Chilkat Online Tools

Python / Datadog API Collection / Create a detection rule

Back to Collection Items

import sys
import chilkat2

# This example assumes the Chilkat API to have been previously unlocked.
# See Global Unlock Sample for sample code.

http = chilkat2.Http()

# Use this online tool to generate code from sample JSON: Generate Code to Create JSON

# The following JSON is sent in the request body.

# {
#   "name": "<string>",
#   "isEnabled": "<boolean>",
#   "queries": [
#     {
#       "aggregation": "count",
#       "distinctFields": [
#         "<string>",
#         "<string>"
#       ],
#       "groupByFields": [
#         "<string>",
#         "<string>"
#       ],
#       "metric": "<string>",
#       "metrics": [
#         "<string>",
#         "<string>"
#       ],
#       "name": "<string>",
#       "query": "<string>"
#     },
#     {
#       "aggregation": "count",
#       "distinctFields": [
#         "<string>",
#         "<string>"
#       ],
#       "groupByFields": [
#         "<string>",
#         "<string>"
#       ],
#       "metric": "<string>",
#       "metrics": [
#         "<string>",
#         "<string>"
#       ],
#       "name": "<string>",
#       "query": "<string>"
#     }
#   ],
#   "options": {
#     "complianceRuleOptions": {
#       "complexRule": "<boolean>",
#       "regoRule": {
#         "policy": "<string>",
#         "resourceTypes": [
#           "<string>",
#           "<string>"
#         ]
#       },
#       "resourceType": "<string>",
#       "incididuntfd5": {},
#       "Duis_3_": {},
#       "ipsum_965": {}
#     },
#     "decreaseCriticalityBasedOnEnv": "<boolean>",
#     "detectionMethod": "impossible_travel",
#     "evaluationWindow": 0,
#     "hardcodedEvaluatorType": "log4shell",
#     "impossibleTravelOptions": {
#       "baselineUserLocations": "<boolean>"
#     },
#     "keepAlive": 21600,
#     "maxSignalDuration": 21600,
#     "newValueOptions": {
#       "forgetAfter": 2,
#       "learningDuration": 0,
#       "learningMethod": "duration",
#       "learningThreshold": 0
#     }
#   },
#   "cases": [
#     {
#       "status": "critical",
#       "condition": "<string>",
#       "name": "<string>",
#       "notifications": [
#         "<string>",
#         "<string>"
#       ]
#     },
#     {
#       "status": "low",
#       "condition": "<string>",
#       "name": "<string>",
#       "notifications": [
#         "<string>",
#         "<string>"
#       ]
#     }
#   ],
#   "message": "<string>",
#   "filters": [
#     {
#       "action": "suppress",
#       "query": "<string>"
#     },
#     {
#       "action": "require",
#       "query": "<string>"
#     }
#   ],
#   "hasExtendedTitle": "<boolean>",
#   "tags": [
#     "<string>",
#     "<string>"
#   ],
#   "type": "workload_security"
# }

json = chilkat2.JsonObject()
json.UpdateString("name","<string>")
json.UpdateString("isEnabled","<boolean>")
json.UpdateString("queries[0].aggregation","count")
json.UpdateString("queries[0].distinctFields[0]","<string>")
json.UpdateString("queries[0].distinctFields[1]","<string>")
json.UpdateString("queries[0].groupByFields[0]","<string>")
json.UpdateString("queries[0].groupByFields[1]","<string>")
json.UpdateString("queries[0].metric","<string>")
json.UpdateString("queries[0].metrics[0]","<string>")
json.UpdateString("queries[0].metrics[1]","<string>")
json.UpdateString("queries[0].name","<string>")
json.UpdateString("queries[0].query","<string>")
json.UpdateString("queries[1].aggregation","count")
json.UpdateString("queries[1].distinctFields[0]","<string>")
json.UpdateString("queries[1].distinctFields[1]","<string>")
json.UpdateString("queries[1].groupByFields[0]","<string>")
json.UpdateString("queries[1].groupByFields[1]","<string>")
json.UpdateString("queries[1].metric","<string>")
json.UpdateString("queries[1].metrics[0]","<string>")
json.UpdateString("queries[1].metrics[1]","<string>")
json.UpdateString("queries[1].name","<string>")
json.UpdateString("queries[1].query","<string>")
json.UpdateString("options.complianceRuleOptions.complexRule","<boolean>")
json.UpdateString("options.complianceRuleOptions.regoRule.policy","<string>")
json.UpdateString("options.complianceRuleOptions.regoRule.resourceTypes[0]","<string>")
json.UpdateString("options.complianceRuleOptions.regoRule.resourceTypes[1]","<string>")
json.UpdateString("options.complianceRuleOptions.resourceType","<string>")
json.UpdateNewObject("options.complianceRuleOptions.incididuntfd5")
json.UpdateNewObject("options.complianceRuleOptions.Duis_3_")
json.UpdateNewObject("options.complianceRuleOptions.ipsum_965")
json.UpdateString("options.decreaseCriticalityBasedOnEnv","<boolean>")
json.UpdateString("options.detectionMethod","impossible_travel")
json.UpdateInt("options.evaluationWindow",0)
json.UpdateString("options.hardcodedEvaluatorType","log4shell")
json.UpdateString("options.impossibleTravelOptions.baselineUserLocations","<boolean>")
json.UpdateInt("options.keepAlive",21600)
json.UpdateInt("options.maxSignalDuration",21600)
json.UpdateInt("options.newValueOptions.forgetAfter",2)
json.UpdateInt("options.newValueOptions.learningDuration",0)
json.UpdateString("options.newValueOptions.learningMethod","duration")
json.UpdateInt("options.newValueOptions.learningThreshold",0)
json.UpdateString("cases[0].status","critical")
json.UpdateString("cases[0].condition","<string>")
json.UpdateString("cases[0].name","<string>")
json.UpdateString("cases[0].notifications[0]","<string>")
json.UpdateString("cases[0].notifications[1]","<string>")
json.UpdateString("cases[1].status","low")
json.UpdateString("cases[1].condition","<string>")
json.UpdateString("cases[1].name","<string>")
json.UpdateString("cases[1].notifications[0]","<string>")
json.UpdateString("cases[1].notifications[1]","<string>")
json.UpdateString("message","<string>")
json.UpdateString("filters[0].action","suppress")
json.UpdateString("filters[0].query","<string>")
json.UpdateString("filters[1].action","require")
json.UpdateString("filters[1].query","<string>")
json.UpdateString("hasExtendedTitle","<boolean>")
json.UpdateString("tags[0]","<string>")
json.UpdateString("tags[1]","<string>")
json.UpdateString("type","workload_security")

http.SetRequestHeader("Content-Type","application/json")
http.SetRequestHeader("Accept","application/json")

# resp is a CkHttpResponse
resp = http.PostJson3("https://api.app.ddog-gov.com/api/v2/security_monitoring/rules","application/json",json)
if (http.LastMethodSuccess == False):
    print(http.LastErrorText)
    sys.exit()

sbResponseBody = chilkat2.StringBuilder()
resp.GetBodySb(sbResponseBody)

jResp = chilkat2.JsonObject()
jResp.LoadSb(sbResponseBody)
jResp.EmitCompact = False

print("Response Body:")
print(jResp.Emit())

respStatusCode = resp.StatusCode
print("Response Status Code = " + str(respStatusCode))
if (respStatusCode >= 400):
    print("Response Header:")
    print(resp.Header)
    print("Failed.")

    sys.exit()

# Sample JSON response:
# (Sample code for parsing the JSON response is shown below)

# {
#   "cases": [
#     {
#       "condition": "<string>",
#       "name": "<string>",
#       "notifications": [
#         "<string>",
#         "<string>"
#       ],
#       "status": "medium"
#     },
#     {
#       "condition": "<string>",
#       "name": "<string>",
#       "notifications": [
#         "<string>",
#         "<string>"
#       ],
#       "status": "critical"
#     }
#   ],
#   "complianceSignalOptions": {
#     "defaultActivationStatus": "<boolean>",
#     "defaultGroupByFields": [
#       "<string>",
#       "<string>"
#     ],
#     "userActivationStatus": "<boolean>",
#     "userGroupByFields": [
#       "<string>",
#       "<string>"
#     ]
#   },
#   "createdAt": "<long>",
#   "creationAuthorId": "<long>",
#   "deprecationDate": "<long>",
#   "filters": [
#     {
#       "action": "suppress",
#       "query": "<string>"
#     },
#     {
#       "action": "require",
#       "query": "<string>"
#     }
#   ],
#   "hasExtendedTitle": "<boolean>",
#   "id": "<string>",
#   "isDefault": "<boolean>",
#   "isDeleted": "<boolean>",
#   "isEnabled": "<boolean>",
#   "message": "<string>",
#   "name": "<string>",
#   "options": {
#     "complianceRuleOptions": {
#       "complexRule": "<boolean>",
#       "regoRule": {
#         "policy": "<string>",
#         "resourceTypes": [
#           "<string>",
#           "<string>"
#         ]
#       },
#       "resourceType": "<string>"
#     },
#     "decreaseCriticalityBasedOnEnv": "<boolean>",
#     "detectionMethod": "third_party",
#     "evaluationWindow": 300,
#     "hardcodedEvaluatorType": "log4shell",
#     "impossibleTravelOptions": {
#       "baselineUserLocations": "<boolean>"
#     },
#     "keepAlive": 300,
#     "maxSignalDuration": 900,
#     "newValueOptions": {
#       "forgetAfter": 28,
#       "learningDuration": 0,
#       "learningMethod": "duration",
#       "learningThreshold": 0
#     }
#   },
#   "queries": [
#     {
#       "aggregation": "max",
#       "distinctFields": [
#         "<string>",
#         "<string>"
#       ],
#       "groupByFields": [
#         "<string>",
#         "<string>"
#       ],
#       "metric": "<string>",
#       "metrics": [
#         "<string>",
#         "<string>"
#       ],
#       "name": "<string>",
#       "query": "<string>"
#     },
#     {
#       "aggregation": "max",
#       "distinctFields": [
#         "<string>",
#         "<string>"
#       ],
#       "groupByFields": [
#         "<string>",
#         "<string>"
#       ],
#       "metric": "<string>",
#       "metrics": [
#         "<string>",
#         "<string>"
#       ],
#       "name": "<string>",
#       "query": "<string>"
#     }
#   ],
#   "tags": [
#     "<string>",
#     "<string>"
#   ],
#   "type": "application_security",
#   "updateAuthorId": "<long>",
#   "version": "<long>"
# }

# Sample code for parsing the JSON response...
# Use this online tool to generate parsing code from sample JSON: Generate JSON Parsing Code

DefaultActivationStatus = jResp.StringOf("complianceSignalOptions.defaultActivationStatus")
UserActivationStatus = jResp.StringOf("complianceSignalOptions.userActivationStatus")
createdAt = jResp.StringOf("createdAt")
creationAuthorId = jResp.StringOf("creationAuthorId")
deprecationDate = jResp.StringOf("deprecationDate")
hasExtendedTitle = jResp.StringOf("hasExtendedTitle")
id = jResp.StringOf("id")
isDefault = jResp.StringOf("isDefault")
isDeleted = jResp.StringOf("isDeleted")
isEnabled = jResp.StringOf("isEnabled")
message = jResp.StringOf("message")
name = jResp.StringOf("name")
ComplexRule = jResp.StringOf("options.complianceRuleOptions.complexRule")
Policy = jResp.StringOf("options.complianceRuleOptions.regoRule.policy")
ResourceType = jResp.StringOf("options.complianceRuleOptions.resourceType")
DecreaseCriticalityBasedOnEnv = jResp.StringOf("options.decreaseCriticalityBasedOnEnv")
DetectionMethod = jResp.StringOf("options.detectionMethod")
EvaluationWindow = jResp.IntOf("options.evaluationWindow")
HardcodedEvaluatorType = jResp.StringOf("options.hardcodedEvaluatorType")
BaselineUserLocations = jResp.StringOf("options.impossibleTravelOptions.baselineUserLocations")
KeepAlive = jResp.IntOf("options.keepAlive")
MaxSignalDuration = jResp.IntOf("options.maxSignalDuration")
ForgetAfter = jResp.IntOf("options.newValueOptions.forgetAfter")
LearningDuration = jResp.IntOf("options.newValueOptions.learningDuration")
LearningMethod = jResp.StringOf("options.newValueOptions.learningMethod")
LearningThreshold = jResp.IntOf("options.newValueOptions.learningThreshold")
v_type = jResp.StringOf("type")
updateAuthorId = jResp.StringOf("updateAuthorId")
version = jResp.StringOf("version")
i = 0
count_i = jResp.SizeOfArray("cases")
while i < count_i :
    jResp.I = i
    condition = jResp.StringOf("cases[i].condition")
    name = jResp.StringOf("cases[i].name")
    status = jResp.StringOf("cases[i].status")
    j = 0
    count_j = jResp.SizeOfArray("cases[i].notifications")
    while j < count_j :
        jResp.J = j
        strVal = jResp.StringOf("cases[i].notifications[j]")
        j = j + 1

    i = i + 1

i = 0
count_i = jResp.SizeOfArray("complianceSignalOptions.defaultGroupByFields")
while i < count_i :
    jResp.I = i
    strVal = jResp.StringOf("complianceSignalOptions.defaultGroupByFields[i]")
    i = i + 1

i = 0
count_i = jResp.SizeOfArray("complianceSignalOptions.userGroupByFields")
while i < count_i :
    jResp.I = i
    strVal = jResp.StringOf("complianceSignalOptions.userGroupByFields[i]")
    i = i + 1

i = 0
count_i = jResp.SizeOfArray("filters")
while i < count_i :
    jResp.I = i
    action = jResp.StringOf("filters[i].action")
    query = jResp.StringOf("filters[i].query")
    i = i + 1

i = 0
count_i = jResp.SizeOfArray("options.complianceRuleOptions.regoRule.resourceTypes")
while i < count_i :
    jResp.I = i
    strVal = jResp.StringOf("options.complianceRuleOptions.regoRule.resourceTypes[i]")
    i = i + 1

i = 0
count_i = jResp.SizeOfArray("queries")
while i < count_i :
    jResp.I = i
    aggregation = jResp.StringOf("queries[i].aggregation")
    metric = jResp.StringOf("queries[i].metric")
    name = jResp.StringOf("queries[i].name")
    query = jResp.StringOf("queries[i].query")
    j = 0
    count_j = jResp.SizeOfArray("queries[i].distinctFields")
    while j < count_j :
        jResp.J = j
        strVal = jResp.StringOf("queries[i].distinctFields[j]")
        j = j + 1

    j = 0
    count_j = jResp.SizeOfArray("queries[i].groupByFields")
    while j < count_j :
        jResp.J = j
        strVal = jResp.StringOf("queries[i].groupByFields[j]")
        j = j + 1

    j = 0
    count_j = jResp.SizeOfArray("queries[i].metrics")
    while j < count_j :
        jResp.J = j
        strVal = jResp.StringOf("queries[i].metrics[j]")
        j = j + 1

    i = i + 1

i = 0
count_i = jResp.SizeOfArray("tags")
while i < count_i :
    jResp.I = i
    strVal = jResp.StringOf("tags[i]")
    i = i + 1

Curl Command

curl -X POST
	-H "Content-Type: application/json"
	-H "Accept: application/json"
	-d '{
  "name": "<string>",
  "isEnabled": "<boolean>",
  "queries": [
    {
      "aggregation": "count",
      "distinctFields": [
        "<string>",
        "<string>"
      ],
      "groupByFields": [
        "<string>",
        "<string>"
      ],
      "metric": "<string>",
      "metrics": [
        "<string>",
        "<string>"
      ],
      "name": "<string>",
      "query": "<string>"
    },
    {
      "aggregation": "count",
      "distinctFields": [
        "<string>",
        "<string>"
      ],
      "groupByFields": [
        "<string>",
        "<string>"
      ],
      "metric": "<string>",
      "metrics": [
        "<string>",
        "<string>"
      ],
      "name": "<string>",
      "query": "<string>"
    }
  ],
  "options": {
    "complianceRuleOptions": {
      "complexRule": "<boolean>",
      "regoRule": {
        "policy": "<string>",
        "resourceTypes": [
          "<string>",
          "<string>"
        ]
      },
      "resourceType": "<string>",
      "incididuntfd5": {},
      "Duis_3_": {},
      "ipsum_965": {}
    },
    "decreaseCriticalityBasedOnEnv": "<boolean>",
    "detectionMethod": "impossible_travel",
    "evaluationWindow": 0,
    "hardcodedEvaluatorType": "log4shell",
    "impossibleTravelOptions": {
      "baselineUserLocations": "<boolean>"
    },
    "keepAlive": 21600,
    "maxSignalDuration": 21600,
    "newValueOptions": {
      "forgetAfter": 2,
      "learningDuration": 0,
      "learningMethod": "duration",
      "learningThreshold": 0
    }
  },
  "cases": [
    {
      "status": "critical",
      "condition": "<string>",
      "name": "<string>",
      "notifications": [
        "<string>",
        "<string>"
      ]
    },
    {
      "status": "low",
      "condition": "<string>",
      "name": "<string>",
      "notifications": [
        "<string>",
        "<string>"
      ]
    }
  ],
  "message": "<string>",
  "filters": [
    {
      "action": "suppress",
      "query": "<string>"
    },
    {
      "action": "require",
      "query": "<string>"
    }
  ],
  "hasExtendedTitle": "<boolean>",
  "tags": [
    "<string>",
    "<string>"
  ],
  "type": "workload_security"
}'
https://api.app.ddog-gov.com/api/v2/security_monitoring/rules

Postman Collection Item JSON

{
  "name": "Create a detection rule",
  "request": {
    "method": "POST",
    "header": [
      {
        "key": "Content-Type",
        "value": "application/json"
      },
      {
        "key": "Accept",
        "value": "application/json"
      }
    ],
    "body": {
      "mode": "raw",
      "raw": "{\n  \"name\": \"<string>\",\n  \"isEnabled\": \"<boolean>\",\n  \"queries\": [\n    {\n      \"aggregation\": \"count\",\n      \"distinctFields\": [\n        \"<string>\",\n        \"<string>\"\n      ],\n      \"groupByFields\": [\n        \"<string>\",\n        \"<string>\"\n      ],\n      \"metric\": \"<string>\",\n      \"metrics\": [\n        \"<string>\",\n        \"<string>\"\n      ],\n      \"name\": \"<string>\",\n      \"query\": \"<string>\"\n    },\n    {\n      \"aggregation\": \"count\",\n      \"distinctFields\": [\n        \"<string>\",\n        \"<string>\"\n      ],\n      \"groupByFields\": [\n        \"<string>\",\n        \"<string>\"\n      ],\n      \"metric\": \"<string>\",\n      \"metrics\": [\n        \"<string>\",\n        \"<string>\"\n      ],\n      \"name\": \"<string>\",\n      \"query\": \"<string>\"\n    }\n  ],\n  \"options\": {\n    \"complianceRuleOptions\": {\n      \"complexRule\": \"<boolean>\",\n      \"regoRule\": {\n        \"policy\": \"<string>\",\n        \"resourceTypes\": [\n          \"<string>\",\n          \"<string>\"\n        ]\n      },\n      \"resourceType\": \"<string>\",\n      \"incididuntfd5\": {},\n      \"Duis_3_\": {},\n      \"ipsum_965\": {}\n    },\n    \"decreaseCriticalityBasedOnEnv\": \"<boolean>\",\n    \"detectionMethod\": \"impossible_travel\",\n    \"evaluationWindow\": 0,\n    \"hardcodedEvaluatorType\": \"log4shell\",\n    \"impossibleTravelOptions\": {\n      \"baselineUserLocations\": \"<boolean>\"\n    },\n    \"keepAlive\": 21600,\n    \"maxSignalDuration\": 21600,\n    \"newValueOptions\": {\n      \"forgetAfter\": 2,\n      \"learningDuration\": 0,\n      \"learningMethod\": \"duration\",\n      \"learningThreshold\": 0\n    }\n  },\n  \"cases\": [\n    {\n      \"status\": \"critical\",\n      \"condition\": \"<string>\",\n      \"name\": \"<string>\",\n      \"notifications\": [\n        \"<string>\",\n        \"<string>\"\n      ]\n    },\n    {\n      \"status\": \"low\",\n      \"condition\": \"<string>\",\n      \"name\": \"<string>\",\n      \"notifications\": [\n        \"<string>\",\n        \"<string>\"\n      ]\n    }\n  ],\n  \"message\": \"<string>\",\n  \"filters\": [\n    {\n      \"action\": \"suppress\",\n      \"query\": \"<string>\"\n    },\n    {\n      \"action\": \"require\",\n      \"query\": \"<string>\"\n    }\n  ],\n  \"hasExtendedTitle\": \"<boolean>\",\n  \"tags\": [\n    \"<string>\",\n    \"<string>\"\n  ],\n  \"type\": \"workload_security\"\n}",
      "options": {
        "raw": {
          "headerFamily": "json",
          "language": "json"
        }
      }
    },
    "url": {
      "raw": "{{baseUrl}}/api/v2/security_monitoring/rules",
      "host": [
        "{{baseUrl}}"
      ],
      "path": [
        "api",
        "v2",
        "security_monitoring",
        "rules"
      ]
    },
    "description": "Create a detection rule."
  },
  "response": [
    {
      "name": "OK",
      "originalRequest": {
        "method": "POST",
        "header": [
          {
            "key": "Content-Type",
            "value": "application/json"
          },
          {
            "key": "Accept",
            "value": "application/json"
          },
          {
            "description": "Added as a part of security scheme: apikey",
            "key": "DD-API-KEY",
            "value": "<API Key>"
          }
        ],
        "body": {
          "mode": "raw",
          "raw": "{\n  \"name\": \"<string>\",\n  \"isEnabled\": \"<boolean>\",\n  \"queries\": [\n    {\n      \"aggregation\": \"count\",\n      \"distinctFields\": [\n        \"<string>\",\n        \"<string>\"\n      ],\n      \"groupByFields\": [\n        \"<string>\",\n        \"<string>\"\n      ],\n      \"metric\": \"<string>\",\n      \"metrics\": [\n        \"<string>\",\n        \"<string>\"\n      ],\n      \"name\": \"<string>\",\n      \"query\": \"<string>\"\n    },\n    {\n      \"aggregation\": \"count\",\n      \"distinctFields\": [\n        \"<string>\",\n        \"<string>\"\n      ],\n      \"groupByFields\": [\n        \"<string>\",\n        \"<string>\"\n      ],\n      \"metric\": \"<string>\",\n      \"metrics\": [\n        \"<string>\",\n        \"<string>\"\n      ],\n      \"name\": \"<string>\",\n      \"query\": \"<string>\"\n    }\n  ],\n  \"options\": {\n    \"complianceRuleOptions\": {\n      \"complexRule\": \"<boolean>\",\n      \"regoRule\": {\n        \"policy\": \"<string>\",\n        \"resourceTypes\": [\n          \"<string>\",\n          \"<string>\"\n        ]\n      },\n      \"resourceType\": \"<string>\",\n      \"incididuntfd5\": {},\n      \"Duis_3_\": {},\n      \"ipsum_965\": {}\n    },\n    \"decreaseCriticalityBasedOnEnv\": \"<boolean>\",\n    \"detectionMethod\": \"impossible_travel\",\n    \"evaluationWindow\": 0,\n    \"hardcodedEvaluatorType\": \"log4shell\",\n    \"impossibleTravelOptions\": {\n      \"baselineUserLocations\": \"<boolean>\"\n    },\n    \"keepAlive\": 21600,\n    \"maxSignalDuration\": 21600,\n    \"newValueOptions\": {\n      \"forgetAfter\": 2,\n      \"learningDuration\": 0,\n      \"learningMethod\": \"duration\",\n      \"learningThreshold\": 0\n    }\n  },\n  \"cases\": [\n    {\n      \"status\": \"critical\",\n      \"condition\": \"<string>\",\n      \"name\": \"<string>\",\n      \"notifications\": [\n        \"<string>\",\n        \"<string>\"\n      ]\n    },\n    {\n      \"status\": \"low\",\n      \"condition\": \"<string>\",\n      \"name\": \"<string>\",\n      \"notifications\": [\n        \"<string>\",\n        \"<string>\"\n      ]\n    }\n  ],\n  \"message\": \"<string>\",\n  \"filters\": [\n    {\n      \"action\": \"suppress\",\n      \"query\": \"<string>\"\n    },\n    {\n      \"action\": \"require\",\n      \"query\": \"<string>\"\n    }\n  ],\n  \"hasExtendedTitle\": \"<boolean>\",\n  \"tags\": [\n    \"<string>\",\n    \"<string>\"\n  ],\n  \"type\": \"workload_security\"\n}",
          "options": {
            "raw": {
              "headerFamily": "json",
              "language": "json"
            }
          }
        },
        "url": {
          "raw": "{{baseUrl}}/api/v2/security_monitoring/rules",
          "host": [
            "{{baseUrl}}"
          ],
          "path": [
            "api",
            "v2",
            "security_monitoring",
            "rules"
          ]
        }
      },
      "status": "OK",
      "code": 200,
      "_postman_previewlanguage": "json",
      "header": [
        {
          "key": "Content-Type",
          "value": "application/json"
        }
      ],
      "cookie": [
      ],
      "body": "{\n  \"cases\": [\n    {\n      \"condition\": \"<string>\",\n      \"name\": \"<string>\",\n      \"notifications\": [\n        \"<string>\",\n        \"<string>\"\n      ],\n      \"status\": \"medium\"\n    },\n    {\n      \"condition\": \"<string>\",\n      \"name\": \"<string>\",\n      \"notifications\": [\n        \"<string>\",\n        \"<string>\"\n      ],\n      \"status\": \"critical\"\n    }\n  ],\n  \"complianceSignalOptions\": {\n    \"defaultActivationStatus\": \"<boolean>\",\n    \"defaultGroupByFields\": [\n      \"<string>\",\n      \"<string>\"\n    ],\n    \"userActivationStatus\": \"<boolean>\",\n    \"userGroupByFields\": [\n      \"<string>\",\n      \"<string>\"\n    ]\n  },\n  \"createdAt\": \"<long>\",\n  \"creationAuthorId\": \"<long>\",\n  \"deprecationDate\": \"<long>\",\n  \"filters\": [\n    {\n      \"action\": \"suppress\",\n      \"query\": \"<string>\"\n    },\n    {\n      \"action\": \"require\",\n      \"query\": \"<string>\"\n    }\n  ],\n  \"hasExtendedTitle\": \"<boolean>\",\n  \"id\": \"<string>\",\n  \"isDefault\": \"<boolean>\",\n  \"isDeleted\": \"<boolean>\",\n  \"isEnabled\": \"<boolean>\",\n  \"message\": \"<string>\",\n  \"name\": \"<string>\",\n  \"options\": {\n    \"complianceRuleOptions\": {\n      \"complexRule\": \"<boolean>\",\n      \"regoRule\": {\n        \"policy\": \"<string>\",\n        \"resourceTypes\": [\n          \"<string>\",\n          \"<string>\"\n        ]\n      },\n      \"resourceType\": \"<string>\"\n    },\n    \"decreaseCriticalityBasedOnEnv\": \"<boolean>\",\n    \"detectionMethod\": \"third_party\",\n    \"evaluationWindow\": 300,\n    \"hardcodedEvaluatorType\": \"log4shell\",\n    \"impossibleTravelOptions\": {\n      \"baselineUserLocations\": \"<boolean>\"\n    },\n    \"keepAlive\": 300,\n    \"maxSignalDuration\": 900,\n    \"newValueOptions\": {\n      \"forgetAfter\": 28,\n      \"learningDuration\": 0,\n      \"learningMethod\": \"duration\",\n      \"learningThreshold\": 0\n    }\n  },\n  \"queries\": [\n    {\n      \"aggregation\": \"max\",\n      \"distinctFields\": [\n        \"<string>\",\n        \"<string>\"\n      ],\n      \"groupByFields\": [\n        \"<string>\",\n        \"<string>\"\n      ],\n      \"metric\": \"<string>\",\n      \"metrics\": [\n        \"<string>\",\n        \"<string>\"\n      ],\n      \"name\": \"<string>\",\n      \"query\": \"<string>\"\n    },\n    {\n      \"aggregation\": \"max\",\n      \"distinctFields\": [\n        \"<string>\",\n        \"<string>\"\n      ],\n      \"groupByFields\": [\n        \"<string>\",\n        \"<string>\"\n      ],\n      \"metric\": \"<string>\",\n      \"metrics\": [\n        \"<string>\",\n        \"<string>\"\n      ],\n      \"name\": \"<string>\",\n      \"query\": \"<string>\"\n    }\n  ],\n  \"tags\": [\n    \"<string>\",\n    \"<string>\"\n  ],\n  \"type\": \"application_security\",\n  \"updateAuthorId\": \"<long>\",\n  \"version\": \"<long>\"\n}"
    },
    {
      "name": "Bad Request",
      "originalRequest": {
        "method": "POST",
        "header": [
          {
            "key": "Content-Type",
            "value": "application/json"
          },
          {
            "key": "Accept",
            "value": "application/json"
          },
          {
            "description": "Added as a part of security scheme: apikey",
            "key": "DD-API-KEY",
            "value": "<API Key>"
          }
        ],
        "body": {
          "mode": "raw",
          "raw": "{\n  \"name\": \"<string>\",\n  \"isEnabled\": \"<boolean>\",\n  \"queries\": [\n    {\n      \"aggregation\": \"count\",\n      \"distinctFields\": [\n        \"<string>\",\n        \"<string>\"\n      ],\n      \"groupByFields\": [\n        \"<string>\",\n        \"<string>\"\n      ],\n      \"metric\": \"<string>\",\n      \"metrics\": [\n        \"<string>\",\n        \"<string>\"\n      ],\n      \"name\": \"<string>\",\n      \"query\": \"<string>\"\n    },\n    {\n      \"aggregation\": \"count\",\n      \"distinctFields\": [\n        \"<string>\",\n        \"<string>\"\n      ],\n      \"groupByFields\": [\n        \"<string>\",\n        \"<string>\"\n      ],\n      \"metric\": \"<string>\",\n      \"metrics\": [\n        \"<string>\",\n        \"<string>\"\n      ],\n      \"name\": \"<string>\",\n      \"query\": \"<string>\"\n    }\n  ],\n  \"options\": {\n    \"complianceRuleOptions\": {\n      \"complexRule\": \"<boolean>\",\n      \"regoRule\": {\n        \"policy\": \"<string>\",\n        \"resourceTypes\": [\n          \"<string>\",\n          \"<string>\"\n        ]\n      },\n      \"resourceType\": \"<string>\",\n      \"incididuntfd5\": {},\n      \"Duis_3_\": {},\n      \"ipsum_965\": {}\n    },\n    \"decreaseCriticalityBasedOnEnv\": \"<boolean>\",\n    \"detectionMethod\": \"impossible_travel\",\n    \"evaluationWindow\": 0,\n    \"hardcodedEvaluatorType\": \"log4shell\",\n    \"impossibleTravelOptions\": {\n      \"baselineUserLocations\": \"<boolean>\"\n    },\n    \"keepAlive\": 21600,\n    \"maxSignalDuration\": 21600,\n    \"newValueOptions\": {\n      \"forgetAfter\": 2,\n      \"learningDuration\": 0,\n      \"learningMethod\": \"duration\",\n      \"learningThreshold\": 0\n    }\n  },\n  \"cases\": [\n    {\n      \"status\": \"critical\",\n      \"condition\": \"<string>\",\n      \"name\": \"<string>\",\n      \"notifications\": [\n        \"<string>\",\n        \"<string>\"\n      ]\n    },\n    {\n      \"status\": \"low\",\n      \"condition\": \"<string>\",\n      \"name\": \"<string>\",\n      \"notifications\": [\n        \"<string>\",\n        \"<string>\"\n      ]\n    }\n  ],\n  \"message\": \"<string>\",\n  \"filters\": [\n    {\n      \"action\": \"suppress\",\n      \"query\": \"<string>\"\n    },\n    {\n      \"action\": \"require\",\n      \"query\": \"<string>\"\n    }\n  ],\n  \"hasExtendedTitle\": \"<boolean>\",\n  \"tags\": [\n    \"<string>\",\n    \"<string>\"\n  ],\n  \"type\": \"workload_security\"\n}",
          "options": {
            "raw": {
              "headerFamily": "json",
              "language": "json"
            }
          }
        },
        "url": {
          "raw": "{{baseUrl}}/api/v2/security_monitoring/rules",
          "host": [
            "{{baseUrl}}"
          ],
          "path": [
            "api",
            "v2",
            "security_monitoring",
            "rules"
          ]
        }
      },
      "status": "Bad Request",
      "code": 400,
      "_postman_previewlanguage": "json",
      "header": [
        {
          "key": "Content-Type",
          "value": "application/json"
        }
      ],
      "cookie": [
      ],
      "body": "{\n  \"errors\": [\n    \"<string>\",\n    \"<string>\"\n  ]\n}"
    },
    {
      "name": "Not Authorized",
      "originalRequest": {
        "method": "POST",
        "header": [
          {
            "key": "Content-Type",
            "value": "application/json"
          },
          {
            "key": "Accept",
            "value": "application/json"
          },
          {
            "description": "Added as a part of security scheme: apikey",
            "key": "DD-API-KEY",
            "value": "<API Key>"
          }
        ],
        "body": {
          "mode": "raw",
          "raw": "{\n  \"name\": \"<string>\",\n  \"isEnabled\": \"<boolean>\",\n  \"queries\": [\n    {\n      \"aggregation\": \"count\",\n      \"distinctFields\": [\n        \"<string>\",\n        \"<string>\"\n      ],\n      \"groupByFields\": [\n        \"<string>\",\n        \"<string>\"\n      ],\n      \"metric\": \"<string>\",\n      \"metrics\": [\n        \"<string>\",\n        \"<string>\"\n      ],\n      \"name\": \"<string>\",\n      \"query\": \"<string>\"\n    },\n    {\n      \"aggregation\": \"count\",\n      \"distinctFields\": [\n        \"<string>\",\n        \"<string>\"\n      ],\n      \"groupByFields\": [\n        \"<string>\",\n        \"<string>\"\n      ],\n      \"metric\": \"<string>\",\n      \"metrics\": [\n        \"<string>\",\n        \"<string>\"\n      ],\n      \"name\": \"<string>\",\n      \"query\": \"<string>\"\n    }\n  ],\n  \"options\": {\n    \"complianceRuleOptions\": {\n      \"complexRule\": \"<boolean>\",\n      \"regoRule\": {\n        \"policy\": \"<string>\",\n        \"resourceTypes\": [\n          \"<string>\",\n          \"<string>\"\n        ]\n      },\n      \"resourceType\": \"<string>\",\n      \"incididuntfd5\": {},\n      \"Duis_3_\": {},\n      \"ipsum_965\": {}\n    },\n    \"decreaseCriticalityBasedOnEnv\": \"<boolean>\",\n    \"detectionMethod\": \"impossible_travel\",\n    \"evaluationWindow\": 0,\n    \"hardcodedEvaluatorType\": \"log4shell\",\n    \"impossibleTravelOptions\": {\n      \"baselineUserLocations\": \"<boolean>\"\n    },\n    \"keepAlive\": 21600,\n    \"maxSignalDuration\": 21600,\n    \"newValueOptions\": {\n      \"forgetAfter\": 2,\n      \"learningDuration\": 0,\n      \"learningMethod\": \"duration\",\n      \"learningThreshold\": 0\n    }\n  },\n  \"cases\": [\n    {\n      \"status\": \"critical\",\n      \"condition\": \"<string>\",\n      \"name\": \"<string>\",\n      \"notifications\": [\n        \"<string>\",\n        \"<string>\"\n      ]\n    },\n    {\n      \"status\": \"low\",\n      \"condition\": \"<string>\",\n      \"name\": \"<string>\",\n      \"notifications\": [\n        \"<string>\",\n        \"<string>\"\n      ]\n    }\n  ],\n  \"message\": \"<string>\",\n  \"filters\": [\n    {\n      \"action\": \"suppress\",\n      \"query\": \"<string>\"\n    },\n    {\n      \"action\": \"require\",\n      \"query\": \"<string>\"\n    }\n  ],\n  \"hasExtendedTitle\": \"<boolean>\",\n  \"tags\": [\n    \"<string>\",\n    \"<string>\"\n  ],\n  \"type\": \"workload_security\"\n}",
          "options": {
            "raw": {
              "headerFamily": "json",
              "language": "json"
            }
          }
        },
        "url": {
          "raw": "{{baseUrl}}/api/v2/security_monitoring/rules",
          "host": [
            "{{baseUrl}}"
          ],
          "path": [
            "api",
            "v2",
            "security_monitoring",
            "rules"
          ]
        }
      },
      "status": "Forbidden",
      "code": 403,
      "_postman_previewlanguage": "json",
      "header": [
        {
          "key": "Content-Type",
          "value": "application/json"
        }
      ],
      "cookie": [
      ],
      "body": "{\n  \"errors\": [\n    \"<string>\",\n    \"<string>\"\n  ]\n}"
    },
    {
      "name": "Too many requests",
      "originalRequest": {
        "method": "POST",
        "header": [
          {
            "key": "Content-Type",
            "value": "application/json"
          },
          {
            "key": "Accept",
            "value": "application/json"
          },
          {
            "description": "Added as a part of security scheme: apikey",
            "key": "DD-API-KEY",
            "value": "<API Key>"
          }
        ],
        "body": {
          "mode": "raw",
          "raw": "{\n  \"name\": \"<string>\",\n  \"isEnabled\": \"<boolean>\",\n  \"queries\": [\n    {\n      \"aggregation\": \"count\",\n      \"distinctFields\": [\n        \"<string>\",\n        \"<string>\"\n      ],\n      \"groupByFields\": [\n        \"<string>\",\n        \"<string>\"\n      ],\n      \"metric\": \"<string>\",\n      \"metrics\": [\n        \"<string>\",\n        \"<string>\"\n      ],\n      \"name\": \"<string>\",\n      \"query\": \"<string>\"\n    },\n    {\n      \"aggregation\": \"count\",\n      \"distinctFields\": [\n        \"<string>\",\n        \"<string>\"\n      ],\n      \"groupByFields\": [\n        \"<string>\",\n        \"<string>\"\n      ],\n      \"metric\": \"<string>\",\n      \"metrics\": [\n        \"<string>\",\n        \"<string>\"\n      ],\n      \"name\": \"<string>\",\n      \"query\": \"<string>\"\n    }\n  ],\n  \"options\": {\n    \"complianceRuleOptions\": {\n      \"complexRule\": \"<boolean>\",\n      \"regoRule\": {\n        \"policy\": \"<string>\",\n        \"resourceTypes\": [\n          \"<string>\",\n          \"<string>\"\n        ]\n      },\n      \"resourceType\": \"<string>\",\n      \"incididuntfd5\": {},\n      \"Duis_3_\": {},\n      \"ipsum_965\": {}\n    },\n    \"decreaseCriticalityBasedOnEnv\": \"<boolean>\",\n    \"detectionMethod\": \"impossible_travel\",\n    \"evaluationWindow\": 0,\n    \"hardcodedEvaluatorType\": \"log4shell\",\n    \"impossibleTravelOptions\": {\n      \"baselineUserLocations\": \"<boolean>\"\n    },\n    \"keepAlive\": 21600,\n    \"maxSignalDuration\": 21600,\n    \"newValueOptions\": {\n      \"forgetAfter\": 2,\n      \"learningDuration\": 0,\n      \"learningMethod\": \"duration\",\n      \"learningThreshold\": 0\n    }\n  },\n  \"cases\": [\n    {\n      \"status\": \"critical\",\n      \"condition\": \"<string>\",\n      \"name\": \"<string>\",\n      \"notifications\": [\n        \"<string>\",\n        \"<string>\"\n      ]\n    },\n    {\n      \"status\": \"low\",\n      \"condition\": \"<string>\",\n      \"name\": \"<string>\",\n      \"notifications\": [\n        \"<string>\",\n        \"<string>\"\n      ]\n    }\n  ],\n  \"message\": \"<string>\",\n  \"filters\": [\n    {\n      \"action\": \"suppress\",\n      \"query\": \"<string>\"\n    },\n    {\n      \"action\": \"require\",\n      \"query\": \"<string>\"\n    }\n  ],\n  \"hasExtendedTitle\": \"<boolean>\",\n  \"tags\": [\n    \"<string>\",\n    \"<string>\"\n  ],\n  \"type\": \"workload_security\"\n}",
          "options": {
            "raw": {
              "headerFamily": "json",
              "language": "json"
            }
          }
        },
        "url": {
          "raw": "{{baseUrl}}/api/v2/security_monitoring/rules",
          "host": [
            "{{baseUrl}}"
          ],
          "path": [
            "api",
            "v2",
            "security_monitoring",
            "rules"
          ]
        }
      },
      "status": "Too Many Requests",
      "code": 429,
      "_postman_previewlanguage": "json",
      "header": [
        {
          "key": "Content-Type",
          "value": "application/json"
        }
      ],
      "cookie": [
      ],
      "body": "{\n  \"errors\": [\n    \"<string>\",\n    \"<string>\"\n  ]\n}"
    }
  ]
}