DataDog
diff --git a/‎.apigentools-info
+4-4 b/‎.apigentools-info
+4-4
diff --git a/‎.generator/schemas/v2/openapi.yaml
+92 b/‎.generator/schemas/v2/openapi.yaml
+92
diff --git a/‎cassettes/v2/Security-Monitoring_1187227211/Create-a-detection-rule-with-type-application_security-returns-OK-response_4179263030/frozen.json
+1 b/‎cassettes/v2/Security-Monitoring_1187227211/Create-a-detection-rule-with-type-application_security-returns-OK-response_4179263030/frozen.json
+1
diff --git a/‎cassettes/v2/Security-Monitoring_1187227211/Create-a-detection-rule-with-type-application_security-returns-OK-response_4179263030/recording.har
+110 b/‎cassettes/v2/Security-Monitoring_1187227211/Create-a-detection-rule-with-type-application_security-returns-OK-response_4179263030/recording.har
+110
diff --git a/‎examples/v2/security-monitoring/CreateSecurityMonitoringRule_1965169892.ts
+59 b/‎examples/v2/security-monitoring/CreateSecurityMonitoringRule_1965169892.ts
+59
diff --git a/‎features/v2/security_monitoring.feature
+10 b/‎features/v2/security_monitoring.feature
+10
diff --git a/‎packages/datadog-api-client-v2/index.ts
+3 b/‎packages/datadog-api-client-v2/index.ts
+3
diff --git a/‎packages/datadog-api-client-v2/models/JobDefinition.ts
+8 b/‎packages/datadog-api-client-v2/models/JobDefinition.ts
+8
@@ -4,13 +4,13 @@
     "spec_versions": {
         "v1": {
             "apigentools_version": "1.6.6",
-            "regenerated": "2025-02-10 19:09:32.740537",
-            "spec_repo_commit": "824f78a1"
+            "regenerated": "2025-02-11 09:59:40.774900",
+            "spec_repo_commit": "b980d49f"
         },
         "v2": {
             "apigentools_version": "1.6.6",
-            "regenerated": "2025-02-10 19:09:32.756088",
-            "spec_repo_commit": "824f78a1"
+            "regenerated": "2025-02-11 09:59:40.793035",
+            "spec_repo_commit": "b980d49f"
         }
     }
 }
@@ -15657,6 +15657,15 @@ components:
           example: 1729843470000
           format: int64
           type: integer
+        groupSignalsBy:
+          description: Additional grouping to perform on top of the existing groups
+            in the query section. Must be a subset of the existing groups.
+          example:
+          - service
+          items:
+            description: Field to group by.
+            type: string
+          type: array
         index:
           description: Index used to load the data.
           example: cloud_siem
@@ -24242,6 +24251,11 @@ components:
     SecurityMonitoringRuleCase:
       description: Case when signal is generated.
       properties:
+        actions:
+          description: Action to perform for each rule case.
+          items:
+            $ref: '#/components/schemas/SecurityMonitoringRuleCaseAction'
+          type: array
         condition:
           description: 'A rule case contains logical operations (`>`,`>=`, `&&`, `||`)
             to determine if a signal should be generated
@@ -24260,9 +24274,42 @@ components:
         status:
           $ref: '#/components/schemas/SecurityMonitoringRuleSeverity'
       type: object
+    SecurityMonitoringRuleCaseAction:
+      description: Action to perform when a signal is triggered. Only available for
+        Application Security rule type.
+      properties:
+        options:
+          $ref: '#/components/schemas/SecurityMonitoringRuleCaseActionOptions'
+        type:
+          $ref: '#/components/schemas/SecurityMonitoringRuleCaseActionType'
+      type: object
+    SecurityMonitoringRuleCaseActionOptions:
+      description: Options for the rule action
+      properties:
+        duration:
+          description: Duration of the action in seconds. 0 indicates no expiration.
+          example: 0
+          format: int64
+          minimum: 0
+          type: integer
+      type: object
+    SecurityMonitoringRuleCaseActionType:
+      description: The action type.
+      enum:
+      - block_ip
+      - block_user
+      type: string
+      x-enum-varnames:
+      - BLOCK_IP
+      - BLOCK_USER
     SecurityMonitoringRuleCaseCreate:
       description: Case when signal is generated.
       properties:
+        actions:
+          description: Action to perform for each rule case.
+          items:
+            $ref: '#/components/schemas/SecurityMonitoringRuleCaseAction'
+          type: array
         condition:
           description: 'A case contains logical operations (`>`,`>=`, `&&`, `||`)
             to determine if a signal should be generated
@@ -24724,6 +24771,15 @@ components:
           items:
             $ref: '#/components/schemas/SecurityMonitoringFilter'
           type: array
+        groupSignalsBy:
+          description: Additional grouping to perform on top of the existing groups
+            in the query section. Must be a subset of the existing groups.
+          example:
+          - service
+          items:
+            description: Field to group by.
+            type: string
+          type: array
         hasExtendedTitle:
           description: Whether the notifications include the triggering group-by values
             in their title.
@@ -25429,6 +25485,15 @@ components:
           items:
             $ref: '#/components/schemas/SecurityMonitoringFilter'
           type: array
+        groupSignalsBy:
+          description: Additional grouping to perform on top of the existing groups
+            in the query section. Must be a subset of the existing groups.
+          example:
+          - service
+          items:
+            description: Field to group by.
+            type: string
+          type: array
         hasExtendedTitle:
           description: Whether the notifications include the triggering group-by values
             in their title.
@@ -25501,6 +25566,15 @@ components:
           items:
             $ref: '#/components/schemas/SecurityMonitoringFilter'
           type: array
+        groupSignalsBy:
+          description: Additional grouping to perform on top of the existing groups
+            in the query section. Must be a subset of the existing groups.
+          example:
+          - service
+          items:
+            description: Field to group by.
+            type: string
+          type: array
         hasExtendedTitle:
           description: Whether the notifications include the triggering group-by values
             in their title.
@@ -25642,6 +25716,15 @@ components:
           items:
             $ref: '#/components/schemas/SecurityMonitoringFilter'
           type: array
+        groupSignalsBy:
+          description: Additional grouping to perform on top of the existing groups
+            in the query section. Must be a subset of the existing groups.
+          example:
+          - service
+          items:
+            description: Field to group by.
+            type: string
+          type: array
         hasExtendedTitle:
           description: Whether the notifications include the triggering group-by values
             in their title.
@@ -25719,6 +25802,15 @@ components:
           items:
             $ref: '#/components/schemas/SecurityMonitoringFilter'
           type: array
+        groupSignalsBy:
+          description: Additional grouping to perform on top of the existing groups
+            in the query section. Must be a subset of the existing groups.
+          example:
+          - service
+          items:
+            description: Field to group by.
+            type: string
+          type: array
         hasExtendedTitle:
           description: Whether the notifications include the triggering group-by values
             in their title.
 
@@ -0,0 +1 @@
+"2025-02-06T16:50:39.787Z"
@@ -0,0 +1,110 @@
+{
+  "log": {
+    "_recordingName": "Security Monitoring/Create a detection rule with type 'application_security 'returns \"OK\" response",
+    "creator": {
+      "comment": "persister:fs",
+      "name": "Polly.JS",
+      "version": "6.0.5"
+    },
+    "entries": [
+      {
+        "_id": "e25ba2dd2cd854ae985a97cf9b520975",
+        "_order": 0,
+        "cache": {},
+        "request": {
+          "bodySize": 656,
+          "cookies": [],
+          "headers": [
+            {
+              "_fromType": "array",
+              "name": "accept",
+              "value": "application/json"
+            },
+            {
+              "_fromType": "array",
+              "name": "content-type",
+              "value": "application/json"
+            }
+          ],
+          "headersSize": 588,
+          "httpVersion": "HTTP/1.1",
+          "method": "POST",
+          "postData": {
+            "mimeType": "application/json",
+            "params": [],
+            "text": "{\"cases\":[{\"actions\":[{\"options\":{\"duration\":900},\"type\":\"block_ip\"}],\"condition\":\"a > 100000\",\"name\":\"\",\"notifications\":[],\"status\":\"info\"}],\"filters\":[],\"groupSignalsBy\":[\"service\"],\"isEnabled\":true,\"message\":\"Test rule\",\"name\":\"Test-Create_a_detection_rule_with_type_application_security_returns_OK_response-1738860639_appsec_rule\",\"options\":{\"detectionMethod\":\"threshold\",\"evaluationWindow\":900,\"keepAlive\":3600,\"maxSignalDuration\":86400},\"queries\":[{\"aggregation\":\"count\",\"distinctFields\":[],\"groupByFields\":[\"service\",\"@http.client_ip\"],\"query\":\"@appsec.security_activity:business_logic.users.login.failure\"}],\"tags\":[],\"type\":\"application_security\"}"
+          },
+          "queryString": [],
+          "url": "https://api.datadoghq.com/api/v2/security_monitoring/rules"
+        },
+        "response": {
+          "bodySize": 1153,
+          "content": {
+            "mimeType": "application/json",
+            "size": 1153,
+            "text": "{\"name\":\"Test-Create_a_detection_rule_with_type_application_security_returns_OK_response-1738860639_appsec_rule\",\"createdAt\":1738860640426,\"isDefault\":false,\"isPartner\":false,\"isEnabled\":true,\"isBeta\":false,\"isDeleted\":false,\"isDeprecated\":false,\"queries\":[{\"query\":\"@appsec.security_activity:business_logic.users.login.failure\",\"groupByFields\":[\"service\",\"@http.client_ip\"],\"hasOptionalGroupByFields\":false,\"distinctFields\":[],\"aggregation\":\"count\",\"name\":\"\",\"dataSource\":\"app_sec_spans\"}],\"options\":{\"evaluationWindow\":900,\"detectionMethod\":\"threshold\",\"maxSignalDuration\":86400,\"keepAlive\":3600},\"cases\":[{\"name\":\"\",\"status\":\"info\",\"notifications\":[],\"condition\":\"a \\u003e 100000\",\"actions\":[{\"type\":\"block_ip\",\"options\":{\"duration\":900}}]}],\"message\":\"Test rule\",\"tags\":[],\"hasExtendedTitle\":false,\"type\":\"application_security\",\"filters\":[],\"version\":1,\"id\":\"rfn-h2v-udr\",\"blocking\":true,\"groupSignalsBy\":[\"service\"],\"casesActions\":[[{\"type\":\"block_ip\",\"options\":{\"duration\":900}}]],\"dependencies\":[\"business_logic.users.login.failure\"],\"metadata\":{\"entities\":null,\"sources\":null},\"creator\":{\"handle\":\"\",\"name\":\"\"},\"updater\":{\"handle\":\"\",\"name\":\"\"}}"
+          },
+          "cookies": [],
+          "headers": [
+            {
+              "name": "content-type",
+              "value": "application/json"
+            }
+          ],
+          "headersSize": 656,
+          "httpVersion": "HTTP/1.1",
+          "redirectURL": "",
+          "status": 200,
+          "statusText": "OK"
+        },
+        "startedDateTime": "2025-02-06T16:50:40.180Z",
+        "time": 287
+      },
+      {
+        "_id": "d0c7ee9e7178f2b7bb6ab84e899effed",
+        "_order": 0,
+        "cache": {},
+        "request": {
+          "bodySize": 0,
+          "cookies": [],
+          "headers": [
+            {
+              "_fromType": "array",
+              "name": "accept",
+              "value": "*/*"
+            }
+          ],
+          "headersSize": 536,
+          "httpVersion": "HTTP/1.1",
+          "method": "DELETE",
+          "queryString": [],
+          "url": "https://api.datadoghq.com/api/v2/security_monitoring/rules/rfn-h2v-udr"
+        },
+        "response": {
+          "bodySize": 36,
+          "content": {
+            "mimeType": "application/json",
+            "size": 36,
+            "text": "{\"status\":\"404\",\"title\":\"Not Found\"}"
+          },
+          "cookies": [],
+          "headers": [
+            {
+              "name": "content-type",
+              "value": "application/json"
+            }
+          ],
+          "headersSize": 654,
+          "httpVersion": "HTTP/1.1",
+          "redirectURL": "",
+          "status": 404,
+          "statusText": "Not Found"
+        },
+        "startedDateTime": "2025-02-06T16:50:40.475Z",
+        "time": 127
+      }
+    ],
+    "pages": [],
+    "version": "1.2"
+  }
+}
@@ -0,0 +1,59 @@
+/**
+ * Create a detection rule with type 'application_security 'returns "OK" response
+ */
+
+import { client, v2 } from "@datadog/datadog-api-client";
+
+const configuration = client.createConfiguration();
+const apiInstance = new v2.SecurityMonitoringApi(configuration);
+
+const params: v2.SecurityMonitoringApiCreateSecurityMonitoringRuleRequest = {
+  body: {
+    type: "application_security",
+    name: "Example-Security-Monitoring_appsec_rule",
+    queries: [
+      {
+        query: "@appsec.security_activity:business_logic.users.login.failure",
+        aggregation: "count",
+        groupByFields: ["service", "@http.client_ip"],
+        distinctFields: [],
+      },
+    ],
+    filters: [],
+    cases: [
+      {
+        name: "",
+        status: "info",
+        notifications: [],
+        condition: "a > 100000",
+        actions: [
+          {
+            type: "block_ip",
+            options: {
+              duration: 900,
+            },
+          },
+        ],
+      },
+    ],
+    options: {
+      keepAlive: 3600,
+      maxSignalDuration: 86400,
+      evaluationWindow: 900,
+      detectionMethod: "threshold",
+    },
+    isEnabled: true,
+    message: "Test rule",
+    tags: [],
+    groupSignalsBy: ["service"],
+  },
+};
+
+apiInstance
+  .createSecurityMonitoringRule(params)
+  .then((data: v2.SecurityMonitoringRuleResponse) => {
+    console.log(
+      "API called successfully. Returned data: " + JSON.stringify(data)
+    );
+  })
+  .catch((error: any) => console.error(error));
@@ -200,6 +200,16 @@ Feature: Security Monitoring
     And the response "options.detectionMethod" is equal to "third_party"
     And the response "thirdPartyCases[0].query" is equal to "status:error"
 
+  @skip-validation @team:DataDog/k9-cloud-security-platform
+  Scenario: Create a detection rule with type 'application_security 'returns "OK" response
+    Given new "CreateSecurityMonitoringRule" request
+    And body with value {"type":"application_security","name":"{{unique}}_appsec_rule","queries":[{"query":"@appsec.security_activity:business_logic.users.login.failure","aggregation":"count","groupByFields":["service","@http.client_ip"],"distinctFields":[]}],"filters":[],"cases":[{"name":"","status":"info","notifications":[],"condition":"a > 100000","actions":[{"type":"block_ip","options":{"duration":900}}]}],"options":{"keepAlive":3600,"maxSignalDuration":86400,"evaluationWindow":900,"detectionMethod":"threshold"},"isEnabled":true,"message":"Test rule","tags":[],"groupSignalsBy":["service"]}
+    When the request is sent
+    Then the response status is 200 OK
+    And the response "name" is equal to "{{ unique }}_appsec_rule"
+    And the response "type" is equal to "application_security"
+    And the response "message" is equal to "Test rule"
+
   @skip-validation @team:DataDog/k9-cloud-security-platform
   Scenario: Create a detection rule with type 'impossible_travel' returns "OK" response
     Given new "CreateSecurityMonitoringRule" request
 
@@ -2146,6 +2146,9 @@ export { SecurityMonitoringFilterAction } from "./models/SecurityMonitoringFilte
 export { SecurityMonitoringListRulesResponse } from "./models/SecurityMonitoringListRulesResponse";
 export { SecurityMonitoringReferenceTable } from "./models/SecurityMonitoringReferenceTable";
 export { SecurityMonitoringRuleCase } from "./models/SecurityMonitoringRuleCase";
+export { SecurityMonitoringRuleCaseAction } from "./models/SecurityMonitoringRuleCaseAction";
+export { SecurityMonitoringRuleCaseActionOptions } from "./models/SecurityMonitoringRuleCaseActionOptions";
+export { SecurityMonitoringRuleCaseActionType } from "./models/SecurityMonitoringRuleCaseActionType";
 export { SecurityMonitoringRuleCaseCreate } from "./models/SecurityMonitoringRuleCaseCreate";
 export { SecurityMonitoringRuleConvertPayload } from "./models/SecurityMonitoringRuleConvertPayload";
 export { SecurityMonitoringRuleConvertResponse } from "./models/SecurityMonitoringRuleConvertResponse";
 
@@ -28,6 +28,10 @@ export class JobDefinition {
    * Starting time of data analyzed by the job.
    */
   "from": number;
+  /**
+   * Additional grouping to perform on top of the existing groups in the query section. Must be a subset of the existing groups.
+   */
+  "groupSignalsBy"?: Array<string>;
   /**
    * Index used to load the data.
    */
@@ -100,6 +104,10 @@ export class JobDefinition {
       required: true,
       format: "int64",
     },
+    groupSignalsBy: {
+      baseName: "groupSignalsBy",
+      type: "Array<string>",
+    },
     index: {
       baseName: "index",
       type: "string",
Original file line number	Diff line number	Diff line change
`@@ -4,13 +4,13 @@`
`4`	`4`	`"spec_versions": {`
`5`	`5`	`"v1": {`
`6`	`6`	`"apigentools_version": "1.6.6",`
`7`		`- "regenerated": "2025-02-10 19:09:32.740537",`
`8`		`- "spec_repo_commit": "824f78a1"`
	`7`	`+ "regenerated": "2025-02-11 09:59:40.774900",`
	`8`	`+ "spec_repo_commit": "b980d49f"`
`9`	`9`	`},`
`10`	`10`	`"v2": {`
`11`	`11`	`"apigentools_version": "1.6.6",`
`12`		`- "regenerated": "2025-02-10 19:09:32.756088",`
`13`		`- "spec_repo_commit": "824f78a1"`
	`12`	`+ "regenerated": "2025-02-11 09:59:40.793035",`
	`13`	`+ "spec_repo_commit": "b980d49f"`
`14`	`14`	`}`
`15`	`15`	`}`
`16`	`16`	`}`