Add Security Monitoring rule test endpoint #1983

8 changes: 4 additions & 4 deletions .apigentools-info
Expand Up @@ -4,13 +4,13 @@
"spec_versions": {
"v1": {
"apigentools_version": "1.6.6",
"regenerated": "2024-05-23 19:28:57.806361",
"spec_repo_commit": "b9b11fda"
"regenerated": "2024-05-28 16:29:25.422563",
"spec_repo_commit": "9445af96"
},
"v2": {
"apigentools_version": "1.6.6",
"regenerated": "2024-05-23 19:28:57.823164",
"spec_repo_commit": "b9b11fda"
"regenerated": "2024-05-28 16:29:25.439213",
"spec_repo_commit": "9445af96"
}
}
}
140 changes: 140 additions & 0 deletions .generator/schemas/v2/openapi.yaml
Expand Up @@ -17407,6 +17407,47 @@ components:
- GEO_DATA
- EVENT_COUNT
- NONE
SecurityMonitoringRuleQueryPayload:
description: Payload to test a rule query with the expected result.
properties:
expectedResult:
description: Expected result of the test.
example: true
type: boolean
index:
description: Index of the query under test.
example: 0
format: int64
minimum: 0
type: integer
payload:
$ref: '#/components/schemas/SecurityMonitoringRuleQueryPayloadData'
type: object
SecurityMonitoringRuleQueryPayloadData:
additionalProperties: {}
description: Payload used to test the rule query.
properties:
ddsource:
description: Source of the payload.
example: nginx
type: string
ddtags:
description: Tags associated with your data.
example: env:staging,version:5.1
type: string
hostname:
description: The name of the originating host of the log.
example: i-012345678
type: string
message:
description: The message of the payload.
example: 2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World
type: string
service:
description: The name of the application or service generating the data.
example: payment
type: string
type: object
SecurityMonitoringRuleResponse:
description: Create a new rule.
oneOf:
Expand All @@ -17428,6 +17469,31 @@ components:
- MEDIUM
- HIGH
- CRITICAL
SecurityMonitoringRuleTestRequest:
description: Test the rule queries of a rule.
properties:
rule:
$ref: '#/components/schemas/SecurityMonitoringRuleCreatePayload'
ruleQueryPayloads:
description: Data payloads used to test rules query with the expected result.
items:
$ref: '#/components/schemas/SecurityMonitoringRuleQueryPayload'
type: array
type: object
SecurityMonitoringRuleTestResponse:
description: Result of the test of the rule queries.
properties:
results:
description: 'Assert results are returned in the same order as the rule
query payloads.

For each payload, it returns True if the result matched the expected result,

False otherwise.'
items:
type: boolean
type: array
type: object
SecurityMonitoringRuleThirdPartyOptions:
description: Options on third party rules.
properties:
Expand Down Expand Up @@ -32551,6 +32617,42 @@ paths:
tags:
- Security Monitoring
x-codegen-request-body-name: body
/api/v2/security_monitoring/rules/test:
post:
description: Test a rule.
operationId: TestSecurityMonitoringRule
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/SecurityMonitoringRuleTestRequest'
required: true
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/SecurityMonitoringRuleTestResponse'
description: OK
'400':
$ref: '#/components/responses/BadRequestResponse'
'401':
$ref: '#/components/responses/ConcurrentModificationResponse'
'403':
$ref: '#/components/responses/NotAuthorizedResponse'
'404':
$ref: '#/components/responses/NotFoundResponse'
'429':
$ref: '#/components/responses/TooManyRequestsResponse'
security:
- apiKeyAuth: []
appKeyAuth: []
- AuthZ:
- security_monitoring_rules_write
summary: Test a rule
tags:
- Security Monitoring
x-codegen-request-body-name: body
/api/v2/security_monitoring/rules/validation:
post:
description: Validate a detection rule.
Expand Down Expand Up @@ -32672,6 +32774,44 @@ paths:
tags:
- Security Monitoring
x-codegen-request-body-name: body
/api/v2/security_monitoring/rules/{rule_id}/test:
post:
description: Test an existing rule.
operationId: TestExistingSecurityMonitoringRule
parameters:
- $ref: '#/components/parameters/SecurityMonitoringRuleID'
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/SecurityMonitoringRuleTestRequest'
required: true
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/SecurityMonitoringRuleTestResponse'
description: OK
'400':
$ref: '#/components/responses/BadRequestResponse'
'401':
$ref: '#/components/responses/ConcurrentModificationResponse'
'403':
$ref: '#/components/responses/NotAuthorizedResponse'
'404':
$ref: '#/components/responses/NotFoundResponse'
'429':
$ref: '#/components/responses/TooManyRequestsResponse'
security:
- apiKeyAuth: []
appKeyAuth: []
- AuthZ:
- security_monitoring_rules_write
summary: Test an existing rule
tags:
- Security Monitoring
x-codegen-request-body-name: body
/api/v2/security_monitoring/signals:
get:
description: 'The list endpoint returns security signals that match a search
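Review bot: `SecurityMonitoringRuleTestRequest` (second hunk) declares no `required` list, so a generated client will happily send a `/api/v2/security_monitoring/rules/test` request with neither `rule` nor `ruleQueryPayloads` and only the server can reject it; since the same schema is reused by `/rules/{rule_id}/test`, where the new example omits `rule` entirely, `required: [ruleQueryPayloads]` is the safe minimum, and the `{rule_id}/test` description should say whether a `rule` in the body overrides the stored rule or is ignored. Both new operations (third and fourth hunks) map `'401'` to `#/components/responses/ConcurrentModificationResponse`, which will be rendered as a concurrent-modification error in generated docs for what is an unauthenticated request; unless the sibling rule endpoints deliberately share that mapping, it should reference the spec's unauthorized response component if one exists (not visible here). `SecurityMonitoringRuleQueryPayloadData` sets `additionalProperties: {}`, which is what lets the example pass `user_identity`; a short addition to its description such as `Additional log attributes can be supplied as extra top-level keys.` would make that contract explicit for client authors.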
28 changes: 28 additions & 0 deletions docs/datadog_api_client.v2.model.rst
Expand Up @@ -7862,6 +7862,20 @@ security\_monitoring\_rule\_query\_aggregation
:members:
:show-inheritance:

security\_monitoring\_rule\_query\_payload
------------------------------------------

.. automodule:: datadog_api_client.v2.model.security_monitoring_rule_query_payload
:members:
:show-inheritance:

security\_monitoring\_rule\_query\_payload\_data
------------------------------------------------

.. automodule:: datadog_api_client.v2.model.security_monitoring_rule_query_payload_data
:members:
:show-inheritance:

security\_monitoring\_rule\_response
------------------------------------

Expand All @@ -7876,6 +7890,20 @@ security\_monitoring\_rule\_severity
:members:
:show-inheritance:

security\_monitoring\_rule\_test\_request
-----------------------------------------

.. automodule:: datadog_api_client.v2.model.security_monitoring_rule_test_request
:members:
:show-inheritance:

security\_monitoring\_rule\_test\_response
------------------------------------------

.. automodule:: datadog_api_client.v2.model.security_monitoring_rule_test_response
:members:
:show-inheritance:

security\_monitoring\_rule\_third\_party\_options
-------------------------------------------------

@@ -0,0 +1,34 @@
"""
Test an existing rule returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_rule_query_payload import SecurityMonitoringRuleQueryPayload
from datadog_api_client.v2.model.security_monitoring_rule_query_payload_data import (
SecurityMonitoringRuleQueryPayloadData,
)
from datadog_api_client.v2.model.security_monitoring_rule_test_request import SecurityMonitoringRuleTestRequest

body = SecurityMonitoringRuleTestRequest(
rule_query_payloads=[
SecurityMonitoringRuleQueryPayload(
expected_result=True,
index=0,
payload=SecurityMonitoringRuleQueryPayloadData(
ddsource="nginx",
ddtags="env:staging,version:5.1",
hostname="i-012345678",
message="2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World",
service="payment",
),
),
],
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
api_instance = SecurityMonitoringApi(api_client)
response = api_instance.test_existing_security_monitoring_rule(rule_id="rule_id", body=body)

print(response)
91 changes: 91 additions & 0 deletions examples/v2/security-monitoring/TestSecurityMonitoringRule.py
@@ -0,0 +1,91 @@
"""
Test a rule returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
from datadog_api_client.v2.model.security_monitoring_rule_case_create import SecurityMonitoringRuleCaseCreate
from datadog_api_client.v2.model.security_monitoring_rule_detection_method import SecurityMonitoringRuleDetectionMethod
from datadog_api_client.v2.model.security_monitoring_rule_evaluation_window import (
SecurityMonitoringRuleEvaluationWindow,
)
from datadog_api_client.v2.model.security_monitoring_rule_keep_alive import SecurityMonitoringRuleKeepAlive
from datadog_api_client.v2.model.security_monitoring_rule_max_signal_duration import (
SecurityMonitoringRuleMaxSignalDuration,
)
from datadog_api_client.v2.model.security_monitoring_rule_options import SecurityMonitoringRuleOptions
from datadog_api_client.v2.model.security_monitoring_rule_query_aggregation import (
SecurityMonitoringRuleQueryAggregation,
)
from datadog_api_client.v2.model.security_monitoring_rule_query_payload import SecurityMonitoringRuleQueryPayload
from datadog_api_client.v2.model.security_monitoring_rule_query_payload_data import (
SecurityMonitoringRuleQueryPayloadData,
)
from datadog_api_client.v2.model.security_monitoring_rule_severity import SecurityMonitoringRuleSeverity
from datadog_api_client.v2.model.security_monitoring_rule_test_request import SecurityMonitoringRuleTestRequest
from datadog_api_client.v2.model.security_monitoring_rule_type_create import SecurityMonitoringRuleTypeCreate
from datadog_api_client.v2.model.security_monitoring_standard_rule_create_payload import (
SecurityMonitoringStandardRuleCreatePayload,
)
from datadog_api_client.v2.model.security_monitoring_standard_rule_query import SecurityMonitoringStandardRuleQuery

body = SecurityMonitoringRuleTestRequest(
rule=SecurityMonitoringStandardRuleCreatePayload(
cases=[
SecurityMonitoringRuleCaseCreate(
name="",
status=SecurityMonitoringRuleSeverity.INFO,
notifications=[],
condition="a > 0",
),
],
has_extended_title=True,
is_enabled=True,
message="My security monitoring rule message.",
name="My security monitoring rule.",
options=SecurityMonitoringRuleOptions(
decrease_criticality_based_on_env=False,
detection_method=SecurityMonitoringRuleDetectionMethod.THRESHOLD,
evaluation_window=SecurityMonitoringRuleEvaluationWindow.ZERO_MINUTES,
keep_alive=SecurityMonitoringRuleKeepAlive.ZERO_MINUTES,
max_signal_duration=SecurityMonitoringRuleMaxSignalDuration.ZERO_MINUTES,
),
queries=[
SecurityMonitoringStandardRuleQuery(
query="source:source_here",
group_by_fields=[
"@userIdentity.assumed_role",
],
distinct_fields=[],
aggregation=SecurityMonitoringRuleQueryAggregation.COUNT,
name="",
),
],
tags=[
"env:prod",
"team:security",
],
type=SecurityMonitoringRuleTypeCreate.LOG_DETECTION,
),
rule_query_payloads=[
SecurityMonitoringRuleQueryPayload(
expected_result=True,
index=0,
payload=SecurityMonitoringRuleQueryPayloadData(
ddsource="source_here",
ddtags="env:staging,version:5.1",
hostname="i-012345678",
message="2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World",
service="payment",
user_identity=dict([("assumed_role", "fake assumed_role")]),
),
),
],
)

configuration = Configuration()
with ApiClient(configuration) as api_client:
api_instance = SecurityMonitoringApi(api_client)
response = api_instance.test_security_monitoring_rule(body=body)

print(response)