DataDog · api-clients-generation-pipeline · Sep 12, 2025
@@ -0,0 +1,62 @@
+{
+  "name": "Example-Security-Monitoring",
+  "type": "log_detection",
+  "isEnabled": true,
+  "queries": [
+    {
+      "aggregation": "count",
+      "dataSource": "logs",
+      "distinctFields": [],
+      "groupByFields": [],
+      "hasOptionalGroupByFields": false,
+      "name": "",
+      "query": "service:logs-rule-reducer source:paul test2"
+    },
+    {
+      "aggregation": "count",
+      "dataSource": "logs",
+      "distinctFields": [],
+      "groupByFields": [],
+      "hasOptionalGroupByFields": false,
+      "name": "",
+      "query": "service:logs-rule-reducer source:paul test1"
+    }
+  ],
+  "cases": [
+    {
+      "name": "",
+      "status": "info",
+      "notifications": [],
+      "condition": "step_b > 0"
+    }
+  ],
+  "message": "Logs and signals asdf",
+  "options": {
+    "detectionMethod": "sequence_detection",
+    "evaluationWindow": 0,
+    "keepAlive": 300,
+    "maxSignalDuration": 600,
+    "sequenceDetectionOptions": {
+      "stepTransitions": [
+        {
+          "child": "step_b",
+          "evaluationWindow": 900,
+          "parent": "step_a"
+        }
+      ],
+      "steps": [
+        {
+          "condition": "a > 0",
+          "evaluationWindow": 60,
+          "name": "step_a"
+        },
+        {
+          "condition": "b > 0",
+          "evaluationWindow": 60,
+          "name": "step_b"
+        }
+      ]
+    }
+  },
+  "tags": []
+}
@@ -0,0 +1,64 @@
+{
+  "cases": [
+    {
+      "name": "",
+      "status": "info",
+      "notifications": [],
+      "condition": "step_b > 0"
+    }
+  ],
+  "hasExtendedTitle": true,
+  "isEnabled": true,
+  "message": "My security monitoring rule",
+  "name": "My security monitoring rule",
+  "options": {
+    "evaluationWindow": 0,
+    "keepAlive": 300,
+    "maxSignalDuration": 600,
+    "detectionMethod": "sequence_detection",
+    "sequenceDetectionOptions": {
+      "stepTransitions": [
+        {
+          "child": "step_b",
+          "evaluationWindow": 900,
+          "parent": "step_a"
+        }
+      ],
+      "steps": [
+        {
+          "condition": "a > 0",
+          "evaluationWindow": 60,
+          "name": "step_a"
+        },
+        {
+          "condition": "b > 0",
+          "evaluationWindow": 60,
+          "name": "step_b"
+        }
+      ]
+    }
+  },
+  "queries": [
+    {
+      "query": "source:source_here",
+      "groupByFields": [
+        "@userIdentity.assumed_role"
+      ],
+      "distinctFields": [],
+      "aggregation": "count",
+      "name": ""
+    },
+    {
+      "query": "source:source_here2",
+      "groupByFields": [],
+      "distinctFields": [],
+      "aggregation": "count",
+      "name": ""
+    }
+  ],
+  "tags": [
+    "env:prod",
+    "team:security"
+  ],
+  "type": "log_detection"
+}
@@ -1301,6 +1301,11 @@
       "suffix": "",
       "description": "Create a detection rule returns \"OK\" response"
     },
+    {
+      "group": "security_monitoring",
+      "suffix": "_2899714190",
+      "description": "Create a detection rule with detection method 'sequence_detection' returns \"OK\" response"
+    },
     {
       "group": "security_monitoring",
       "suffix": "_3367706049",
@@ -1473,6 +1478,11 @@
       "group": "security_monitoring",
       "suffix": "",
       "description": "Validate a detection rule returns \"OK\" response"
+    },
+    {
+      "group": "security_monitoring",
+      "suffix": "_4152369508",
+      "description": "Validate a detection rule with detection method 'sequence_detection' returns \"OK\" response"
     }
   ],
   "ValidateSecurityMonitoringSuppression": [

@@ -19541,6 +19541,8 @@ components:
           $ref: '#/components/schemas/SecurityMonitoringRuleMaxSignalDuration'
         newValueOptions:
           $ref: '#/components/schemas/SecurityMonitoringRuleNewValueOptions'
+        sequenceDetectionOptions:
+          $ref: '#/components/schemas/SecurityMonitoringRuleSequenceDetectionOptions'
         thirdPartyRuleOptions:
           $ref: '#/components/schemas/SecurityMonitoringRuleThirdPartyOptions'
       type: object
@@ -39719,6 +39721,7 @@ components:
       - hardcoded
       - third_party
       - anomaly_threshold
+      - sequence_detection
       type: string
       x-enum-varnames:
       - THRESHOLD
@@ -39728,6 +39731,7 @@ components:
       - HARDCODED
       - THIRD_PARTY
       - ANOMALY_THRESHOLD
+      - SEQUENCE_DETECTION
     SecurityMonitoringRuleEvaluationWindow:
       description: 'A time window is specified to match when at least one of the cases
         matches true. This is a sliding window
@@ -39941,6 +39945,8 @@ components:
           $ref: '#/components/schemas/SecurityMonitoringRuleMaxSignalDuration'
         newValueOptions:
           $ref: '#/components/schemas/SecurityMonitoringRuleNewValueOptions'
+        sequenceDetectionOptions:
+          $ref: '#/components/schemas/SecurityMonitoringRuleSequenceDetectionOptions'
         thirdPartyRuleOptions:
           $ref: '#/components/schemas/SecurityMonitoringRuleThirdPartyOptions'
       type: object
@@ -40016,6 +40022,47 @@ components:
       oneOf:
       - $ref: '#/components/schemas/SecurityMonitoringStandardRuleResponse'
       - $ref: '#/components/schemas/SecurityMonitoringSignalRuleResponse'
+    SecurityMonitoringRuleSequenceDetectionOptions:
+      description: Options on sequence detection method.
+      properties:
+        stepTransitions:
+          description: Transitions defining the allowed order of steps and their evaluation
+            windows.
+          items:
+            $ref: '#/components/schemas/SecurityMonitoringRuleSequenceDetectionStepTransition'
+          type: array
+        steps:
+          description: Steps that define the conditions to be matched in sequence.
+          items:
+            $ref: '#/components/schemas/SecurityMonitoringRuleSequenceDetectionStep'
+          type: array
+      type: object
+    SecurityMonitoringRuleSequenceDetectionStep:
+      description: Step definition for sequence detection containing the step name,
+        condition, and evaluation window.
+      properties:
+        condition:
+          description: Condition referencing rule queries (e.g., `a > 0`).
+          type: string
+        evaluationWindow:
+          $ref: '#/components/schemas/SecurityMonitoringRuleEvaluationWindow'
+        name:
+          description: Unique name identifying the step.
+          type: string
+      type: object
+    SecurityMonitoringRuleSequenceDetectionStepTransition:
+      description: Transition from a parent step to a child step within a sequence
+        detection rule.
+      properties:
+        child:
+          description: Name of the child step.
+          type: string
+        evaluationWindow:
+          $ref: '#/components/schemas/SecurityMonitoringRuleEvaluationWindow'
+        parent:
+          description: Name of the parent step.
+          type: string
+      type: object
     SecurityMonitoringRuleSeverity:
       description: Severity of the Security Signal.
       enum: