datadog.api.client.v2.model.SecurityMonitoringRuleCaseCreate;
 import com.datadog.api.client.v2.model.SecurityMonitoringRuleCreatePayload;
@@ -55,7 +56,14 @@ public static void main(String[] args) {
                                         .type(SecurityMonitoringRuleCaseActionType.USER_BEHAVIOR)
                                         .options(
                                             new SecurityMonitoringRuleCaseActionOptions()
-                                                .userBehaviorName("behavior"))))))
+                                                .userBehaviorName("behavior")),
+                                    new SecurityMonitoringRuleCaseAction()
+                                        .type(SecurityMonitoringRuleCaseActionType.FLAG_IP)
+                                        .options(
+                                            new SecurityMonitoringRuleCaseActionOptions()
+                                                .flaggedIpType(
+                                                    SecurityMonitoringRuleCaseActionOptionsFlaggedIPType
+                                                        .FLAGGED))))))
                 .options(
                     new SecurityMonitoringRuleOptions()
                         .keepAlive(SecurityMonitoringRuleKeepAlive.ONE_HOUR)

@@ -19,6 +19,7 @@
 /** Options for the rule action */
 @JsonPropertyOrder({
   SecurityMonitoringRuleCaseActionOptions.JSON_PROPERTY_DURATION,
+  SecurityMonitoringRuleCaseActionOptions.JSON_PROPERTY_FLAGGED_IP_TYPE,
   SecurityMonitoringRuleCaseActionOptions.JSON_PROPERTY_USER_BEHAVIOR_NAME
 })
 @jakarta.annotation.Generated(
@@ -28,6 +29,9 @@ public class SecurityMonitoringRuleCaseActionOptions {
   public static final String JSON_PROPERTY_DURATION = "duration";
   private Long duration;
 
+  public static final String JSON_PROPERTY_FLAGGED_IP_TYPE = "flaggedIPType";
+  private SecurityMonitoringRuleCaseActionOptionsFlaggedIPType flaggedIpType;
+
   public static final String JSON_PROPERTY_USER_BEHAVIOR_NAME = "userBehaviorName";
   private String userBehaviorName;
 
@@ -52,6 +56,33 @@ public void setDuration(Long duration) {
     this.duration = duration;
   }
 
+  public SecurityMonitoringRuleCaseActionOptions flaggedIpType(
+      SecurityMonitoringRuleCaseActionOptionsFlaggedIPType flaggedIpType) {
+    this.flaggedIpType = flaggedIpType;
+    this.unparsed |= !flaggedIpType.isValid();
+    return this;
+  }
+
+  /**
+   * Used with the case action of type 'flag_ip'. The value specified in this field is applied as a
+   * flag to the IPs addresses.
+   *
+   * @return flaggedIpType
+   */
+  @jakarta.annotation.Nullable
+  @JsonProperty(JSON_PROPERTY_FLAGGED_IP_TYPE)
+  @JsonInclude(value = JsonInclude.Include.USE_DEFAULTS)
+  public SecurityMonitoringRuleCaseActionOptionsFlaggedIPType getFlaggedIpType() {
+    return flaggedIpType;
+  }
+
+  public void setFlaggedIpType(SecurityMonitoringRuleCaseActionOptionsFlaggedIPType flaggedIpType) {
+    if (!flaggedIpType.isValid()) {
+      this.unparsed = true;
+    }
+    this.flaggedIpType = flaggedIpType;
+  }
+
   public SecurityMonitoringRuleCaseActionOptions userBehaviorName(String userBehaviorName) {
     this.userBehaviorName = userBehaviorName;
     return this;
@@ -132,6 +163,7 @@ public boolean equals(Object o) {
     SecurityMonitoringRuleCaseActionOptions securityMonitoringRuleCaseActionOptions =
         (SecurityMonitoringRuleCaseActionOptions) o;
     return Objects.equals(this.duration, securityMonitoringRuleCaseActionOptions.duration)
+        && Objects.equals(this.flaggedIpType, securityMonitoringRuleCaseActionOptions.flaggedIpType)
         && Objects.equals(
             this.userBehaviorName, securityMonitoringRuleCaseActionOptions.userBehaviorName)
         && Objects.equals(
@@ -141,14 +173,15 @@ public boolean equals(Object o) {
 
   @Override
   public int hashCode() {
-    return Objects.hash(duration, userBehaviorName, additionalProperties);
+    return Objects.hash(duration, flaggedIpType, userBehaviorName, additionalProperties);
   }
 
   @Override
   public String toString() {
     StringBuilder sb = new StringBuilder();
     sb.append("class SecurityMonitoringRuleCaseActionOptions {\n");
     sb.append("    duration: ").append(toIndentedString(duration)).append("\n");
+    sb.append("    flaggedIpType: ").append(toIndentedString(flaggedIpType)).append("\n");
     sb.append("    userBehaviorName: ").append(toIndentedString(userBehaviorName)).append("\n");
     sb.append("    additionalProperties: ")
         .append(toIndentedString(additionalProperties))

@@ -0,0 +1,68 @@
+/*
+ * Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License.
+ * This product includes software developed at Datadog (https://www.datadoghq.com/).
+ * Copyright 2019-Present Datadog, Inc.
+ */
+
+package com.datadog.api.client.v2.model;
+
+import com.datadog.api.client.ModelEnum;
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.core.JsonGenerator;
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.SerializerProvider;
+import com.fasterxml.jackson.databind.annotation.JsonSerialize;
+import com.fasterxml.jackson.databind.ser.std.StdSerializer;
+import java.io.IOException;
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.Set;
+
+/**
+ * Used with the case action of type 'flag_ip'. The value specified in this field is applied as a
+ * flag to the IPs addresses.
+ */
+@JsonSerialize(
+    using =
+        SecurityMonitoringRuleCaseActionOptionsFlaggedIPType
+            .SecurityMonitoringRuleCaseActionOptionsFlaggedIPTypeSerializer.class)
+public class SecurityMonitoringRuleCaseActionOptionsFlaggedIPType extends ModelEnum<String> {
+
+  private static final Set<String> allowedValues =
+      new HashSet<String>(Arrays.asList("SUSPICIOUS", "FLAGGED"));
+
+  public static final SecurityMonitoringRuleCaseActionOptionsFlaggedIPType SUSPICIOUS =
+      new SecurityMonitoringRuleCaseActionOptionsFlaggedIPType("SUSPICIOUS");
+  public static final SecurityMonitoringRuleCaseActionOptionsFlaggedIPType FLAGGED =
+      new SecurityMonitoringRuleCaseActionOptionsFlaggedIPType("FLAGGED");
+
+  SecurityMonitoringRuleCaseActionOptionsFlaggedIPType(String value) {
+    super(value, allowedValues);
+  }
+
+  public static class SecurityMonitoringRuleCaseActionOptionsFlaggedIPTypeSerializer
+      extends StdSerializer<SecurityMonitoringRuleCaseActionOptionsFlaggedIPType> {
+    public SecurityMonitoringRuleCaseActionOptionsFlaggedIPTypeSerializer(
+        Class<SecurityMonitoringRuleCaseActionOptionsFlaggedIPType> t) {
+      super(t);
+    }
+
+    public SecurityMonitoringRuleCaseActionOptionsFlaggedIPTypeSerializer() {
+      this(null);
+    }
+
+    @Override
+    public void serialize(
+        SecurityMonitoringRuleCaseActionOptionsFlaggedIPType value,
+        JsonGenerator jgen,
+        SerializerProvider provider)
+        throws IOException, JsonProcessingException {
+      jgen.writeObject(value.value);
+    }
+  }
+
+  @JsonCreator
+  public static SecurityMonitoringRuleCaseActionOptionsFlaggedIPType fromValue(String value) {
+    return new SecurityMonitoringRuleCaseActionOptionsFlaggedIPType(value);
+  }
+}
@@ -25,14 +25,16 @@
 public class SecurityMonitoringRuleCaseActionType extends ModelEnum<String> {
 
   private static final Set<String> allowedValues =
-      new HashSet<String>(Arrays.asList("block_ip", "block_user", "user_behavior"));
+      new HashSet<String>(Arrays.asList("block_ip", "block_user", "user_behavior", "flag_ip"));
 
   public static final SecurityMonitoringRuleCaseActionType BLOCK_IP =
       new SecurityMonitoringRuleCaseActionType("block_ip");
   public static final SecurityMonitoringRuleCaseActionType BLOCK_USER =
       new SecurityMonitoringRuleCaseActionType("block_user");
   public static final SecurityMonitoringRuleCaseActionType USER_BEHAVIOR =
       new SecurityMonitoringRuleCaseActionType("user_behavior");
+  public static final SecurityMonitoringRuleCaseActionType FLAG_IP =
+      new SecurityMonitoringRuleCaseActionType("flag_ip");
 
   SecurityMonitoringRuleCaseActionType(String value) {
     super(value, allowedValues);

@@ -225,7 +225,7 @@ Feature: Security Monitoring
   @skip-validation @team:DataDog/k9-cloud-security-platform
   Scenario: Create a detection rule with type 'application_security 'returns "OK" response
     Given new "CreateSecurityMonitoringRule" request
-    And body with value {"type":"application_security","name":"{{unique}}_appsec_rule","queries":[{"query":"@appsec.security_activity:business_logic.users.login.failure","aggregation":"count","groupByFields":["service","@http.client_ip"],"distinctFields":[]}],"filters":[],"cases":[{"name":"","status":"info","notifications":[],"condition":"a > 100000","actions":[{"type":"block_ip","options":{"duration":900}}, {"type":"user_behavior","options":{"userBehaviorName":"behavior"}}]}],"options":{"keepAlive":3600,"maxSignalDuration":86400,"evaluationWindow":900,"detectionMethod":"threshold"},"isEnabled":true,"message":"Test rule","tags":[],"groupSignalsBy":["service"]}
+    And body with value {"type":"application_security","name":"{{unique}}_appsec_rule","queries":[{"query":"@appsec.security_activity:business_logic.users.login.failure","aggregation":"count","groupByFields":["service","@http.client_ip"],"distinctFields":[]}],"filters":[],"cases":[{"name":"","status":"info","notifications":[],"condition":"a > 100000","actions":[{"type":"block_ip","options":{"duration":900}}, {"type":"user_behavior","options":{"userBehaviorName":"behavior"}},{"type":"flag_ip","options":{"flaggedIPType":"FLAGGED"}}]}],"options":{"keepAlive":3600,"maxSignalDuration":86400,"evaluationWindow":900,"detectionMethod":"threshold"},"isEnabled":true,"message":"Test rule","tags":[],"groupSignalsBy":["service"]}
     When the request is sent
     Then the response status is 200 OK
     And the response "name" is equal to "{{ unique }}_appsec_rule"