Add referenceTables field to security monitoring endpoints

.apigentools-info

@@ -4,13 +4,13 @@
     "spec_versions": {
         "v1": {
             "apigentools_version": "1.6.6",
-            "regenerated": "2024-09-30 14:37:35.409603",
-            "spec_repo_commit": "60bc9127"
+            "regenerated": "2024-09-30 19:44:25.066972",
+            "spec_repo_commit": "909e369c"
         },
         "v2": {
             "apigentools_version": "1.6.6",
-            "regenerated": "2024-09-30 14:37:35.426476",
-            "spec_repo_commit": "60bc9127"
+            "regenerated": "2024-09-30 19:44:25.080968",
+            "spec_repo_commit": "909e369c"
         }
     }
 }

.generator/schemas/v2/openapi.yaml

@@ -19089,6 +19089,25 @@ components:
         meta:
           $ref: '#/components/schemas/ResponseMetaAttributes'
       type: object
+    SecurityMonitoringReferenceTable:
+      description: Reference table for the rule.
+      properties:
+        checkPresence:
+          description: Whether to include or exclude the matched values.
+          type: boolean
+        columnName:
+          description: The name of the column in the reference table.
+          type: string
+        logFieldPath:
+          description: The field in the log to match against the reference table.
+          type: string
+        ruleQueryName:
+          description: The name of the rule query to apply the reference table to.
+          type: string
+        tableName:
+          description: The name of the reference table.
+          type: string
+      type: object
     SecurityMonitoringRuleCase:
       description: Case when signal is generated.
       properties:
@@ -19594,6 +19613,11 @@ components:
           items:
             $ref: '#/components/schemas/SecurityMonitoringRuleQuery'
           type: array
+        referenceTables:
+          description: Reference tables for the rule.
+          items:
+            $ref: '#/components/schemas/SecurityMonitoringReferenceTable'
+          type: array
         tags:
           description: Tags for generated signals.
           items:
@@ -20298,6 +20322,11 @@ components:
           items:
             $ref: '#/components/schemas/SecurityMonitoringStandardRuleQuery'
           type: array
+        referenceTables:
+          description: Reference tables for the rule.
+          items:
+            $ref: '#/components/schemas/SecurityMonitoringReferenceTable'
+          type: array
         tags:
           description: Tags for generated signals.
           example:
@@ -20365,6 +20394,11 @@ components:
           items:
             $ref: '#/components/schemas/SecurityMonitoringStandardRuleQuery'
           type: array
+        referenceTables:
+          description: Reference tables for the rule.
+          items:
+            $ref: '#/components/schemas/SecurityMonitoringReferenceTable'
+          type: array
         tags:
           description: Tags for generated signals.
           example:
@@ -20505,6 +20539,11 @@ components:
           items:
             $ref: '#/components/schemas/SecurityMonitoringStandardRuleQuery'
           type: array
+        referenceTables:
+          description: Reference tables for the rule.
+          items:
+            $ref: '#/components/schemas/SecurityMonitoringReferenceTable'
+          type: array
         tags:
           description: Tags for generated signals.
           items:
@@ -20569,6 +20608,11 @@ components:
           items:
             $ref: '#/components/schemas/SecurityMonitoringStandardRuleQuery'
           type: array
+        referenceTables:
+          description: Reference tables for the rule.
+          items:
+            $ref: '#/components/schemas/SecurityMonitoringReferenceTable'
+          type: array
         tags:
           description: Tags for generated signals.
           example:

cassettes/features/v2/security_monitoring/Create-a-detection-rule-returns-OK-response.frozen

@@ -1 +1 @@
-2024-05-10T16:34:28.650Z
+2024-09-11T18:14:46.491Z

examples/v2/security-monitoring/CreateSecurityMonitoringRule.rb

@@ -32,5 +32,14 @@
   tags: [],
   is_enabled: true,
   type: DatadogAPIClient::V2::SecurityMonitoringRuleTypeCreate::LOG_DETECTION,
+  reference_tables: [
+    DatadogAPIClient::V2::SecurityMonitoringReferenceTable.new({
+      table_name: "synthetics_test_reference_table_dont_delete",
+      column_name: "value",
+      log_field_path: "testtag",
+      check_presence: true,
+      rule_query_name: "a",
+    }),
+  ],
 })
 p api_instance.create_security_monitoring_rule(body)

features/v2/security_monitoring.feature

@@ -123,12 +123,13 @@ Feature: Security Monitoring
   @skip-validation @team:DataDog/k9-cloud-security-platform
   Scenario: Create a detection rule returns "OK" response
     Given new "CreateSecurityMonitoringRule" request
-    And body with value {"name":"{{ unique }}", "queries":[{"query":"@test:true","aggregation":"count","groupByFields":[],"distinctFields":[],"metric":""}],"filters":[],"cases":[{"name":"","status":"info","condition":"a > 0","notifications":[]}],"options":{"evaluationWindow":900,"keepAlive":3600,"maxSignalDuration":86400},"message":"Test rule","tags":[],"isEnabled":true, "type":"log_detection"}
+    And body with value {"name":"{{ unique }}", "queries":[{"query":"@test:true","aggregation":"count","groupByFields":[],"distinctFields":[],"metric":""}],"filters":[],"cases":[{"name":"","status":"info","condition":"a > 0","notifications":[]}],"options":{"evaluationWindow":900,"keepAlive":3600,"maxSignalDuration":86400},"message":"Test rule","tags":[],"isEnabled":true, "type":"log_detection", "referenceTables":[{"tableName": "synthetics_test_reference_table_dont_delete", "columnName": "value", "logFieldPath":"testtag", "checkPresence":true, "ruleQueryName":"a"}]}
     When the request is sent
     Then the response status is 200 OK
     And the response "name" is equal to "{{ unique }}"
     And the response "type" is equal to "log_detection"
     And the response "message" is equal to "Test rule"
+    And the response "referenceTables" is equal to [{"tableName": "synthetics_test_reference_table_dont_delete", "columnName": "value", "logFieldPath":"testtag", "checkPresence":true, "ruleQueryName":"a"}]
 
   @team:DataDog/k9-cloud-security-platform
   Scenario: Create a detection rule with detection method 'third_party' returns "OK" response

lib/datadog_api_client/inflector.rb

@@ -2079,6 +2079,7 @@ def overrides
           "v2.security_monitoring_filter" => "SecurityMonitoringFilter",
           "v2.security_monitoring_filter_action" => "SecurityMonitoringFilterAction",
           "v2.security_monitoring_list_rules_response" => "SecurityMonitoringListRulesResponse",
+          "v2.security_monitoring_reference_table" => "SecurityMonitoringReferenceTable",
           "v2.security_monitoring_rule_case" => "SecurityMonitoringRuleCase",
           "v2.security_monitoring_rule_case_create" => "SecurityMonitoringRuleCaseCreate",
           "v2.security_monitoring_rule_convert_payload" => "SecurityMonitoringRuleConvertPayload",

lib/datadog_api_client/v2/models/security_monitoring_reference_table.rb

@@ -0,0 +1,145 @@
+=begin
+#Datadog API V2 Collection
+
+#Collection of all Datadog Public endpoints.
+
+The version of the OpenAPI document: 1.0
+Contact: support@datadoghq.com
+Generated by: https://github.com/DataDog/datadog-api-client-ruby/tree/master/.generator
+
+ Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License.
+ This product includes software developed at Datadog (https://www.datadoghq.com/).
+ Copyright 2020-Present Datadog, Inc.
+
+=end
+
+require 'date'
+require 'time'
+
+module DatadogAPIClient::V2
+  # Reference table for the rule.
+  class SecurityMonitoringReferenceTable
+    include BaseGenericModel
+
+    # Whether to include or exclude the matched values.
+    attr_accessor :check_presence
+
+    # The name of the column in the reference table.
+    attr_accessor :column_name
+
+    # The field in the log to match against the reference table.
+    attr_accessor :log_field_path
+
+    # The name of the rule query to apply the reference table to.
+    attr_accessor :rule_query_name
+
+    # The name of the reference table.
+    attr_accessor :table_name
+
+    attr_accessor :additional_properties
+
+    # Attribute mapping from ruby-style variable name to JSON key.
+    # @!visibility private
+    def self.attribute_map
+      {
+        :'check_presence' => :'checkPresence',
+        :'column_name' => :'columnName',
+        :'log_field_path' => :'logFieldPath',
+        :'rule_query_name' => :'ruleQueryName',
+        :'table_name' => :'tableName'
+      }
+    end
+
+    # Attribute type mapping.
+    # @!visibility private
+    def self.openapi_types
+      {
+        :'check_presence' => :'Boolean',
+        :'column_name' => :'String',
+        :'log_field_path' => :'String',
+        :'rule_query_name' => :'String',
+        :'table_name' => :'String'
+      }
+    end
+
+    # Initializes the object
+    # @param attributes [Hash] Model attributes in the form of hash
+    # @!visibility private
+    def initialize(attributes = {})
+      if (!attributes.is_a?(Hash))
+        fail ArgumentError, "The input argument (attributes) must be a hash in `DatadogAPIClient::V2::SecurityMonitoringReferenceTable` initialize method"
+      end
+
+      self.additional_properties = {}
+      # check to see if the attribute exists and convert string to symbol for hash key
+      attributes = attributes.each_with_object({}) { |(k, v), h|
+        if (!self.class.attribute_map.key?(k.to_sym))
+          self.additional_properties[k.to_sym] = v
+        else
+          h[k.to_sym] = v
+        end
+      }
+
+      if attributes.key?(:'check_presence')
+        self.check_presence = attributes[:'check_presence']
+      end
+
+      if attributes.key?(:'column_name')
+        self.column_name = attributes[:'column_name']
+      end
+
+      if attributes.key?(:'log_field_path')
+        self.log_field_path = attributes[:'log_field_path']
+      end
+
+      if attributes.key?(:'rule_query_name')
+        self.rule_query_name = attributes[:'rule_query_name']
+      end
+
+      if attributes.key?(:'table_name')
+        self.table_name = attributes[:'table_name']
+      end
+    end
+
+    # Returns the object in the form of hash, with additionalProperties support.
+    # @return [Hash] Returns the object in the form of hash
+    # @!visibility private
+    def to_hash
+      hash = {}
+      self.class.attribute_map.each_pair do |attr, param|
+        value = self.send(attr)
+        if value.nil?
+          is_nullable = self.class.openapi_nullable.include?(attr)
+          next if !is_nullable || (is_nullable && !instance_variable_defined?(:"@#{attr}"))
+        end
+
+        hash[param] = _to_hash(value)
+      end
+      self.additional_properties.each_pair do |attr, value|
+        hash[attr] = value
+      end
+      hash
+    end
+
+    # Checks equality by comparing each attribute.
+    # @param o [Object] Object to be compared
+    # @!visibility private
+    def ==(o)
+      return true if self.equal?(o)
+      self.class == o.class &&
+          check_presence == o.check_presence &&
+          column_name == o.column_name &&
+          log_field_path == o.log_field_path &&
+          rule_query_name == o.rule_query_name &&
+          table_name == o.table_name
+          additional_properties == o.additional_properties
+    end
+
+    # Calculates hash code according to all attributes.
+    # @return [Integer] Hash code
+    # @!visibility private
+    def hash
+      [check_presence, column_name, log_field_path, rule_query_name, table_name].hash
+    end
+  end
+end

lib/datadog_api_client/v2/models/security_monitoring_rule_update_payload.rb

@@ -48,6 +48,9 @@ class SecurityMonitoringRuleUpdatePayload
     # Queries for selecting logs which are part of the rule.
     attr_accessor :queries
 
+    # Reference tables for the rule.
+    attr_accessor :reference_tables
+
     # Tags for generated signals.
     attr_accessor :tags
 
@@ -72,6 +75,7 @@ def self.attribute_map
         :'name' => :'name',
         :'options' => :'options',
         :'queries' => :'queries',
+        :'reference_tables' => :'referenceTables',
         :'tags' => :'tags',
         :'third_party_cases' => :'thirdPartyCases',
         :'version' => :'version'
@@ -91,6 +95,7 @@ def self.openapi_types
         :'name' => :'String',
         :'options' => :'SecurityMonitoringRuleOptions',
         :'queries' => :'Array<SecurityMonitoringRuleQuery>',
+        :'reference_tables' => :'Array<SecurityMonitoringReferenceTable>',
         :'tags' => :'Array<String>',
         :'third_party_cases' => :'Array<SecurityMonitoringThirdPartyRuleCase>',
         :'version' => :'Integer'
@@ -157,6 +162,12 @@ def initialize(attributes = {})
         end
       end
 
+      if attributes.key?(:'reference_tables')
+        if (value = attributes[:'reference_tables']).is_a?(Array)
+          self.reference_tables = value
+        end
+      end
+
       if attributes.key?(:'tags')
         if (value = attributes[:'tags']).is_a?(Array)
           self.tags = value
@@ -227,6 +238,7 @@ def ==(o)
           name == o.name &&
           options == o.options &&
           queries == o.queries &&
+          reference_tables == o.reference_tables &&
           tags == o.tags &&
           third_party_cases == o.third_party_cases &&
           version == o.version
@@ -237,7 +249,7 @@ def ==(o)
     # @return [Integer] Hash code
     # @!visibility private
     def hash
-      [cases, compliance_signal_options, filters, has_extended_title, is_enabled, message, name, options, queries, tags, third_party_cases, version].hash
+      [cases, compliance_signal_options, filters, has_extended_title, is_enabled, message, name, options, queries, reference_tables, tags, third_party_cases, version].hash
     end
   end
 end