Update provider for detection method impossible travel

Updates the provider for security monitoring rules to accept rules with the new detection method `impossible_travel`. See also: - DataDog/documentation#13204 - DataDog/datadog-api-client-go#1357
DataDog · Apr 1, 2022 · 37827a9 · 37827a9
1 parent 3acceeb
commit 37827a9
Show file tree

Hide file tree

Showing 6 changed files with 387 additions and 1 deletion.
diff --git a/datadog/resource_datadog_security_monitoring_rule.go b/datadog/resource_datadog_security_monitoring_rule.go
@@ -147,6 +147,24 @@ func datadogSecurityMonitoringRuleSchema() map[string]*schema.Schema {
 							},
 						},
 					},
+
+					"impossible_travel_options": {
+						Type:        schema.TypeList,
+						Optional:    true,
+						MaxItems:    1,
+						Description: "Options for rules using the impossible travel detection method.",
+
+						Elem: &schema.Resource{
+							Schema: map[string]*schema.Schema{
+								"baseline_user_locations": {
+									Type:        schema.TypeBool,
+									Optional:    true,
+									Default:     false,
+									Description: "If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.",
+								},
+							},
+						},
+					},
 				},
 			},
 		},
@@ -373,9 +391,31 @@ func buildPayloadOptions(tfOptionsList []interface{}) *datadogV2.SecurityMonitor
 		}
 	}
 
+	if v, ok := tfOptions["impossible_travel_options"]; ok {
+		tfImpossibleTravelOptionsList := v.([]interface{})
+		if payloadImpossibleTravelOptions, ok := buildPayloadImpossibleTravelOptions(tfImpossibleTravelOptionsList); ok {
+			payloadOptions.ImpossibleTravelOptions = payloadImpossibleTravelOptions
+		}
+	}
+
 	return payloadOptions
 }
 
+func buildPayloadImpossibleTravelOptions(tfOptionsList []interface{}) (*datadogV2.SecurityMonitoringRuleImpossibleTravelOptions, bool) {
+	options := datadogV2.NewSecurityMonitoringRuleImpossibleTravelOptions()
+	tfOptions := extractMapFromInterface(tfOptionsList)
+
+	hasPayload := false
+
+	if v, ok := tfOptions["baseline_user_locations"]; ok {
+		hasPayload = true
+		shouldBaselineUserLocations := v.(bool)
+		options.BaselineUserLocations = &shouldBaselineUserLocations
+	}
+
+	return options, hasPayload
+}
+
 func buildPayloadNewValueOptions(tfOptionsList []interface{}) (*datadogV2.SecurityMonitoringRuleNewValueOptions, bool) {
 	payloadNewValueRulesOptions := datadogV2.NewSecurityMonitoringRuleNewValueOptions()
 	tfOptions := extractMapFromInterface(tfOptionsList)
@@ -593,6 +633,11 @@ func extractTfOptions(options datadogV2.SecurityMonitoringRuleOptions) map[strin
 		tfNewValueOptions["learning_duration"] = int(newValueOptions.GetLearningDuration())
 		tfOptions["new_value_options"] = []map[string]interface{}{tfNewValueOptions}
 	}
+	if impossibleTravelOptions, ok := options.GetImpossibleTravelOptionsOk(); ok {
+		tfImpossibleTravelOptions := make(map[string]interface{})
+		tfImpossibleTravelOptions["baseline_user_locations"] = impossibleTravelOptions.GetBaselineUserLocations()
+		tfOptions["impossible_travel_options"] = []map[string]interface{}{tfImpossibleTravelOptions}
+	}
 	return tfOptions
 }
 

diff --git a/datadog/tests/cassettes/TestAccDatadogSecurityMonitoringRule_ImpossibleTravelRule.freeze b/datadog/tests/cassettes/TestAccDatadogSecurityMonitoringRule_ImpossibleTravelRule.freeze
@@ -0,0 +1 @@
+2022-04-01T14:25:16.819597+02:00
diff --git a/datadog/tests/cassettes/TestAccDatadogSecurityMonitoringRule_ImpossibleTravelRule.yaml b/datadog/tests/cassettes/TestAccDatadogSecurityMonitoringRule_ImpossibleTravelRule.yaml
@@ -0,0 +1,153 @@
+---
+version: 1
+interactions:
+- request:
+    body: |
+      {"cases":[{"condition":"","name":"","notifications":["@user"],"status":"high"}],"hasExtendedTitle":false,"isEnabled":false,"message":"impossible travel rule triggered","name":"tf-TestAccDatadogSecurityMonitoringRule_ImpossibleTravelRule-local-1648815916","options":{"detectionMethod":"impossible_travel","evaluationWindow":0,"impossibleTravelOptions":{"baselineUserLocations":true},"keepAlive":600,"maxSignalDuration":900},"queries":[{"aggregation":"geo_data","distinctFields":[],"groupByFields":["@usr.handle"],"metric":"@usr.handle","name":"my_query","query":"*"}],"tags":["i:tomato","u:tomato"],"type":"log_detection"}
+    form: {}
+    headers:
+      Accept:
+      - application/json
+      Content-Type:
+      - application/json
+    url: https://api.datadoghq.com/api/v2/security_monitoring/rules
+    method: POST
+  response:
+    body: '{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":false,"message":"impossible travel rule triggered","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1648815924442,"filters":[],"queries":[{"distinctFields":[],"name":"my_query","metric":"@usr.handle","aggregation":"geo_data","groupByFields":["@usr.handle"],"query":"*"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"","condition":""}],"type":"log_detection","id":"t3n-fmu-mrn","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_ImpossibleTravelRule-local-1648815916"}'
+    headers:
+      Content-Type:
+      - application/json;charset=utf-8
+    status: 200 OK
+    code: 200
+    duration: ""
+- request:
+    body: ""
+    form: {}
+    headers:
+      Accept:
+      - application/json
+    url: https://api.datadoghq.com/api/v2/security_monitoring/rules/t3n-fmu-mrn
+    method: GET
+  response:
+    body: '{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":false,"message":"impossible travel rule triggered","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1648815924442,"filters":[],"queries":[{"distinctFields":[],"name":"my_query","metric":"@usr.handle","aggregation":"geo_data","groupByFields":["@usr.handle"],"query":"*"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"","condition":""}],"type":"log_detection","id":"t3n-fmu-mrn","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_ImpossibleTravelRule-local-1648815916"}'
+    headers:
+      Content-Type:
+      - application/json;charset=utf-8
+    status: 200 OK
+    code: 200
+    duration: ""
+- request:
+    body: ""
+    form: {}
+    headers:
+      Accept:
+      - application/json
+    url: https://api.datadoghq.com/api/v2/security_monitoring/rules/t3n-fmu-mrn
+    method: GET
+  response:
+    body: '{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":false,"message":"impossible travel rule triggered","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1648815924442,"filters":[],"queries":[{"distinctFields":[],"name":"my_query","metric":"@usr.handle","aggregation":"geo_data","groupByFields":["@usr.handle"],"query":"*"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"","condition":""}],"type":"log_detection","id":"t3n-fmu-mrn","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_ImpossibleTravelRule-local-1648815916"}'
+    headers:
+      Content-Type:
+      - application/json;charset=utf-8
+    status: 200 OK
+    code: 200
+    duration: ""
+- request:
+    body: ""
+    form: {}
+    headers:
+      Accept:
+      - application/json
+    url: https://api.datadoghq.com/api/v2/security_monitoring/rules/t3n-fmu-mrn
+    method: GET
+  response:
+    body: '{"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":false,"message":"impossible travel rule triggered","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":900,"keepAlive":600},"version":1,"createdAt":1648815924442,"filters":[],"queries":[{"distinctFields":[],"name":"my_query","metric":"@usr.handle","aggregation":"geo_data","groupByFields":["@usr.handle"],"query":"*"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"","condition":""}],"type":"log_detection","id":"t3n-fmu-mrn","isDefault":false,"name":"tf-TestAccDatadogSecurityMonitoringRule_ImpossibleTravelRule-local-1648815916"}'
+    headers:
+      Content-Type:
+      - application/json;charset=utf-8
+    status: 200 OK
+    code: 200
+    duration: ""
+- request:
+    body: |
+      {"cases":[{"condition":"","name":"new case name (updated)","notifications":["@user"],"status":"high"}],"hasExtendedTitle":false,"isEnabled":false,"message":"impossible travel rule triggered (updated)","name":"tf-TestAccDatadogSecurityMonitoringRule_ImpossibleTravelRule-local-1648815916","options":{"detectionMethod":"impossible_travel","evaluationWindow":0,"impossibleTravelOptions":{"baselineUserLocations":true},"keepAlive":600,"maxSignalDuration":900},"queries":[{"aggregation":"geo_data","distinctFields":[],"groupByFields":["@usr.handle"],"metric":"@usr.handle","name":"my_updated_query","query":"*"}],"tags":["i:tomato","u:tomato"]}
+    form: {}
+    headers:
+      Accept:
+      - application/json
+      Content-Type:
+      - application/json
+    url: https://api.datadoghq.com/api/v2/security_monitoring/rules/t3n-fmu-mrn
+    method: PUT
+  response:
+    body: '{"updateAuthorId":1445416,"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":false,"message":"impossible travel rule triggered (updated)","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":900,"keepAlive":600},"version":2,"isDefault":false,"filters":[],"queries":[{"distinctFields":[],"name":"my_updated_query","metric":"@usr.handle","aggregation":"geo_data","groupByFields":["@usr.handle"],"query":"*"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"new case name (updated)","condition":""}],"type":"log_detection","id":"t3n-fmu-mrn","createdAt":1648815924442,"name":"tf-TestAccDatadogSecurityMonitoringRule_ImpossibleTravelRule-local-1648815916"}'
+    headers:
+      Content-Type:
+      - application/json;charset=utf-8
+    status: 200 OK
+    code: 200
+    duration: ""
+- request:
+    body: ""
+    form: {}
+    headers:
+      Accept:
+      - application/json
+    url: https://api.datadoghq.com/api/v2/security_monitoring/rules/t3n-fmu-mrn
+    method: GET
+  response:
+    body: '{"updateAuthorId":1445416,"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":false,"message":"impossible travel rule triggered (updated)","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":900,"keepAlive":600},"version":2,"isDefault":false,"filters":[],"queries":[{"distinctFields":[],"name":"my_updated_query","metric":"@usr.handle","aggregation":"geo_data","groupByFields":["@usr.handle"],"query":"*"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"new case name (updated)","condition":""}],"type":"log_detection","id":"t3n-fmu-mrn","createdAt":1648815924442,"name":"tf-TestAccDatadogSecurityMonitoringRule_ImpossibleTravelRule-local-1648815916"}'
+    headers:
+      Content-Type:
+      - application/json;charset=utf-8
+    status: 200 OK
+    code: 200
+    duration: ""
+- request:
+    body: ""
+    form: {}
+    headers:
+      Accept:
+      - application/json
+    url: https://api.datadoghq.com/api/v2/security_monitoring/rules/t3n-fmu-mrn
+    method: GET
+  response:
+    body: '{"updateAuthorId":1445416,"creationAuthorId":1445416,"tags":["u:tomato","i:tomato"],"isEnabled":false,"hasExtendedTitle":false,"message":"impossible travel rule triggered (updated)","options":{"impossibleTravelOptions":{"baselineUserLocations":true},"detectionMethod":"impossible_travel","evaluationWindow":0,"maxSignalDuration":900,"keepAlive":600},"version":2,"isDefault":false,"filters":[],"queries":[{"distinctFields":[],"name":"my_updated_query","metric":"@usr.handle","aggregation":"geo_data","groupByFields":["@usr.handle"],"query":"*"}],"isDeleted":false,"cases":[{"status":"high","notifications":["@user"],"name":"new case name (updated)","condition":""}],"type":"log_detection","id":"t3n-fmu-mrn","createdAt":1648815924442,"name":"tf-TestAccDatadogSecurityMonitoringRule_ImpossibleTravelRule-local-1648815916"}'
+    headers:
+      Content-Type:
+      - application/json;charset=utf-8
+    status: 200 OK
+    code: 200
+    duration: ""
+- request:
+    body: ""
+    form: {}
+    headers:
+      Accept:
+      - '*/*'
+    url: https://api.datadoghq.com/api/v2/security_monitoring/rules/t3n-fmu-mrn
+    method: DELETE
+  response:
+    body: ""
+    headers:
+      Content-Type:
+      - application/json;charset=utf-8
+    status: 204 No Content
+    code: 204
+    duration: ""
+- request:
+    body: ""
+    form: {}
+    headers:
+      Accept:
+      - application/json
+    url: https://api.datadoghq.com/api/v2/security_monitoring/rules/t3n-fmu-mrn
+    method: GET
+  response:
+    body: '{"errors":["Threat detection rule not found: t3n-fmu-mrn"]}'
+    headers:
+      Content-Type:
+      - application/json
+    status: 404 Not Found
+    code: 404
+    duration: ""