
New flag_ip case action #3013

4 changes: 2 additions & 2 deletions .generated-info
@@ -1,4 +1,4 @@
{
"spec_repo_commit": "2ffdc3f",
"generated": "2025-07-16 19:15:36.794"
"spec_repo_commit": "31a6042",
"generated": "2025-07-17 09:24:47.667"
}
15 changes: 15 additions & 0 deletions .generator/schemas/v2/openapi.yaml
Expand Up @@ -33903,9 +33903,22 @@ components:
format: int64
minimum: 0
type: integer
flaggedIPType:
$ref: '#/components/schemas/SecurityMonitoringRuleCaseActionOptionsFlaggedIPType'
userBehaviorName:
$ref: '#/components/schemas/SecurityMonitoringRuleCaseActionOptionsUserBehaviorName'
type: object
SecurityMonitoringRuleCaseActionOptionsFlaggedIPType:
description: Used with the case action of type 'flag_ip'. The value specified
in this field is applied as a flag to the IPs addresses.
enum:
- SUSPICIOUS
- FLAGGED
example: FLAGGED
type: string
x-enum-varnames:
- SUSPICIOUS
- FLAGGED
SecurityMonitoringRuleCaseActionOptionsUserBehaviorName:
description: Used with the case action of type 'user_behavior'. The value specified
in this field is applied as a risk tag to all users affected by the rule.
Expand All @@ -33916,11 +33929,13 @@ components:
- block_ip
- block_user
- user_behavior
- flag_ip
type: string
x-enum-varnames:
- BLOCK_IP
- BLOCK_USER
- USER_BEHAVIOR
- FLAG_IP
SecurityMonitoringRuleCaseCreate:
description: Case when signal is generated.
properties:
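Review bot: The new `SecurityMonitoringRuleCaseActionOptionsFlaggedIPType` description in the first hunk says what the field is for but not what `SUSPICIOUS` and `FLAGGED` each mean or which downstream behaviour each one triggers, so an API consumer writing a detection rule has no basis for choosing between them; it also carries the typo "the IPs addresses". I would reword it to `The value specified in this field is applied as a flag to the IP addresses matched by the rule.` and add one sentence per enum value stating the operational difference, which cannot be inferred from the spec alone. As far as the hunk shows, the `SecurityMonitoringRuleCaseActionOptions` schema also never says that `flaggedIPType` is expected when the action `type` is `flag_ip` (nor that `duration` belongs to `block_ip` and `userBehaviorName` to `user_behavior`), so a `flag_ip` action with an empty options object passes client-side validation; a `required`/`oneOf` constraint keyed on the action type, or at least a note in the description, would make that contract explicit.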
Expand Up @@ -5,6 +5,7 @@
import com.datadog.api.client.v2.api.SecurityMonitoringApi;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCaseAction;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCaseActionOptions;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCaseActionOptionsFlaggedIPType;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCaseActionType;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCaseCreate;
import com.datadog.api.client.v2.model.SecurityMonitoringRuleCreatePayload;
Expand Down Expand Up @@ -55,7 +56,14 @@ public static void main(String[] args) {
.type(SecurityMonitoringRuleCaseActionType.USER_BEHAVIOR)
.options(
new SecurityMonitoringRuleCaseActionOptions()
.userBehaviorName("behavior"))))))
.userBehaviorName("behavior")),
new SecurityMonitoringRuleCaseAction()
.type(SecurityMonitoringRuleCaseActionType.FLAG_IP)
.options(
new SecurityMonitoringRuleCaseActionOptions()
.flaggedIpType(
SecurityMonitoringRuleCaseActionOptionsFlaggedIPType
.FLAGGED))))))
.options(
new SecurityMonitoringRuleOptions()
.keepAlive(SecurityMonitoringRuleKeepAlive.ONE_HOUR)
Expand Up @@ -19,6 +19,7 @@
/** Options for the rule action */
@JsonPropertyOrder({
SecurityMonitoringRuleCaseActionOptions.JSON_PROPERTY_DURATION,
SecurityMonitoringRuleCaseActionOptions.JSON_PROPERTY_FLAGGED_IP_TYPE,
SecurityMonitoringRuleCaseActionOptions.JSON_PROPERTY_USER_BEHAVIOR_NAME
})
@jakarta.annotation.Generated(
Expand All @@ -28,6 +29,9 @@ public class SecurityMonitoringRuleCaseActionOptions {
public static final String JSON_PROPERTY_DURATION = "duration";
private Long duration;

public static final String JSON_PROPERTY_FLAGGED_IP_TYPE = "flaggedIPType";
private SecurityMonitoringRuleCaseActionOptionsFlaggedIPType flaggedIpType;

public static final String JSON_PROPERTY_USER_BEHAVIOR_NAME = "userBehaviorName";
private String userBehaviorName;

Expand All @@ -52,6 +56,33 @@ public void setDuration(Long duration) {
this.duration = duration;
}

public SecurityMonitoringRuleCaseActionOptions flaggedIpType(
SecurityMonitoringRuleCaseActionOptionsFlaggedIPType flaggedIpType) {
this.flaggedIpType = flaggedIpType;
this.unparsed |= !flaggedIpType.isValid();
return this;
}

/**
* Used with the case action of type 'flag_ip'. The value specified in this field is applied as a
* flag to the IPs addresses.
*
* @return flaggedIpType
*/
@jakarta.annotation.Nullable
@JsonProperty(JSON_PROPERTY_FLAGGED_IP_TYPE)
@JsonInclude(value = JsonInclude.Include.USE_DEFAULTS)
public SecurityMonitoringRuleCaseActionOptionsFlaggedIPType getFlaggedIpType() {
return flaggedIpType;
}

public void setFlaggedIpType(SecurityMonitoringRuleCaseActionOptionsFlaggedIPType flaggedIpType) {
if (!flaggedIpType.isValid()) {
this.unparsed = true;
}
this.flaggedIpType = flaggedIpType;
}

public SecurityMonitoringRuleCaseActionOptions userBehaviorName(String userBehaviorName) {
this.userBehaviorName = userBehaviorName;
return this;
Expand Down Expand Up @@ -132,6 +163,7 @@ public boolean equals(Object o) {
SecurityMonitoringRuleCaseActionOptions securityMonitoringRuleCaseActionOptions =
(SecurityMonitoringRuleCaseActionOptions) o;
return Objects.equals(this.duration, securityMonitoringRuleCaseActionOptions.duration)
&& Objects.equals(this.flaggedIpType, securityMonitoringRuleCaseActionOptions.flaggedIpType)
&& Objects.equals(
this.userBehaviorName, securityMonitoringRuleCaseActionOptions.userBehaviorName)
&& Objects.equals(
Expand All @@ -141,14 +173,15 @@ public boolean equals(Object o) {

@Override
public int hashCode() {
return Objects.hash(duration, userBehaviorName, additionalProperties);
return Objects.hash(duration, flaggedIpType, userBehaviorName, additionalProperties);
}

@Override
public String toString() {
StringBuilder sb = new StringBuilder();
sb.append("class SecurityMonitoringRuleCaseActionOptions {\n");
sb.append(" duration: ").append(toIndentedString(duration)).append("\n");
sb.append(" flaggedIpType: ").append(toIndentedString(flaggedIpType)).append("\n");
sb.append(" userBehaviorName: ").append(toIndentedString(userBehaviorName)).append("\n");
sb.append(" additionalProperties: ")
.append(toIndentedString(additionalProperties))
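Review bot: Both the fluent `flaggedIpType(...)` setter and `setFlaggedIpType(...)` in the third hunk call `flaggedIpType.isValid()` without a null guard, while the getter is annotated `@jakarta.annotation.Nullable`, so clearing the option with `null` (for instance when switching an action from `flag_ip` to another type) throws a NullPointerException instead of unsetting the field. The guard is one line in each method: `this.unparsed |= flaggedIpType != null && !flaggedIpType.isValid();` and `if (flaggedIpType != null && !flaggedIpType.isValid()) {`. This appears to mirror how the generator emits every enum-typed property in this client, so the fix presumably belongs in the template rather than in this generated file. The Javadoc on the getter also inherits the spec typo "the IPs addresses"; `the IP addresses matched by the rule` reads correctly.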
@@ -0,0 +1,68 @@
/*
* Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License.
* This product includes software developed at Datadog (https://www.datadoghq.com/).
* Copyright 2019-Present Datadog, Inc.
*/

package com.datadog.api.client.v2.model;

import com.datadog.api.client.ModelEnum;
import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.core.JsonGenerator;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.SerializerProvider;
import com.fasterxml.jackson.databind.annotation.JsonSerialize;
import com.fasterxml.jackson.databind.ser.std.StdSerializer;
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/**
* Used with the case action of type 'flag_ip'. The value specified in this field is applied as a
* flag to the IPs addresses.
*/
@JsonSerialize(
using =
SecurityMonitoringRuleCaseActionOptionsFlaggedIPType
.SecurityMonitoringRuleCaseActionOptionsFlaggedIPTypeSerializer.class)
public class SecurityMonitoringRuleCaseActionOptionsFlaggedIPType extends ModelEnum<String> {

private static final Set<String> allowedValues =
new HashSet<String>(Arrays.asList("SUSPICIOUS", "FLAGGED"));

public static final SecurityMonitoringRuleCaseActionOptionsFlaggedIPType SUSPICIOUS =
new SecurityMonitoringRuleCaseActionOptionsFlaggedIPType("SUSPICIOUS");
public static final SecurityMonitoringRuleCaseActionOptionsFlaggedIPType FLAGGED =
new SecurityMonitoringRuleCaseActionOptionsFlaggedIPType("FLAGGED");

SecurityMonitoringRuleCaseActionOptionsFlaggedIPType(String value) {
super(value, allowedValues);
}

public static class SecurityMonitoringRuleCaseActionOptionsFlaggedIPTypeSerializer
extends StdSerializer<SecurityMonitoringRuleCaseActionOptionsFlaggedIPType> {
public SecurityMonitoringRuleCaseActionOptionsFlaggedIPTypeSerializer(
Class<SecurityMonitoringRuleCaseActionOptionsFlaggedIPType> t) {
super(t);
}

public SecurityMonitoringRuleCaseActionOptionsFlaggedIPTypeSerializer() {
this(null);
}

@Override
public void serialize(
SecurityMonitoringRuleCaseActionOptionsFlaggedIPType value,
JsonGenerator jgen,
SerializerProvider provider)
throws IOException, JsonProcessingException {
jgen.writeObject(value.value);
}
}

@JsonCreator
public static SecurityMonitoringRuleCaseActionOptionsFlaggedIPType fromValue(String value) {
return new SecurityMonitoringRuleCaseActionOptionsFlaggedIPType(value);
}
}
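Review bot: The class Javadoc only repeats the spec sentence (typo included) and the two constants `SUSPICIOUS` and `FLAGGED` carry no comment, so nothing in this new type tells a caller what effect each flag has on an IP once the rule fires. I would replace the class comment with `Flag applied to the IP addresses matched by a 'flag_ip' case action.` and put a one-line Javadoc on each constant describing its operational meaning, which has to come from the product documentation rather than from this PR. `fromValue` is the `@JsonCreator` and builds an instance for any string; assuming `ModelEnum` behaves as the `isValid()` checks elsewhere in this PR suggest, an unknown wire value is kept and merely reported as invalid rather than rejected, which is worth stating on that method (`/** Accepts any wire value; unknown values are retained and surface through isValid() rather than failing deserialization. */`) so callers do not rely on it for validation. As a style nit, `throws IOException, JsonProcessingException` on `serialize` is redundant, since the latter already extends the former.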
Expand Up @@ -25,14 +25,16 @@
public class SecurityMonitoringRuleCaseActionType extends ModelEnum<String> {

private static final Set<String> allowedValues =
new HashSet<String>(Arrays.asList("block_ip", "block_user", "user_behavior"));
new HashSet<String>(Arrays.asList("block_ip", "block_user", "user_behavior", "flag_ip"));

public static final SecurityMonitoringRuleCaseActionType BLOCK_IP =
new SecurityMonitoringRuleCaseActionType("block_ip");
public static final SecurityMonitoringRuleCaseActionType BLOCK_USER =
new SecurityMonitoringRuleCaseActionType("block_user");
public static final SecurityMonitoringRuleCaseActionType USER_BEHAVIOR =
new SecurityMonitoringRuleCaseActionType("user_behavior");
public static final SecurityMonitoringRuleCaseActionType FLAG_IP =
new SecurityMonitoringRuleCaseActionType("flag_ip");

SecurityMonitoringRuleCaseActionType(String value) {
super(value, allowedValues);
Expand Up @@ -225,7 +225,7 @@ Feature: Security Monitoring
@skip-validation @team:DataDog/k9-cloud-security-platform
Scenario: Create a detection rule with type 'application_security 'returns "OK" response
Given new "CreateSecurityMonitoringRule" request
And body with value {"type":"application_security","name":"{{unique}}_appsec_rule","queries":[{"query":"@appsec.security_activity:business_logic.users.login.failure","aggregation":"count","groupByFields":["service","@http.client_ip"],"distinctFields":[]}],"filters":[],"cases":[{"name":"","status":"info","notifications":[],"condition":"a > 100000","actions":[{"type":"block_ip","options":{"duration":900}}, {"type":"user_behavior","options":{"userBehaviorName":"behavior"}}]}],"options":{"keepAlive":3600,"maxSignalDuration":86400,"evaluationWindow":900,"detectionMethod":"threshold"},"isEnabled":true,"message":"Test rule","tags":[],"groupSignalsBy":["service"]}
And body with value {"type":"application_security","name":"{{unique}}_appsec_rule","queries":[{"query":"@appsec.security_activity:business_logic.users.login.failure","aggregation":"count","groupByFields":["service","@http.client_ip"],"distinctFields":[]}],"filters":[],"cases":[{"name":"","status":"info","notifications":[],"condition":"a > 100000","actions":[{"type":"block_ip","options":{"duration":900}}, {"type":"user_behavior","options":{"userBehaviorName":"behavior"}},{"type":"flag_ip","options":{"flaggedIPType":"FLAGGED"}}]}],"options":{"keepAlive":3600,"maxSignalDuration":86400,"evaluationWindow":900,"detectionMethod":"threshold"},"isEnabled":true,"message":"Test rule","tags":[],"groupSignalsBy":["service"]}
When the request is sent
Then the response status is 200 OK
And the response "name" is equal to "{{ unique }}_appsec_rule"
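Review bot: The scenario now sends a third `flag_ip` action with `"flaggedIPType":"FLAGGED"`, but the only assertion that follows checks the rule `name`, so a backend that silently dropped the new action or ignored the option would still pass this test. Assuming the create response echoes the cases back, as the existing `name` check implies, I would add `And the response "cases[0].actions[2].type" is equal to "flag_ip"` and `And the response "cases[0].actions[2].options.flaggedIPType" is equal to "FLAGGED"`. The scenario continues past the end of this hunk, so further steps may already exist below; if they do not, these two lines are the minimum that makes the new action observable. The `@skip-validation` tag on this scenario also means the request body is not checked against the updated OpenAPI schema, which is worth keeping in mind when reading the 200 OK as evidence the spec change is correct.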