Add user behavior case actions in API spec

.apigentools-info

@@ -4,13 +4,13 @@
     "spec_versions": {
         "v1": {
             "apigentools_version": "1.6.6",
-            "regenerated": "2025-04-10 11:41:51.981428",
-            "spec_repo_commit": "7f98e0a9"
+            "regenerated": "2025-04-10 18:01:28.069893",
+            "spec_repo_commit": "c0a45137"
         },
         "v2": {
             "apigentools_version": "1.6.6",
-            "regenerated": "2025-04-10 11:41:52.001570",
-            "spec_repo_commit": "7f98e0a9"
+            "regenerated": "2025-04-10 18:01:28.087415",
+            "spec_repo_commit": "c0a45137"
         }
     }
 }

.generator/schemas/v2/openapi.yaml

@@ -27215,6 +27215,7 @@ components:
           $ref: '#/components/schemas/SecurityMonitoringRuleCaseActionType'
       type: object
     SecurityMonitoringRuleCaseActionOptions:
+      additionalProperties: {}
       description: Options for the rule action
       properties:
         duration:
@@ -27223,16 +27224,24 @@ components:
           format: int64
           minimum: 0
           type: integer
+        userBehaviorName:
+          $ref: '#/components/schemas/SecurityMonitoringRuleCaseActionOptionsUserBehaviorName'
       type: object
+    SecurityMonitoringRuleCaseActionOptionsUserBehaviorName:
+      description: Used with the case action of type 'user_behavior'. The value specified
+        in this field is applied as a risk tag to all users affected by the rule.
+      type: string
     SecurityMonitoringRuleCaseActionType:
       description: The action type.
       enum:
       - block_ip
       - block_user
+      - user_behavior
       type: string
       x-enum-varnames:
       - BLOCK_IP
       - BLOCK_USER
+      - USER_BEHAVIOR
     SecurityMonitoringRuleCaseCreate:
       description: Case when signal is generated.
       properties:

examples/v2_security-monitoring_CreateSecurityMonitoringRule_1965169892.rs

@@ -24,9 +24,19 @@ async fn main() {
             SecurityMonitoringStandardRuleCreatePayload::new(
                 vec![
                     SecurityMonitoringRuleCaseCreate::new(SecurityMonitoringRuleSeverity::INFO)
-                        .actions(vec![SecurityMonitoringRuleCaseAction::new()
-                            .options(SecurityMonitoringRuleCaseActionOptions::new().duration(900))
-                            .type_(SecurityMonitoringRuleCaseActionType::BLOCK_IP)])
+                        .actions(vec![
+                            SecurityMonitoringRuleCaseAction::new()
+                                .options(
+                                    SecurityMonitoringRuleCaseActionOptions::new().duration(900),
+                                )
+                                .type_(SecurityMonitoringRuleCaseActionType::BLOCK_IP),
+                            SecurityMonitoringRuleCaseAction::new()
+                                .options(
+                                    SecurityMonitoringRuleCaseActionOptions::new()
+                                        .user_behavior_name("behavior".to_string()),
+                                )
+                                .type_(SecurityMonitoringRuleCaseActionType::USER_BEHAVIOR),
+                        ])
                         .condition("a > 100000".to_string())
                         .name("".to_string())
                         .notifications(vec![]),

src/datadogV2/model/model_security_monitoring_rule_case_action_options.rs

@@ -14,6 +14,9 @@ pub struct SecurityMonitoringRuleCaseActionOptions {
     /// Duration of the action in seconds. 0 indicates no expiration.
     #[serde(rename = "duration")]
     pub duration: Option<i64>,
+    /// Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.
+    #[serde(rename = "userBehaviorName")]
+    pub user_behavior_name: Option<String>,
     #[serde(flatten)]
     pub additional_properties: std::collections::BTreeMap<String, serde_json::Value>,
     #[serde(skip)]
@@ -25,6 +28,7 @@ impl SecurityMonitoringRuleCaseActionOptions {
     pub fn new() -> SecurityMonitoringRuleCaseActionOptions {
         SecurityMonitoringRuleCaseActionOptions {
             duration: None,
+            user_behavior_name: None,
             additional_properties: std::collections::BTreeMap::new(),
             _unparsed: false,
         }
@@ -35,6 +39,11 @@ impl SecurityMonitoringRuleCaseActionOptions {
         self
     }
 
+    pub fn user_behavior_name(mut self, value: String) -> Self {
+        self.user_behavior_name = Some(value);
+        self
+    }
+
     pub fn additional_properties(
         mut self,
         value: std::collections::BTreeMap<String, serde_json::Value>,
@@ -68,6 +77,7 @@ impl<'de> Deserialize<'de> for SecurityMonitoringRuleCaseActionOptions {
                 M: MapAccess<'a>,
             {
                 let mut duration: Option<i64> = None;
+                let mut user_behavior_name: Option<String> = None;
                 let mut additional_properties: std::collections::BTreeMap<
                     String,
                     serde_json::Value,
@@ -82,6 +92,13 @@ impl<'de> Deserialize<'de> for SecurityMonitoringRuleCaseActionOptions {
                             }
                             duration = Some(serde_json::from_value(v).map_err(M::Error::custom)?);
                         }
+                        "userBehaviorName" => {
+                            if v.is_null() {
+                                continue;
+                            }
+                            user_behavior_name =
+                                Some(serde_json::from_value(v).map_err(M::Error::custom)?);
+                        }
                         &_ => {
                             if let Ok(value) = serde_json::from_value(v.clone()) {
                                 additional_properties.insert(k, value);
@@ -92,6 +109,7 @@ impl<'de> Deserialize<'de> for SecurityMonitoringRuleCaseActionOptions {
 
                 let content = SecurityMonitoringRuleCaseActionOptions {
                     duration,
+                    user_behavior_name,
                     additional_properties,
                     _unparsed,
                 };

src/datadogV2/model/model_security_monitoring_rule_case_action_type.rs

@@ -9,6 +9,7 @@ use serde::{Deserialize, Deserializer, Serialize, Serializer};
 pub enum SecurityMonitoringRuleCaseActionType {
     BLOCK_IP,
     BLOCK_USER,
+    USER_BEHAVIOR,
     UnparsedObject(crate::datadog::UnparsedObject),
 }
 
@@ -17,6 +18,7 @@ impl ToString for SecurityMonitoringRuleCaseActionType {
         match self {
             Self::BLOCK_IP => String::from("block_ip"),
             Self::BLOCK_USER => String::from("block_user"),
+            Self::USER_BEHAVIOR => String::from("user_behavior"),
             Self::UnparsedObject(v) => v.value.to_string(),
         }
     }
@@ -43,6 +45,7 @@ impl<'de> Deserialize<'de> for SecurityMonitoringRuleCaseActionType {
         Ok(match s.as_str() {
             "block_ip" => Self::BLOCK_IP,
             "block_user" => Self::BLOCK_USER,
+            "user_behavior" => Self::USER_BEHAVIOR,
             _ => Self::UnparsedObject(crate::datadog::UnparsedObject {
                 value: serde_json::Value::String(s.into()),
             }),

tests/scenarios/cassettes/v2/security_monitoring/Create-a-detection-rule-with-type-application-security-returns-OK-response.frozen

@@ -1 +1 @@
-2025-02-06T16:50:39.787Z
+2025-04-09T15:02:05.047Z

tests/scenarios/cassettes/v2/security_monitoring/Create-a-detection-rule-with-type-application-security-returns-OK-response.json

@@ -3,7 +3,7 @@
     {
       "request": {
         "body": {
-          "string": "{\"cases\":[{\"actions\":[{\"options\":{\"duration\":900},\"type\":\"block_ip\"}],\"condition\":\"a > 100000\",\"name\":\"\",\"notifications\":[],\"status\":\"info\"}],\"filters\":[],\"groupSignalsBy\":[\"service\"],\"isEnabled\":true,\"message\":\"Test rule\",\"name\":\"Test-Create_a_detection_rule_with_type_application_security_returns_OK_response-1738860639_appsec_rule\",\"options\":{\"detectionMethod\":\"threshold\",\"evaluationWindow\":900,\"keepAlive\":3600,\"maxSignalDuration\":86400},\"queries\":[{\"aggregation\":\"count\",\"distinctFields\":[],\"groupByFields\":[\"service\",\"@http.client_ip\"],\"query\":\"@appsec.security_activity:business_logic.users.login.failure\"}],\"tags\":[],\"type\":\"application_security\"}",
+          "string": "{\"cases\":[{\"actions\":[{\"options\":{\"duration\":900},\"type\":\"block_ip\"},{\"options\":{\"userBehaviorName\":\"behavior\"},\"type\":\"user_behavior\"}],\"condition\":\"a > 100000\",\"name\":\"\",\"notifications\":[],\"status\":\"info\"}],\"filters\":[],\"groupSignalsBy\":[\"service\"],\"isEnabled\":true,\"message\":\"Test rule\",\"name\":\"Test-Create_a_detection_rule_with_type_application_security_returns_OK_response-1744210925_appsec_rule\",\"options\":{\"detectionMethod\":\"threshold\",\"evaluationWindow\":900,\"keepAlive\":3600,\"maxSignalDuration\":86400},\"queries\":[{\"aggregation\":\"count\",\"distinctFields\":[],\"groupByFields\":[\"service\",\"@http.client_ip\"],\"query\":\"@appsec.security_activity:business_logic.users.login.failure\"}],\"tags\":[],\"type\":\"application_security\"}",
           "encoding": null
         },
         "headers": {
@@ -19,7 +19,7 @@
       },
       "response": {
         "body": {
-          "string": "{\"name\":\"Test-Create_a_detection_rule_with_type_application_security_returns_OK_response-1738860639_appsec_rule\",\"createdAt\":1738860640426,\"isDefault\":false,\"isPartner\":false,\"isEnabled\":true,\"isBeta\":false,\"isDeleted\":false,\"isDeprecated\":false,\"queries\":[{\"query\":\"@appsec.security_activity:business_logic.users.login.failure\",\"groupByFields\":[\"service\",\"@http.client_ip\"],\"hasOptionalGroupByFields\":false,\"distinctFields\":[],\"aggregation\":\"count\",\"name\":\"\",\"dataSource\":\"app_sec_spans\"}],\"options\":{\"evaluationWindow\":900,\"detectionMethod\":\"threshold\",\"maxSignalDuration\":86400,\"keepAlive\":3600},\"cases\":[{\"name\":\"\",\"status\":\"info\",\"notifications\":[],\"condition\":\"a \\u003e 100000\",\"actions\":[{\"type\":\"block_ip\",\"options\":{\"duration\":900}}]}],\"message\":\"Test rule\",\"tags\":[],\"hasExtendedTitle\":false,\"type\":\"application_security\",\"filters\":[],\"version\":1,\"id\":\"rfn-h2v-udr\",\"blocking\":true,\"groupSignalsBy\":[\"service\"],\"casesActions\":[[{\"type\":\"block_ip\",\"options\":{\"duration\":900}}]],\"dependencies\":[\"business_logic.users.login.failure\"],\"metadata\":{\"entities\":null,\"sources\":null},\"creator\":{\"handle\":\"\",\"name\":\"\"},\"updater\":{\"handle\":\"\",\"name\":\"\"}}",
+          "string": "{\"name\":\"Test-Create_a_detection_rule_with_type_application_security_returns_OK_response-1744210925_appsec_rule\",\"createdAt\":1744210925675,\"isDefault\":false,\"isPartner\":false,\"isEnabled\":true,\"isBeta\":false,\"isDeleted\":false,\"isDeprecated\":false,\"queries\":[{\"query\":\"@appsec.security_activity:business_logic.users.login.failure\",\"groupByFields\":[\"service\",\"@http.client_ip\"],\"hasOptionalGroupByFields\":false,\"distinctFields\":[],\"aggregation\":\"count\",\"name\":\"\",\"dataSource\":\"app_sec_spans\"}],\"options\":{\"evaluationWindow\":900,\"detectionMethod\":\"threshold\",\"maxSignalDuration\":86400,\"keepAlive\":3600},\"cases\":[{\"name\":\"\",\"status\":\"info\",\"notifications\":[],\"condition\":\"a \\u003e 100000\",\"actions\":[{\"type\":\"block_ip\",\"options\":{\"duration\":900}},{\"type\":\"user_behavior\",\"options\":{\"userBehaviorName\":\"behavior\"}}]}],\"message\":\"Test rule\",\"tags\":[],\"hasExtendedTitle\":false,\"type\":\"application_security\",\"filters\":[],\"version\":1,\"id\":\"lfr-zxg-fyc\",\"blocking\":true,\"groupSignalsBy\":[\"service\"],\"dependencies\":[\"business_logic.users.login.failure\"],\"metadata\":{\"entities\":null,\"sources\":null},\"creationAuthorId\":2320499,\"creator\":{\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"name\":\"CI Account\"},\"updater\":{\"handle\":\"\",\"name\":\"\"}}",
           "encoding": null
         },
         "headers": {
@@ -32,7 +32,7 @@
           "message": "OK"
         }
       },
-      "recorded_at": "Thu, 06 Feb 2025 16:50:39 GMT"
+      "recorded_at": "Wed, 09 Apr 2025 15:02:05 GMT"
     },
     {
       "request": {
@@ -43,24 +43,20 @@
           ]
         },
         "method": "delete",
-        "uri": "https://api.datadoghq.com/api/v2/security_monitoring/rules/rfn-h2v-udr"
+        "uri": "https://api.datadoghq.com/api/v2/security_monitoring/rules/lfr-zxg-fyc"
       },
       "response": {
         "body": {
-          "string": "{\"status\":\"404\",\"title\":\"Not Found\"}",
+          "string": "",
           "encoding": null
         },
-        "headers": {
-          "Content-Type": [
-            "application/json"
-          ]
-        },
+        "headers": {},
         "status": {
-          "code": 404,
-          "message": "Not Found"
+          "code": 204,
+          "message": "No Content"
         }
       },
-      "recorded_at": "Thu, 06 Feb 2025 16:50:39 GMT"
+      "recorded_at": "Wed, 09 Apr 2025 15:02:05 GMT"
     }
   ],
   "recorded_with": "VCR 6.0.0"

tests/scenarios/features/v2/security_monitoring.feature

@@ -203,7 +203,7 @@ Feature: Security Monitoring
   @skip-validation @team:DataDog/k9-cloud-security-platform
   Scenario: Create a detection rule with type 'application_security 'returns "OK" response
     Given new "CreateSecurityMonitoringRule" request
-    And body with value {"type":"application_security","name":"{{unique}}_appsec_rule","queries":[{"query":"@appsec.security_activity:business_logic.users.login.failure","aggregation":"count","groupByFields":["service","@http.client_ip"],"distinctFields":[]}],"filters":[],"cases":[{"name":"","status":"info","notifications":[],"condition":"a > 100000","actions":[{"type":"block_ip","options":{"duration":900}}]}],"options":{"keepAlive":3600,"maxSignalDuration":86400,"evaluationWindow":900,"detectionMethod":"threshold"},"isEnabled":true,"message":"Test rule","tags":[],"groupSignalsBy":["service"]}
+    And body with value {"type":"application_security","name":"{{unique}}_appsec_rule","queries":[{"query":"@appsec.security_activity:business_logic.users.login.failure","aggregation":"count","groupByFields":["service","@http.client_ip"],"distinctFields":[]}],"filters":[],"cases":[{"name":"","status":"info","notifications":[],"condition":"a > 100000","actions":[{"type":"block_ip","options":{"duration":900}}, {"type":"user_behavior","options":{"userBehaviorName":"behavior"}}]}],"options":{"keepAlive":3600,"maxSignalDuration":86400,"evaluationWindow":900,"detectionMethod":"threshold"},"isEnabled":true,"message":"Test rule","tags":[],"groupSignalsBy":["service"]}
     When the request is sent
     Then the response status is 200 OK
     And the response "name" is equal to "{{ unique }}_appsec_rule"