DataDog · api-clients-generation-pipeline · Jul 17, 2025
@@ -1,4 +1,4 @@
 {
-  "spec_repo_commit": "2ffdc3f",
-  "generated": "2025-07-16 19:19:08.488"
+  "spec_repo_commit": "31a6042",
+  "generated": "2025-07-17 09:28:01.179"
 }
@@ -33903,9 +33903,22 @@ components:
           format: int64
           minimum: 0
           type: integer
+        flaggedIPType:
+          $ref: '#/components/schemas/SecurityMonitoringRuleCaseActionOptionsFlaggedIPType'
         userBehaviorName:
           $ref: '#/components/schemas/SecurityMonitoringRuleCaseActionOptionsUserBehaviorName'
       type: object
+    SecurityMonitoringRuleCaseActionOptionsFlaggedIPType:
+      description: Used with the case action of type 'flag_ip'. The value specified
+        in this field is applied as a flag to the IPs addresses.
+      enum:
+      - SUSPICIOUS
+      - FLAGGED
+      example: FLAGGED
+      type: string
+      x-enum-varnames:
+      - SUSPICIOUS
+      - FLAGGED
     SecurityMonitoringRuleCaseActionOptionsUserBehaviorName:
       description: Used with the case action of type 'user_behavior'. The value specified
         in this field is applied as a risk tag to all users affected by the rule.
@@ -33916,11 +33929,13 @@ components:
       - block_ip
       - block_user
       - user_behavior
+      - flag_ip
       type: string
       x-enum-varnames:
       - BLOCK_IP
       - BLOCK_USER
       - USER_BEHAVIOR
+      - FLAG_IP
     SecurityMonitoringRuleCaseCreate:
       description: Case when signal is generated.
       properties:

@@ -3,6 +3,7 @@ use datadog_api_client::datadog;
 use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
 use datadog_api_client::datadogV2::model::SecurityMonitoringRuleCaseAction;
 use datadog_api_client::datadogV2::model::SecurityMonitoringRuleCaseActionOptions;
+use datadog_api_client::datadogV2::model::SecurityMonitoringRuleCaseActionOptionsFlaggedIPType;
 use datadog_api_client::datadogV2::model::SecurityMonitoringRuleCaseActionType;
 use datadog_api_client::datadogV2::model::SecurityMonitoringRuleCaseCreate;
 use datadog_api_client::datadogV2::model::SecurityMonitoringRuleCreatePayload;
@@ -25,18 +26,23 @@ async fn main() {
                 vec![
                     SecurityMonitoringRuleCaseCreate::new(SecurityMonitoringRuleSeverity::INFO)
                         .actions(vec![
-                            SecurityMonitoringRuleCaseAction::new()
-                                .options(
-                                    SecurityMonitoringRuleCaseActionOptions::new().duration(900),
-                                )
-                                .type_(SecurityMonitoringRuleCaseActionType::BLOCK_IP),
-                            SecurityMonitoringRuleCaseAction::new()
-                                .options(
-                                    SecurityMonitoringRuleCaseActionOptions::new()
-                                        .user_behavior_name("behavior".to_string()),
-                                )
-                                .type_(SecurityMonitoringRuleCaseActionType::USER_BEHAVIOR),
-                        ])
+                        SecurityMonitoringRuleCaseAction::new()
+                            .options(SecurityMonitoringRuleCaseActionOptions::new().duration(900))
+                            .type_(SecurityMonitoringRuleCaseActionType::BLOCK_IP),
+                        SecurityMonitoringRuleCaseAction::new()
+                            .options(
+                                SecurityMonitoringRuleCaseActionOptions::new()
+                                    .user_behavior_name("behavior".to_string()),
+                            )
+                            .type_(SecurityMonitoringRuleCaseActionType::USER_BEHAVIOR),
+                        SecurityMonitoringRuleCaseAction::new()
+                            .options(
+                                SecurityMonitoringRuleCaseActionOptions::new().flagged_ip_type(
+                                    SecurityMonitoringRuleCaseActionOptionsFlaggedIPType::FLAGGED,
+                                ),
+                            )
+                            .type_(SecurityMonitoringRuleCaseActionType::FLAG_IP),
+                    ])
                         .condition("a > 100000".to_string())
                         .name("".to_string())
                         .notifications(vec![]),

@@ -4228,6 +4228,8 @@ pub mod model_security_monitoring_rule_case_action;
 pub use self::model_security_monitoring_rule_case_action::SecurityMonitoringRuleCaseAction;
 pub mod model_security_monitoring_rule_case_action_options;
 pub use self::model_security_monitoring_rule_case_action_options::SecurityMonitoringRuleCaseActionOptions;
+pub mod model_security_monitoring_rule_case_action_options_flagged_ip_type;
+pub use self::model_security_monitoring_rule_case_action_options_flagged_ip_type::SecurityMonitoringRuleCaseActionOptionsFlaggedIPType;
 pub mod model_security_monitoring_rule_case_action_type;
 pub use self::model_security_monitoring_rule_case_action_type::SecurityMonitoringRuleCaseActionType;
 pub mod model_security_monitoring_rule_severity;

@@ -14,6 +14,10 @@ pub struct SecurityMonitoringRuleCaseActionOptions {
     /// Duration of the action in seconds. 0 indicates no expiration.
     #[serde(rename = "duration")]
     pub duration: Option<i64>,
+    /// Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IPs addresses.
+    #[serde(rename = "flaggedIPType")]
+    pub flagged_ip_type:
+        Option<crate::datadogV2::model::SecurityMonitoringRuleCaseActionOptionsFlaggedIPType>,
     /// Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.
     #[serde(rename = "userBehaviorName")]
     pub user_behavior_name: Option<String>,
@@ -28,6 +32,7 @@ impl SecurityMonitoringRuleCaseActionOptions {
     pub fn new() -> SecurityMonitoringRuleCaseActionOptions {
         SecurityMonitoringRuleCaseActionOptions {
             duration: None,
+            flagged_ip_type: None,
             user_behavior_name: None,
             additional_properties: std::collections::BTreeMap::new(),
             _unparsed: false,
@@ -39,6 +44,14 @@ impl SecurityMonitoringRuleCaseActionOptions {
         self
     }
 
+    pub fn flagged_ip_type(
+        mut self,
+        value: crate::datadogV2::model::SecurityMonitoringRuleCaseActionOptionsFlaggedIPType,
+    ) -> Self {
+        self.flagged_ip_type = Some(value);
+        self
+    }
+
     pub fn user_behavior_name(mut self, value: String) -> Self {
         self.user_behavior_name = Some(value);
         self
@@ -77,6 +90,9 @@ impl<'de> Deserialize<'de> for SecurityMonitoringRuleCaseActionOptions {
                 M: MapAccess<'a>,
             {
                 let mut duration: Option<i64> = None;
+                let mut flagged_ip_type: Option<
+                    crate::datadogV2::model::SecurityMonitoringRuleCaseActionOptionsFlaggedIPType,
+                > = None;
                 let mut user_behavior_name: Option<String> = None;
                 let mut additional_properties: std::collections::BTreeMap<
                     String,
@@ -92,6 +108,21 @@ impl<'de> Deserialize<'de> for SecurityMonitoringRuleCaseActionOptions {
                             }
                             duration = Some(serde_json::from_value(v).map_err(M::Error::custom)?);
                         }
+                        "flaggedIPType" => {
+                            if v.is_null() {
+                                continue;
+                            }
+                            flagged_ip_type =
+                                Some(serde_json::from_value(v).map_err(M::Error::custom)?);
+                            if let Some(ref _flagged_ip_type) = flagged_ip_type {
+                                match _flagged_ip_type {
+                                    crate::datadogV2::model::SecurityMonitoringRuleCaseActionOptionsFlaggedIPType::UnparsedObject(_flagged_ip_type) => {
+                                        _unparsed = true;
+                                    },
+                                    _ => {}
+                                }
+                            }
+                        }
                         "userBehaviorName" => {
                             if v.is_null() {
                                 continue;
@@ -109,6 +140,7 @@ impl<'de> Deserialize<'de> for SecurityMonitoringRuleCaseActionOptions {
 
                 let content = SecurityMonitoringRuleCaseActionOptions {
                     duration,
+                    flagged_ip_type,
                     user_behavior_name,
                     additional_properties,
                     _unparsed,

@@ -0,0 +1,51 @@
+// Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2019-Present Datadog, Inc.
+
+use serde::{Deserialize, Deserializer, Serialize, Serializer};
+
+#[non_exhaustive]
+#[derive(Clone, Debug, Eq, PartialEq)]
+pub enum SecurityMonitoringRuleCaseActionOptionsFlaggedIPType {
+    SUSPICIOUS,
+    FLAGGED,
+    UnparsedObject(crate::datadog::UnparsedObject),
+}
+
+impl ToString for SecurityMonitoringRuleCaseActionOptionsFlaggedIPType {
+    fn to_string(&self) -> String {
+        match self {
+            Self::SUSPICIOUS => String::from("SUSPICIOUS"),
+            Self::FLAGGED => String::from("FLAGGED"),
+            Self::UnparsedObject(v) => v.value.to_string(),
+        }
+    }
+}
+
+impl Serialize for SecurityMonitoringRuleCaseActionOptionsFlaggedIPType {
+    fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error>
+    where
+        S: Serializer,
+    {
+        match self {
+            Self::UnparsedObject(v) => v.serialize(serializer),
+            _ => serializer.serialize_str(self.to_string().as_str()),
+        }
+    }
+}
+
+impl<'de> Deserialize<'de> for SecurityMonitoringRuleCaseActionOptionsFlaggedIPType {
+    fn deserialize<D>(deserializer: D) -> Result<Self, D::Error>
+    where
+        D: Deserializer<'de>,
+    {
+        let s: String = String::deserialize(deserializer)?;
+        Ok(match s.as_str() {
+            "SUSPICIOUS" => Self::SUSPICIOUS,
+            "FLAGGED" => Self::FLAGGED,
+            _ => Self::UnparsedObject(crate::datadog::UnparsedObject {
+                value: serde_json::Value::String(s.into()),
+            }),
+        })
+    }
+}
@@ -10,6 +10,7 @@ pub enum SecurityMonitoringRuleCaseActionType {
     BLOCK_IP,
     BLOCK_USER,
     USER_BEHAVIOR,
+    FLAG_IP,
     UnparsedObject(crate::datadog::UnparsedObject),
 }
 
@@ -19,6 +20,7 @@ impl ToString for SecurityMonitoringRuleCaseActionType {
             Self::BLOCK_IP => String::from("block_ip"),
             Self::BLOCK_USER => String::from("block_user"),
             Self::USER_BEHAVIOR => String::from("user_behavior"),
+            Self::FLAG_IP => String::from("flag_ip"),
             Self::UnparsedObject(v) => v.value.to_string(),
         }
     }
@@ -46,6 +48,7 @@ impl<'de> Deserialize<'de> for SecurityMonitoringRuleCaseActionType {
             "block_ip" => Self::BLOCK_IP,
             "block_user" => Self::BLOCK_USER,
             "user_behavior" => Self::USER_BEHAVIOR,
+            "flag_ip" => Self::FLAG_IP,
             _ => Self::UnparsedObject(crate::datadog::UnparsedObject {
                 value: serde_json::Value::String(s.into()),
             }),

@@ -225,7 +225,7 @@ Feature: Security Monitoring
   @skip-validation @team:DataDog/k9-cloud-security-platform
   Scenario: Create a detection rule with type 'application_security 'returns "OK" response
     Given new "CreateSecurityMonitoringRule" request
-    And body with value {"type":"application_security","name":"{{unique}}_appsec_rule","queries":[{"query":"@appsec.security_activity:business_logic.users.login.failure","aggregation":"count","groupByFields":["service","@http.client_ip"],"distinctFields":[]}],"filters":[],"cases":[{"name":"","status":"info","notifications":[],"condition":"a > 100000","actions":[{"type":"block_ip","options":{"duration":900}}, {"type":"user_behavior","options":{"userBehaviorName":"behavior"}}]}],"options":{"keepAlive":3600,"maxSignalDuration":86400,"evaluationWindow":900,"detectionMethod":"threshold"},"isEnabled":true,"message":"Test rule","tags":[],"groupSignalsBy":["service"]}
+    And body with value {"type":"application_security","name":"{{unique}}_appsec_rule","queries":[{"query":"@appsec.security_activity:business_logic.users.login.failure","aggregation":"count","groupByFields":["service","@http.client_ip"],"distinctFields":[]}],"filters":[],"cases":[{"name":"","status":"info","notifications":[],"condition":"a > 100000","actions":[{"type":"block_ip","options":{"duration":900}}, {"type":"user_behavior","options":{"userBehaviorName":"behavior"}},{"type":"flag_ip","options":{"flaggedIPType":"FLAGGED"}}]}],"options":{"keepAlive":3600,"maxSignalDuration":86400,"evaluationWindow":900,"detectionMethod":"threshold"},"isEnabled":true,"message":"Test rule","tags":[],"groupSignalsBy":["service"]}
     When the request is sent
     Then the response status is 200 OK
     And the response "name" is equal to "{{ unique }}_appsec_rule"