diff --git a/.generator/schemas/v2/openapi.yaml b/.generator/schemas/v2/openapi.yaml index a954de475f6..b4944c9eb4e 100644 --- a/.generator/schemas/v2/openapi.yaml +++ b/.generator/schemas/v2/openapi.yaml @@ -47320,6 +47320,86 @@ components: description: The name of the reference table. type: string type: object + SecurityMonitoringRuleAnomalyDetectionOptions: + additionalProperties: {} + description: Options on anomaly detection method. + properties: + bucketDuration: + $ref: '#/components/schemas/SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration' + detectionTolerance: + $ref: '#/components/schemas/SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance' + learningDuration: + $ref: '#/components/schemas/SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration' + learningPeriodBaseline: + description: An optional override baseline to apply while the rule is in + the learning period. Must be greater than or equal to 0. + format: int64 + minimum: 0 + type: integer + type: object + SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration: + description: 'Duration in seconds of the time buckets used to aggregate events + matched by the rule. + + Must be greater than or equal to 300.' + enum: + - 300 + - 600 + - 900 + - 1800 + - 3600 + - 10800 + example: 300 + format: int32 + type: integer + x-enum-varnames: + - FIVE_MINUTES + - TEN_MINUTES + - FIFTEEN_MINUTES + - THIRTY_MINUTES + - ONE_HOUR + - THREE_HOURS + SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance: + description: 'An optional parameter that sets how permissive anomaly detection + is. + + Higher values require higher deviations before triggering a signal.' + enum: + - 1 + - 2 + - 3 + - 4 + - 5 + example: 5 + format: int32 + type: integer + x-enum-varnames: + - ONE + - TWO + - THREE + - FOUR + - FIVE + SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration: + description: Learning duration in hours. Anomaly detection waits for at least + this amount of historical data before it starts evaluating. + enum: + - 1 + - 6 + - 12 + - 24 + - 48 + - 168 + - 336 + format: int32 + type: integer + x-enum-varnames: + - ONE_HOUR + - SIX_HOURS + - TWELVE_HOURS + - ONE_DAY + - TWO_DAYS + - ONE_WEEK + - TWO_WEEKS SecurityMonitoringRuleCase: description: Case when signal is generated. properties: @@ -47685,6 +47765,8 @@ components: SecurityMonitoringRuleOptions: description: Options. properties: + anomalyDetectionOptions: + $ref: '#/components/schemas/SecurityMonitoringRuleAnomalyDetectionOptions' complianceRuleOptions: $ref: '#/components/schemas/CloudConfigurationComplianceRuleOptions' decreaseCriticalityBasedOnEnv: @@ -55124,6 +55206,8 @@ components: ThreatHuntingJobOptions: description: Job options. properties: + anomalyDetectionOptions: + $ref: '#/components/schemas/SecurityMonitoringRuleAnomalyDetectionOptions' detectionMethod: $ref: '#/components/schemas/SecurityMonitoringRuleDetectionMethod' evaluationWindow: diff --git a/examples/v2/security-monitoring/CreateSecurityMonitoringRule_2323193894.java b/examples/v2/security-monitoring/CreateSecurityMonitoringRule_2323193894.java new file mode 100644 index 00000000000..32613eb523b --- /dev/null +++ b/examples/v2/security-monitoring/CreateSecurityMonitoringRule_2323193894.java @@ -0,0 +1,85 @@ +// Create a detection rule with detection method 'anomaly_detection' returns "OK" response + +import com.datadog.api.client.ApiClient; +import com.datadog.api.client.ApiException; +import com.datadog.api.client.v2.api.SecurityMonitoringApi; +import com.datadog.api.client.v2.model.SecurityMonitoringRuleAnomalyDetectionOptions; +import com.datadog.api.client.v2.model.SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration; +import com.datadog.api.client.v2.model.SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance; +import com.datadog.api.client.v2.model.SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration; +import com.datadog.api.client.v2.model.SecurityMonitoringRuleCaseCreate; +import com.datadog.api.client.v2.model.SecurityMonitoringRuleCreatePayload; +import com.datadog.api.client.v2.model.SecurityMonitoringRuleDetectionMethod; +import com.datadog.api.client.v2.model.SecurityMonitoringRuleEvaluationWindow; +import com.datadog.api.client.v2.model.SecurityMonitoringRuleKeepAlive; +import com.datadog.api.client.v2.model.SecurityMonitoringRuleMaxSignalDuration; +import com.datadog.api.client.v2.model.SecurityMonitoringRuleOptions; +import com.datadog.api.client.v2.model.SecurityMonitoringRuleQueryAggregation; +import com.datadog.api.client.v2.model.SecurityMonitoringRuleResponse; +import com.datadog.api.client.v2.model.SecurityMonitoringRuleSeverity; +import com.datadog.api.client.v2.model.SecurityMonitoringRuleTypeCreate; +import com.datadog.api.client.v2.model.SecurityMonitoringStandardDataSource; +import com.datadog.api.client.v2.model.SecurityMonitoringStandardRuleCreatePayload; +import com.datadog.api.client.v2.model.SecurityMonitoringStandardRuleQuery; +import java.util.Arrays; +import java.util.Collections; + +public class Example { + public static void main(String[] args) { + ApiClient defaultClient = ApiClient.getDefaultApiClient(); + SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient); + + SecurityMonitoringRuleCreatePayload body = + new SecurityMonitoringRuleCreatePayload( + new SecurityMonitoringStandardRuleCreatePayload() + .name("Example-Security-Monitoring") + .type(SecurityMonitoringRuleTypeCreate.LOG_DETECTION) + .isEnabled(true) + .queries( + Collections.singletonList( + new SecurityMonitoringStandardRuleQuery() + .aggregation(SecurityMonitoringRuleQueryAggregation.COUNT) + .dataSource(SecurityMonitoringStandardDataSource.LOGS) + .groupByFields(Arrays.asList("@usr.email", "@network.client.ip")) + .hasOptionalGroupByFields(false) + .name("") + .query("service:app status:error"))) + .cases( + Collections.singletonList( + new SecurityMonitoringRuleCaseCreate() + .name("") + .status(SecurityMonitoringRuleSeverity.INFO) + .condition("a > 0.995"))) + .message("An anomaly detection rule") + .options( + new SecurityMonitoringRuleOptions() + .detectionMethod(SecurityMonitoringRuleDetectionMethod.ANOMALY_DETECTION) + .evaluationWindow(SecurityMonitoringRuleEvaluationWindow.FIFTEEN_MINUTES) + .keepAlive(SecurityMonitoringRuleKeepAlive.ONE_HOUR) + .maxSignalDuration(SecurityMonitoringRuleMaxSignalDuration.ONE_DAY) + .anomalyDetectionOptions( + new SecurityMonitoringRuleAnomalyDetectionOptions() + .bucketDuration( + SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration + .FIVE_MINUTES) + .learningDuration( + SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration + .ONE_DAY) + .detectionTolerance( + SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance + .THREE) + .learningPeriodBaseline(10L)))); + + try { + SecurityMonitoringRuleResponse result = apiInstance.createSecurityMonitoringRule(body); + System.out.println(result); + } catch (ApiException e) { + System.err.println( + "Exception when calling SecurityMonitoringApi#createSecurityMonitoringRule"); + System.err.println("Status code: " + e.getCode()); + System.err.println("Reason: " + e.getResponseBody()); + System.err.println("Response headers: " + e.getResponseHeaders()); + e.printStackTrace(); + } + } +} diff --git a/src/main/java/com/datadog/api/client/v2/model/SecurityMonitoringRuleAnomalyDetectionOptions.java b/src/main/java/com/datadog/api/client/v2/model/SecurityMonitoringRuleAnomalyDetectionOptions.java new file mode 100644 index 00000000000..61e54ac7a78 --- /dev/null +++ b/src/main/java/com/datadog/api/client/v2/model/SecurityMonitoringRuleAnomalyDetectionOptions.java @@ -0,0 +1,258 @@ +/* + * Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. + * This product includes software developed at Datadog (https://www.datadoghq.com/). + * Copyright 2019-Present Datadog, Inc. + */ + +package com.datadog.api.client.v2.model; + +import com.fasterxml.jackson.annotation.JsonAnyGetter; +import com.fasterxml.jackson.annotation.JsonAnySetter; +import com.fasterxml.jackson.annotation.JsonIgnore; +import com.fasterxml.jackson.annotation.JsonInclude; +import com.fasterxml.jackson.annotation.JsonProperty; +import com.fasterxml.jackson.annotation.JsonPropertyOrder; +import java.util.HashMap; +import java.util.Map; +import java.util.Objects; + +/** Options on anomaly detection method. */ +@JsonPropertyOrder({ + SecurityMonitoringRuleAnomalyDetectionOptions.JSON_PROPERTY_BUCKET_DURATION, + SecurityMonitoringRuleAnomalyDetectionOptions.JSON_PROPERTY_DETECTION_TOLERANCE, + SecurityMonitoringRuleAnomalyDetectionOptions.JSON_PROPERTY_LEARNING_DURATION, + SecurityMonitoringRuleAnomalyDetectionOptions.JSON_PROPERTY_LEARNING_PERIOD_BASELINE +}) +@jakarta.annotation.Generated( + value = "https://github.com/DataDog/datadog-api-client-java/blob/master/.generator") +public class SecurityMonitoringRuleAnomalyDetectionOptions { + @JsonIgnore public boolean unparsed = false; + public static final String JSON_PROPERTY_BUCKET_DURATION = "bucketDuration"; + private SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration bucketDuration; + + public static final String JSON_PROPERTY_DETECTION_TOLERANCE = "detectionTolerance"; + private SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance detectionTolerance; + + public static final String JSON_PROPERTY_LEARNING_DURATION = "learningDuration"; + private SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration learningDuration; + + public static final String JSON_PROPERTY_LEARNING_PERIOD_BASELINE = "learningPeriodBaseline"; + private Long learningPeriodBaseline; + + public SecurityMonitoringRuleAnomalyDetectionOptions bucketDuration( + SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration bucketDuration) { + this.bucketDuration = bucketDuration; + this.unparsed |= !bucketDuration.isValid(); + return this; + } + + /** + * Duration in seconds of the time buckets used to aggregate events matched by the rule. Must be + * greater than or equal to 300. + * + * @return bucketDuration + */ + @jakarta.annotation.Nullable + @JsonProperty(JSON_PROPERTY_BUCKET_DURATION) + @JsonInclude(value = JsonInclude.Include.USE_DEFAULTS) + public SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration getBucketDuration() { + return bucketDuration; + } + + public void setBucketDuration( + SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration bucketDuration) { + if (!bucketDuration.isValid()) { + this.unparsed = true; + } + this.bucketDuration = bucketDuration; + } + + public SecurityMonitoringRuleAnomalyDetectionOptions detectionTolerance( + SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance detectionTolerance) { + this.detectionTolerance = detectionTolerance; + this.unparsed |= !detectionTolerance.isValid(); + return this; + } + + /** + * An optional parameter that sets how permissive anomaly detection is. Higher values require + * higher deviations before triggering a signal. + * + * @return detectionTolerance + */ + @jakarta.annotation.Nullable + @JsonProperty(JSON_PROPERTY_DETECTION_TOLERANCE) + @JsonInclude(value = JsonInclude.Include.USE_DEFAULTS) + public SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance getDetectionTolerance() { + return detectionTolerance; + } + + public void setDetectionTolerance( + SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance detectionTolerance) { + if (!detectionTolerance.isValid()) { + this.unparsed = true; + } + this.detectionTolerance = detectionTolerance; + } + + public SecurityMonitoringRuleAnomalyDetectionOptions learningDuration( + SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration learningDuration) { + this.learningDuration = learningDuration; + this.unparsed |= !learningDuration.isValid(); + return this; + } + + /** + * Learning duration in hours. Anomaly detection waits for at least this amount of historical data + * before it starts evaluating. + * + * @return learningDuration + */ + @jakarta.annotation.Nullable + @JsonProperty(JSON_PROPERTY_LEARNING_DURATION) + @JsonInclude(value = JsonInclude.Include.USE_DEFAULTS) + public SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration getLearningDuration() { + return learningDuration; + } + + public void setLearningDuration( + SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration learningDuration) { + if (!learningDuration.isValid()) { + this.unparsed = true; + } + this.learningDuration = learningDuration; + } + + public SecurityMonitoringRuleAnomalyDetectionOptions learningPeriodBaseline( + Long learningPeriodBaseline) { + this.learningPeriodBaseline = learningPeriodBaseline; + return this; + } + + /** + * An optional override baseline to apply while the rule is in the learning period. Must be + * greater than or equal to 0. minimum: 0 + * + * @return learningPeriodBaseline + */ + @jakarta.annotation.Nullable + @JsonProperty(JSON_PROPERTY_LEARNING_PERIOD_BASELINE) + @JsonInclude(value = JsonInclude.Include.USE_DEFAULTS) + public Long getLearningPeriodBaseline() { + return learningPeriodBaseline; + } + + public void setLearningPeriodBaseline(Long learningPeriodBaseline) { + this.learningPeriodBaseline = learningPeriodBaseline; + } + + /** + * A container for additional, undeclared properties. This is a holder for any undeclared + * properties as specified with the 'additionalProperties' keyword in the OAS document. + */ + private Map additionalProperties; + + /** + * Set the additional (undeclared) property with the specified name and value. If the property + * does not already exist, create it otherwise replace it. + * + * @param key The arbitrary key to set + * @param value The associated value + * @return SecurityMonitoringRuleAnomalyDetectionOptions + */ + @JsonAnySetter + public SecurityMonitoringRuleAnomalyDetectionOptions putAdditionalProperty( + String key, Object value) { + if (this.additionalProperties == null) { + this.additionalProperties = new HashMap(); + } + this.additionalProperties.put(key, value); + return this; + } + + /** + * Return the additional (undeclared) property. + * + * @return The additional properties + */ + @JsonAnyGetter + public Map getAdditionalProperties() { + return additionalProperties; + } + + /** + * Return the additional (undeclared) property with the specified name. + * + * @param key The arbitrary key to get + * @return The specific additional property for the given key + */ + public Object getAdditionalProperty(String key) { + if (this.additionalProperties == null) { + return null; + } + return this.additionalProperties.get(key); + } + + /** Return true if this SecurityMonitoringRuleAnomalyDetectionOptions object is equal to o. */ + @Override + public boolean equals(Object o) { + if (this == o) { + return true; + } + if (o == null || getClass() != o.getClass()) { + return false; + } + SecurityMonitoringRuleAnomalyDetectionOptions securityMonitoringRuleAnomalyDetectionOptions = + (SecurityMonitoringRuleAnomalyDetectionOptions) o; + return Objects.equals( + this.bucketDuration, securityMonitoringRuleAnomalyDetectionOptions.bucketDuration) + && Objects.equals( + this.detectionTolerance, + securityMonitoringRuleAnomalyDetectionOptions.detectionTolerance) + && Objects.equals( + this.learningDuration, securityMonitoringRuleAnomalyDetectionOptions.learningDuration) + && Objects.equals( + this.learningPeriodBaseline, + securityMonitoringRuleAnomalyDetectionOptions.learningPeriodBaseline) + && Objects.equals( + this.additionalProperties, + securityMonitoringRuleAnomalyDetectionOptions.additionalProperties); + } + + @Override + public int hashCode() { + return Objects.hash( + bucketDuration, + detectionTolerance, + learningDuration, + learningPeriodBaseline, + additionalProperties); + } + + @Override + public String toString() { + StringBuilder sb = new StringBuilder(); + sb.append("class SecurityMonitoringRuleAnomalyDetectionOptions {\n"); + sb.append(" bucketDuration: ").append(toIndentedString(bucketDuration)).append("\n"); + sb.append(" detectionTolerance: ").append(toIndentedString(detectionTolerance)).append("\n"); + sb.append(" learningDuration: ").append(toIndentedString(learningDuration)).append("\n"); + sb.append(" learningPeriodBaseline: ") + .append(toIndentedString(learningPeriodBaseline)) + .append("\n"); + sb.append(" additionalProperties: ") + .append(toIndentedString(additionalProperties)) + .append("\n"); + sb.append('}'); + return sb.toString(); + } + + /** + * Convert the given object to string with each line indented by 4 spaces (except the first line). + */ + private String toIndentedString(Object o) { + if (o == null) { + return "null"; + } + return o.toString().replace("\n", "\n "); + } +} diff --git a/src/main/java/com/datadog/api/client/v2/model/SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration.java b/src/main/java/com/datadog/api/client/v2/model/SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration.java new file mode 100644 index 00000000000..21fc22b242a --- /dev/null +++ b/src/main/java/com/datadog/api/client/v2/model/SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration.java @@ -0,0 +1,78 @@ +/* + * Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. + * This product includes software developed at Datadog (https://www.datadoghq.com/). + * Copyright 2019-Present Datadog, Inc. + */ + +package com.datadog.api.client.v2.model; + +import com.datadog.api.client.ModelEnum; +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.core.JsonGenerator; +import com.fasterxml.jackson.core.JsonProcessingException; +import com.fasterxml.jackson.databind.SerializerProvider; +import com.fasterxml.jackson.databind.annotation.JsonSerialize; +import com.fasterxml.jackson.databind.ser.std.StdSerializer; +import java.io.IOException; +import java.util.Arrays; +import java.util.HashSet; +import java.util.Set; + +/** + * Duration in seconds of the time buckets used to aggregate events matched by the rule. Must be + * greater than or equal to 300. + */ +@JsonSerialize( + using = + SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration + .SecurityMonitoringRuleAnomalyDetectionOptionsBucketDurationSerializer.class) +public class SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration + extends ModelEnum { + + private static final Set allowedValues = + new HashSet(Arrays.asList(300, 600, 900, 1800, 3600, 10800)); + + public static final SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration FIVE_MINUTES = + new SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration(300); + public static final SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration TEN_MINUTES = + new SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration(600); + public static final SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration FIFTEEN_MINUTES = + new SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration(900); + public static final SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration THIRTY_MINUTES = + new SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration(1800); + public static final SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration ONE_HOUR = + new SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration(3600); + public static final SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration THREE_HOURS = + new SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration(10800); + + SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration(Integer value) { + super(value, allowedValues); + } + + public static class SecurityMonitoringRuleAnomalyDetectionOptionsBucketDurationSerializer + extends StdSerializer { + public SecurityMonitoringRuleAnomalyDetectionOptionsBucketDurationSerializer( + Class t) { + super(t); + } + + public SecurityMonitoringRuleAnomalyDetectionOptionsBucketDurationSerializer() { + this(null); + } + + @Override + public void serialize( + SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration value, + JsonGenerator jgen, + SerializerProvider provider) + throws IOException, JsonProcessingException { + jgen.writeObject(value.value); + } + } + + @JsonCreator + public static SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration fromValue( + Integer value) { + return new SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration(value); + } +} diff --git a/src/main/java/com/datadog/api/client/v2/model/SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance.java b/src/main/java/com/datadog/api/client/v2/model/SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance.java new file mode 100644 index 00000000000..042d9e38371 --- /dev/null +++ b/src/main/java/com/datadog/api/client/v2/model/SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance.java @@ -0,0 +1,76 @@ +/* + * Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. + * This product includes software developed at Datadog (https://www.datadoghq.com/). + * Copyright 2019-Present Datadog, Inc. + */ + +package com.datadog.api.client.v2.model; + +import com.datadog.api.client.ModelEnum; +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.core.JsonGenerator; +import com.fasterxml.jackson.core.JsonProcessingException; +import com.fasterxml.jackson.databind.SerializerProvider; +import com.fasterxml.jackson.databind.annotation.JsonSerialize; +import com.fasterxml.jackson.databind.ser.std.StdSerializer; +import java.io.IOException; +import java.util.Arrays; +import java.util.HashSet; +import java.util.Set; + +/** + * An optional parameter that sets how permissive anomaly detection is. Higher values require higher + * deviations before triggering a signal. + */ +@JsonSerialize( + using = + SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance + .SecurityMonitoringRuleAnomalyDetectionOptionsDetectionToleranceSerializer.class) +public class SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance + extends ModelEnum { + + private static final Set allowedValues = + new HashSet(Arrays.asList(1, 2, 3, 4, 5)); + + public static final SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance ONE = + new SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance(1); + public static final SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance TWO = + new SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance(2); + public static final SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance THREE = + new SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance(3); + public static final SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance FOUR = + new SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance(4); + public static final SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance FIVE = + new SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance(5); + + SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance(Integer value) { + super(value, allowedValues); + } + + public static class SecurityMonitoringRuleAnomalyDetectionOptionsDetectionToleranceSerializer + extends StdSerializer { + public SecurityMonitoringRuleAnomalyDetectionOptionsDetectionToleranceSerializer( + Class t) { + super(t); + } + + public SecurityMonitoringRuleAnomalyDetectionOptionsDetectionToleranceSerializer() { + this(null); + } + + @Override + public void serialize( + SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance value, + JsonGenerator jgen, + SerializerProvider provider) + throws IOException, JsonProcessingException { + jgen.writeObject(value.value); + } + } + + @JsonCreator + public static SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance fromValue( + Integer value) { + return new SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance(value); + } +} diff --git a/src/main/java/com/datadog/api/client/v2/model/SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration.java b/src/main/java/com/datadog/api/client/v2/model/SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration.java new file mode 100644 index 00000000000..287323a39c8 --- /dev/null +++ b/src/main/java/com/datadog/api/client/v2/model/SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration.java @@ -0,0 +1,80 @@ +/* + * Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. + * This product includes software developed at Datadog (https://www.datadoghq.com/). + * Copyright 2019-Present Datadog, Inc. + */ + +package com.datadog.api.client.v2.model; + +import com.datadog.api.client.ModelEnum; +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.core.JsonGenerator; +import com.fasterxml.jackson.core.JsonProcessingException; +import com.fasterxml.jackson.databind.SerializerProvider; +import com.fasterxml.jackson.databind.annotation.JsonSerialize; +import com.fasterxml.jackson.databind.ser.std.StdSerializer; +import java.io.IOException; +import java.util.Arrays; +import java.util.HashSet; +import java.util.Set; + +/** + * Learning duration in hours. Anomaly detection waits for at least this amount of historical data + * before it starts evaluating. + */ +@JsonSerialize( + using = + SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration + .SecurityMonitoringRuleAnomalyDetectionOptionsLearningDurationSerializer.class) +public class SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration + extends ModelEnum { + + private static final Set allowedValues = + new HashSet(Arrays.asList(1, 6, 12, 24, 48, 168, 336)); + + public static final SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration ONE_HOUR = + new SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration(1); + public static final SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration SIX_HOURS = + new SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration(6); + public static final SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration TWELVE_HOURS = + new SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration(12); + public static final SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration ONE_DAY = + new SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration(24); + public static final SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration TWO_DAYS = + new SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration(48); + public static final SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration ONE_WEEK = + new SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration(168); + public static final SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration TWO_WEEKS = + new SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration(336); + + SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration(Integer value) { + super(value, allowedValues); + } + + public static class SecurityMonitoringRuleAnomalyDetectionOptionsLearningDurationSerializer + extends StdSerializer { + public SecurityMonitoringRuleAnomalyDetectionOptionsLearningDurationSerializer( + Class t) { + super(t); + } + + public SecurityMonitoringRuleAnomalyDetectionOptionsLearningDurationSerializer() { + this(null); + } + + @Override + public void serialize( + SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration value, + JsonGenerator jgen, + SerializerProvider provider) + throws IOException, JsonProcessingException { + jgen.writeObject(value.value); + } + } + + @JsonCreator + public static SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration fromValue( + Integer value) { + return new SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration(value); + } +} diff --git a/src/main/java/com/datadog/api/client/v2/model/SecurityMonitoringRuleOptions.java b/src/main/java/com/datadog/api/client/v2/model/SecurityMonitoringRuleOptions.java index 9e6749dbfea..c917be38970 100644 --- a/src/main/java/com/datadog/api/client/v2/model/SecurityMonitoringRuleOptions.java +++ b/src/main/java/com/datadog/api/client/v2/model/SecurityMonitoringRuleOptions.java @@ -18,6 +18,7 @@ /** Options. */ @JsonPropertyOrder({ + SecurityMonitoringRuleOptions.JSON_PROPERTY_ANOMALY_DETECTION_OPTIONS, SecurityMonitoringRuleOptions.JSON_PROPERTY_COMPLIANCE_RULE_OPTIONS, SecurityMonitoringRuleOptions.JSON_PROPERTY_DECREASE_CRITICALITY_BASED_ON_ENV, SecurityMonitoringRuleOptions.JSON_PROPERTY_DETECTION_METHOD, @@ -34,6 +35,9 @@ value = "https://github.com/DataDog/datadog-api-client-java/blob/master/.generator") public class SecurityMonitoringRuleOptions { @JsonIgnore public boolean unparsed = false; + public static final String JSON_PROPERTY_ANOMALY_DETECTION_OPTIONS = "anomalyDetectionOptions"; + private SecurityMonitoringRuleAnomalyDetectionOptions anomalyDetectionOptions; + public static final String JSON_PROPERTY_COMPLIANCE_RULE_OPTIONS = "complianceRuleOptions"; private CloudConfigurationComplianceRuleOptions complianceRuleOptions; @@ -68,6 +72,30 @@ public class SecurityMonitoringRuleOptions { public static final String JSON_PROPERTY_THIRD_PARTY_RULE_OPTIONS = "thirdPartyRuleOptions"; private SecurityMonitoringRuleThirdPartyOptions thirdPartyRuleOptions; + public SecurityMonitoringRuleOptions anomalyDetectionOptions( + SecurityMonitoringRuleAnomalyDetectionOptions anomalyDetectionOptions) { + this.anomalyDetectionOptions = anomalyDetectionOptions; + this.unparsed |= anomalyDetectionOptions.unparsed; + return this; + } + + /** + * Options on anomaly detection method. + * + * @return anomalyDetectionOptions + */ + @jakarta.annotation.Nullable + @JsonProperty(JSON_PROPERTY_ANOMALY_DETECTION_OPTIONS) + @JsonInclude(value = JsonInclude.Include.USE_DEFAULTS) + public SecurityMonitoringRuleAnomalyDetectionOptions getAnomalyDetectionOptions() { + return anomalyDetectionOptions; + } + + public void setAnomalyDetectionOptions( + SecurityMonitoringRuleAnomalyDetectionOptions anomalyDetectionOptions) { + this.anomalyDetectionOptions = anomalyDetectionOptions; + } + public SecurityMonitoringRuleOptions complianceRuleOptions( CloudConfigurationComplianceRuleOptions complianceRuleOptions) { this.complianceRuleOptions = complianceRuleOptions; @@ -406,6 +434,8 @@ public boolean equals(Object o) { } SecurityMonitoringRuleOptions securityMonitoringRuleOptions = (SecurityMonitoringRuleOptions) o; return Objects.equals( + this.anomalyDetectionOptions, securityMonitoringRuleOptions.anomalyDetectionOptions) + && Objects.equals( this.complianceRuleOptions, securityMonitoringRuleOptions.complianceRuleOptions) && Objects.equals( this.decreaseCriticalityBasedOnEnv, @@ -430,6 +460,7 @@ public boolean equals(Object o) { @Override public int hashCode() { return Objects.hash( + anomalyDetectionOptions, complianceRuleOptions, decreaseCriticalityBasedOnEnv, detectionMethod, @@ -448,6 +479,9 @@ public int hashCode() { public String toString() { StringBuilder sb = new StringBuilder(); sb.append("class SecurityMonitoringRuleOptions {\n"); + sb.append(" anomalyDetectionOptions: ") + .append(toIndentedString(anomalyDetectionOptions)) + .append("\n"); sb.append(" complianceRuleOptions: ") .append(toIndentedString(complianceRuleOptions)) .append("\n"); diff --git a/src/main/java/com/datadog/api/client/v2/model/ThreatHuntingJobOptions.java b/src/main/java/com/datadog/api/client/v2/model/ThreatHuntingJobOptions.java index 9a4a7b8961a..2adb2ecc8ce 100644 --- a/src/main/java/com/datadog/api/client/v2/model/ThreatHuntingJobOptions.java +++ b/src/main/java/com/datadog/api/client/v2/model/ThreatHuntingJobOptions.java @@ -18,6 +18,7 @@ /** Job options. */ @JsonPropertyOrder({ + ThreatHuntingJobOptions.JSON_PROPERTY_ANOMALY_DETECTION_OPTIONS, ThreatHuntingJobOptions.JSON_PROPERTY_DETECTION_METHOD, ThreatHuntingJobOptions.JSON_PROPERTY_EVALUATION_WINDOW, ThreatHuntingJobOptions.JSON_PROPERTY_IMPOSSIBLE_TRAVEL_OPTIONS, @@ -31,6 +32,9 @@ value = "https://github.com/DataDog/datadog-api-client-java/blob/master/.generator") public class ThreatHuntingJobOptions { @JsonIgnore public boolean unparsed = false; + public static final String JSON_PROPERTY_ANOMALY_DETECTION_OPTIONS = "anomalyDetectionOptions"; + private SecurityMonitoringRuleAnomalyDetectionOptions anomalyDetectionOptions; + public static final String JSON_PROPERTY_DETECTION_METHOD = "detectionMethod"; private SecurityMonitoringRuleDetectionMethod detectionMethod; @@ -55,6 +59,30 @@ public class ThreatHuntingJobOptions { public static final String JSON_PROPERTY_THIRD_PARTY_RULE_OPTIONS = "thirdPartyRuleOptions"; private SecurityMonitoringRuleThirdPartyOptions thirdPartyRuleOptions; + public ThreatHuntingJobOptions anomalyDetectionOptions( + SecurityMonitoringRuleAnomalyDetectionOptions anomalyDetectionOptions) { + this.anomalyDetectionOptions = anomalyDetectionOptions; + this.unparsed |= anomalyDetectionOptions.unparsed; + return this; + } + + /** + * Options on anomaly detection method. + * + * @return anomalyDetectionOptions + */ + @jakarta.annotation.Nullable + @JsonProperty(JSON_PROPERTY_ANOMALY_DETECTION_OPTIONS) + @JsonInclude(value = JsonInclude.Include.USE_DEFAULTS) + public SecurityMonitoringRuleAnomalyDetectionOptions getAnomalyDetectionOptions() { + return anomalyDetectionOptions; + } + + public void setAnomalyDetectionOptions( + SecurityMonitoringRuleAnomalyDetectionOptions anomalyDetectionOptions) { + this.anomalyDetectionOptions = anomalyDetectionOptions; + } + public ThreatHuntingJobOptions detectionMethod( SecurityMonitoringRuleDetectionMethod detectionMethod) { this.detectionMethod = detectionMethod; @@ -313,7 +341,9 @@ public boolean equals(Object o) { return false; } ThreatHuntingJobOptions threatHuntingJobOptions = (ThreatHuntingJobOptions) o; - return Objects.equals(this.detectionMethod, threatHuntingJobOptions.detectionMethod) + return Objects.equals( + this.anomalyDetectionOptions, threatHuntingJobOptions.anomalyDetectionOptions) + && Objects.equals(this.detectionMethod, threatHuntingJobOptions.detectionMethod) && Objects.equals(this.evaluationWindow, threatHuntingJobOptions.evaluationWindow) && Objects.equals( this.impossibleTravelOptions, threatHuntingJobOptions.impossibleTravelOptions) @@ -329,6 +359,7 @@ public boolean equals(Object o) { @Override public int hashCode() { return Objects.hash( + anomalyDetectionOptions, detectionMethod, evaluationWindow, impossibleTravelOptions, @@ -344,6 +375,9 @@ public int hashCode() { public String toString() { StringBuilder sb = new StringBuilder(); sb.append("class ThreatHuntingJobOptions {\n"); + sb.append(" anomalyDetectionOptions: ") + .append(toIndentedString(anomalyDetectionOptions)) + .append("\n"); sb.append(" detectionMethod: ").append(toIndentedString(detectionMethod)).append("\n"); sb.append(" evaluationWindow: ").append(toIndentedString(evaluationWindow)).append("\n"); sb.append(" impossibleTravelOptions: ") diff --git a/src/test/resources/cassettes/features/v2/Create_a_detection_rule_with_detection_method_anomaly_detection_returns_OK_response.freeze b/src/test/resources/cassettes/features/v2/Create_a_detection_rule_with_detection_method_anomaly_detection_returns_OK_response.freeze new file mode 100644 index 00000000000..d0c938a563a --- /dev/null +++ b/src/test/resources/cassettes/features/v2/Create_a_detection_rule_with_detection_method_anomaly_detection_returns_OK_response.freeze @@ -0,0 +1 @@ +2025-12-16T15:19:00.493Z \ No newline at end of file diff --git a/src/test/resources/cassettes/features/v2/Create_a_detection_rule_with_detection_method_anomaly_detection_returns_OK_response.json b/src/test/resources/cassettes/features/v2/Create_a_detection_rule_with_detection_method_anomaly_detection_returns_OK_response.json new file mode 100644 index 00000000000..640c57807f2 --- /dev/null +++ b/src/test/resources/cassettes/features/v2/Create_a_detection_rule_with_detection_method_anomaly_detection_returns_OK_response.json @@ -0,0 +1,53 @@ +[ + { + "httpRequest": { + "body": { + "type": "JSON", + "json": "{\"cases\":[{\"condition\":\"a > 0.995\",\"name\":\"\",\"notifications\":[],\"status\":\"info\"}],\"filters\":[],\"isEnabled\":true,\"message\":\"An anomaly detection rule\",\"name\":\"Test-Create_a_detection_rule_with_detection_method_anomaly_detection_returns_OK_response-1765898340\",\"options\":{\"anomalyDetectionOptions\":{\"bucketDuration\":300,\"detectionTolerance\":3,\"learningDuration\":24,\"learningPeriodBaseline\":10},\"detectionMethod\":\"anomaly_detection\",\"evaluationWindow\":900,\"keepAlive\":3600,\"maxSignalDuration\":86400},\"queries\":[{\"aggregation\":\"count\",\"dataSource\":\"logs\",\"distinctFields\":[],\"groupByFields\":[\"@usr.email\",\"@network.client.ip\"],\"hasOptionalGroupByFields\":false,\"name\":\"\",\"query\":\"service:app status:error\"}],\"tags\":[],\"type\":\"log_detection\"}" + }, + "headers": {}, + "method": "POST", + "path": "/api/v2/security_monitoring/rules", + "keepAlive": false, + "secure": true + }, + "httpResponse": { + "body": "{\"name\":\"Test-Create_a_detection_rule_with_detection_method_anomaly_detection_returns_OK_response-1765898340\",\"createdAt\":1765898340611,\"isDefault\":false,\"isPartner\":false,\"isEnabled\":true,\"isBeta\":false,\"isDeleted\":false,\"isDeprecated\":false,\"queries\":[{\"query\":\"service:app status:error\",\"groupByFields\":[\"@usr.email\",\"@network.client.ip\"],\"hasOptionalGroupByFields\":false,\"distinctFields\":[],\"aggregation\":\"count\",\"name\":\"\",\"dataSource\":\"logs\"}],\"options\":{\"evaluationWindow\":1800,\"detectionMethod\":\"anomaly_detection\",\"maxSignalDuration\":86400,\"keepAlive\":3600,\"anomalyDetectionOptions\":{\"bucketDuration\":300,\"learningDuration\":24,\"detectionTolerance\":3,\"instantaneousBaseline\":false,\"instantaneousBaselineTimeoutMinutes\":30,\"learningPeriodBaseline\":10}},\"cases\":[{\"name\":\"\",\"status\":\"info\",\"notifications\":[],\"condition\":\"a \\u003e 0.995\"}],\"message\":\"An anomaly detection rule\",\"tags\":[],\"hasExtendedTitle\":false,\"type\":\"log_detection\",\"filters\":[],\"version\":1,\"id\":\"0vk-kph-3ri\",\"blocking\":false,\"metadata\":{\"entities\":null,\"sources\":null},\"creationAuthorId\":1445416,\"creator\":{\"handle\":\"frog@datadoghq.com\",\"name\":\"frog\"},\"updater\":{\"handle\":\"\",\"name\":\"\"}}", + "headers": { + "Content-Type": [ + "application/json" + ] + }, + "statusCode": 200, + "reasonPhrase": "OK" + }, + "times": { + "remainingTimes": 1 + }, + "timeToLive": { + "unlimited": true + }, + "id": "ceeb4640-e238-fd2d-faea-833262b811c7" + }, + { + "httpRequest": { + "headers": {}, + "method": "DELETE", + "path": "/api/v2/security_monitoring/rules/0vk-kph-3ri", + "keepAlive": false, + "secure": true + }, + "httpResponse": { + "headers": {}, + "statusCode": 204, + "reasonPhrase": "No Content" + }, + "times": { + "remainingTimes": 1 + }, + "timeToLive": { + "unlimited": true + }, + "id": "903a73a2-8dbe-ebf5-cd6c-473010faf924" + } +] \ No newline at end of file diff --git a/src/test/resources/com/datadog/api/client/v2/api/security_monitoring.feature b/src/test/resources/com/datadog/api/client/v2/api/security_monitoring.feature index e86aed12b31..b3955e02b34 100644 --- a/src/test/resources/com/datadog/api/client/v2/api/security_monitoring.feature +++ b/src/test/resources/com/datadog/api/client/v2/api/security_monitoring.feature @@ -333,6 +333,20 @@ Feature: Security Monitoring And the response "message" is equal to "Test rule" And the response "referenceTables" is equal to [{"tableName": "synthetics_test_reference_table_dont_delete", "columnName": "value", "logFieldPath":"testtag", "checkPresence":true, "ruleQueryName":"a"}] + @team:DataDog/k9-cloud-security-platform + Scenario: Create a detection rule with detection method 'anomaly_detection' returns "OK" response + Given new "CreateSecurityMonitoringRule" request + And body with value {"name":"{{ unique }}","type":"log_detection","isEnabled":true,"queries":[{"aggregation":"count","dataSource":"logs","distinctFields":[],"groupByFields":["@usr.email","@network.client.ip"],"hasOptionalGroupByFields":false,"name":"","query":"service:app status:error"}],"cases":[{"name":"","status":"info","notifications":[],"condition":"a > 0.995"}],"message":"An anomaly detection rule","options":{"detectionMethod":"anomaly_detection","evaluationWindow":900,"keepAlive":3600,"maxSignalDuration":86400,"anomalyDetectionOptions":{"bucketDuration":300,"learningDuration":24,"detectionTolerance":3,"learningPeriodBaseline":10}},"tags":[],"filters":[]} + When the request is sent + Then the response status is 200 OK + And the response "name" is equal to "{{ unique }}" + And the response "type" is equal to "log_detection" + And the response "options.detectionMethod" is equal to "anomaly_detection" + And the response "options.anomalyDetectionOptions.bucketDuration" is equal to 300 + And the response "options.anomalyDetectionOptions.learningDuration" is equal to 24 + And the response "options.anomalyDetectionOptions.learningPeriodBaseline" is equal to 10 + And the response "options.anomalyDetectionOptions.detectionTolerance" is equal to 3 + @team:DataDog/k9-cloud-security-platform Scenario: Create a detection rule with detection method 'sequence_detection' returns "OK" response Given new "CreateSecurityMonitoringRule" request