From 6d6d8ae95a6581bd9210c323dfa8329afd781976 Mon Sep 17 00:00:00 2001 
From: "ci.datadog-api-spec" Date: Tue, 30 Jun 2026 15:04:46 +0000 Subject: [PATCH] Regenerate client from commit 6526c87 of spec repo --- .generator/schemas/v2/openapi.yaml | 49 +- .../ValidatePipeline_3345949653.java | 104 ++++ .../ValidatePipeline_3928499240.java | 106 ++++ ...servabilityPipelineParseGrokProcessor.java | 54 +- ...PipelineParseGrokProcessorIncludeRule.java | 242 ++++++++ ...ityPipelineParseGrokProcessorRuleItem.java | 329 +++++++++++ ...r_include_rules_returns_OK_response.freeze | 1 + ...sor_include_rules_returns_OK_response.json | 32 ++ ...or_source_rules_returns_OK_response.freeze | 1 + ...ssor_source_rules_returns_OK_response.json | 32 ++ .../client/v1/api/security_monitoring.feature | 18 +- .../v2/api/observability_pipelines.feature | 16 + .../client/v2/api/security_monitoring.feature | 522 +++++++++--------- 13 files changed, 1224 insertions(+), 282 deletions(-) create mode 100644 examples/v2/observability-pipelines/ValidatePipeline_3345949653.java create mode 100644 examples/v2/observability-pipelines/ValidatePipeline_3928499240.java create mode 100644 src/main/java/com/datadog/api/client/v2/model/ObservabilityPipelineParseGrokProcessorIncludeRule.java create mode 100644 src/main/java/com/datadog/api/client/v2/model/ObservabilityPipelineParseGrokProcessorRuleItem.java create mode 100644 src/test/resources/cassettes/features/v2/Validate_an_observability_pipeline_with_parse_grok_processor_include_rules_returns_OK_response.freeze create mode 100644 src/test/resources/cassettes/features/v2/Validate_an_observability_pipeline_with_parse_grok_processor_include_rules_returns_OK_response.json create mode 100644 src/test/resources/cassettes/features/v2/Validate_an_observability_pipeline_with_parse_grok_processor_source_rules_returns_OK_response.freeze create mode 100644 src/test/resources/cassettes/features/v2/Validate_an_observability_pipeline_with_parse_grok_processor_source_rules_returns_OK_response.json 
diff --git a/.generator/schemas/v2/openapi.yaml b/.generator/schemas/v2/openapi.yaml index 2b56734419e..56e26f54ef5 100644 --- a/.generator/schemas/v2/openapi.yaml +++ b/.generator/schemas/v2/openapi.yaml @@ -67693,6 +67693,10 @@ components: The `parse_grok` processor extracts structured fields from unstructured log messages using Grok patterns. **Supported pipeline types:** logs + example: + id: "parse-grok-processor" + include: "service:my-service" + type: "parse_grok" properties: disable_library_rules: default: false @@ -67705,6 +67709,11 @@ components: description: Indicates whether the processor is enabled. example: true type: boolean + field: + default: "message" + description: The log field to parse with the Grok rules. + example: "message" + type: string id: description: A unique identifier for this processor. example: "parse-grok-processor" @@ -67714,9 +67723,9 @@ components: example: "service:my-service" type: string rules: - description: The list of Grok parsing rules. If multiple matching rules are provided, they are evaluated in order. The first successful match is applied. + description: The list of Grok parsing rules selected by either source field or include query. items: - $ref: "#/components/schemas/ObservabilityPipelineParseGrokProcessorRule" + $ref: "#/components/schemas/ObservabilityPipelineParseGrokProcessorRuleItem" type: array type: $ref: "#/components/schemas/ObservabilityPipelineParseGrokProcessorType" 
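Review bot: The schema-level `example` added in the first hunk lists only `id`, `include` and `type`, but the processor's `required` list includes `enabled` (visible as `- enabled` at the start of the next hunk) and the generated constructor marks `rules` as `required = true`, so the example does not validate against its own schema and any tooling that renders or checks examples will show an incomplete processor; adding `enabled: true` and a one-item `rules` entry would make it self-consistent. In the second hunk the new `field` property defaults to `message`, while a source-selected rule still carries its own required `source`, and neither description says how the two relate when both are present; the `field` description should state which one wins, for example by appending `Rules that specify their own source parse that field instead.` if that is the intended behaviour. The third hunk's new `rules` description ("selected by either source field or include query") would then read unambiguously.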
@@ -67728,6 +67737,37 @@ components: - enabled type: object x-pipeline-types: [logs] + ObservabilityPipelineParseGrokProcessorIncludeRule: + description: |- + A Grok parsing rule selected using the `include` query. Each rule defines how to extract structured fields + from logs matching a Datadog search query. + properties: + include: + description: A Datadog search query used to determine which logs this Grok rule targets. + example: "service:my-service" + type: string + match_rules: + description: |- + A list of Grok parsing rules that define how to extract fields from matching logs. + Each rule must contain a name and a valid Grok pattern. + example: + - name: "MyParsingRule" + rule: '%{word:user} connected on %{date("MM/dd/yyyy"):date}' + items: + $ref: "#/components/schemas/ObservabilityPipelineParseGrokProcessorRuleMatchRule" + type: array + support_rules: + description: A list of Grok helper rules that can be referenced by the parsing rules. + example: + - name: "user" + rule: "%{word:user.name}" + items: + $ref: "#/components/schemas/ObservabilityPipelineParseGrokProcessorRuleSupportRule" + type: array + required: + - include + - match_rules + type: object ObservabilityPipelineParseGrokProcessorRule: description: |- A Grok parsing rule used in the `parse_grok` processor. Each rule defines how to extract structured fields @@ -67760,6 +67800,11 @@ components: - source - match_rules type: object + ObservabilityPipelineParseGrokProcessorRuleItem: + description: A single Grok parsing rule, selected by either source field or include query. + oneOf: + - $ref: "#/components/schemas/ObservabilityPipelineParseGrokProcessorRule" + - $ref: "#/components/schemas/ObservabilityPipelineParseGrokProcessorIncludeRule" ObservabilityPipelineParseGrokProcessorRuleMatchRule: description: |- Defines a Grok parsing rule, which extracts structured fields from log content using named Grok patterns. 
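Review bot: `ObservabilityPipelineParseGrokProcessorRuleItem` in the second hunk is a `oneOf` with no `discriminator`, and its two branches differ only in which selector key is required (`source` versus `include`); both are `type: object` with required `match_rules` and optional `support_rules`. A rule object carrying both `source` and `include` therefore satisfies both branches unless the `Rule` schema sets `additionalProperties: false`, which is not visible here, and the generated client-side deserializer (which tries each alternative in turn and counts matches) cannot pick one, so server and client may disagree on how such a payload is parsed. Either make the branches mutually exclusive, e.g. `not: { required: [include] }` on the source rule and the converse on the include rule, or state in the `RuleItem` description which selector takes precedence. The `Rule` schema's header lies outside the first hunk; only the tail of its `required` list is visible.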
diff --git a/examples/v2/observability-pipelines/ValidatePipeline_3345949653.java b/examples/v2/observability-pipelines/ValidatePipeline_3345949653.java
new file mode 100644
index 00000000000..bdc7cfec015
--- /dev/null
+++ b/examples/v2/observability-pipelines/ValidatePipeline_3345949653.java
@@ -0,0 +1,104 @@ +// Validate an observability pipeline with parse grok processor source rules returns "OK" response + +import com.datadog.api.client.ApiClient; +import com.datadog.api.client.ApiException; +import com.datadog.api.client.v2.api.ObservabilityPipelinesApi; +import com.datadog.api.client.v2.model.ObservabilityPipelineConfig; +import com.datadog.api.client.v2.model.ObservabilityPipelineConfigDestinationItem; +import com.datadog.api.client.v2.model.ObservabilityPipelineConfigProcessorGroup; +import com.datadog.api.client.v2.model.ObservabilityPipelineConfigProcessorItem; +import com.datadog.api.client.v2.model.ObservabilityPipelineConfigSourceItem; +import com.datadog.api.client.v2.model.ObservabilityPipelineDataAttributes; +import com.datadog.api.client.v2.model.ObservabilityPipelineDatadogAgentSource; +import com.datadog.api.client.v2.model.ObservabilityPipelineDatadogAgentSourceType; +import com.datadog.api.client.v2.model.ObservabilityPipelineDatadogLogsDestination; +import com.datadog.api.client.v2.model.ObservabilityPipelineDatadogLogsDestinationType; +import com.datadog.api.client.v2.model.ObservabilityPipelineParseGrokProcessor; +import com.datadog.api.client.v2.model.ObservabilityPipelineParseGrokProcessorRule; +import com.datadog.api.client.v2.model.ObservabilityPipelineParseGrokProcessorRuleItem; +import com.datadog.api.client.v2.model.ObservabilityPipelineParseGrokProcessorRuleMatchRule; +import com.datadog.api.client.v2.model.ObservabilityPipelineParseGrokProcessorType; +import com.datadog.api.client.v2.model.ObservabilityPipelineSpec; +import com.datadog.api.client.v2.model.ObservabilityPipelineSpecData; +import com.datadog.api.client.v2.model.ValidationResponse; +import java.util.Collections; + +public class Example { + public static void main(String[] args) { + ApiClient defaultClient = ApiClient.getDefaultApiClient(); + ObservabilityPipelinesApi apiInstance = new ObservabilityPipelinesApi(defaultClient); + + ObservabilityPipelineSpec 
body = + new ObservabilityPipelineSpec() + .data( + new ObservabilityPipelineSpecData() + .attributes( + new ObservabilityPipelineDataAttributes() + .config( + new ObservabilityPipelineConfig() + .destinations( + Collections.singletonList( + new ObservabilityPipelineConfigDestinationItem( + new ObservabilityPipelineDatadogLogsDestination() + .id("datadog-logs-destination") + .inputs( + Collections.singletonList( + "my-processor-group")) + .type( + ObservabilityPipelineDatadogLogsDestinationType + .DATADOG_LOGS)))) + .processorGroups( + Collections.singletonList( + new ObservabilityPipelineConfigProcessorGroup() + .enabled(true) + .id("my-processor-group") + .include("service:my-service") + .inputs( + Collections.singletonList( + "datadog-agent-source")) + .processors( + Collections.singletonList( + new ObservabilityPipelineConfigProcessorItem( + new ObservabilityPipelineParseGrokProcessor() + .enabled(true) + .id("parse-grok-processor") + .include("*") + .type( + ObservabilityPipelineParseGrokProcessorType + .PARSE_GROK) + .rules( + Collections.singletonList( + new ObservabilityPipelineParseGrokProcessorRuleItem( + new ObservabilityPipelineParseGrokProcessorRule() + .source("message") + .matchRules( + Collections + .singletonList( + new ObservabilityPipelineParseGrokProcessorRuleMatchRule() + .name( + "MyParsingRule") + .rule( + "%{word:user}"))))))))))) + .sources( + Collections.singletonList( + new ObservabilityPipelineConfigSourceItem( + new ObservabilityPipelineDatadogAgentSource() + .id("datadog-agent-source") + .type( + ObservabilityPipelineDatadogAgentSourceType + .DATADOG_AGENT))))) + .name("Pipeline with Parse Grok Source Rules")) + .type("pipelines")); + + try { + ValidationResponse result = apiInstance.validatePipeline(body); + System.out.println(result); + } catch (ApiException e) { + System.err.println("Exception when calling ObservabilityPipelinesApi#validatePipeline"); + System.err.println("Status code: " + e.getCode()); + System.err.println("Reason: 
" + e.getResponseBody()); + System.err.println("Response headers: " + e.getResponseHeaders()); + e.printStackTrace(); + } + } +} diff --git a/examples/v2/observability-pipelines/ValidatePipeline_3928499240.java b/examples/v2/observability-pipelines/ValidatePipeline_3928499240.java new file mode 100644 index 00000000000..04316fdea6b --- /dev/null +++ b/examples/v2/observability-pipelines/ValidatePipeline_3928499240.java 
@@ -0,0 +1,106 @@ +// Validate an observability pipeline with parse grok processor include rules returns "OK" response + +import com.datadog.api.client.ApiClient; +import com.datadog.api.client.ApiException; +import com.datadog.api.client.v2.api.ObservabilityPipelinesApi; +import com.datadog.api.client.v2.model.ObservabilityPipelineConfig; +import com.datadog.api.client.v2.model.ObservabilityPipelineConfigDestinationItem; +import com.datadog.api.client.v2.model.ObservabilityPipelineConfigProcessorGroup; +import com.datadog.api.client.v2.model.ObservabilityPipelineConfigProcessorItem; +import com.datadog.api.client.v2.model.ObservabilityPipelineConfigSourceItem; +import com.datadog.api.client.v2.model.ObservabilityPipelineDataAttributes; +import com.datadog.api.client.v2.model.ObservabilityPipelineDatadogAgentSource; +import com.datadog.api.client.v2.model.ObservabilityPipelineDatadogAgentSourceType; +import com.datadog.api.client.v2.model.ObservabilityPipelineDatadogLogsDestination; +import com.datadog.api.client.v2.model.ObservabilityPipelineDatadogLogsDestinationType; +import com.datadog.api.client.v2.model.ObservabilityPipelineParseGrokProcessor; +import com.datadog.api.client.v2.model.ObservabilityPipelineParseGrokProcessorIncludeRule; +import com.datadog.api.client.v2.model.ObservabilityPipelineParseGrokProcessorRuleItem; +import com.datadog.api.client.v2.model.ObservabilityPipelineParseGrokProcessorRuleMatchRule; +import com.datadog.api.client.v2.model.ObservabilityPipelineParseGrokProcessorType; +import com.datadog.api.client.v2.model.ObservabilityPipelineSpec; +import com.datadog.api.client.v2.model.ObservabilityPipelineSpecData; +import com.datadog.api.client.v2.model.ValidationResponse; +import java.util.Collections; + +public class Example { + public static void main(String[] args) { + ApiClient defaultClient = ApiClient.getDefaultApiClient(); + ObservabilityPipelinesApi apiInstance = new ObservabilityPipelinesApi(defaultClient); + + 
ObservabilityPipelineSpec body = + new ObservabilityPipelineSpec() + .data( + new ObservabilityPipelineSpecData() + .attributes( + new ObservabilityPipelineDataAttributes() + .config( + new ObservabilityPipelineConfig() + .destinations( + Collections.singletonList( + new ObservabilityPipelineConfigDestinationItem( + new ObservabilityPipelineDatadogLogsDestination() + .id("datadog-logs-destination") + .inputs( + Collections.singletonList( + "my-processor-group")) + .type( + ObservabilityPipelineDatadogLogsDestinationType + .DATADOG_LOGS)))) + .processorGroups( + Collections.singletonList( + new ObservabilityPipelineConfigProcessorGroup() + .enabled(true) + .id("my-processor-group") + .include("service:my-service") + .inputs( + Collections.singletonList( + "datadog-agent-source")) + .processors( + Collections.singletonList( + new ObservabilityPipelineConfigProcessorItem( + new ObservabilityPipelineParseGrokProcessor() + .enabled(true) + .id("parse-grok-processor") + .include("*") + .type( + ObservabilityPipelineParseGrokProcessorType + .PARSE_GROK) + .field("content") + .rules( + Collections.singletonList( + new ObservabilityPipelineParseGrokProcessorRuleItem( + new ObservabilityPipelineParseGrokProcessorIncludeRule() + .include( + "service:foo") + .matchRules( + Collections + .singletonList( + new ObservabilityPipelineParseGrokProcessorRuleMatchRule() + .name( + "MyParsingRule") + .rule( + "%{word:user}"))))))))))) + .sources( + Collections.singletonList( + new ObservabilityPipelineConfigSourceItem( + new ObservabilityPipelineDatadogAgentSource() + .id("datadog-agent-source") + .type( + ObservabilityPipelineDatadogAgentSourceType + .DATADOG_AGENT))))) + .name("Pipeline with Parse Grok Include Rules")) + .type("pipelines")); + + try { + ValidationResponse result = apiInstance.validatePipeline(body); + System.out.println(result); + } catch (ApiException e) { + System.err.println("Exception when calling ObservabilityPipelinesApi#validatePipeline"); + 
System.err.println("Status code: " + e.getCode()); + System.err.println("Reason: " + e.getResponseBody()); + System.err.println("Response headers: " + e.getResponseHeaders()); + e.printStackTrace(); + } + } +} diff --git a/src/main/java/com/datadog/api/client/v2/model/ObservabilityPipelineParseGrokProcessor.java b/src/main/java/com/datadog/api/client/v2/model/ObservabilityPipelineParseGrokProcessor.java index b78feb5c58d..bf33fb9b6e1 100644 --- a/src/main/java/com/datadog/api/client/v2/model/ObservabilityPipelineParseGrokProcessor.java +++ b/src/main/java/com/datadog/api/client/v2/model/ObservabilityPipelineParseGrokProcessor.java @@ -29,6 +29,7 @@ ObservabilityPipelineParseGrokProcessor.JSON_PROPERTY_DISABLE_LIBRARY_RULES, ObservabilityPipelineParseGrokProcessor.JSON_PROPERTY_DISPLAY_NAME, ObservabilityPipelineParseGrokProcessor.JSON_PROPERTY_ENABLED, + ObservabilityPipelineParseGrokProcessor.JSON_PROPERTY_FIELD, ObservabilityPipelineParseGrokProcessor.JSON_PROPERTY_ID, ObservabilityPipelineParseGrokProcessor.JSON_PROPERTY_INCLUDE, ObservabilityPipelineParseGrokProcessor.JSON_PROPERTY_RULES, @@ -47,6 +48,9 @@ public class ObservabilityPipelineParseGrokProcessor { public static final String JSON_PROPERTY_ENABLED = "enabled"; private Boolean enabled; + public static final String JSON_PROPERTY_FIELD = "field"; + private String field = "message"; + public static final String JSON_PROPERTY_ID = "id"; private String id; @@ -54,7 +58,7 @@ public class ObservabilityPipelineParseGrokProcessor { private String include; public static final String JSON_PROPERTY_RULES = "rules"; - private List rules = new ArrayList<>(); + private List rules = new ArrayList<>(); public static final String JSON_PROPERTY_TYPE = "type"; private ObservabilityPipelineParseGrokProcessorType type = 
@@ -68,7 +72,7 @@ public ObservabilityPipelineParseGrokProcessor( @JsonProperty(required = true, value = JSON_PROPERTY_ID) String id, @JsonProperty(required = true, value = JSON_PROPERTY_INCLUDE) String include, @JsonProperty(required = true, value = JSON_PROPERTY_RULES) - List rules, + List rules, @JsonProperty(required = true, value = JSON_PROPERTY_TYPE) ObservabilityPipelineParseGrokProcessorType type) { this.enabled = enabled; @@ -141,6 +145,27 @@ public void setEnabled(Boolean enabled) { this.enabled = enabled; } + public ObservabilityPipelineParseGrokProcessor field(String field) { + this.field = field; + return this; + } + + /** + * The log field to parse with the Grok rules. + * + * @return field + */ + @jakarta.annotation.Nullable + @JsonProperty(JSON_PROPERTY_FIELD) + @JsonInclude(value = JsonInclude.Include.USE_DEFAULTS) + public String getField() { + return field; + } + + public void setField(String field) { + this.field = field; + } + public ObservabilityPipelineParseGrokProcessor id(String id) { this.id = id; return this; 
@@ -182,34 +207,33 @@ public void setInclude(String include) { } public ObservabilityPipelineParseGrokProcessor rules( - List rules) { + List rules) { this.rules = rules; - for (ObservabilityPipelineParseGrokProcessorRule item : rules) { + for (ObservabilityPipelineParseGrokProcessorRuleItem item : rules) { this.unparsed |= item.unparsed; } return this; } public ObservabilityPipelineParseGrokProcessor addRulesItem( - ObservabilityPipelineParseGrokProcessorRule rulesItem) { + ObservabilityPipelineParseGrokProcessorRuleItem rulesItem) { this.rules.add(rulesItem); this.unparsed |= rulesItem.unparsed; return this; } /** - * The list of Grok parsing rules. If multiple matching rules are provided, they are evaluated in - * order. The first successful match is applied. + * The list of Grok parsing rules selected by either source field or include query. * * @return rules */ @JsonProperty(JSON_PROPERTY_RULES) @JsonInclude(value = JsonInclude.Include.ALWAYS) - public List getRules() { + public List getRules() { return rules; } - public void setRules(List rules) { + public void setRules(List rules) { this.rules = rules; } @@ -299,6 +323,7 @@ public boolean equals(Object o) { this.disableLibraryRules, observabilityPipelineParseGrokProcessor.disableLibraryRules) && Objects.equals(this.displayName, observabilityPipelineParseGrokProcessor.displayName) && Objects.equals(this.enabled, observabilityPipelineParseGrokProcessor.enabled) + && Objects.equals(this.field, observabilityPipelineParseGrokProcessor.field) && Objects.equals(this.id, observabilityPipelineParseGrokProcessor.id) && Objects.equals(this.include, observabilityPipelineParseGrokProcessor.include) && Objects.equals(this.rules, observabilityPipelineParseGrokProcessor.rules) 
@@ -311,7 +336,15 @@ public boolean equals(Object o) { @Override public int hashCode() { return Objects.hash( - disableLibraryRules, displayName, enabled, id, include, rules, type, additionalProperties); + disableLibraryRules, + displayName, + enabled, + field, + id, + include, + rules, + type, + additionalProperties); } @Override @@ -323,6 +356,7 @@ public String toString() { .append("\n"); sb.append(" displayName: ").append(toIndentedString(displayName)).append("\n"); sb.append(" enabled: ").append(toIndentedString(enabled)).append("\n"); + sb.append(" field: ").append(toIndentedString(field)).append("\n"); sb.append(" id: ").append(toIndentedString(id)).append("\n"); sb.append(" include: ").append(toIndentedString(include)).append("\n"); sb.append(" rules: ").append(toIndentedString(rules)).append("\n"); diff --git a/src/main/java/com/datadog/api/client/v2/model/ObservabilityPipelineParseGrokProcessorIncludeRule.java b/src/main/java/com/datadog/api/client/v2/model/ObservabilityPipelineParseGrokProcessorIncludeRule.java new file mode 100644 index 00000000000..ae3b35a1b0f --- /dev/null +++ b/src/main/java/com/datadog/api/client/v2/model/ObservabilityPipelineParseGrokProcessorIncludeRule.java 
@@ -0,0 +1,242 @@ +/* + * Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. + * This product includes software developed at Datadog (https://www.datadoghq.com/). + * Copyright 2019-Present Datadog, Inc. + */ + +package com.datadog.api.client.v2.model; + +import com.fasterxml.jackson.annotation.JsonAnyGetter; +import com.fasterxml.jackson.annotation.JsonAnySetter; +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.annotation.JsonIgnore; +import com.fasterxml.jackson.annotation.JsonInclude; +import com.fasterxml.jackson.annotation.JsonProperty; +import com.fasterxml.jackson.annotation.JsonPropertyOrder; +import java.util.ArrayList; +import java.util.HashMap; +import java.util.List; +import java.util.Map; +import java.util.Objects; + +/** + * A Grok parsing rule selected using the include query. Each rule defines how to + * extract structured fields from logs matching a Datadog search query. + */ +@JsonPropertyOrder({ + ObservabilityPipelineParseGrokProcessorIncludeRule.JSON_PROPERTY_INCLUDE, + ObservabilityPipelineParseGrokProcessorIncludeRule.JSON_PROPERTY_MATCH_RULES, + ObservabilityPipelineParseGrokProcessorIncludeRule.JSON_PROPERTY_SUPPORT_RULES +}) +@jakarta.annotation.Generated( + value = "https://github.com/DataDog/datadog-api-client-java/blob/master/.generator") +public class ObservabilityPipelineParseGrokProcessorIncludeRule { + @JsonIgnore public boolean unparsed = false; + public static final String JSON_PROPERTY_INCLUDE = "include"; + private String include; + + public static final String JSON_PROPERTY_MATCH_RULES = "match_rules"; + private List matchRules = new ArrayList<>(); + + public static final String JSON_PROPERTY_SUPPORT_RULES = "support_rules"; + private List supportRules = null; + + public ObservabilityPipelineParseGrokProcessorIncludeRule() {} + + @JsonCreator + public ObservabilityPipelineParseGrokProcessorIncludeRule( + @JsonProperty(required = true, 
value = JSON_PROPERTY_INCLUDE) String include, + @JsonProperty(required = true, value = JSON_PROPERTY_MATCH_RULES) + List matchRules) { + this.include = include; + this.matchRules = matchRules; + } + + public ObservabilityPipelineParseGrokProcessorIncludeRule include(String include) { + this.include = include; + return this; + } + + /** + * A Datadog search query used to determine which logs this Grok rule targets. + * + * @return include + */ + @JsonProperty(JSON_PROPERTY_INCLUDE) + @JsonInclude(value = JsonInclude.Include.ALWAYS) + public String getInclude() { + return include; + } + + public void setInclude(String include) { + this.include = include; + } + + public ObservabilityPipelineParseGrokProcessorIncludeRule matchRules( + List matchRules) { + this.matchRules = matchRules; + for (ObservabilityPipelineParseGrokProcessorRuleMatchRule item : matchRules) { + this.unparsed |= item.unparsed; + } + return this; + } + + public ObservabilityPipelineParseGrokProcessorIncludeRule addMatchRulesItem( + ObservabilityPipelineParseGrokProcessorRuleMatchRule matchRulesItem) { + this.matchRules.add(matchRulesItem); + this.unparsed |= matchRulesItem.unparsed; + return this; + } + + /** + * A list of Grok parsing rules that define how to extract fields from matching logs. Each rule + * must contain a name and a valid Grok pattern. 
+ * + * @return matchRules + */ + @JsonProperty(JSON_PROPERTY_MATCH_RULES) + @JsonInclude(value = JsonInclude.Include.ALWAYS) + public List getMatchRules() { + return matchRules; + } + + public void setMatchRules(List matchRules) { + this.matchRules = matchRules; + } + + public ObservabilityPipelineParseGrokProcessorIncludeRule supportRules( + List supportRules) { + this.supportRules = supportRules; + for (ObservabilityPipelineParseGrokProcessorRuleSupportRule item : supportRules) { + this.unparsed |= item.unparsed; + } + return this; + } + + public ObservabilityPipelineParseGrokProcessorIncludeRule addSupportRulesItem( + ObservabilityPipelineParseGrokProcessorRuleSupportRule supportRulesItem) { + if (this.supportRules == null) { + this.supportRules = new ArrayList<>(); + } + this.supportRules.add(supportRulesItem); + this.unparsed |= supportRulesItem.unparsed; + return this; + } + + /** + * A list of Grok helper rules that can be referenced by the parsing rules. + * + * @return supportRules + */ + @jakarta.annotation.Nullable + @JsonProperty(JSON_PROPERTY_SUPPORT_RULES) + @JsonInclude(value = JsonInclude.Include.USE_DEFAULTS) + public List getSupportRules() { + return supportRules; + } + + public void setSupportRules( + List supportRules) { + this.supportRules = supportRules; + } + + /** + * A container for additional, undeclared properties. This is a holder for any undeclared + * properties as specified with the 'additionalProperties' keyword in the OAS document. + */ + private Map additionalProperties; + + /** + * Set the additional (undeclared) property with the specified name and value. If the property + * does not already exist, create it otherwise replace it. 
+ * + * @param key The arbitrary key to set + * @param value The associated value + * @return ObservabilityPipelineParseGrokProcessorIncludeRule + */ + @JsonAnySetter + public ObservabilityPipelineParseGrokProcessorIncludeRule putAdditionalProperty( + String key, Object value) { + if (this.additionalProperties == null) { + this.additionalProperties = new HashMap(); + } + this.additionalProperties.put(key, value); + return this; + } + + /** + * Return the additional (undeclared) property. + * + * @return The additional properties + */ + @JsonAnyGetter + public Map getAdditionalProperties() { + return additionalProperties; + } + + /** + * Return the additional (undeclared) property with the specified name. + * + * @param key The arbitrary key to get + * @return The specific additional property for the given key + */ + public Object getAdditionalProperty(String key) { + if (this.additionalProperties == null) { + return null; + } + return this.additionalProperties.get(key); + } + + /** + * Return true if this ObservabilityPipelineParseGrokProcessorIncludeRule object is equal to o. 
+ */ + @Override + public boolean equals(Object o) { + if (this == o) { + return true; + } + if (o == null || getClass() != o.getClass()) { + return false; + } + ObservabilityPipelineParseGrokProcessorIncludeRule + observabilityPipelineParseGrokProcessorIncludeRule = + (ObservabilityPipelineParseGrokProcessorIncludeRule) o; + return Objects.equals(this.include, observabilityPipelineParseGrokProcessorIncludeRule.include) + && Objects.equals( + this.matchRules, observabilityPipelineParseGrokProcessorIncludeRule.matchRules) + && Objects.equals( + this.supportRules, observabilityPipelineParseGrokProcessorIncludeRule.supportRules) + && Objects.equals( + this.additionalProperties, + observabilityPipelineParseGrokProcessorIncludeRule.additionalProperties); + } + + @Override + public int hashCode() { + return Objects.hash(include, matchRules, supportRules, additionalProperties); + } + + @Override + public String toString() { + StringBuilder sb = new StringBuilder(); + sb.append("class ObservabilityPipelineParseGrokProcessorIncludeRule {\n"); + sb.append(" include: ").append(toIndentedString(include)).append("\n"); + sb.append(" matchRules: ").append(toIndentedString(matchRules)).append("\n"); + sb.append(" supportRules: ").append(toIndentedString(supportRules)).append("\n"); + sb.append(" additionalProperties: ") + .append(toIndentedString(additionalProperties)) + .append("\n"); + sb.append('}'); + return sb.toString(); + } + + /** + * Convert the given object to string with each line indented by 4 spaces (except the first line). + */ + private String toIndentedString(Object o) { + if (o == null) { + return "null"; + } + return o.toString().replace("\n", "\n "); + } +} diff --git a/src/main/java/com/datadog/api/client/v2/model/ObservabilityPipelineParseGrokProcessorRuleItem.java b/src/main/java/com/datadog/api/client/v2/model/ObservabilityPipelineParseGrokProcessorRuleItem.java new file mode 100644 index 00000000000..d0a4eed51fe --- /dev/null 
+++ b/src/main/java/com/datadog/api/client/v2/model/ObservabilityPipelineParseGrokProcessorRuleItem.java 
@@ -0,0 +1,329 @@ +/* + * Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. + * This product includes software developed at Datadog (https://www.datadoghq.com/). + * Copyright 2019-Present Datadog, Inc. + */ + +package com.datadog.api.client.v2.model; + +import com.datadog.api.client.AbstractOpenApiSchema; +import com.datadog.api.client.JSON; +import com.datadog.api.client.UnparsedObject; +import com.fasterxml.jackson.annotation.JsonIgnore; +import com.fasterxml.jackson.core.JsonGenerator; +import com.fasterxml.jackson.core.JsonParser; +import com.fasterxml.jackson.core.JsonProcessingException; +import com.fasterxml.jackson.core.JsonToken; +import com.fasterxml.jackson.core.type.TypeReference; +import com.fasterxml.jackson.databind.DeserializationContext; +import com.fasterxml.jackson.databind.JsonMappingException; +import com.fasterxml.jackson.databind.JsonNode; +import com.fasterxml.jackson.databind.MapperFeature; +import com.fasterxml.jackson.databind.ObjectMapper; +import com.fasterxml.jackson.databind.SerializerProvider; +import com.fasterxml.jackson.databind.annotation.JsonDeserialize; +import com.fasterxml.jackson.databind.annotation.JsonSerialize; +import com.fasterxml.jackson.databind.deser.std.StdDeserializer; +import com.fasterxml.jackson.databind.ser.std.StdSerializer; +import jakarta.ws.rs.core.GenericType; +import java.io.IOException; +import java.util.Collections; +import java.util.HashMap; +import java.util.HashSet; +import java.util.Map; +import java.util.logging.Level; +import java.util.logging.Logger; + +@jakarta.annotation.Generated( + value = "https://github.com/DataDog/datadog-api-client-java/blob/master/.generator") +@JsonDeserialize( + using = + ObservabilityPipelineParseGrokProcessorRuleItem + .ObservabilityPipelineParseGrokProcessorRuleItemDeserializer.class) +@JsonSerialize( + using = + ObservabilityPipelineParseGrokProcessorRuleItem + 
.ObservabilityPipelineParseGrokProcessorRuleItemSerializer.class) +public class ObservabilityPipelineParseGrokProcessorRuleItem extends AbstractOpenApiSchema { + private static final Logger log = + Logger.getLogger(ObservabilityPipelineParseGrokProcessorRuleItem.class.getName()); + + @JsonIgnore public boolean unparsed = false; + + public static class ObservabilityPipelineParseGrokProcessorRuleItemSerializer + extends StdSerializer { + public ObservabilityPipelineParseGrokProcessorRuleItemSerializer( + Class t) { + super(t); + } + + public ObservabilityPipelineParseGrokProcessorRuleItemSerializer() { + this(null); + } + + @Override + public void serialize( + ObservabilityPipelineParseGrokProcessorRuleItem value, + JsonGenerator jgen, + SerializerProvider provider) + throws IOException, JsonProcessingException { + jgen.writeObject(value.getActualInstance()); + } + } + + public static class ObservabilityPipelineParseGrokProcessorRuleItemDeserializer + extends StdDeserializer { + public ObservabilityPipelineParseGrokProcessorRuleItemDeserializer() { + this(ObservabilityPipelineParseGrokProcessorRuleItem.class); + } + + public ObservabilityPipelineParseGrokProcessorRuleItemDeserializer(Class vc) { + super(vc); + } + + @Override + public ObservabilityPipelineParseGrokProcessorRuleItem deserialize( + JsonParser jp, DeserializationContext ctxt) throws IOException, JsonProcessingException { + JsonNode tree = jp.readValueAsTree(); + Object deserialized = null; + Object tmp = null; + boolean typeCoercion = ctxt.isEnabled(MapperFeature.ALLOW_COERCION_OF_SCALARS); + int match = 0; + JsonToken token = tree.traverse(jp.getCodec()).nextToken(); + // deserialize ObservabilityPipelineParseGrokProcessorRule + try { + boolean attemptParsing = true; + // ensure that we respect type coercion as set on the client ObjectMapper + if (ObservabilityPipelineParseGrokProcessorRule.class.equals(Integer.class) + || ObservabilityPipelineParseGrokProcessorRule.class.equals(Long.class) + || 
ObservabilityPipelineParseGrokProcessorRule.class.equals(Float.class) + || ObservabilityPipelineParseGrokProcessorRule.class.equals(Double.class) + || ObservabilityPipelineParseGrokProcessorRule.class.equals(Boolean.class) + || ObservabilityPipelineParseGrokProcessorRule.class.equals(String.class)) { + attemptParsing = typeCoercion; + if (!attemptParsing) { + attemptParsing |= + ((ObservabilityPipelineParseGrokProcessorRule.class.equals(Integer.class) + || ObservabilityPipelineParseGrokProcessorRule.class.equals(Long.class)) + && token == JsonToken.VALUE_NUMBER_INT); + attemptParsing |= + ((ObservabilityPipelineParseGrokProcessorRule.class.equals(Float.class) + || ObservabilityPipelineParseGrokProcessorRule.class.equals(Double.class)) + && (token == JsonToken.VALUE_NUMBER_FLOAT + || token == JsonToken.VALUE_NUMBER_INT)); + attemptParsing |= + (ObservabilityPipelineParseGrokProcessorRule.class.equals(Boolean.class) + && (token == JsonToken.VALUE_FALSE || token == JsonToken.VALUE_TRUE)); + attemptParsing |= + (ObservabilityPipelineParseGrokProcessorRule.class.equals(String.class) + && token == JsonToken.VALUE_STRING); + } + } + if (attemptParsing) { + tmp = + tree.traverse(jp.getCodec()) + .readValueAs(ObservabilityPipelineParseGrokProcessorRule.class); + // TODO: there is no validation against JSON schema constraints + // (min, max, enum, pattern...), this does not perform a strict JSON + // validation, which means the 'match' count may be higher than it should be. 
+ if (!((ObservabilityPipelineParseGrokProcessorRule) tmp).unparsed) { + deserialized = tmp; + match++; + } + log.log( + Level.FINER, + "Input data matches schema 'ObservabilityPipelineParseGrokProcessorRule'"); + } + } catch (Exception e) { + // deserialization failed, continue + log.log( + Level.FINER, + "Input data does not match schema 'ObservabilityPipelineParseGrokProcessorRule'", + e); + } + + // deserialize ObservabilityPipelineParseGrokProcessorIncludeRule + try { + boolean attemptParsing = true; + // ensure that we respect type coercion as set on the client ObjectMapper + if (ObservabilityPipelineParseGrokProcessorIncludeRule.class.equals(Integer.class) + || ObservabilityPipelineParseGrokProcessorIncludeRule.class.equals(Long.class) + || ObservabilityPipelineParseGrokProcessorIncludeRule.class.equals(Float.class) + || ObservabilityPipelineParseGrokProcessorIncludeRule.class.equals(Double.class) + || ObservabilityPipelineParseGrokProcessorIncludeRule.class.equals(Boolean.class) + || ObservabilityPipelineParseGrokProcessorIncludeRule.class.equals(String.class)) { + attemptParsing = typeCoercion; + if (!attemptParsing) { + attemptParsing |= + ((ObservabilityPipelineParseGrokProcessorIncludeRule.class.equals(Integer.class) + || ObservabilityPipelineParseGrokProcessorIncludeRule.class.equals( + Long.class)) + && token == JsonToken.VALUE_NUMBER_INT); + attemptParsing |= + ((ObservabilityPipelineParseGrokProcessorIncludeRule.class.equals(Float.class) + || ObservabilityPipelineParseGrokProcessorIncludeRule.class.equals( + Double.class)) + && (token == JsonToken.VALUE_NUMBER_FLOAT + || token == JsonToken.VALUE_NUMBER_INT)); + attemptParsing |= + (ObservabilityPipelineParseGrokProcessorIncludeRule.class.equals(Boolean.class) + && (token == JsonToken.VALUE_FALSE || token == JsonToken.VALUE_TRUE)); + attemptParsing |= + (ObservabilityPipelineParseGrokProcessorIncludeRule.class.equals(String.class) + && token == JsonToken.VALUE_STRING); + } + } + if (attemptParsing) { 
+ tmp = + tree.traverse(jp.getCodec()) + .readValueAs(ObservabilityPipelineParseGrokProcessorIncludeRule.class); + // TODO: there is no validation against JSON schema constraints + // (min, max, enum, pattern...), this does not perform a strict JSON + // validation, which means the 'match' count may be higher than it should be. + if (!((ObservabilityPipelineParseGrokProcessorIncludeRule) tmp).unparsed) { + deserialized = tmp; + match++; + } + log.log( + Level.FINER, + "Input data matches schema 'ObservabilityPipelineParseGrokProcessorIncludeRule'"); + } + } catch (Exception e) { + // deserialization failed, continue + log.log( + Level.FINER, + "Input data does not match schema 'ObservabilityPipelineParseGrokProcessorIncludeRule'", + e); + } + + ObservabilityPipelineParseGrokProcessorRuleItem ret = + new ObservabilityPipelineParseGrokProcessorRuleItem(); + if (match == 1) { + ret.setActualInstance(deserialized); + } else { + Map res = + new ObjectMapper() + .readValue( + tree.traverse(jp.getCodec()).readValueAsTree().toString(), + new TypeReference>() {}); + ret.setActualInstance(new UnparsedObject(res)); + } + return ret; + } + + /** Handle deserialization of the 'null' value. 
*/ + @Override + public ObservabilityPipelineParseGrokProcessorRuleItem getNullValue(DeserializationContext ctxt) + throws JsonMappingException { + throw new JsonMappingException( + ctxt.getParser(), "ObservabilityPipelineParseGrokProcessorRuleItem cannot be null"); + } + } + + // store a list of schema names defined in oneOf + public static final Map schemas = new HashMap(); + + public ObservabilityPipelineParseGrokProcessorRuleItem() { + super("oneOf", Boolean.FALSE); + } + + public ObservabilityPipelineParseGrokProcessorRuleItem( + ObservabilityPipelineParseGrokProcessorRule o) { + super("oneOf", Boolean.FALSE); + setActualInstance(o); + } + + public ObservabilityPipelineParseGrokProcessorRuleItem( + ObservabilityPipelineParseGrokProcessorIncludeRule o) { + super("oneOf", Boolean.FALSE); + setActualInstance(o); + } + + static { + schemas.put( + "ObservabilityPipelineParseGrokProcessorRule", + new GenericType() {}); + schemas.put( + "ObservabilityPipelineParseGrokProcessorIncludeRule", + new GenericType() {}); + JSON.registerDescendants( + ObservabilityPipelineParseGrokProcessorRuleItem.class, + Collections.unmodifiableMap(schemas)); + } + + @Override + public Map getSchemas() { + return ObservabilityPipelineParseGrokProcessorRuleItem.schemas; + } + + /** + * Set the instance that matches the oneOf child schema, check the instance parameter is valid + * against the oneOf child schemas: ObservabilityPipelineParseGrokProcessorRule, + * ObservabilityPipelineParseGrokProcessorIncludeRule + * + *

It could be an instance of the 'oneOf' schemas. The oneOf child schemas may themselves be a + * composed schema (allOf, anyOf, oneOf). + */ + @Override + public void setActualInstance(Object instance) { + if (JSON.isInstanceOf( + ObservabilityPipelineParseGrokProcessorRule.class, instance, new HashSet>())) { + super.setActualInstance(instance); + return; + } + if (JSON.isInstanceOf( + ObservabilityPipelineParseGrokProcessorIncludeRule.class, + instance, + new HashSet>())) { + super.setActualInstance(instance); + return; + } + + if (JSON.isInstanceOf(UnparsedObject.class, instance, new HashSet>())) { + super.setActualInstance(instance); + return; + } + throw new RuntimeException( + "Invalid instance type. Must be ObservabilityPipelineParseGrokProcessorRule," + + " ObservabilityPipelineParseGrokProcessorIncludeRule"); + } + + /** + * Get the actual instance, which can be the following: + * ObservabilityPipelineParseGrokProcessorRule, ObservabilityPipelineParseGrokProcessorIncludeRule + * + * @return The actual instance (ObservabilityPipelineParseGrokProcessorRule, + * ObservabilityPipelineParseGrokProcessorIncludeRule) + */ + @Override + public Object getActualInstance() { + return super.getActualInstance(); + } + + /** + * Get the actual instance of `ObservabilityPipelineParseGrokProcessorRule`. If the actual + * instance is not `ObservabilityPipelineParseGrokProcessorRule`, the ClassCastException will be + * thrown. + * + * @return The actual instance of `ObservabilityPipelineParseGrokProcessorRule` + * @throws ClassCastException if the instance is not `ObservabilityPipelineParseGrokProcessorRule` + */ + public ObservabilityPipelineParseGrokProcessorRule + getObservabilityPipelineParseGrokProcessorRule() throws ClassCastException { + return (ObservabilityPipelineParseGrokProcessorRule) super.getActualInstance(); + } + + /** + * Get the actual instance of `ObservabilityPipelineParseGrokProcessorIncludeRule`. 
If the actual + * instance is not `ObservabilityPipelineParseGrokProcessorIncludeRule`, the ClassCastException + * will be thrown. + * + * @return The actual instance of `ObservabilityPipelineParseGrokProcessorIncludeRule` + * @throws ClassCastException if the instance is not + * `ObservabilityPipelineParseGrokProcessorIncludeRule` + */ + public ObservabilityPipelineParseGrokProcessorIncludeRule + getObservabilityPipelineParseGrokProcessorIncludeRule() throws ClassCastException { + return (ObservabilityPipelineParseGrokProcessorIncludeRule) super.getActualInstance(); + } +} diff --git a/src/test/resources/cassettes/features/v2/Validate_an_observability_pipeline_with_parse_grok_processor_include_rules_returns_OK_response.freeze b/src/test/resources/cassettes/features/v2/Validate_an_observability_pipeline_with_parse_grok_processor_include_rules_returns_OK_response.freeze new file mode 100644 index 00000000000..985fe4f60ae --- /dev/null +++ b/src/test/resources/cassettes/features/v2/Validate_an_observability_pipeline_with_parse_grok_processor_include_rules_returns_OK_response.freeze @@ -0,0 +1 @@ +2026-06-29T20:01:05.978Z \ No newline at end of file diff --git a/src/test/resources/cassettes/features/v2/Validate_an_observability_pipeline_with_parse_grok_processor_include_rules_returns_OK_response.json b/src/test/resources/cassettes/features/v2/Validate_an_observability_pipeline_with_parse_grok_processor_include_rules_returns_OK_response.json new file mode 100644 index 00000000000..2d0834165e1 --- /dev/null +++ b/src/test/resources/cassettes/features/v2/Validate_an_observability_pipeline_with_parse_grok_processor_include_rules_returns_OK_response.json 
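Review bot: The fallback branch after the two parse attempts (`if (match == 1) { ... } else { ... }`) treats "no schema matched" and "both schemas matched" identically, wrapping the input in `UnparsedObject` with no diagnostic, so a rule item that carries both `include` and `source` keys would be silently degraded rather than reported. A `log.log(Level.FINER, "Input data matched " + match + " of the oneOf schemas for ObservabilityPipelineParseGrokProcessorRuleItem");` in the else branch would make the ambiguity visible; whether the two child classes actually accept each other's payload depends on their required-field handling, which is outside this hunk. The same branch also builds a `new ObjectMapper()` per call and re-parses `tree` by round-tripping it through `toString()`, which bypasses whatever configuration the client's own mapper carries; `tree.traverse(jp.getCodec()).readValueAs(new TypeReference<Map<String, Object>>() {})` would keep the caller's codec in effect. `setActualInstance` throws a bare `RuntimeException` for an unsupported type where `IllegalArgumentException` is the conventional choice; since the file is generator output, these belong in the template rather than in this file.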
@@ -0,0 +1,32 @@ +[ + { + "httpRequest": { + "body": { + "type": "JSON", + "json": "{\"data\":{\"attributes\":{\"config\":{\"destinations\":[{\"id\":\"datadog-logs-destination\",\"inputs\":[\"my-processor-group\"],\"type\":\"datadog_logs\"}],\"processor_groups\":[{\"enabled\":true,\"id\":\"my-processor-group\",\"include\":\"service:my-service\",\"inputs\":[\"datadog-agent-source\"],\"processors\":[{\"enabled\":true,\"field\":\"content\",\"id\":\"parse-grok-processor\",\"include\":\"*\",\"rules\":[{\"include\":\"service:foo\",\"match_rules\":[{\"name\":\"MyParsingRule\",\"rule\":\"%{word:user}\"}]}],\"type\":\"parse_grok\"}]}],\"sources\":[{\"id\":\"datadog-agent-source\",\"type\":\"datadog_agent\"}]},\"name\":\"Pipeline with Parse Grok Include Rules\"},\"type\":\"pipelines\"}}" + }, + "headers": {}, + "method": "POST", + "path": "/api/v2/obs-pipelines/pipelines/validate", + "keepAlive": false, + "secure": true + }, + "httpResponse": { + "body": "{\"errors\":[]}\n", + "headers": { + "Content-Type": [ + "application/vnd.api+json" + ] + }, + "statusCode": 200, + "reasonPhrase": "OK" + }, + "times": { + "remainingTimes": 1 + }, + "timeToLive": { + "unlimited": true + }, + "id": "b8062fd7-f4ed-ed7f-70d1-6663f84d35bf" + } +] \ No newline at end of file diff --git a/src/test/resources/cassettes/features/v2/Validate_an_observability_pipeline_with_parse_grok_processor_source_rules_returns_OK_response.freeze b/src/test/resources/cassettes/features/v2/Validate_an_observability_pipeline_with_parse_grok_processor_source_rules_returns_OK_response.freeze new file mode 100644 index 00000000000..4db9a90b937 --- /dev/null +++ b/src/test/resources/cassettes/features/v2/Validate_an_observability_pipeline_with_parse_grok_processor_source_rules_returns_OK_response.freeze @@ -0,0 +1 @@ +2026-06-29T18:24:15.839Z \ No newline at end of file 
diff --git a/src/test/resources/cassettes/features/v2/Validate_an_observability_pipeline_with_parse_grok_processor_source_rules_returns_OK_response.json b/src/test/resources/cassettes/features/v2/Validate_an_observability_pipeline_with_parse_grok_processor_source_rules_returns_OK_response.json new file mode 100644 index 00000000000..18cd691c843 --- /dev/null +++ b/src/test/resources/cassettes/features/v2/Validate_an_observability_pipeline_with_parse_grok_processor_source_rules_returns_OK_response.json @@ -0,0 +1,32 @@ +[ + { + "httpRequest": { + "body": { + "type": "JSON", + "json": "{\"data\":{\"attributes\":{\"config\":{\"destinations\":[{\"id\":\"datadog-logs-destination\",\"inputs\":[\"my-processor-group\"],\"type\":\"datadog_logs\"}],\"processor_groups\":[{\"enabled\":true,\"id\":\"my-processor-group\",\"include\":\"service:my-service\",\"inputs\":[\"datadog-agent-source\"],\"processors\":[{\"enabled\":true,\"id\":\"parse-grok-processor\",\"include\":\"*\",\"rules\":[{\"match_rules\":[{\"name\":\"MyParsingRule\",\"rule\":\"%{word:user}\"}],\"source\":\"message\"}],\"type\":\"parse_grok\"}]}],\"sources\":[{\"id\":\"datadog-agent-source\",\"type\":\"datadog_agent\"}]},\"name\":\"Pipeline with Parse Grok Source Rules\"},\"type\":\"pipelines\"}}" + }, + "headers": {}, + "method": "POST", + "path": "/api/v2/obs-pipelines/pipelines/validate", + "keepAlive": false, + "secure": true + }, + "httpResponse": { + "body": "{\"errors\":[]}\n", + "headers": { + "Content-Type": [ + "application/vnd.api+json" + ] + }, + "statusCode": 200, + "reasonPhrase": "OK" + }, + "times": { + "remainingTimes": 1 + }, + "timeToLive": { + "unlimited": true + }, + "id": "bca7a00b-7717-b67f-4393-6397923b1e3c" + } +] \ No newline at end of file diff --git a/src/test/resources/com/datadog/api/client/v1/api/security_monitoring.feature b/src/test/resources/com/datadog/api/client/v1/api/security_monitoring.feature index ce9090d171e..34fddb3dc12 100644 
--- a/src/test/resources/com/datadog/api/client/v1/api/security_monitoring.feature +++ b/src/test/resources/com/datadog/api/client/v1/api/security_monitoring.feature @@ -9,7 +9,7 @@ Feature: Security Monitoring And a valid "appKeyAuth" key in the system And an instance of "SecurityMonitoring" API - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Add a security signal to an incident returns "Bad Request" response Given new "AddSecurityMonitoringSignalToIncident" request And request contains "signal_id" parameter from "REPLACE.ME" @@ -17,7 +17,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 400 Bad Request - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Add a security signal to an incident returns "Not Found" response Given new "AddSecurityMonitoringSignalToIncident" request And request contains "signal_id" parameter from "REPLACE.ME" @@ -25,7 +25,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 404 Not Found - @replay-only @team:DataDog/cloud-siem + @replay-only @team:DataDog/k9-cloud-siem Scenario: Add a security signal to an incident returns "OK" response Given new "AddSecurityMonitoringSignalToIncident" request And request contains "signal_id" parameter with value "AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE" @@ -34,7 +34,7 @@ Feature: Security Monitoring Then the response status is 200 OK And the response "status" is equal to "done" - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Change the triage state of a security signal returns "Bad Request" response Given new "EditSecurityMonitoringSignalState" request And request contains "signal_id" parameter from "REPLACE.ME" 
@@ -42,7 +42,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 400 Bad Request - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Change the triage state of a security signal returns "Not Found" response Given new "EditSecurityMonitoringSignalState" request And request contains "signal_id" parameter from "REPLACE.ME" @@ -50,7 +50,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 404 Not Found - @replay-only @team:DataDog/cloud-siem + @replay-only @team:DataDog/k9-cloud-siem Scenario: Change the triage state of a security signal returns "OK" response Given new "EditSecurityMonitoringSignalState" request And request contains "signal_id" parameter with value "AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE" @@ -59,7 +59,7 @@ Feature: Security Monitoring Then the response status is 200 OK And the response "status" is equal to "done" - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Modify the triage assignee of a security signal returns "Bad Request" response Given new "EditSecurityMonitoringSignalAssignee" request And request contains "signal_id" parameter from "REPLACE.ME" @@ -67,7 +67,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 400 Bad Request - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Modify the triage assignee of a security signal returns "Not Found" response Given new "EditSecurityMonitoringSignalAssignee" request And request contains "signal_id" parameter from "REPLACE.ME" 
@@ -75,7 +75,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 404 Not Found - @replay-only @team:DataDog/cloud-siem + @replay-only @team:DataDog/k9-cloud-siem Scenario: Modify the triage assignee of a security signal returns "OK" response Given new "EditSecurityMonitoringSignalAssignee" request And request contains "signal_id" parameter with value "AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE" diff --git a/src/test/resources/com/datadog/api/client/v2/api/observability_pipelines.feature b/src/test/resources/com/datadog/api/client/v2/api/observability_pipelines.feature index e42bbd7b033..8aa6ef36159 100644 --- a/src/test/resources/com/datadog/api/client/v2/api/observability_pipelines.feature +++ b/src/test/resources/com/datadog/api/client/v2/api/observability_pipelines.feature 
@@ -295,6 +295,22 @@ Feature: Observability Pipelines Then the response status is 200 OK And the response "errors" has length 0 + @team:DataDog/observability-pipelines + Scenario: Validate an observability pipeline with parse grok processor include rules returns "OK" response + Given new "ValidatePipeline" request + And body with value {"data": {"attributes": {"config": {"destinations": [{"id": "datadog-logs-destination", "inputs": ["my-processor-group"], "type": "datadog_logs"}], "processor_groups": [{"enabled": true, "id": "my-processor-group", "include": "service:my-service", "inputs": ["datadog-agent-source"], "processors": [{"enabled": true, "id": "parse-grok-processor", "include": "*", "type": "parse_grok", "field": "content", "rules": [{"include": "service:foo", "match_rules": [{"name": "MyParsingRule", "rule": "%{word:user}"}]}]}]}], "sources": [{"id": "datadog-agent-source", "type": "datadog_agent"}]}, "name": "Pipeline with Parse Grok Include Rules"}, "type": "pipelines"}} + When the request is sent + Then the response status is 200 OK + And the response "errors" has length 0 + + @team:DataDog/observability-pipelines + Scenario: Validate an observability pipeline with parse grok processor source rules returns "OK" response + Given new "ValidatePipeline" request + And body with value {"data": {"attributes": {"config": {"destinations": [{"id": "datadog-logs-destination", "inputs": ["my-processor-group"], "type": "datadog_logs"}], "processor_groups": [{"enabled": true, "id": "my-processor-group", "include": "service:my-service", "inputs": ["datadog-agent-source"], "processors": [{"enabled": true, "id": "parse-grok-processor", "include": "*", "type": "parse_grok", "rules": [{"source": "message", "match_rules": [{"name": "MyParsingRule", "rule": "%{word:user}"}]}]}]}], "sources": [{"id": "datadog-agent-source", "type": "datadog_agent"}]}, "name": "Pipeline with Parse Grok Source Rules"}, "type": "pipelines"}} + When the request is sent + Then the response 
status is 200 OK + And the response "errors" has length 0 + @team:DataDog/observability-pipelines Scenario: Validate an observability pipeline with source secret key returns "OK" response Given new "ValidatePipeline" request diff --git a/src/test/resources/com/datadog/api/client/v2/api/security_monitoring.feature b/src/test/resources/com/datadog/api/client/v2/api/security_monitoring.feature index 3fbf1712541..3ec8e88ce32 100644 --- a/src/test/resources/com/datadog/api/client/v2/api/security_monitoring.feature +++ b/src/test/resources/com/datadog/api/client/v2/api/security_monitoring.feature @@ -9,7 +9,7 @@ Feature: Security Monitoring And a valid "appKeyAuth" key in the system And an instance of "SecurityMonitoring" API - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Activate content pack returns "Accepted" response Given operation "ActivateContentPack" enabled And new "ActivateContentPack" request @@ -17,7 +17,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 202 Accepted - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Activate content pack returns "Not Found" response Given operation "ActivateContentPack" enabled And new "ActivateContentPack" request 
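Review bot: Both new scenarios only exercise the accepted shape of a rule item (one with `include`, one with `source`) and assert `errors` has length 0, so nothing pins down how the validate endpoint reports a rule that sets both keys or neither, which is exactly the case the client's oneOf wrapper cannot disambiguate. A third scenario along the lines of `Scenario: Validate an observability pipeline with parse grok processor ambiguous rule returns "Bad Request" response`, whose `rules` item carries both `"include"` and `"source"`, would document the server's behaviour for that input; whether the server rejects it is not visible here, so the expected status would need confirming against the spec. The include-rules body also sets `"field": "content"` while the source-rules body omits `field`, which leaves it unclear whether `field` is required, optional, or only meaningful for include rules.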
@@ -163,63 +163,63 @@ Feature: Security Monitoring And the response "data.attributes.insights" has item with field "resource_id" with value "ZGZhMDI3ZjdjMDM3YjJmNzcxNTlhZGMwMjdmZWNiNTZ-MTVlYTNmYWU3NjNlOTNlYTE2YjM4N2JmZmI4Yjk5N2Y=" And the response "data.attributes.insights" has item with field "resource_id" with value "MmUzMzZkODQ2YTI3NDU0OTk4NDk3NzhkOTY5YjU2Zjh-YWJjZGI1ODI4OTYzNWM3ZmUwZTBlOWRkYTRiMGUyOGQ=" - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Bulk convert rules to Terraform returns "Bad Request" response Given new "BulkConvertExistingSecurityMonitoringRules" request And body with value {"data": {"attributes": {"ruleIds": ["def-000-u7q", "def-000-7dd"]}, "id": "convert_bulk", "type": "security_monitoring_rules_convert_bulk"}} When the request is sent Then the response status is 400 Bad Request - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Bulk convert rules to Terraform returns "Not Found" response Given new "BulkConvertExistingSecurityMonitoringRules" request And body with value {"data": {"attributes": {"ruleIds": ["def-000-u7q", "def-000-7dd"]}, "id": "convert_bulk", "type": "security_monitoring_rules_convert_bulk"}} When the request is sent Then the response status is 404 Not Found - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Bulk convert rules to Terraform returns "OK" response Given new "BulkConvertExistingSecurityMonitoringRules" request And body with value {"data": {"attributes": {"ruleIds": ["def-000-u7q", "def-000-7dd"]}, "id": "convert_bulk", "type": "security_monitoring_rules_convert_bulk"}} When the request is sent Then the response status is 200 OK - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Bulk delete security monitoring rules returns "Bad Request" response Given new "BulkDeleteSecurityMonitoringRules" request And body 
with value {"data": {"attributes": {"ruleIds": ["abc-000-u7q", "abc-000-7dd"]}, "type": "bulk_delete_rules"}} When the request is sent Then the response status is 400 Bad Request - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Bulk delete security monitoring rules returns "Not Found" response Given new "BulkDeleteSecurityMonitoringRules" request And body with value {"data": {"attributes": {"ruleIds": ["abc-000-u7q", "abc-000-7dd"]}, "type": "bulk_delete_rules"}} When the request is sent Then the response status is 404 Not Found - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Bulk delete security monitoring rules returns "OK" response Given new "BulkDeleteSecurityMonitoringRules" request And body with value {"data": {"attributes": {"ruleIds": ["abc-000-u7q", "abc-000-7dd"]}, "type": "bulk_delete_rules"}} When the request is sent Then the response status is 200 OK - @skip @team:DataDog/cloud-siem + @skip @team:DataDog/k9-cloud-siem Scenario: Bulk export security monitoring rules returns "Bad Request" response Given new "BulkExportSecurityMonitoringRules" request And body with value {"data": {"attributes": {"ruleIds": []}, "type": "security_monitoring_rules_bulk_export"}} When the request is sent Then the response status is 400 Bad Request - @skip @team:DataDog/cloud-siem + @skip @team:DataDog/k9-cloud-siem Scenario: Bulk export security monitoring rules returns "Not Found" response Given new "BulkExportSecurityMonitoringRules" request And body with value {"data": {"attributes": {"ruleIds": ["non-existent-rule-id"]}, "type": "security_monitoring_rules_bulk_export"}} When the request is sent Then the response status is 404 Not Found - @team:DataDog/cloud-siem + @team:DataDog/k9-cloud-siem Scenario: Bulk export security monitoring rules returns "OK" response Given there is a valid "security_rule" in the system And new "BulkExportSecurityMonitoringRules" request 
@@ -227,7 +227,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 200 OK - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Bulk subscribe to sample log generation returns "Bad Request" response Given operation "BulkCreateSampleLogGenerationSubscriptions" enabled And new "BulkCreateSampleLogGenerationSubscriptions" request @@ -235,7 +235,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 400 Bad Request - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Bulk subscribe to sample log generation returns "OK" response Given operation "BulkCreateSampleLogGenerationSubscriptions" enabled And new "BulkCreateSampleLogGenerationSubscriptions" request 
@@ -243,21 +243,21 @@ Feature: Security Monitoring When the request is sent Then the response status is 200 OK - @skip @team:DataDog/cloud-siem + @skip @team:DataDog/k9-cloud-siem Scenario: Bulk update security signals returns "Bad Request" response Given new "BulkEditSecurityMonitoringSignals" request And body with value {"data": [{"attributes": {"archive_reason": "none", "assignee": {"uuid": "773b045d-ccf8-4808-bd3b-955ef6a8c940"}, "state": "open"}, "id": "AAAAAWgN8Xwgr1vKDQAAAABBV2dOOFh3ZzZobm1mWXJFYTR0OA", "type": "signal"}]} When the request is sent Then the response status is 400 Bad Request - @skip @team:DataDog/cloud-siem + @skip @team:DataDog/k9-cloud-siem Scenario: Bulk update security signals returns "OK" response Given new "BulkEditSecurityMonitoringSignals" request And body with value {"data": [{"attributes": {"archive_reason": "none", "assignee": {"uuid": "773b045d-ccf8-4808-bd3b-955ef6a8c940"}, "state": "open"}, "id": "AAAAAWgN8Xwgr1vKDQAAAABBV2dOOFh3ZzZobm1mWXJFYTR0OA", "type": "signal"}]} When the request is sent Then the response status is 200 OK - @skip @team:DataDog/cloud-siem + @skip @team:DataDog/k9-cloud-siem Scenario: Bulk update triage assignee of security signals returns "Bad Request" response Given operation "BulkEditSecurityMonitoringSignalsAssignee" enabled And new "BulkEditSecurityMonitoringSignalsAssignee" request 
@@ -265,14 +265,14 @@ Feature: Security Monitoring When the request is sent Then the response status is 400 Bad Request - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Bulk update triage assignee of security signals returns "OK" response Given new "BulkEditSecurityMonitoringSignalsAssignee" request And body with value {"data": [{"attributes": {"assignee": "773b045d-ccf8-4808-bd3b-955ef6a8c940"}, "id": "AAAAAWgN8Xwgr1vKDQAAAABBV2dOOFh3ZzZobm1mWXJFYTR0OA", "type": "signal"}]} When the request is sent Then the response status is 200 OK - @skip @team:DataDog/cloud-siem + @skip @team:DataDog/k9-cloud-siem Scenario: Bulk update triage state of security signals returns "Bad Request" response Given operation "BulkEditSecurityMonitoringSignalsState" enabled And new "BulkEditSecurityMonitoringSignalsState" request @@ -280,14 +280,14 @@ Feature: Security Monitoring When the request is sent Then the response status is 400 Bad Request - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Bulk update triage state of security signals returns "OK" response Given new "BulkEditSecurityMonitoringSignalsState" request And body with value {"data": [{"attributes": {"archive_reason": "none", "state": "open"}, "id": "AAAAAWgN8Xwgr1vKDQAAAABBV2dOOFh3ZzZobm1mWXJFYTR0OA", "type": "signal"}]} When the request is sent Then the response status is 200 OK - @team:DataDog/cloud-siem + @team:DataDog/k9-cloud-siem Scenario: Cancel a historical job returns "Bad Request" response Given operation "CancelHistoricalJob" enabled And new "CancelHistoricalJob" request 
@@ -295,7 +295,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 400 Bad Request - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Cancel a historical job returns "Conflict" response Given operation "CancelHistoricalJob" enabled And new "CancelHistoricalJob" request @@ -303,7 +303,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 409 Conflict - @team:DataDog/cloud-siem + @team:DataDog/k9-cloud-siem Scenario: Cancel a historical job returns "Not Found" response Given operation "CancelHistoricalJob" enabled And new "CancelHistoricalJob" request @@ -311,7 +311,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 404 Not Found - @team:DataDog/cloud-siem + @team:DataDog/k9-cloud-siem Scenario: Cancel a historical job returns "OK" response Given operation "CancelHistoricalJob" enabled And operation "RunHistoricalJob" enabled @@ -321,7 +321,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 204 No Content - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Change the related incidents of a security signal returns "Bad Request" response Given new "EditSecurityMonitoringSignalIncidents" request And request contains "signal_id" parameter from "REPLACE.ME" @@ -329,7 +329,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 400 Bad Request - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Change the related incidents of a security signal returns "Not Found" response Given new "EditSecurityMonitoringSignalIncidents" request And request contains "signal_id" parameter from "REPLACE.ME" 
@@ -337,7 +337,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 404 Not Found - @replay-only @team:DataDog/cloud-siem + @replay-only @team:DataDog/k9-cloud-siem Scenario: Change the related incidents of a security signal returns "OK" response Given new "EditSecurityMonitoringSignalIncidents" request And request contains "signal_id" parameter with value "AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE" @@ -345,7 +345,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 200 OK - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Change the triage state of a security signal returns "Bad Request" response Given new "EditSecurityMonitoringSignalState" request And request contains "signal_id" parameter from "REPLACE.ME" @@ -353,7 +353,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 400 Bad Request - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Change the triage state of a security signal returns "Not Found" response Given new "EditSecurityMonitoringSignalState" request And request contains "signal_id" parameter from "REPLACE.ME" @@ -361,7 +361,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 404 Not Found - @replay-only @team:DataDog/cloud-siem + @replay-only @team:DataDog/k9-cloud-siem Scenario: Change the triage state of a security signal returns "OK" response Given new "EditSecurityMonitoringSignalState" request And request contains "signal_id" parameter with value "AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE" 
@@ -369,7 +369,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 200 OK - @team:DataDog/cloud-siem + @team:DataDog/k9-cloud-siem Scenario: Convert a job result to a signal returns "Bad Request" response Given operation "ConvertJobResultToSignal" enabled And new "ConvertJobResultToSignal" request @@ -377,7 +377,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 400 Bad Request - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Convert a job result to a signal returns "Not Found" response Given operation "ConvertJobResultToSignal" enabled And new "ConvertJobResultToSignal" request @@ -385,7 +385,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 404 Not Found - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Convert a job result to a signal returns "OK" response Given operation "ConvertJobResultToSignal" enabled And new "ConvertJobResultToSignal" request 
@@ -393,21 +393,21 @@ Feature: Security Monitoring When the request is sent Then the response status is 204 OK - @skip @team:DataDog/cloud-siem + @skip @team:DataDog/k9-cloud-siem Scenario: Convert a rule from JSON to Terraform returns "Bad Request" response Given new "ConvertSecurityMonitoringRuleFromJSONToTerraform" request And body with value {"name":"{{ unique }}", "queries":[{"query":"@test:true","aggregation":"count","groupByFields":[],"distinctFields":[],"metric":""}],"filters":[],"cases":[{"name":"","status":"info","condition":"a > 0","notifications":[]}],"options":{"evaluationWindow":900,"keepAlive":3600,"maxSignalDuration":86400},"message":"Test rule","tags":[],"isEnabled":true, "type":"log_detection"} When the request is sent Then the response status is 400 Bad Request - @skip @team:DataDog/cloud-siem + @skip @team:DataDog/k9-cloud-siem Scenario: Convert a rule from JSON to Terraform returns "Not Found" response Given new "ConvertSecurityMonitoringRuleFromJSONToTerraform" request And body with value {"name":"{{ unique }}", "queries":[{"query":"@test:true","aggregation":"count","groupByFields":[],"distinctFields":[],"metric":""}],"filters":[],"cases":[{"name":"","status":"info","condition":"a > 0","notifications":[]}],"options":{"evaluationWindow":900,"keepAlive":3600,"maxSignalDuration":86400},"message":"Test rule","tags":[],"isEnabled":true, "type":"log_detection"} When the request is sent Then the response status is 404 Not Found - @team:DataDog/cloud-siem + @team:DataDog/k9-cloud-siem Scenario: Convert a rule from JSON to Terraform returns "OK" response Given new "ConvertSecurityMonitoringRuleFromJSONToTerraform" request And body with value {"name":"_{{ unique_hash }}", "queries":[{"query":"@test:true","aggregation":"count","groupByFields":[],"distinctFields":[],"metric":""}],"filters":[],"cases":[{"name":"","status":"info","condition":"a > 
0","notifications":[]}],"options":{"evaluationWindow":900,"keepAlive":3600,"maxSignalDuration":86400},"message":"Test rule","tags":[],"isEnabled":true, "type":"log_detection"} @@ -415,21 +415,21 @@ Feature: Security Monitoring Then the response status is 200 OK And the response "terraformContent" is equal to "resource \"datadog_security_monitoring_rule\" \"_{{ unique_hash }}\" {\n\tname = \"_{{ unique_hash }}\"\n\tenabled = true\n\tquery {\n\t\tquery = \"@test:true\"\n\t\tgroup_by_fields = []\n\t\thas_optional_group_by_fields = false\n\t\tdistinct_fields = []\n\t\taggregation = \"count\"\n\t\tname = \"\"\n\t\tdata_source = \"logs\"\n\t}\n\toptions {\n\t\tkeep_alive = 3600\n\t\tmax_signal_duration = 86400\n\t\tdetection_method = \"threshold\"\n\t\tevaluation_window = 900\n\t}\n\tcase {\n\t\tname = \"\"\n\t\tstatus = \"info\"\n\t\tnotifications = []\n\t\tcondition = \"a > 0\"\n\t}\n\tmessage = \"Test rule\"\n\ttags = []\n\thas_extended_title = false\n\ttype = \"log_detection\"\n}\n" - @skip @team:DataDog/cloud-siem + @skip @team:DataDog/k9-cloud-siem Scenario: Convert an existing rule from JSON to Terraform returns "Bad Request" response Given new "ConvertExistingSecurityMonitoringRule" request And request contains "rule_id" parameter from "REPLACE.ME" When the request is sent Then the response status is 400 Bad Request - @skip @team:DataDog/cloud-siem + @skip @team:DataDog/k9-cloud-siem Scenario: Convert an existing rule from JSON to Terraform returns "Not Found" response Given new "ConvertExistingSecurityMonitoringRule" request And request contains "rule_id" parameter from "REPLACE.ME" When the request is sent Then the response status is 404 Not Found - @team:DataDog/cloud-siem + @team:DataDog/k9-cloud-siem Scenario: Convert an existing rule from JSON to Terraform returns "OK" response Given new "ConvertExistingSecurityMonitoringRule" request And there is a valid "security_rule_hash" in the system 
@@ -438,7 +438,7 @@ Feature: Security Monitoring Then the response status is 200 OK And the response "terraformContent" is equal to "resource \"datadog_security_monitoring_rule\" \"_{{ unique_hash }}\" {\n\tname = \"_{{ unique_hash }}\"\n\tenabled = true\n\tquery {\n\t\tquery = \"@test:true\"\n\t\tgroup_by_fields = []\n\t\thas_optional_group_by_fields = false\n\t\tdistinct_fields = []\n\t\taggregation = \"count\"\n\t\tname = \"\"\n\t\tdata_source = \"logs\"\n\t}\n\toptions {\n\t\tkeep_alive = 3600\n\t\tmax_signal_duration = 86400\n\t\tdetection_method = \"threshold\"\n\t\tevaluation_window = 900\n\t}\n\tcase {\n\t\tname = \"\"\n\t\tstatus = \"info\"\n\t\tnotifications = []\n\t\tcondition = \"a > 0\"\n\t}\n\tmessage = \"Test rule\"\n\ttags = []\n\thas_extended_title = false\n\ttype = \"log_detection\"\n}\n" - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Convert security monitoring resource to Terraform returns "Bad Request" response Given operation "ConvertSecurityMonitoringTerraformResource" enabled And new "ConvertSecurityMonitoringTerraformResource" request @@ -447,7 +447,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 400 Bad Request - @replay-only @team:DataDog/cloud-siem + @replay-only @team:DataDog/k9-cloud-siem Scenario: Convert security monitoring resource to Terraform returns "OK" response Given operation "ConvertSecurityMonitoringTerraformResource" enabled And new "ConvertSecurityMonitoringTerraformResource" request 
@@ -554,7 +554,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 404 Not Found - @skip-validation @team:DataDog/cloud-siem + @skip-validation @team:DataDog/k9-cloud-siem Scenario: Create a cloud_configuration rule returns "OK" response Given new "CreateSecurityMonitoringRule" request And body with value {"type":"cloud_configuration","name":"{{ unique }}_cloud","isEnabled":false,"cases":[{"status":"info","notifications":["channel"]}],"options":{"complianceRuleOptions":{"resourceType":"gcp_compute_disk","complexRule": false,"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nmilliseconds_in_a_day := ((1000 * 60) * 60) * 24\n\neval(iam_service_account_key) = \"skip\" if {\n\tiam_service_account_key.disabled\n} else = \"pass\" if {\n\t(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_disk"]}}},"message":"ddd","tags":["my:tag"],"complianceSignalOptions":{"userActivationStatus":true,"userGroupByFields":["@account_id"]},"filters":[{"action":"require","query":"resource_id:helo*"},{"action":"suppress","query":"control:helo*"}]} 
@@ -565,21 +565,21 @@ Feature: Security Monitoring And the response "message" is equal to "ddd" And the response "options.complianceRuleOptions.resourceType" is equal to "gcp_compute_disk" - @skip @team:DataDog/cloud-siem + @skip @team:DataDog/k9-cloud-siem Scenario: Create a critical asset returns "Bad Request" response Given new "CreateSecurityMonitoringCriticalAsset" request And body with value {"data": {"type": "critical_assets", "attributes": {"query": "host:test"}}} When the request is sent Then the response status is 400 Bad Request - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Create a critical asset returns "Conflict" response Given new "CreateSecurityMonitoringCriticalAsset" request And body with value {"data": {"attributes": {"enabled": true, "query": "security:monitoring", "rule_query": "type:(log_detection OR signal_correlation OR workload_security OR application_security) source:cloudtrail", "severity": "increase", "tags": ["team:database", "source:cloudtrail"]}, "type": "critical_assets"}} When the request is sent Then the response status is 409 Conflict - @skip-validation @team:DataDog/cloud-siem + @skip-validation @team:DataDog/k9-cloud-siem Scenario: Create a critical asset returns "OK" response Given new "CreateSecurityMonitoringCriticalAsset" request And body with value {"data": {"type": "critical_assets", "attributes": {"query": "host:{{ unique_lower_alnum }}", "rule_query": "type:(log_detection OR signal_correlation OR workload_security OR application_security) source:cloudtrail", "severity": "decrease", "tags": ["team:security", "env:test"]}}} 
@@ -588,14 +588,14 @@ Feature: Security Monitoring And the response "data.type" is equal to "critical_assets" And the response "data.attributes.severity" is equal to "decrease" - @team:DataDog/cloud-siem + @team:DataDog/k9-cloud-siem Scenario: Create a custom framework returns "Bad Request" response Given new "CreateCustomFramework" request And body with value {"data":{"type":"custom_framework","attributes":{"name":"name","handle":"","version":"10","icon_url":"test-url","requirements":[{"name":"requirement","controls":[{"name":"control","rules_id":["def-000-be9"]}]}]}}} When the request is sent Then the response status is 400 Bad Request - @replay-only @skip-terraform-config @team:DataDog/cloud-siem + @replay-only @skip-terraform-config @team:DataDog/k9-cloud-siem Scenario: Create a custom framework returns "Conflict" response Given there is a valid "custom_framework" in the system And new "CreateCustomFramework" request @@ -603,14 +603,14 @@ Feature: Security Monitoring When the request is sent Then the response status is 409 Conflict - @replay-only @skip-terraform-config @team:DataDog/cloud-siem + @replay-only @skip-terraform-config @team:DataDog/k9-cloud-siem Scenario: Create a custom framework returns "OK" response Given new "CreateCustomFramework" request And body with value {"data":{"type":"custom_framework","attributes":{"name":"name","handle":"create-framework-new","version":"10","icon_url":"test-url","requirements":[{"name":"requirement","controls":[{"name":"control","rules_id":["def-000-be9"]}]}]}}} When the request is sent Then the response status is 200 OK - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Create a dataset returns "Bad Request" response Given operation "CreateSecurityMonitoringDataset" enabled And new "CreateSecurityMonitoringDataset" request 
@@ -618,7 +618,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 400 Bad Request - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Create a dataset returns "Conflict" response Given operation "CreateSecurityMonitoringDataset" enabled And new "CreateSecurityMonitoringDataset" request @@ -626,7 +626,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 409 Conflict - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Create a dataset returns "Created" response Given operation "CreateSecurityMonitoringDataset" enabled And new "CreateSecurityMonitoringDataset" request 
@@ -634,14 +634,14 @@ Feature: Security Monitoring When the request is sent Then the response status is 201 Created - @skip @team:DataDog/cloud-siem + @skip @team:DataDog/k9-cloud-siem Scenario: Create a detection rule returns "Bad Request" response Given new "CreateSecurityMonitoringRule" request And body with value {"name":"{{ unique }}", "queries":[{"query":""}],"cases":[{"status":"info"}],"options":{},"message":"Test rule","tags":[],"isEnabled":true} When the request is sent Then the response status is 400 Bad Request - @skip-validation @team:DataDog/cloud-siem + @skip-validation @team:DataDog/k9-cloud-siem Scenario: Create a detection rule returns "OK" response Given new "CreateSecurityMonitoringRule" request And body with value {"name":"{{ unique }}", "queries":[{"query":"@test:true","aggregation":"count","groupByFields":[],"distinctFields":[],"metric":""}],"filters":[],"cases":[{"name":"","status":"info","condition":"a > 0","notifications":[]}],"options":{"evaluationWindow":900,"keepAlive":3600,"maxSignalDuration":86400},"message":"Test rule","tags":[],"isEnabled":true, "type":"log_detection", "referenceTables":[{"tableName": "synthetics_test_reference_table_dont_delete", "columnName": "value", "logFieldPath":"testtag", "checkPresence":true, "ruleQueryName":"a"}]} 
@@ -652,7 +652,7 @@ Feature: Security Monitoring And the response "message" is equal to "Test rule" And the response "referenceTables" is equal to [{"tableName": "synthetics_test_reference_table_dont_delete", "columnName": "value", "logFieldPath":"testtag", "checkPresence":true, "ruleQueryName":"a"}] - @team:DataDog/cloud-siem + @team:DataDog/k9-cloud-siem Scenario: Create a detection rule with detection method 'anomaly_detection' returns "OK" response Given new "CreateSecurityMonitoringRule" request And body with value {"name":"{{ unique }}","type":"log_detection","isEnabled":true,"queries":[{"aggregation":"count","dataSource":"logs","distinctFields":[],"groupByFields":["@usr.email","@network.client.ip"],"hasOptionalGroupByFields":false,"name":"","query":"service:app status:error"}],"cases":[{"name":"","status":"info","notifications":[],"condition":"a > 0.995"}],"message":"An anomaly detection rule","options":{"detectionMethod":"anomaly_detection","evaluationWindow":900,"keepAlive":3600,"maxSignalDuration":86400,"anomalyDetectionOptions":{"bucketDuration":300,"learningDuration":24,"detectionTolerance":3,"learningPeriodBaseline":10}},"tags":[],"filters":[]} 
@@ -666,7 +666,7 @@ Feature: Security Monitoring And the response "options.anomalyDetectionOptions.learningPeriodBaseline" is equal to 10 And the response "options.anomalyDetectionOptions.detectionTolerance" is equal to 3 - @team:DataDog/cloud-siem + @team:DataDog/k9-cloud-siem Scenario: Create a detection rule with detection method 'anomaly_detection' with enabled feature 'instantaneousBaseline' returns "OK" response Given new "CreateSecurityMonitoringRule" request And body with value {"name":"{{ unique }}","type":"log_detection","isEnabled":true,"queries":[{"aggregation":"count","dataSource":"logs","distinctFields":[],"groupByFields":["@usr.email","@network.client.ip"],"hasOptionalGroupByFields":false,"name":"","query":"service:app status:error"}],"cases":[{"name":"","status":"info","notifications":[],"condition":"a > 0.995"}],"message":"An anomaly detection rule","options":{"detectionMethod":"anomaly_detection","evaluationWindow":900,"keepAlive":3600,"maxSignalDuration":86400,"anomalyDetectionOptions":{"bucketDuration":300,"learningDuration":24,"detectionTolerance":3,"instantaneousBaseline":true}},"tags":[],"filters":[]} 
@@ -677,7 +677,7 @@ Feature: Security Monitoring And the response "options.detectionMethod" is equal to "anomaly_detection" And the response "options.anomalyDetectionOptions.instantaneousBaseline" is equal to true - @team:DataDog/cloud-siem + @team:DataDog/k9-cloud-siem Scenario: Create a detection rule with detection method 'sequence_detection' returns "OK" response Given new "CreateSecurityMonitoringRule" request And body with value {"name":"{{ unique }}","type":"log_detection","isEnabled":true,"queries":[{"aggregation":"count","dataSource":"logs","distinctFields":[],"groupByFields":[],"hasOptionalGroupByFields":false,"name":"","query":"service:logs-rule-reducer source:paul test2"},{"aggregation":"count","dataSource":"logs","distinctFields":[],"groupByFields":[],"hasOptionalGroupByFields":false,"name":"","query":"service:logs-rule-reducer source:paul test1"}],"cases":[{"name":"","status":"info","notifications":[],"condition":"step_b > 0"}],"message":"Logs and signals asdf","options":{"detectionMethod":"sequence_detection","evaluationWindow":0,"keepAlive":300,"maxSignalDuration":600,"sequenceDetectionOptions":{"stepTransitions":[{"child":"step_b","evaluationWindow":900,"parent":"step_a"}],"steps":[{"condition":"a > 0","evaluationWindow":60,"name":"step_a"},{"condition":"b > 0","evaluationWindow":60,"name":"step_b"}]}},"tags":[]} 
@@ -687,7 +687,7 @@ Feature: Security Monitoring And the response "type" is equal to "log_detection" And the response "options.detectionMethod" is equal to "sequence_detection" - @team:DataDog/cloud-siem + @team:DataDog/k9-cloud-siem Scenario: Create a detection rule with detection method 'third_party' returns "OK" response Given new "CreateSecurityMonitoringRule" request And body with value {"name":"{{ unique }}","type":"log_detection","isEnabled":true,"thirdPartyCases":[{"query":"status:error","name":"high","status":"high"},{"query":"status:info","name":"low","status":"low"}],"queries":[],"cases":[],"message":"This is a third party rule","options":{"detectionMethod":"third_party","keepAlive":0,"maxSignalDuration":600,"thirdPartyRuleOptions":{"defaultStatus":"info","rootQueries":[{"query":"source:guardduty @details.alertType:*EC2*", "groupByFields":["instance-id"]},{"query":"source:guardduty", "groupByFields":[]}]}}} 
@@ -698,7 +698,7 @@ Feature: Security Monitoring And the response "options.detectionMethod" is equal to "third_party" And the response "thirdPartyCases[0].query" is equal to "status:error" - @skip-validation @team:DataDog/cloud-siem + @skip-validation @team:DataDog/k9-cloud-siem Scenario: Create a detection rule with type 'application_security 'returns "OK" response Given new "CreateSecurityMonitoringRule" request And body with value {"type":"application_security","name":"{{unique}}_appsec_rule","queries":[{"query":"@appsec.security_activity:business_logic.users.login.failure","aggregation":"count","groupByFields":["service","@http.client_ip"],"distinctFields":[]}],"filters":[],"cases":[{"name":"","status":"info","notifications":[],"condition":"a > 100000","actions":[{"type":"block_ip","options":{"duration":900}}, {"type":"user_behavior","options":{"userBehaviorName":"behavior"}}, {"type":"flag_ip","options":{"flaggedIPType":"FLAGGED"}}]}],"options":{"keepAlive":3600,"maxSignalDuration":86400,"evaluationWindow":900,"detectionMethod":"threshold"},"isEnabled":true,"message":"Test rule","tags":[],"groupSignalsBy":["service"]} 
@@ -708,7 +708,7 @@ Feature: Security Monitoring And the response "type" is equal to "application_security" And the response "message" is equal to "Test rule" - @skip-validation @team:DataDog/cloud-siem + @skip-validation @team:DataDog/k9-cloud-siem Scenario: Create a detection rule with type 'impossible_travel' and baselineUserLocationsDuration returns "OK" response Given new "CreateSecurityMonitoringRule" request And body with value {"queries":[{"aggregation":"geo_data","groupByFields":["@usr.id"],"distinctFields":[],"metric":"@network.client.geoip","query":"*"}],"cases":[{"name":"","status":"info","notifications":[]}],"hasExtendedTitle":true,"message":"test","isEnabled":true,"options":{"maxSignalDuration":86400,"evaluationWindow":900,"keepAlive":3600,"detectionMethod":"impossible_travel","impossibleTravelOptions":{"baselineUserLocations":true,"baselineUserLocationsDuration":7}},"name":"{{ unique }}","type":"log_detection","tags":[],"filters":[]} @@ -721,7 +721,7 @@ Feature: Security Monitoring And the response "options.impossibleTravelOptions.baselineUserLocations" is equal to true And the response "options.impossibleTravelOptions.baselineUserLocationsDuration" is equal to 7 - @skip-validation @team:DataDog/cloud-siem + @skip-validation @team:DataDog/k9-cloud-siem Scenario: Create a detection rule with type 'impossible_travel' returns "OK" response Given new "CreateSecurityMonitoringRule" request And body with value {"queries":[{"aggregation":"geo_data","groupByFields":["@usr.id"],"distinctFields":[],"metric":"@network.client.geoip","query":"*"}],"cases":[{"name":"","status":"info","notifications":[]}],"hasExtendedTitle":true,"message":"test","isEnabled":true,"options":{"maxSignalDuration":86400,"evaluationWindow":900,"keepAlive":3600,"detectionMethod":"impossible_travel","impossibleTravelOptions":{"baselineUserLocations":false}},"name":"{{ unique }}","type":"log_detection","tags":[],"filters":[]} 
@@ -732,7 +732,7 @@ Feature: Security Monitoring And the response "message" is equal to "test" And the response "options.detectionMethod" is equal to "impossible_travel" - @skip-validation @team:DataDog/cloud-siem + @skip-validation @team:DataDog/k9-cloud-siem Scenario: Create a detection rule with type 'signal_correlation' returns "OK" response Given there is a valid "security_rule" in the system And there is a valid "security_rule_bis" in the system @@ -745,7 +745,7 @@ Feature: Security Monitoring And the response "message" is equal to "Test signal correlation rule" And the response "isEnabled" is equal to true - @skip-validation @team:DataDog/cloud-siem + @skip-validation @team:DataDog/k9-cloud-siem Scenario: Create a detection rule with type 'workload_security' returns "OK" response Given new "CreateSecurityMonitoringRule" request And body with value {"name":"{{ unique }}", "queries":[{"query":"@test:true","aggregation":"count","groupByFields":[],"distinctFields":[],"metric":""}],"filters":[],"cases":[{"name":"","status":"info","condition":"a > 0","notifications":[]}],"options":{"evaluationWindow":900,"keepAlive":3600,"maxSignalDuration":86400},"message":"Test rule","tags":[],"isEnabled":true, "type": "workload_security"} 
@@ -845,7 +845,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 201 Successfully created the notification rule. - @team:DataDog/cloud-siem + @team:DataDog/k9-cloud-siem Scenario: Create a scheduled detection rule returns "OK" response Given new "CreateSecurityMonitoringRule" request And body with value {"name":"{{ unique }}", "queries":[{"query":"@test:true","aggregation":"count","groupByFields":[],"distinctFields":[],"indexes":["main"]}],"filters":[],"cases":[{"name":"","status":"info","condition":"a > 0","notifications":[]}],"options":{"evaluationWindow":900,"keepAlive":3600,"maxSignalDuration":86400},"message":"Test rule","tags":[],"isEnabled":true, "type":"log_detection", "schedulingOptions": {"rrule": "FREQ=HOURLY;INTERVAL=2;", "start": "2025-06-18T12:00:00", "timezone": "Europe/Paris"}} 
@@ -856,28 +856,28 @@ Feature: Security Monitoring And the response "message" is equal to "Test rule" And the response "schedulingOptions" is equal to {"rrule": "FREQ=HOURLY;INTERVAL=2;", "start": "2025-06-18T12:00:00", "timezone": "Europe/Paris"} - @team:DataDog/cloud-siem + @team:DataDog/k9-cloud-siem Scenario: Create a scheduled rule without rrule returns "Bad Request" response Given new "CreateSecurityMonitoringRule" request And body with value {"name":"{{ unique }}", "queries":[{"query":"@test:true","aggregation":"count","groupByFields":[],"distinctFields":[],"indexes":["main"]}],"filters":[],"cases":[{"name":"","status":"info","condition":"a > 0","notifications":[]}],"options":{"evaluationWindow":900,"keepAlive":3600,"maxSignalDuration":86400},"message":"Test rule","tags":[],"isEnabled":true, "type":"log_detection", "schedulingOptions": {"start": "2025-06-18T12:00:00", "timezone": "Europe/Paris"}} When the request is sent Then the response status is 400 Bad Request - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Create a security filter returns "Bad Request" response Given new "CreateSecurityFilter" request And body with value {"data": {"attributes": {"exclusion_filters": [{"name": "Exclude staging", "query": "source:staging"}], "filtered_data_type": "logs", "is_enabled": true, "name": "Custom security filter", "query": "service:api"}, "type": "security_filters"}} When the request is sent Then the response status is 400 Bad Request - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Create a security filter returns "Conflict" response Given new "CreateSecurityFilter" request And body with value {"data": {"attributes": {"exclusion_filters": [{"name": "Exclude staging", "query": "source:staging"}], "filtered_data_type": "logs", "is_enabled": true, "name": "Custom security filter", "query": "service:api"}, "type": "security_filters"}} When the request is sent 
Then the response status is 409 Conflict - @team:DataDog/cloud-siem + @team:DataDog/k9-cloud-siem Scenario: Create a security filter returns "OK" response Given new "CreateSecurityFilter" request And body with value {"data": {"attributes": {"exclusion_filters": [{"name": "Exclude staging", "query": "source:staging"}], "filtered_data_type": "logs", "is_enabled": true, "name": "{{ unique }}", "query": "service:{{ unique_alnum }}"}, "type": "security_filters"}} 
@@ -889,21 +889,21 @@ Feature: Security Monitoring And the response "data.attributes.exclusion_filters[0].name" is equal to "Exclude staging" And the response "data.attributes.exclusion_filters[0].query" is equal to "source:staging" - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Create a suppression rule returns "Bad Request" response Given new "CreateSecurityMonitoringSuppression" request And body with value {"data": {"attributes": {"data_exclusion_query": "source:cloudtrail account_id:12345", "description": "This rule suppresses low-severity signals in staging environments.", "enabled": true, "expiration_date": 1703187336000, "name": "Custom suppression", "rule_query": "type:log_detection source:cloudtrail", "start_date": 1703187336000, "suppression_query": "env:staging status:low", "tags": ["technique:T1110-brute-force", "source:cloudtrail"]}, "type": "suppressions"}} When the request is sent Then the response status is 400 Bad Request - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Create a suppression rule returns "Conflict" response Given new "CreateSecurityMonitoringSuppression" request And body with value {"data": {"attributes": {"data_exclusion_query": "source:cloudtrail account_id:12345", "description": "This rule suppresses low-severity signals in staging environments.", "enabled": true, "expiration_date": 1703187336000, "name": "Custom suppression", "rule_query": "type:log_detection source:cloudtrail", "start_date": 1703187336000, "suppression_query": "env:staging status:low", "tags": ["technique:T1110-brute-force", "source:cloudtrail"]}, "type": "suppressions"}} When the request is sent Then the response status is 409 Conflict - @skip-validation @team:DataDog/cloud-siem + @skip-validation @team:DataDog/k9-cloud-siem Scenario: Create a suppression rule returns "OK" response Given new "CreateSecurityMonitoringSuppression" request And body with value 
{"data": {"attributes": {"description": "This rule suppresses low-severity signals in staging environments.", "enabled": true, "start_date": {{ timestamp('now + 10d') }}000, "expiration_date": {{ timestamp('now + 21d') }}000, "name": "{{ unique }}", "rule_query": "type:log_detection source:cloudtrail", "suppression_query": "env:staging status:low", "tags": ["technique:T1110-brute-force", "source:cloudtrail"]}, "type": "suppressions"}} @@ -913,7 +913,7 @@ Feature: Security Monitoring And the response "data.attributes.enabled" is equal to true And the response "data.attributes.rule_query" is equal to "type:log_detection source:cloudtrail" - @skip-validation @team:DataDog/cloud-siem + @skip-validation @team:DataDog/k9-cloud-siem Scenario: Create a suppression rule with an exclusion query returns "OK" response Given new "CreateSecurityMonitoringSuppression" request And body with value {"data": {"attributes": {"description": "This rule suppresses low-severity signals in staging environments.", "enabled": true, "start_date": {{ timestamp('now + 10d') }}000, "expiration_date": {{ timestamp('now + 21d') }}000, "name": "{{ unique }}", "rule_query": "type:log_detection source:cloudtrail", "data_exclusion_query": "account_id:12345"}, "type": "suppressions"}} @@ -951,7 +951,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 422 Unprocessable Entity - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Create an entity context sync configuration returns "Bad Request" response Given operation "CreateSecurityMonitoringIntegrationConfig" enabled And new "CreateSecurityMonitoringIntegrationConfig" request 
@@ -959,7 +959,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 400 Bad Request - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Create an entity context sync configuration returns "OK" response Given operation "CreateSecurityMonitoringIntegrationConfig" enabled And new "CreateSecurityMonitoringIntegrationConfig" request @@ -1035,7 +1035,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 404 Not Found - @replay-only @skip-terraform-config @team:DataDog/cloud-siem + @replay-only @skip-terraform-config @team:DataDog/k9-cloud-siem Scenario: Create or update an indicator triage state returns "Bad Request" response Given operation "CreateIoCTriageState" enabled And new "CreateIoCTriageState" request @@ -1043,7 +1043,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 400 Bad Request - @replay-only @skip-terraform-config @team:DataDog/cloud-siem + @replay-only @skip-terraform-config @team:DataDog/k9-cloud-siem Scenario: Create or update an indicator triage state returns "Created" response Given operation "CreateIoCTriageState" enabled And new "CreateIoCTriageState" request @@ -1051,7 +1051,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 201 Created - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Deactivate content pack returns "Accepted" response Given operation "DeactivateContentPack" enabled And new "DeactivateContentPack" request @@ -1059,7 +1059,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 202 Accepted - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Deactivate content pack returns "Not Found" response Given operation "DeactivateContentPack" enabled And new "DeactivateContentPack" request 
@@ -1067,14 +1067,14 @@ Feature: Security Monitoring When the request is sent Then the response status is 404 Not Found - @team:DataDog/cloud-siem + @team:DataDog/k9-cloud-siem Scenario: Delete a critical asset returns "Not Found" response Given new "DeleteSecurityMonitoringCriticalAsset" request And request contains "critical_asset_id" parameter with value "00000000-0000-0000-0000-000000000000" When the request is sent Then the response status is 404 Not Found - @skip-validation @team:DataDog/cloud-siem + @skip-validation @team:DataDog/k9-cloud-siem Scenario: Delete a critical asset returns "OK" response Given there is a valid "critical_asset" in the system And new "DeleteSecurityMonitoringCriticalAsset" request @@ -1082,7 +1082,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 204 OK - @team:DataDog/cloud-siem + @team:DataDog/k9-cloud-siem Scenario: Delete a custom framework returns "Bad Request" response Given new "DeleteCustomFramework" request And request contains "handle" parameter with value "handle-does-not-exist" @@ -1090,7 +1090,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 400 Bad Request - @replay-only @team:DataDog/cloud-siem + @replay-only @team:DataDog/k9-cloud-siem Scenario: Delete a custom framework returns "OK" response Given there is a valid "custom_framework" in the system And new "DeleteCustomFramework" request @@ -1099,7 +1099,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 200 OK - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Delete a dataset returns "Bad Request" response Given operation "DeleteSecurityMonitoringDataset" enabled And new "DeleteSecurityMonitoringDataset" request 
@@ -1107,7 +1107,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 400 Bad Request - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Delete a dataset returns "No Content" response Given operation "DeleteSecurityMonitoringDataset" enabled And new "DeleteSecurityMonitoringDataset" request @@ -1115,7 +1115,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 204 No Content - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Delete a dataset returns "Not Found" response Given operation "DeleteSecurityMonitoringDataset" enabled And new "DeleteSecurityMonitoringDataset" request @@ -1157,14 +1157,14 @@ Feature: Security Monitoring When the request is sent Then the response status is 204 Rule successfully deleted. - @skip @team:DataDog/cloud-siem + @skip @team:DataDog/k9-cloud-siem Scenario: Delete a non existing rule returns "Not Found" response Given new "DeleteSecurityMonitoringRule" request And request contains "rule_id" parameter with value "ThisRuleIdProbablyDoesntExist" When the request is sent Then the response status is 404 Not Found - @skip-validation @team:DataDog/cloud-siem + @skip-validation @team:DataDog/k9-cloud-siem Scenario: Delete a security filter returns "No Content" response Given there is a valid "security_filter" in the system And new "DeleteSecurityFilter" request 
@@ -1172,14 +1172,14 @@ Feature: Security Monitoring When the request is sent Then the response status is 204 No Content - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Delete a security filter returns "Not Found" response Given new "DeleteSecurityFilter" request And request contains "security_filter_id" parameter from "REPLACE.ME" When the request is sent Then the response status is 404 Not Found - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Delete a security filter returns "OK" response Given new "DeleteSecurityFilter" request And request contains "security_filter_id" parameter from "REPLACE.ME" @@ -1201,14 +1201,14 @@ Feature: Security Monitoring When the request is sent Then the response status is 204 Rule successfully deleted. - @skip @team:DataDog/cloud-siem + @skip @team:DataDog/k9-cloud-siem Scenario: Delete a suppression rule returns "Not Found" response Given new "DeleteSecurityMonitoringSuppression" request And request contains "suppression_id" parameter with value "does-not-exist" When the request is sent Then the response status is 404 Not Found - @skip-validation @team:DataDog/cloud-siem + @skip-validation @team:DataDog/k9-cloud-siem Scenario: Delete a suppression rule returns "OK" response Given there is a valid "suppression" in the system And new "DeleteSecurityMonitoringSuppression" request @@ -1248,7 +1248,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 204 Rule successfully deleted. - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Delete an entity context sync configuration returns "Not Found" response Given operation "DeleteSecurityMonitoringIntegrationConfig" enabled And new "DeleteSecurityMonitoringIntegrationConfig" request 
@@ -1256,7 +1256,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 404 Not Found - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Delete an entity context sync configuration returns "OK" response Given operation "DeleteSecurityMonitoringIntegrationConfig" enabled And new "DeleteSecurityMonitoringIntegrationConfig" request @@ -1264,7 +1264,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 204 OK - @team:DataDog/cloud-siem + @team:DataDog/k9-cloud-siem Scenario: Delete an existing job returns "Bad Request" response Given operation "DeleteHistoricalJob" enabled And new "DeleteHistoricalJob" request @@ -1272,7 +1272,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 400 Bad Request - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Delete an existing job returns "Conflict" response Given operation "DeleteHistoricalJob" enabled And new "DeleteHistoricalJob" request @@ -1280,7 +1280,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 409 Conflict - @team:DataDog/cloud-siem + @team:DataDog/k9-cloud-siem Scenario: Delete an existing job returns "Not Found" response Given operation "DeleteHistoricalJob" enabled And new "DeleteHistoricalJob" request @@ -1288,7 +1288,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 404 Not Found - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Delete an existing job returns "OK" response Given operation "DeleteHistoricalJob" enabled And new "DeleteHistoricalJob" request 
@@ -1296,14 +1296,14 @@ Feature: Security Monitoring When the request is sent Then the response status is 204 OK - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Delete an existing rule returns "Not Found" response Given new "DeleteSecurityMonitoringRule" request And request contains "rule_id" parameter from "REPLACE.ME" When the request is sent Then the response status is 404 Not Found - @skip-validation @team:DataDog/cloud-siem + @skip-validation @team:DataDog/k9-cloud-siem Scenario: Delete an existing rule returns "OK" response Given there is a valid "security_rule" in the system And new "DeleteSecurityMonitoringRule" request @@ -1332,7 +1332,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 404 Not Found - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Export security monitoring resource to Terraform returns "Not Found" response Given operation "ExportSecurityMonitoringTerraformResource" enabled And new "ExportSecurityMonitoringTerraformResource" request @@ -1341,7 +1341,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 404 Not Found - @replay-only @team:DataDog/cloud-siem + @replay-only @team:DataDog/k9-cloud-siem Scenario: Export security monitoring resource to Terraform returns "OK" response Given operation "ExportSecurityMonitoringTerraformResource" enabled And there is a valid "suppression" in the system 
@@ -1353,7 +1353,7 @@ Feature: Security Monitoring And the response "data.attributes.type_name" is equal to "datadog_security_monitoring_suppression" And the response "data.attributes.resource_id" has the same value as "suppression.data.id" - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Export security monitoring resources to Terraform returns "Bad Request" response Given operation "BulkExportSecurityMonitoringTerraformResources" enabled And new "BulkExportSecurityMonitoringTerraformResources" request @@ -1362,7 +1362,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 400 Bad Request - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Export security monitoring resources to Terraform returns "Not Found" response Given operation "BulkExportSecurityMonitoringTerraformResources" enabled And new "BulkExportSecurityMonitoringTerraformResources" request @@ -1371,7 +1371,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 404 Not Found - @replay-only @team:DataDog/cloud-siem + @replay-only @team:DataDog/k9-cloud-siem Scenario: Export security monitoring resources to Terraform returns "OK" response Given operation "BulkExportSecurityMonitoringTerraformResources" enabled And there is a valid "suppression" in the system @@ -1445,7 +1445,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 200 OK - @skip-validation @team:DataDog/cloud-siem + @skip-validation @team:DataDog/k9-cloud-siem Scenario: Get a cloud configuration rule's details returns "OK" response Given there is a valid "cloud_configuration_rule" in the system And new "GetSecurityMonitoringRule" request 
@@ -1455,14 +1455,14 @@ Feature: Security Monitoring And the response "name" is equal to "{{ unique }}_cloud" And the response "id" has the same value as "cloud_configuration_rule.id" - @team:DataDog/cloud-siem + @team:DataDog/k9-cloud-siem Scenario: Get a critical asset returns "Not Found" response Given new "GetSecurityMonitoringCriticalAsset" request And request contains "critical_asset_id" parameter with value "00000000-0000-0000-0000-000000000000" When the request is sent Then the response status is 404 Not Found - @skip-validation @team:DataDog/cloud-siem + @skip-validation @team:DataDog/k9-cloud-siem Scenario: Get a critical asset returns "OK" response Given new "GetSecurityMonitoringCriticalAsset" request And there is a valid "critical_asset" in the system @@ -1472,7 +1472,7 @@ Feature: Security Monitoring And the response "data.attributes.rule_query" has the same value as "critical_asset.data.attributes.rule_query" And the response "data.attributes.severity" is equal to "medium" - @team:DataDog/cloud-siem + @team:DataDog/k9-cloud-siem Scenario: Get a custom framework returns "Bad Request" response Given new "GetCustomFramework" request And request contains "handle" parameter with value "frame-does-not-exist" @@ -1480,7 +1480,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 400 Bad Request - @replay-only @team:DataDog/cloud-siem + @replay-only @team:DataDog/k9-cloud-siem Scenario: Get a custom framework returns "OK" response Given there is a valid "custom_framework" in the system And new "GetCustomFramework" request @@ -1489,7 +1489,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 200 OK - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Get a dataset at a specific version returns "Bad Request" response Given operation "GetSecurityMonitoringDatasetByVersion" enabled And new "GetSecurityMonitoringDatasetByVersion" request 
@@ -1498,7 +1498,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 400 Bad Request - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Get a dataset at a specific version returns "Not Found" response Given operation "GetSecurityMonitoringDatasetByVersion" enabled And new "GetSecurityMonitoringDatasetByVersion" request @@ -1507,7 +1507,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 404 Not Found - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Get a dataset at a specific version returns "OK" response Given operation "GetSecurityMonitoringDatasetByVersion" enabled And new "GetSecurityMonitoringDatasetByVersion" request @@ -1516,7 +1516,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 200 OK - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Get a dataset returns "Bad Request" response Given operation "GetSecurityMonitoringDataset" enabled And new "GetSecurityMonitoringDataset" request @@ -1524,7 +1524,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 400 Bad Request - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Get a dataset returns "Not Found" response Given operation "GetSecurityMonitoringDataset" enabled And new "GetSecurityMonitoringDataset" request @@ -1532,7 +1532,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 404 Not Found - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Get a dataset returns "OK" response Given operation "GetSecurityMonitoringDataset" enabled And new "GetSecurityMonitoringDataset" request 
@@ -1584,7 +1584,7 @@ Feature: Security Monitoring Then the response status is 200 OK And the response "data.attributes.evaluation" is equal to "pass" - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Get a hist signal's details returns "Bad Request" response Given operation "GetSecurityMonitoringHistsignal" enabled And new "GetSecurityMonitoringHistsignal" request @@ -1592,7 +1592,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 400 Bad Request - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Get a hist signal's details returns "Not Found" response Given operation "GetSecurityMonitoringHistsignal" enabled And new "GetSecurityMonitoringHistsignal" request @@ -1600,7 +1600,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 404 Not Found - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Get a hist signal's details returns "OK" response Given operation "GetSecurityMonitoringHistsignal" enabled And new "GetSecurityMonitoringHistsignal" request @@ -1608,7 +1608,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 200 OK - @team:DataDog/cloud-siem + @team:DataDog/k9-cloud-siem Scenario: Get a job's details returns "Bad Request" response Given operation "GetHistoricalJob" enabled And new "GetHistoricalJob" request @@ -1616,7 +1616,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 400 Bad Request - @team:DataDog/cloud-siem + @team:DataDog/k9-cloud-siem Scenario: Get a job's details returns "Not Found" response Given operation "GetHistoricalJob" enabled And new "GetHistoricalJob" request 
@@ -1624,7 +1624,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 404 Not Found - @team:DataDog/cloud-siem + @team:DataDog/k9-cloud-siem Scenario: Get a job's details returns "OK" response Given operation "GetHistoricalJob" enabled And operation "RunHistoricalJob" enabled @@ -1634,7 +1634,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 200 OK - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Get a job's hist signals returns "Bad Request" response Given operation "GetSecurityMonitoringHistsignalsByJobId" enabled And new "GetSecurityMonitoringHistsignalsByJobId" request @@ -1642,7 +1642,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 400 Bad Request - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Get a job's hist signals returns "Not Found" response Given operation "GetSecurityMonitoringHistsignalsByJobId" enabled And new "GetSecurityMonitoringHistsignalsByJobId" request @@ -1650,7 +1650,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 404 Not Found - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Get a job's hist signals returns "OK" response Given operation "GetSecurityMonitoringHistsignalsByJobId" enabled And new "GetSecurityMonitoringHistsignalsByJobId" request 
@@ -1658,21 +1658,21 @@ Feature: Security Monitoring When the request is sent Then the response status is 200 OK - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Get a list of security signals returns "Bad Request" response Given new "SearchSecurityMonitoringSignals" request And body with value {"filter": {"from": "2019-01-02T09:42:36.320Z", "query": "security:attack status:high", "to": "2019-01-03T09:42:36.320Z"}, "page": {"cursor": "eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ==", "limit": 25}, "sort": "timestamp"} When the request is sent Then the response status is 400 Bad Request - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Get a list of security signals returns "OK" response Given new "SearchSecurityMonitoringSignals" request And body with value {"filter": {"from": "2019-01-02T09:42:36.320Z", "query": "security:attack status:high", "to": "2019-01-03T09:42:36.320Z"}, "page": {"cursor": "eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ==", "limit": 25}, "sort": "timestamp"} When the request is sent Then the response status is 200 OK - @replay-only @skip-validation @team:DataDog/cloud-siem @with-pagination + @replay-only @skip-validation @team:DataDog/k9-cloud-siem @with-pagination Scenario: Get a list of security signals returns "OK" response with pagination Given new "SearchSecurityMonitoringSignals" request And body with value {"filter": {"from": "{{ timeISO("now-15m") }}", "query": "security:attack status:high", "to": "{{ timeISO("now") }}"}, "page": {"limit": 2}, "sort": "timestamp"} 
@@ -1699,19 +1699,19 @@ Feature: Security Monitoring And the response "data.id" is equal to "{{ valid_mute_rule.data.id }}" And the response "data.type" is equal to "mute_rules" - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Get a quick list of security signals returns "Bad Request" response Given new "ListSecurityMonitoringSignals" request When the request is sent Then the response status is 400 Bad Request - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Get a quick list of security signals returns "OK" response Given new "ListSecurityMonitoringSignals" request When the request is sent Then the response status is 200 OK - @replay-only @skip-validation @team:DataDog/cloud-siem @with-pagination + @replay-only @skip-validation @team:DataDog/k9-cloud-siem @with-pagination Scenario: Get a quick list of security signals returns "OK" response with pagination Given new "ListSecurityMonitoringSignals" request And request contains "page[limit]" parameter with value 2 @@ -1719,14 +1719,14 @@ Feature: Security Monitoring Then the response status is 200 OK And the response has 3 items - @team:DataDog/cloud-siem + @team:DataDog/k9-cloud-siem Scenario: Get a rule's details returns "Not Found" response Given new "GetSecurityMonitoringRule" request And request contains "rule_id" parameter with value "abcde-12345" When the request is sent Then the response status is 404 Not Found - @skip-validation @team:DataDog/cloud-siem + @skip-validation @team:DataDog/k9-cloud-siem Scenario: Get a rule's details returns "OK" response Given new "GetSecurityMonitoringRule" request And there is a valid "security_rule" in the system 
@@ -1736,7 +1736,7 @@ Feature: Security Monitoring And the response "name" is equal to "{{ unique }}" And the response "id" has the same value as "security_rule.id" - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Get a rule's version history returns "Bad Request" response Given operation "GetRuleVersionHistory" enabled And new "GetRuleVersionHistory" request @@ -1744,7 +1744,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 400 Bad Request - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Get a rule's version history returns "Not Found" response Given operation "GetRuleVersionHistory" enabled And new "GetRuleVersionHistory" request @@ -1752,7 +1752,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 404 Not Found - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Get a rule's version history returns "OK" response Given operation "GetRuleVersionHistory" enabled And new "GetRuleVersionHistory" request @@ -1760,14 +1760,14 @@ Feature: Security Monitoring When the request is sent Then the response status is 200 OK - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Get a security filter returns "Not Found" response Given new "GetSecurityFilter" request And request contains "security_filter_id" parameter from "REPLACE.ME" When the request is sent Then the response status is 404 Not Found - @team:DataDog/cloud-siem + @team:DataDog/k9-cloud-siem Scenario: Get a security filter returns "OK" response Given there is a valid "security_filter" in the system And new "GetSecurityFilter" request 
@@ -1780,21 +1780,21 @@ Feature: Security Monitoring And the response "data.attributes.exclusion_filters[0].name" is equal to "Exclude logs from staging" And the response "data.attributes.exclusion_filters[0].query" is equal to "source:staging" - @replay-only @team:DataDog/cloud-siem + @replay-only @team:DataDog/k9-cloud-siem Scenario: Get a signal's details returns "Not Found" response Given new "GetSecurityMonitoringSignal" request And request contains "signal_id" parameter with value "AQAAAYNqUBVU4-rffwAAAABBWU5xVUJWVUFBQjJBd3ptCL3QUEm3nt2" When the request is sent Then the response status is 404 Not Found - @replay-only @team:DataDog/cloud-siem + @replay-only @team:DataDog/k9-cloud-siem Scenario: Get a signal's details returns "OK" response Given new "GetSecurityMonitoringSignal" request And request contains "signal_id" parameter with value "AQAAAYNqUBVU4-rffwAAAABBWU5xVUJWVUFBQjJBd3ptMDdQUnF3QUE" When the request is sent Then the response status is 200 OK - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Get a single entity context returns "Bad Request" response Given operation "GetSingleEntityContext" enabled And new "GetSingleEntityContext" request @@ -1802,7 +1802,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 400 Bad Request - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Get a single entity context returns "Not Found" response Given operation "GetSingleEntityContext" enabled And new "GetSingleEntityContext" request @@ -1810,7 +1810,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 404 Not Found - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Get a single entity context returns "OK" response Given operation "GetSingleEntityContext" enabled And new "GetSingleEntityContext" request 
@@ -1818,14 +1818,14 @@ Feature: Security Monitoring When the request is sent Then the response status is 200 OK - @skip-validation @team:DataDog/cloud-siem + @skip-validation @team:DataDog/k9-cloud-siem Scenario: Get a suppression rule returns "Not Found" response Given new "GetSecurityMonitoringSuppression" request And request contains "suppression_id" parameter with value "this-does-not-exist" When the request is sent Then the response status is 404 Not Found - @skip-validation @team:DataDog/cloud-siem + @skip-validation @team:DataDog/k9-cloud-siem Scenario: Get a suppression rule returns "OK" response Given new "GetSecurityMonitoringSuppression" request And there is a valid "suppression" in the system @@ -1835,14 +1835,14 @@ Feature: Security Monitoring And the response "data.attributes.rule_query" has the same value as "suppression.data.attributes.rule_query" And the response "data.attributes.suppression_query" is equal to "env:test" - @team:DataDog/cloud-siem + @team:DataDog/k9-cloud-siem Scenario: Get a suppression's version history returns "Not Found" response Given new "GetSuppressionVersionHistory" request And request contains "suppression_id" parameter with value "this-does-not-exist" When the request is sent Then the response status is 404 Not Found - @team:DataDog/cloud-siem + @team:DataDog/k9-cloud-siem Scenario: Get a suppression's version history returns "OK" response Given new "GetSuppressionVersionHistory" request And there is a valid "suppression" in the system @@ -1869,7 +1869,7 @@ Feature: Security Monitoring And the response "data.id" is equal to "{{ valid_ticket_creation_rule.data.id }}" And the response "data.type" is equal to "ticket_creation_rules" - @team:DataDog/cloud-siem + @team:DataDog/k9-cloud-siem Scenario: Get all critical assets returns "OK" response Given new "ListSecurityMonitoringCriticalAssets" request When the request is sent 
@@ -1893,7 +1893,7 @@ Feature: Security Monitoring Then the response status is 200 Successfully retrieved the list of mute rules And the response "data" has item with field "id" with value "{{ valid_mute_rule.data.id }}" - @team:DataDog/cloud-siem + @team:DataDog/k9-cloud-siem Scenario: Get all security filters returns "OK" response Given new "ListSecurityFilters" request When the request is sent @@ -1901,13 +1901,13 @@ Feature: Security Monitoring And the response "data" has item with field "attributes.filtered_data_type" with value "logs" And the response "data" has item with field "attributes.is_builtin" with value true - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Get all suppression rules returns "OK" response Given new "ListSecurityMonitoringSuppressions" request When the request is sent Then the response status is 200 OK - @team:DataDog/cloud-siem + @team:DataDog/k9-cloud-siem Scenario: Get all suppression rules returns "OK" response with pagination Given new "ListSecurityMonitoringSuppressions" request And there is a valid "suppression" in the system @@ -1919,7 +1919,7 @@ Feature: Security Monitoring Then the response status is 200 OK And the response "data" has length 1 - @team:DataDog/cloud-siem + @team:DataDog/k9-cloud-siem Scenario: Get all suppression rules returns "OK" response with sort ascending Given new "ListSecurityMonitoringSuppressions" request And there is a valid "suppression" in the system @@ -1930,7 +1930,7 @@ Feature: Security Monitoring Then the response status is 200 OK And the response "data[0].attributes.name" is equal to "suppression {{ unique_hash }}" - @team:DataDog/cloud-siem + @team:DataDog/k9-cloud-siem Scenario: Get all suppression rules returns "OK" response with sort descending Given new "ListSecurityMonitoringSuppressions" request And there is a valid "suppression" in the system 
@@ -1950,7 +1950,7 @@ Feature: Security Monitoring Then the response status is 200 Successfully retrieved the list of ticket creation rules And the response "data" has item with field "id" with value "{{ valid_ticket_creation_rule.data.id }}" - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Get an entity context sync configuration returns "Not Found" response Given operation "GetSecurityMonitoringIntegrationConfig" enabled And new "GetSecurityMonitoringIntegrationConfig" request @@ -1958,7 +1958,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 404 Not Found - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Get an entity context sync configuration returns "OK" response Given operation "GetSecurityMonitoringIntegrationConfig" enabled And new "GetSecurityMonitoringIntegrationConfig" request @@ -1966,7 +1966,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 200 OK - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Get an indicator of compromise returns "Bad Request" response Given operation "GetIndicatorOfCompromise" enabled And new "GetIndicatorOfCompromise" request @@ -1974,7 +1974,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 400 Bad Request - @replay-only @skip-terraform-config @team:DataDog/cloud-siem + @replay-only @skip-terraform-config @team:DataDog/k9-cloud-siem Scenario: Get an indicator of compromise returns "Not Found" response Given operation "GetIndicatorOfCompromise" enabled And new "GetIndicatorOfCompromise" request 
@@ -1982,7 +1982,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 404 Not Found - @replay-only @skip-terraform-config @team:DataDog/cloud-siem + @replay-only @skip-terraform-config @team:DataDog/k9-cloud-siem Scenario: Get an indicator of compromise returns "OK" response Given operation "GetIndicatorOfCompromise" enabled And new "GetIndicatorOfCompromise" request @@ -1991,28 +1991,28 @@ Feature: Security Monitoring When the request is sent Then the response status is 200 OK - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Get content pack states returns "Not Found" response Given operation "GetContentPacksStates" enabled And new "GetContentPacksStates" request When the request is sent Then the response status is 404 Not Found - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Get content pack states returns "OK" response Given operation "GetContentPacksStates" enabled And new "GetContentPacksStates" request When the request is sent Then the response status is 200 OK - @skip @team:DataDog/cloud-siem + @skip @team:DataDog/k9-cloud-siem Scenario: Get critical assets affecting a specific rule returns "Not Found" response Given new "GetCriticalAssetsAffectingRule" request And request contains "rule_id" parameter with value "aaa-bbb-ccc-ddd" When the request is sent Then the response status is 404 Not Found - @team:DataDog/cloud-siem + @team:DataDog/k9-cloud-siem Scenario: Get critical assets affecting a specific rule returns "OK" response Given new "GetCriticalAssetsAffectingRule" request And there is a valid "security_rule" in the system 
@@ -2020,7 +2020,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 200 OK - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Get dataset dependencies returns "Bad Request" response Given operation "BatchGetSecurityMonitoringDatasetDependencies" enabled And new "BatchGetSecurityMonitoringDatasetDependencies" request @@ -2028,7 +2028,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 400 Bad Request - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Get dataset dependencies returns "OK" response Given operation "BatchGetSecurityMonitoringDatasetDependencies" enabled And new "BatchGetSecurityMonitoringDatasetDependencies" request @@ -2096,7 +2096,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 200 Notification rule details. - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Get entities related to a signal returns "Bad Request" response Given operation "GetSignalEntities" enabled And new "GetSignalEntities" request @@ -2104,7 +2104,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 400 Bad Request - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Get entities related to a signal returns "Not Found" response Given operation "GetSignalEntities" enabled And new "GetSignalEntities" request @@ -2112,7 +2112,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 404 Not Found - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Get entities related to a signal returns "OK" response Given operation "GetSignalEntities" enabled And new "GetSignalEntities" request 
@@ -2120,28 +2120,28 @@ Feature: Security Monitoring When the request is sent Then the response status is 200 OK - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Get entity context returns "Bad Request" response Given operation "GetEntityContext" enabled And new "GetEntityContext" request When the request is sent Then the response status is 400 Bad Request - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Get entity context returns "OK" response Given operation "GetEntityContext" enabled And new "GetEntityContext" request When the request is sent Then the response status is 200 OK - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Get investigation queries for a signal returns "Not Found" response Given new "GetInvestigationLogQueriesMatchingSignal" request And request contains "signal_id" parameter from "REPLACE.ME" When the request is sent Then the response status is 404 Not Found - @skip @team:DataDog/cloud-siem + @skip @team:DataDog/k9-cloud-siem Scenario: Get investigation queries for a signal returns "OK" response Given new "GetInvestigationLogQueriesMatchingSignal" request And request contains "signal_id" parameter with value "AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE" @@ -2169,7 +2169,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 200 OK - @skip-go @skip-java @skip-ruby @team:DataDog/cloud-siem + @skip-go @skip-java @skip-ruby @team:DataDog/k9-cloud-siem Scenario: Get rule version history returns "OK" response Given operation "GetRuleVersionHistory" enabled And new "GetRuleVersionHistory" request 
@@ -2182,28 +2182,28 @@ Feature: Security Monitoring And the response "data.attributes.count" is equal to 1 And the response "data.attributes.data[1].rule.name" has the same value as "security_rule.name" - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Get sample log generation subscriptions returns "Bad Request" response Given operation "ListSampleLogGenerationSubscriptions" enabled And new "ListSampleLogGenerationSubscriptions" request When the request is sent Then the response status is 400 Bad Request - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Get sample log generation subscriptions returns "OK" response Given operation "ListSampleLogGenerationSubscriptions" enabled And new "ListSampleLogGenerationSubscriptions" request When the request is sent Then the response status is 200 OK - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Get suggested actions for a signal returns "Not Found" response Given new "GetSuggestedActionsMatchingSignal" request And request contains "signal_id" parameter from "REPLACE.ME" When the request is sent Then the response status is 404 Not Found - @skip @team:DataDog/cloud-siem + @skip @team:DataDog/k9-cloud-siem Scenario: Get suggested actions for a signal returns "OK" response Given new "GetSuggestedActionsMatchingSignal" request And request contains "signal_id" parameter with value "AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE" 
@@ -2219,14 +2219,14 @@ Feature: Security Monitoring And the response "data[1].attributes" has field "title" And the response "data[1].attributes" has field "url" - @team:DataDog/cloud-siem + @team:DataDog/k9-cloud-siem Scenario: Get suppressions affecting a specific rule returns "Not Found" response Given new "GetSuppressionsAffectingRule" request And request contains "rule_id" parameter with value "aaa-bbb-ccc-ddd" When the request is sent Then the response status is 404 Not Found - @team:DataDog/cloud-siem + @team:DataDog/k9-cloud-siem Scenario: Get suppressions affecting a specific rule returns "OK" response Given new "GetSuppressionsAffectingRule" request And there is a valid "security_rule" in the system @@ -2234,14 +2234,14 @@ Feature: Security Monitoring When the request is sent Then the response status is 200 OK - @team:DataDog/cloud-siem + @team:DataDog/k9-cloud-siem Scenario: Get suppressions affecting future rule returns "Bad Request" response Given new "GetSuppressionsAffectingFutureRule" request And body with value {"invalid_key":"invalid_value"} When the request is sent Then the response status is 400 Bad Request - @team:DataDog/cloud-siem + @team:DataDog/k9-cloud-siem Scenario: Get suppressions affecting future rule returns "OK" response Given new "GetSuppressionsAffectingFutureRule" request And body from file "security_monitoring_future_rule_suppression_payload.json" @@ -2262,7 +2262,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 200 The list of notification rules. - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Get the version history of a dataset returns "Bad Request" response Given operation "GetSecurityMonitoringDatasetVersionHistory" enabled And new "GetSecurityMonitoringDatasetVersionHistory" request 
@@ -2270,7 +2270,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 400 Bad Request - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Get the version history of a dataset returns "Not Found" response Given operation "GetSecurityMonitoringDatasetVersionHistory" enabled And new "GetSecurityMonitoringDatasetVersionHistory" request @@ -2278,7 +2278,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 404 Not Found - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Get the version history of a dataset returns "OK" response Given operation "GetSecurityMonitoringDatasetVersionHistory" enabled And new "GetSecurityMonitoringDatasetVersionHistory" request @@ -2286,7 +2286,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 200 OK - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Get the version history of security filters returns "OK" response Given new "ListSecurityFilterVersions" request When the request is sent 
@@ -2366,21 +2366,21 @@ Feature: Security Monitoring When the request is sent Then the response status is 200 OK - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: List datasets returns "Bad Request" response Given operation "ListSecurityMonitoringDatasets" enabled And new "ListSecurityMonitoringDatasets" request When the request is sent Then the response status is 400 Bad Request - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: List datasets returns "OK" response Given operation "ListSecurityMonitoringDatasets" enabled And new "ListSecurityMonitoringDatasets" request When the request is sent Then the response status is 200 OK - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: List entity context sync configurations returns "OK" response Given operation "ListSecurityMonitoringIntegrationConfigs" enabled And new "ListSecurityMonitoringIntegrationConfigs" request 
@@ -2432,42 +2432,42 @@ Feature: Security Monitoring When the request is sent Then the response status is 200 OK - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: List hist signals returns "Bad Request" response Given operation "ListSecurityMonitoringHistsignals" enabled And new "ListSecurityMonitoringHistsignals" request When the request is sent Then the response status is 400 Bad Request - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: List hist signals returns "Not Found" response Given operation "ListSecurityMonitoringHistsignals" enabled And new "ListSecurityMonitoringHistsignals" request When the request is sent Then the response status is 404 Not Found - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: List hist signals returns "OK" response Given operation "ListSecurityMonitoringHistsignals" enabled And new "ListSecurityMonitoringHistsignals" request When the request is sent Then the response status is 200 OK - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: List historical jobs returns "Bad Request" response Given operation "ListHistoricalJobs" enabled And new "ListHistoricalJobs" request When the request is sent Then the response status is 400 Bad Request - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: List historical jobs returns "OK" response Given operation "ListHistoricalJobs" enabled And new "ListHistoricalJobs" request When the request is sent Then the response status is 200 OK - @replay-only @skip-terraform-config @team:DataDog/cloud-siem + @replay-only @skip-terraform-config @team:DataDog/k9-cloud-siem Scenario: List indicators of compromise returns "Bad Request" response Given operation "ListIndicatorsOfCompromise" enabled And new "ListIndicatorsOfCompromise" request 
@@ -2475,7 +2475,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 400 Bad Request - @replay-only @skip-terraform-config @team:DataDog/cloud-siem + @replay-only @skip-terraform-config @team:DataDog/k9-cloud-siem Scenario: List indicators of compromise returns "OK" response Given operation "ListIndicatorsOfCompromise" enabled And new "ListIndicatorsOfCompromise" request @@ -2483,14 +2483,14 @@ Feature: Security Monitoring When the request is sent Then the response status is 200 OK - @team:DataDog/cloud-siem + @team:DataDog/k9-cloud-siem Scenario: List resource filters returns "Bad Request" response Given new "GetResourceEvaluationFilters" request And request contains "account_id" parameter with value "123456789" When the request is sent Then the response status is 400 Bad Request - @team:DataDog/cloud-siem + @team:DataDog/k9-cloud-siem Scenario: List resource filters returns "OK" response Given new "GetResourceEvaluationFilters" request And request contains "cloud_provider" parameter with value "aws" @@ -2498,13 +2498,13 @@ Feature: Security Monitoring When the request is sent Then the response status is 200 OK - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: List rules returns "Bad Request" response Given new "ListSecurityMonitoringRules" request When the request is sent Then the response status is 400 Bad Request - @skip-validation @team:DataDog/cloud-siem + @skip-validation @team:DataDog/k9-cloud-siem Scenario: List rules returns "OK" response Given new "ListSecurityMonitoringRules" request When the request is sent 
@@ -2608,7 +2608,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 200 OK - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Modify the triage assignee of a security signal returns "Bad Request" response Given new "EditSecurityMonitoringSignalAssignee" request And request contains "signal_id" parameter from "REPLACE.ME" @@ -2616,7 +2616,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 400 Bad Request - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Modify the triage assignee of a security signal returns "Not Found" response Given new "EditSecurityMonitoringSignalAssignee" request And request contains "signal_id" parameter from "REPLACE.ME" @@ -2624,7 +2624,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 404 Not Found - @replay-only @team:DataDog/cloud-siem + @replay-only @team:DataDog/k9-cloud-siem Scenario: Modify the triage assignee of a security signal returns "OK" response Given new "EditSecurityMonitoringSignalAssignee" request And request contains "signal_id" parameter with value "AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE" @@ -2824,7 +2824,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 422 Unprocessable Entity - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Restore a rule to a historical version returns "Bad Request" response Given operation "RestoreSecurityMonitoringRule" enabled And new "RestoreSecurityMonitoringRule" request 
@@ -2833,7 +2833,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 400 Bad Request - @team:DataDog/cloud-siem + @team:DataDog/k9-cloud-siem Scenario: Restore a rule to a historical version returns "Conflict" response Given operation "RestoreSecurityMonitoringRule" enabled And there is a valid "security_rule" in the system @@ -2844,7 +2844,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 409 Conflict - @team:DataDog/cloud-siem + @team:DataDog/k9-cloud-siem Scenario: Restore a rule to a historical version returns "Not Found" response Given operation "RestoreSecurityMonitoringRule" enabled And there is a valid "security_rule" in the system @@ -2854,7 +2854,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 404 Not Found - @skip-validation @team:DataDog/cloud-siem + @skip-validation @team:DataDog/k9-cloud-siem Scenario: Restore a rule to a historical version returns "OK" response Given operation "RestoreSecurityMonitoringRule" enabled And there is a valid "security_rule" in the system @@ -2881,7 +2881,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 200 OK - @team:DataDog/cloud-siem + @team:DataDog/k9-cloud-siem Scenario: Run a historical job returns "Bad Request" response Given operation "RunHistoricalJob" enabled And new "RunHistoricalJob" request @@ -2889,7 +2889,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 400 Bad Request - @team:DataDog/cloud-siem + @team:DataDog/k9-cloud-siem Scenario: Run a historical job returns "Not Found" response Given operation "RunHistoricalJob" enabled And new "RunHistoricalJob" request 
@@ -2897,7 +2897,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 404 Not Found - @team:DataDog/cloud-siem + @team:DataDog/k9-cloud-siem Scenario: Run a historical job returns "Status created" response Given operation "RunHistoricalJob" enabled And new "RunHistoricalJob" request @@ -2905,7 +2905,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 201 Status created - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Search hist signals returns "Bad Request" response Given operation "SearchSecurityMonitoringHistsignals" enabled And new "SearchSecurityMonitoringHistsignals" request @@ -2913,7 +2913,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 400 Bad Request - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Search hist signals returns "Not Found" response Given operation "SearchSecurityMonitoringHistsignals" enabled And new "SearchSecurityMonitoringHistsignals" request @@ -2921,7 +2921,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 404 Not Found - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Search hist signals returns "OK" response Given operation "SearchSecurityMonitoringHistsignals" enabled And new "SearchSecurityMonitoringHistsignals" request @@ -2953,7 +2953,7 @@ Feature: Security Monitoring And the response "meta.page" has field "after" And the response "links" has field "next" - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Subscribe to sample log generation returns "Bad Request" response Given operation "CreateSampleLogGenerationSubscription" enabled And new "CreateSampleLogGenerationSubscription" request 
@@ -2961,7 +2961,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 400 Bad Request - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Subscribe to sample log generation returns "OK" response Given operation "CreateSampleLogGenerationSubscription" enabled And new "CreateSampleLogGenerationSubscription" request 
@@ -2969,35 +2969,35 @@ Feature: Security Monitoring When the request is sent Then the response status is 200 OK - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Test a notification rule returns "Bad Request" response Given new "SendSecurityMonitoringNotificationPreview" request And body with value {"data": {"attributes": {"enabled": true, "name": "Rule 1", "routing": {"mode": "manual"}, "selectors": {"query": "(source:production_service OR env:prod)", "rule_types": ["misconfiguration", "attack_path"], "severities": ["critical"], "trigger_source": "security_findings"}, "targets": ["@john.doe@email.com"], "time_aggregation": 86400}, "type": "notification_rules"}} When the request is sent Then the response status is 400 Bad Request - @team:DataDog/cloud-siem + @team:DataDog/k9-cloud-siem Scenario: Test a notification rule returns "OK" response Given new "SendSecurityMonitoringNotificationPreview" request And body with value {"data": {"attributes": {"enabled": true, "name": "Rule 1", "selectors": {"query": "env:prod", "rule_types": ["log_detection"], "severities": ["critical"], "trigger_source": "security_signals"}, "targets": ["@john.doe@email.com"]}, "type": "notification_rules"}} When the request is sent Then the response status is 200 OK - @skip @team:DataDog/cloud-siem + @skip @team:DataDog/k9-cloud-siem Scenario: Test a rule returns "Bad Request" response Given new "TestSecurityMonitoringRule" request And body with value {"rule": {"cases": [], "filters": [{"action": "require"}], "hasExtendedTitle": true, "isEnabled": true, "message": "", "name": "My security monitoring rule.", "options": {"decreaseCriticalityBasedOnEnv": false, "detectionMethod": "threshold", "evaluationWindow": 0, "hardcodedEvaluatorType": "log4shell", "impossibleTravelOptions": {"baselineUserLocations": true}, "keepAlive": 0, "maxSignalDuration": 0, "newValueOptions": {"forgetAfter": 1, "learningDuration": 0, "learningMethod": "duration", 
"learningThreshold": 0}, "thirdPartyRuleOptions": {"defaultNotifications": [], "defaultStatus": "critical", "rootQueries": [{"groupByFields": [], "query": "source:cloudtrail"}]}}, "queries": [], "tags": ["env:prod", "team:security"], "thirdPartyCases": [], "type": "application_security"}, "ruleQueryPayloads": [{"expectedResult": true, "index": 0, "payload": {"ddsource": "nginx", "ddtags": "env:staging,version:5.1", "hostname": "i-012345678", "message": "2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World", "service": "payment"}}]} When the request is sent Then the response status is 400 Bad Request - @skip @team:DataDog/cloud-siem + @skip @team:DataDog/k9-cloud-siem Scenario: Test a rule returns "Not Found" response Given new "TestSecurityMonitoringRule" request And body with value {"rule": {"cases": [], "filters": [{"action": "require"}], "hasExtendedTitle": true, "isEnabled": true, "message": "", "name": "My security monitoring rule.", "options": {"decreaseCriticalityBasedOnEnv": false, "detectionMethod": "threshold", "evaluationWindow": 0, "hardcodedEvaluatorType": "log4shell", "impossibleTravelOptions": {"baselineUserLocations": true}, "keepAlive": 0, "maxSignalDuration": 0, "newValueOptions": {"forgetAfter": 1, "learningDuration": 0, "learningMethod": "duration", "learningThreshold": 0}, "thirdPartyRuleOptions": {"defaultNotifications": [], "defaultStatus": "critical", "rootQueries": [{"groupByFields": [], "query": "source:cloudtrail"}]}}, "queries": [], "tags": ["env:prod", "team:security"], "thirdPartyCases": [], "type": "application_security"}, "ruleQueryPayloads": [{"expectedResult": true, "index": 0, "payload": {"ddsource": "nginx", "ddtags": "env:staging,version:5.1", "hostname": "i-012345678", "message": "2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World", "service": "payment"}}]} When the request is sent Then the response status is 404 Not Found - @skip-go @skip-java @skip-ruby @skip-typescript @team:DataDog/cloud-siem + 
@skip-go @skip-java @skip-ruby @skip-typescript @team:DataDog/k9-cloud-siem Scenario: Test a rule returns "OK" response Given new "TestSecurityMonitoringRule" request And body with value {"rule": {"cases": [{"name": "","status": "info","notifications": [],"condition": "a > 0"}],"hasExtendedTitle": true,"isEnabled": true,"message": "My security monitoring rule message.","name": "My security monitoring rule.","options": {"decreaseCriticalityBasedOnEnv": false,"detectionMethod": "threshold","evaluationWindow": 0,"keepAlive": 0,"maxSignalDuration": 0},"queries": [{"query": "source:source_here","groupByFields": ["@userIdentity.assumed_role"],"distinctFields": [],"aggregation": "count","name": ""}],"tags": ["env:prod", "team:security"],"type": "log_detection"}, "ruleQueryPayloads": [{"expectedResult": true,"index": 0,"payload": {"ddsource": "source_here","ddtags": "env:staging,version:5.1","hostname": "i-012345678","message": "2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World","service": "payment","userIdentity": {"assumed_role" : "fake assumed_role"}}}]} @@ -3005,7 +3005,7 @@ Feature: Security Monitoring Then the response status is 200 OK And the response "results[0]" is equal to true - @skip @team:DataDog/cloud-siem + @skip @team:DataDog/k9-cloud-siem Scenario: Test an existing rule returns "Bad Request" response Given new "TestExistingSecurityMonitoringRule" request And request contains "rule_id" parameter from "REPLACE.ME" @@ -3013,7 +3013,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 400 Bad Request - @skip @team:DataDog/cloud-siem + @skip @team:DataDog/k9-cloud-siem Scenario: Test an existing rule returns "Not Found" response Given new "TestExistingSecurityMonitoringRule" request And request contains "rule_id" parameter from "REPLACE.ME" 
@@ -3021,7 +3021,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 404 Not Found - @skip @team:DataDog/cloud-siem + @skip @team:DataDog/k9-cloud-siem Scenario: Test an existing rule returns "OK" response Given new "TestExistingSecurityMonitoringRule" request And request contains "rule_id" parameter from "REPLACE.ME" @@ -3050,7 +3050,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 422 Unprocessable Entity - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Unsubscribe from sample log generation returns "Bad Request" response Given operation "DeleteSampleLogGenerationSubscription" enabled And new "DeleteSampleLogGenerationSubscription" request @@ -3058,7 +3058,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 400 Bad Request - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Unsubscribe from sample log generation returns "OK" response Given operation "DeleteSampleLogGenerationSubscription" enabled And new "DeleteSampleLogGenerationSubscription" request @@ -3066,7 +3066,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 200 OK - @skip-validation @team:DataDog/cloud-siem + @skip-validation @team:DataDog/k9-cloud-siem Scenario: Update a cloud configuration rule's details returns "OK" response Given new "UpdateSecurityMonitoringRule" request And there is a valid "cloud_configuration_rule" in the system 
@@ -3077,7 +3077,7 @@ Feature: Security Monitoring And the response "name" is equal to "{{ unique }}_cloud_updated" And the response "id" has the same value as "cloud_configuration_rule.id" - @skip @team:DataDog/cloud-siem + @skip @team:DataDog/k9-cloud-siem Scenario: Update a critical asset returns "Bad Request" response Given new "UpdateSecurityMonitoringCriticalAsset" request And request contains "critical_asset_id" parameter with value "00000000-0000-0000-0000-000000000000" @@ -3085,7 +3085,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 400 Bad Request - @generated @skip @team:DataDog/cloud-siem + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Update a critical asset returns "Concurrent Modification" response Given new "UpdateSecurityMonitoringCriticalAsset" request And request contains "critical_asset_id" parameter from "REPLACE.ME" @@ -3093,7 +3093,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 409 Concurrent Modification - @team:DataDog/cloud-siem + @team:DataDog/k9-cloud-siem Scenario: Update a critical asset returns "Not Found" response Given new "UpdateSecurityMonitoringCriticalAsset" request And request contains "critical_asset_id" parameter with value "00000000-0000-0000-0000-000000000001" @@ -3101,7 +3101,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 404 Not Found - @skip-validation @team:DataDog/cloud-siem + @skip-validation @team:DataDog/k9-cloud-siem Scenario: Update a critical asset returns "OK" response Given new "UpdateSecurityMonitoringCriticalAsset" request And there is a valid "critical_asset" in the system 
@@ -3114,7 +3114,7 @@ Feature: Security Monitoring
 And the response "data.attributes.enabled" is equal to false
 And the response "data.attributes.version" is equal to 2
 
- @team:DataDog/cloud-siem
+ @team:DataDog/k9-cloud-siem
 Scenario: Update a custom framework returns "Bad Request" response
 Given new "UpdateCustomFramework" request
 And request contains "handle" parameter with value "create-framework-new"
@@ -3123,7 +3123,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 400 Bad Request
 
- @replay-only @team:DataDog/cloud-siem
+ @replay-only @team:DataDog/k9-cloud-siem
 Scenario: Update a custom framework returns "OK" response
 Given there is a valid "custom_framework" in the system
 And new "UpdateCustomFramework" request
@@ -3133,7 +3133,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 200 OK
 
- @generated @skip @team:DataDog/cloud-siem
+ @generated @skip @team:DataDog/k9-cloud-siem
 Scenario: Update a dataset returns "Bad Request" response
 Given operation "UpdateSecurityMonitoringDataset" enabled
 And new "UpdateSecurityMonitoringDataset" request
@@ -3142,7 +3142,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 400 Bad Request
 
- @generated @skip @team:DataDog/cloud-siem
+ @generated @skip @team:DataDog/k9-cloud-siem
 Scenario: Update a dataset returns "Conflict" response
 Given operation "UpdateSecurityMonitoringDataset" enabled
 And new "UpdateSecurityMonitoringDataset" request
@@ -3151,7 +3151,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 409 Conflict
 
- @generated @skip @team:DataDog/cloud-siem
+ @generated @skip @team:DataDog/k9-cloud-siem
 Scenario: Update a dataset returns "No Content" response
 Given operation "UpdateSecurityMonitoringDataset" enabled
 And new "UpdateSecurityMonitoringDataset" request
@@ -3160,7 +3160,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 204 No Content
 
- @generated @skip @team:DataDog/cloud-siem
+ @generated @skip @team:DataDog/k9-cloud-siem
 Scenario: Update a dataset returns "Not Found" response
 Given operation "UpdateSecurityMonitoringDataset" enabled
 And new "UpdateSecurityMonitoringDataset" request
@@ -3247,7 +3247,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 422 Unprocessable Entity
 
- @generated @skip @team:DataDog/cloud-siem
+ @generated @skip @team:DataDog/k9-cloud-siem
 Scenario: Update a security filter returns "Bad Request" response
 Given new "UpdateSecurityFilter" request
 And request contains "security_filter_id" parameter from "REPLACE.ME"
@@ -3255,7 +3255,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 400 Bad Request
 
- @generated @skip @team:DataDog/cloud-siem
+ @generated @skip @team:DataDog/k9-cloud-siem
 Scenario: Update a security filter returns "Concurrent Modification" response
 Given new "UpdateSecurityFilter" request
 And request contains "security_filter_id" parameter from "REPLACE.ME"
@@ -3263,7 +3263,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 409 Concurrent Modification
 
- @generated @skip @team:DataDog/cloud-siem
+ @generated @skip @team:DataDog/k9-cloud-siem
 Scenario: Update a security filter returns "Not Found" response
 Given new "UpdateSecurityFilter" request
 And request contains "security_filter_id" parameter from "REPLACE.ME"
@@ -3271,7 +3271,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 404 Not Found
 
- @team:DataDog/cloud-siem
+ @team:DataDog/k9-cloud-siem
 Scenario: Update a security filter returns "OK" response
 Given new "UpdateSecurityFilter" request
 And there is a valid "security_filter" in the system
@@ -3283,7 +3283,7 @@ Feature: Security Monitoring
 And the response "data.attributes.filtered_data_type" is equal to "logs"
 And the response "data.attributes.name" is equal to "{{ unique }}"
 
- @generated @skip @team:DataDog/cloud-siem
+ @generated @skip @team:DataDog/k9-cloud-siem
 Scenario: Update a suppression rule returns "Bad Request" response
 Given new "UpdateSecurityMonitoringSuppression" request
 And request contains "suppression_id" parameter from "REPLACE.ME"
@@ -3291,7 +3291,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 400 Bad Request
 
- @generated @skip @team:DataDog/cloud-siem
+ @generated @skip @team:DataDog/k9-cloud-siem
 Scenario: Update a suppression rule returns "Concurrent Modification" response
 Given new "UpdateSecurityMonitoringSuppression" request
 And request contains "suppression_id" parameter from "REPLACE.ME"
@@ -3299,7 +3299,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 409 Concurrent Modification
 
- @generated @skip @team:DataDog/cloud-siem
+ @generated @skip @team:DataDog/k9-cloud-siem
 Scenario: Update a suppression rule returns "Not Found" response
 Given new "UpdateSecurityMonitoringSuppression" request
 And request contains "suppression_id" parameter from "REPLACE.ME"
@@ -3307,7 +3307,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 404 Not Found
 
- @skip-validation @team:DataDog/cloud-siem
+ @skip-validation @team:DataDog/k9-cloud-siem
 Scenario: Update a suppression rule returns "OK" response
 Given new "UpdateSecurityMonitoringSuppression" request
 And there is a valid "suppression" in the system
@@ -3358,7 +3358,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 422 Unprocessable Entity
 
- @generated @skip @team:DataDog/cloud-siem
+ @generated @skip @team:DataDog/k9-cloud-siem
 Scenario: Update an entity context sync configuration returns "Bad Request" response
 Given operation "UpdateSecurityMonitoringIntegrationConfig" enabled
 And new "UpdateSecurityMonitoringIntegrationConfig" request
@@ -3367,7 +3367,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 400 Bad Request
 
- @generated @skip @team:DataDog/cloud-siem
+ @generated @skip @team:DataDog/k9-cloud-siem
 Scenario: Update an entity context sync configuration returns "Not Found" response
 Given operation "UpdateSecurityMonitoringIntegrationConfig" enabled
 And new "UpdateSecurityMonitoringIntegrationConfig" request
@@ -3376,7 +3376,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 404 Not Found
 
- @generated @skip @team:DataDog/cloud-siem
+ @generated @skip @team:DataDog/k9-cloud-siem
 Scenario: Update an entity context sync configuration returns "OK" response
 Given operation "UpdateSecurityMonitoringIntegrationConfig" enabled
 And new "UpdateSecurityMonitoringIntegrationConfig" request
@@ -3385,7 +3385,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 200 OK
 
- @skip-validation @team:DataDog/cloud-siem
+ @skip-validation @team:DataDog/k9-cloud-siem
 Scenario: Update an existing rule returns "Bad Request" response
 Given new "UpdateSecurityMonitoringRule" request
 And there is a valid "security_rule" in the system
@@ -3394,7 +3394,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 400 Bad Request
 
- @team:DataDog/cloud-siem
+ @team:DataDog/k9-cloud-siem
 Scenario: Update an existing rule returns "Not Found" response
 Given new "UpdateSecurityMonitoringRule" request
 And request contains "rule_id" parameter with value "abcde-12345"
@@ -3402,7 +3402,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 404 Not Found
 
- @skip-validation @team:DataDog/cloud-siem
+ @skip-validation @team:DataDog/k9-cloud-siem
 Scenario: Update an existing rule returns "OK" response
 Given new "UpdateSecurityMonitoringRule" request
 And there is a valid "security_rule" in the system
@@ -3413,21 +3413,21 @@ Feature: Security Monitoring
 And the response "name" is equal to "{{ unique }}-Updated"
 And the response "id" has the same value as "security_rule.id"
 
- @team:DataDog/cloud-siem
+ @team:DataDog/k9-cloud-siem
 Scenario: Update resource filters returns "Bad Request" response
 Given new "UpdateResourceEvaluationFilters" request
 And body with value {"data": {"attributes": {"cloud_provider": {"invalid": {"aws_account_id": ["tag1:v1"]}}}, "id": "csm_resource_filter", "type": "csm_resource_filter"}}
 When the request is sent
 Then the response status is 400 Bad Request
 
- @team:DataDog/cloud-siem
+ @team:DataDog/k9-cloud-siem
 Scenario: Update resource filters returns "OK" response
 Given new "UpdateResourceEvaluationFilters" request
 And body with value {"data": {"attributes": {"cloud_provider": {"aws": {"aws_account_id": ["tag1:v1"]}}}, "id": "csm_resource_filter", "type": "csm_resource_filter"}}
 When the request is sent
 Then the response status is 201 OK
 
- @skip @team:DataDog/cloud-siem
+ @skip @team:DataDog/k9-cloud-siem
 Scenario: Update security signal triage state or assignee returns "Bad Request" response
 Given new "EditSecurityMonitoringSignal" request
 And request contains "signal_id" parameter from "REPLACE.ME"
@@ -3435,7 +3435,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 400 Bad Request
 
- @skip @team:DataDog/cloud-siem
+ @skip @team:DataDog/k9-cloud-siem
 Scenario: Update security signal triage state or assignee returns "Not Found" response
 Given new "EditSecurityMonitoringSignal" request
 And request contains "signal_id" parameter from "REPLACE.ME"
@@ -3443,7 +3443,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 404 Not Found
 
- @skip @team:DataDog/cloud-siem
+ @skip @team:DataDog/k9-cloud-siem
 Scenario: Update security signal triage state or assignee returns "OK" response
 Given new "EditSecurityMonitoringSignal" request
 And request contains "signal_id" parameter from "REPLACE.ME"
@@ -3451,49 +3451,49 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 200 OK
 
- @skip-go @skip-java @skip-python @skip-ruby @skip-rust @skip-typescript @skip-validation @team:DataDog/cloud-siem
+ @skip-go @skip-java @skip-python @skip-ruby @skip-rust @skip-typescript @skip-validation @team:DataDog/k9-cloud-siem
 Scenario: Validate a detection rule returns "Bad Request" response
 Given new "ValidateSecurityMonitoringRule" request
 And body with value {"cases":[{"name":"","status":"info","notifications":[],"condition":"a > 0"}],"hasExtendedTitle":true,"isEnabled":true,"message":"My security monitoring rule","name":"My security monitoring rule","options":{"evaluationWindow":1800,"keepAlive":999999,"maxSignalDuration":1800,"detectionMethod":"threshold"},"queries":[{"query":"source:source_here","groupByFields":["@userIdentity.assumed_role"],"distinctFields":[],"aggregation":"count","name":""}],"tags":["env:prod","team:security"],"type":"log_detection"}
 When the request is sent
 Then the response status is 400 Bad Request
 
- @team:DataDog/cloud-siem
+ @team:DataDog/k9-cloud-siem
 Scenario: Validate a detection rule returns "OK" response
 Given new "ValidateSecurityMonitoringRule" request
 And body with value {"cases":[{"name":"","status":"info","notifications":[],"condition":"a > 0"}],"hasExtendedTitle":true,"isEnabled":true,"message":"My security monitoring rule","name":"My security monitoring rule","options":{"evaluationWindow":1800,"keepAlive":1800,"maxSignalDuration":1800,"detectionMethod":"threshold"},"queries":[{"query":"source:source_here","groupByFields":["@userIdentity.assumed_role"],"distinctFields":[],"aggregation":"count","name":""}],"tags":["env:prod","team:security"],"type":"log_detection"}
 When the request is sent
 Then the response status is 204 OK
 
- @team:DataDog/cloud-siem
+ @team:DataDog/k9-cloud-siem
 Scenario: Validate a detection rule with detection method 'new_value' with enabled feature 'instantaneousBaseline' returns "OK" response
 Given new "ValidateSecurityMonitoringRule" request
 And body with value {"cases":[{"name":"","status":"info","notifications":[]}],"hasExtendedTitle":true,"isEnabled":true,"message":"My security monitoring rule","name":"My security monitoring rule","options":{"evaluationWindow":0,"keepAlive":300,"maxSignalDuration":600,"detectionMethod":"new_value","newValueOptions":{"forgetAfter":7,"instantaneousBaseline":true,"learningDuration":1,"learningThreshold":0,"learningMethod":"duration"}},"queries":[{"query":"source:source_here","groupByFields":["@userIdentity.assumed_role"],"distinctFields":[],"metric":"name","metrics":["name"],"aggregation":"new_value","name":"","dataSource":"logs"}],"tags":["env:prod","team:security"],"type":"log_detection"}
 When the request is sent
 Then the response status is 204 OK
 
- @team:DataDog/cloud-siem
+ @team:DataDog/k9-cloud-siem
 Scenario: Validate a detection rule with detection method 'sequence_detection' returns "OK" response
 Given new "ValidateSecurityMonitoringRule" request
 And body with value {"cases":[{"name":"","status":"info","notifications":[],"condition":"step_b > 0"}],"hasExtendedTitle":true,"isEnabled":true,"message":"My security monitoring rule","name":"My security monitoring rule","options":{"evaluationWindow":0,"keepAlive":300,"maxSignalDuration":600,"detectionMethod":"sequence_detection","sequenceDetectionOptions":{"stepTransitions":[{"child":"step_b","evaluationWindow":900,"parent":"step_a"}],"steps":[{"condition":"a > 0","evaluationWindow":60,"name":"step_a"},{"condition":"b > 0","evaluationWindow":60,"name":"step_b"}]}},"queries":[{"query":"source:source_here","groupByFields":["@userIdentity.assumed_role"],"distinctFields":[],"aggregation":"count","name":""},{"query":"source:source_here2","groupByFields":[],"distinctFields":[],"aggregation":"count","name":""}],"tags":["env:prod","team:security"],"type":"log_detection"}
 When the request is sent
 Then the response status is 204 OK
 
- @team:DataDog/cloud-siem
+ @team:DataDog/k9-cloud-siem
 Scenario: Validate a suppression rule returns "Bad Request" response
 Given new "ValidateSecurityMonitoringSuppression" request
 And body with value {"data": {"attributes": {"name" : "cold_harbour", "enabled": false, "rule_query":"rule:[A-Invalid", "data_exclusion_query": "not enough attributes"}, "type": "suppressions"}}
 When the request is sent
 Then the response status is 400 Bad Request
 
- @team:DataDog/cloud-siem
+ @team:DataDog/k9-cloud-siem
 Scenario: Validate a suppression rule returns "OK" response
 Given new "ValidateSecurityMonitoringSuppression" request
 And body with value {"data": {"attributes": {"data_exclusion_query": "source:cloudtrail account_id:12345", "description": "This rule suppresses low-severity signals in staging environments.", "enabled": true, "name": "Custom suppression", "rule_query": "type:log_detection source:cloudtrail"}, "type": "suppressions"}}
 When the request is sent
 Then the response status is 204 OK
 
- @generated @skip @team:DataDog/cloud-siem
+ @generated @skip @team:DataDog/k9-cloud-siem
 Scenario: Validate an entity context sync configuration returns "Bad Request" response
 Given operation "ValidateSecurityMonitoringIntegrationConfig" enabled
 And new "ValidateSecurityMonitoringIntegrationConfig" request
@@ -3501,7 +3501,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 400 Bad Request
 
- @generated @skip @team:DataDog/cloud-siem
+ @generated @skip @team:DataDog/k9-cloud-siem
 Scenario: Validate an entity context sync configuration returns "Not Found" response
 Given operation "ValidateSecurityMonitoringIntegrationConfig" enabled
 And new "ValidateSecurityMonitoringIntegrationConfig" request
@@ -3509,7 +3509,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 404 Not Found
 
- @generated @skip @team:DataDog/cloud-siem
+ @generated @skip @team:DataDog/k9-cloud-siem
 Scenario: Validate an entity context sync configuration returns "OK" response
 Given operation "ValidateSecurityMonitoringIntegrationConfig" enabled
 And new "ValidateSecurityMonitoringIntegrationConfig" request
@@ -3517,7 +3517,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 200 OK
 
- @generated @skip @team:DataDog/cloud-siem
+ @generated @skip @team:DataDog/k9-cloud-siem
 Scenario: Validate entity context sync credentials returns "Bad Request" response
 Given operation "ValidateSecurityMonitoringIntegrationCredentials" enabled
 And new "ValidateSecurityMonitoringIntegrationCredentials" request
@@ -3525,7 +3525,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 400 Bad Request
 
- @generated @skip @team:DataDog/cloud-siem
+ @generated @skip @team:DataDog/k9-cloud-siem
 Scenario: Validate entity context sync credentials returns "OK" response
 Given operation "ValidateSecurityMonitoringIntegrationCredentials" enabled
 And new "ValidateSecurityMonitoringIntegrationCredentials" request