Add user behavior case actions in API spec (#2796)

Co-authored-by: ci.datadog-api-spec <[email protected]>

Author: api-clients-generation-pipeline[bot]

.apigentools-info

@@ -4,13 +4,13 @@
     "spec_versions": {
         "v1": {
             "apigentools_version": "1.6.6",
-            "regenerated": "2025-04-10 11:41:55.216291",
-            "spec_repo_commit": "7f98e0a9"
+            "regenerated": "2025-04-10 18:01:22.406444",
+            "spec_repo_commit": "c0a45137"
         },
         "v2": {
             "apigentools_version": "1.6.6",
-            "regenerated": "2025-04-10 11:41:55.232985",
-            "spec_repo_commit": "7f98e0a9"
+            "regenerated": "2025-04-10 18:01:22.422014",
+            "spec_repo_commit": "c0a45137"
         }
     }
 }

.generator/schemas/v2/openapi.yaml

@@ -27215,6 +27215,7 @@ components:
           $ref: '#/components/schemas/SecurityMonitoringRuleCaseActionType'
       type: object
     SecurityMonitoringRuleCaseActionOptions:
+      additionalProperties: {}
       description: Options for the rule action
       properties:
         duration:
@@ -27223,16 +27224,24 @@ components:
           format: int64
           minimum: 0
           type: integer
+        userBehaviorName:
+          $ref: '#/components/schemas/SecurityMonitoringRuleCaseActionOptionsUserBehaviorName'
       type: object
+    SecurityMonitoringRuleCaseActionOptionsUserBehaviorName:
+      description: Used with the case action of type 'user_behavior'. The value specified
+        in this field is applied as a risk tag to all users affected by the rule.
+      type: string
     SecurityMonitoringRuleCaseActionType:
       description: The action type.
       enum:
       - block_ip
       - block_user
+      - user_behavior
       type: string
       x-enum-varnames:
       - BLOCK_IP
       - BLOCK_USER
+      - USER_BEHAVIOR
     SecurityMonitoringRuleCaseCreate:
       description: Case when signal is generated.
       properties:

examples/v2/security-monitoring/CreateSecurityMonitoringRule_1965169892.java

@@ -45,12 +45,17 @@ public static void main(String[] args) {
                             .status(SecurityMonitoringRuleSeverity.INFO)
                             .condition("a > 100000")
                             .actions(
-                                Collections.singletonList(
+                                Arrays.asList(
                                     new SecurityMonitoringRuleCaseAction()
                                         .type(SecurityMonitoringRuleCaseActionType.BLOCK_IP)
                                         .options(
                                             new SecurityMonitoringRuleCaseActionOptions()
-                                                .duration(900L))))))
+                                                .duration(900L)),
+                                    new SecurityMonitoringRuleCaseAction()
+                                        .type(SecurityMonitoringRuleCaseActionType.USER_BEHAVIOR)
+                                        .options(
+                                            new SecurityMonitoringRuleCaseActionOptions()
+                                                .userBehaviorName("behavior"))))))
                 .options(
                     new SecurityMonitoringRuleOptions()
                         .keepAlive(SecurityMonitoringRuleKeepAlive.ONE_HOUR)

src/main/java/com/datadog/api/client/v2/model/SecurityMonitoringRuleCaseActionOptions.java

@@ -17,14 +17,20 @@
 import java.util.Objects;
 
 /** Options for the rule action */
-@JsonPropertyOrder({SecurityMonitoringRuleCaseActionOptions.JSON_PROPERTY_DURATION})
+@JsonPropertyOrder({
+  SecurityMonitoringRuleCaseActionOptions.JSON_PROPERTY_DURATION,
+  SecurityMonitoringRuleCaseActionOptions.JSON_PROPERTY_USER_BEHAVIOR_NAME
+})
 @jakarta.annotation.Generated(
     value = "https://github.com/DataDog/datadog-api-client-java/blob/master/.generator")
 public class SecurityMonitoringRuleCaseActionOptions {
   @JsonIgnore public boolean unparsed = false;
   public static final String JSON_PROPERTY_DURATION = "duration";
   private Long duration;
 
+  public static final String JSON_PROPERTY_USER_BEHAVIOR_NAME = "userBehaviorName";
+  private String userBehaviorName;
+
   public SecurityMonitoringRuleCaseActionOptions duration(Long duration) {
     this.duration = duration;
     return this;
@@ -46,6 +52,28 @@ public void setDuration(Long duration) {
     this.duration = duration;
   }
 
+  public SecurityMonitoringRuleCaseActionOptions userBehaviorName(String userBehaviorName) {
+    this.userBehaviorName = userBehaviorName;
+    return this;
+  }
+
+  /**
+   * Used with the case action of type 'user_behavior'. The value specified in this field is applied
+   * as a risk tag to all users affected by the rule.
+   *
+   * @return userBehaviorName
+   */
+  @jakarta.annotation.Nullable
+  @JsonProperty(JSON_PROPERTY_USER_BEHAVIOR_NAME)
+  @JsonInclude(value = JsonInclude.Include.USE_DEFAULTS)
+  public String getUserBehaviorName() {
+    return userBehaviorName;
+  }
+
+  public void setUserBehaviorName(String userBehaviorName) {
+    this.userBehaviorName = userBehaviorName;
+  }
+
   /**
    * A container for additional, undeclared properties. This is a holder for any undeclared
    * properties as specified with the 'additionalProperties' keyword in the OAS document.
@@ -104,21 +132,24 @@ public boolean equals(Object o) {
     SecurityMonitoringRuleCaseActionOptions securityMonitoringRuleCaseActionOptions =
         (SecurityMonitoringRuleCaseActionOptions) o;
     return Objects.equals(this.duration, securityMonitoringRuleCaseActionOptions.duration)
+        && Objects.equals(
+            this.userBehaviorName, securityMonitoringRuleCaseActionOptions.userBehaviorName)
         && Objects.equals(
             this.additionalProperties,
             securityMonitoringRuleCaseActionOptions.additionalProperties);
   }
 
   @Override
   public int hashCode() {
-    return Objects.hash(duration, additionalProperties);
+    return Objects.hash(duration, userBehaviorName, additionalProperties);
   }
 
   @Override
   public String toString() {
     StringBuilder sb = new StringBuilder();
     sb.append("class SecurityMonitoringRuleCaseActionOptions {\n");
     sb.append("    duration: ").append(toIndentedString(duration)).append("\n");
+    sb.append("    userBehaviorName: ").append(toIndentedString(userBehaviorName)).append("\n");
     sb.append("    additionalProperties: ")
         .append(toIndentedString(additionalProperties))
         .append("\n");

src/main/java/com/datadog/api/client/v2/model/SecurityMonitoringRuleCaseActionType.java

@@ -25,12 +25,14 @@
 public class SecurityMonitoringRuleCaseActionType extends ModelEnum<String> {
 
   private static final Set<String> allowedValues =
-      new HashSet<String>(Arrays.asList("block_ip", "block_user"));
+      new HashSet<String>(Arrays.asList("block_ip", "block_user", "user_behavior"));
 
   public static final SecurityMonitoringRuleCaseActionType BLOCK_IP =
       new SecurityMonitoringRuleCaseActionType("block_ip");
   public static final SecurityMonitoringRuleCaseActionType BLOCK_USER =
       new SecurityMonitoringRuleCaseActionType("block_user");
+  public static final SecurityMonitoringRuleCaseActionType USER_BEHAVIOR =
+      new SecurityMonitoringRuleCaseActionType("user_behavior");
 
   SecurityMonitoringRuleCaseActionType(String value) {
     super(value, allowedValues);

src/test/resources/cassettes/features/v2/Create_a_detection_rule_with_type_application_security_returns_OK_response.freeze

@@ -1 +1 @@
-2025-02-06T16:50:39.787Z
+2025-04-09T15:02:05.047Z

src/test/resources/cassettes/features/v2/Create_a_detection_rule_with_type_application_security_returns_OK_response.json

@@ -3,7 +3,7 @@
     "httpRequest": {
       "body": {
         "type": "JSON",
-        "json": "{\"cases\":[{\"actions\":[{\"options\":{\"duration\":900},\"type\":\"block_ip\"}],\"condition\":\"a > 100000\",\"name\":\"\",\"notifications\":[],\"status\":\"info\"}],\"filters\":[],\"groupSignalsBy\":[\"service\"],\"isEnabled\":true,\"message\":\"Test rule\",\"name\":\"Test-Create_a_detection_rule_with_type_application_security_returns_OK_response-1738860639_appsec_rule\",\"options\":{\"detectionMethod\":\"threshold\",\"evaluationWindow\":900,\"keepAlive\":3600,\"maxSignalDuration\":86400},\"queries\":[{\"aggregation\":\"count\",\"distinctFields\":[],\"groupByFields\":[\"service\",\"@http.client_ip\"],\"query\":\"@appsec.security_activity:business_logic.users.login.failure\"}],\"tags\":[],\"type\":\"application_security\"}"
+        "json": "{\"cases\":[{\"actions\":[{\"options\":{\"duration\":900},\"type\":\"block_ip\"},{\"options\":{\"userBehaviorName\":\"behavior\"},\"type\":\"user_behavior\"}],\"condition\":\"a > 100000\",\"name\":\"\",\"notifications\":[],\"status\":\"info\"}],\"filters\":[],\"groupSignalsBy\":[\"service\"],\"isEnabled\":true,\"message\":\"Test rule\",\"name\":\"Test-Create_a_detection_rule_with_type_application_security_returns_OK_response-1744210925_appsec_rule\",\"options\":{\"detectionMethod\":\"threshold\",\"evaluationWindow\":900,\"keepAlive\":3600,\"maxSignalDuration\":86400},\"queries\":[{\"aggregation\":\"count\",\"distinctFields\":[],\"groupByFields\":[\"service\",\"@http.client_ip\"],\"query\":\"@appsec.security_activity:business_logic.users.login.failure\"}],\"tags\":[],\"type\":\"application_security\"}"
       },
       "headers": {},
       "method": "POST",
@@ -12,7 +12,7 @@
       "secure": true
     },
     "httpResponse": {
-      "body": "{\"name\":\"Test-Create_a_detection_rule_with_type_application_security_returns_OK_response-1738860639_appsec_rule\",\"createdAt\":1738860640426,\"isDefault\":false,\"isPartner\":false,\"isEnabled\":true,\"isBeta\":false,\"isDeleted\":false,\"isDeprecated\":false,\"queries\":[{\"query\":\"@appsec.security_activity:business_logic.users.login.failure\",\"groupByFields\":[\"service\",\"@http.client_ip\"],\"hasOptionalGroupByFields\":false,\"distinctFields\":[],\"aggregation\":\"count\",\"name\":\"\",\"dataSource\":\"app_sec_spans\"}],\"options\":{\"evaluationWindow\":900,\"detectionMethod\":\"threshold\",\"maxSignalDuration\":86400,\"keepAlive\":3600},\"cases\":[{\"name\":\"\",\"status\":\"info\",\"notifications\":[],\"condition\":\"a \\u003e 100000\",\"actions\":[{\"type\":\"block_ip\",\"options\":{\"duration\":900}}]}],\"message\":\"Test rule\",\"tags\":[],\"hasExtendedTitle\":false,\"type\":\"application_security\",\"filters\":[],\"version\":1,\"id\":\"rfn-h2v-udr\",\"blocking\":true,\"groupSignalsBy\":[\"service\"],\"casesActions\":[[{\"type\":\"block_ip\",\"options\":{\"duration\":900}}]],\"dependencies\":[\"business_logic.users.login.failure\"],\"metadata\":{\"entities\":null,\"sources\":null},\"creator\":{\"handle\":\"\",\"name\":\"\"},\"updater\":{\"handle\":\"\",\"name\":\"\"}}",
+      "body": "{\"name\":\"Test-Create_a_detection_rule_with_type_application_security_returns_OK_response-1744210925_appsec_rule\",\"createdAt\":1744210925675,\"isDefault\":false,\"isPartner\":false,\"isEnabled\":true,\"isBeta\":false,\"isDeleted\":false,\"isDeprecated\":false,\"queries\":[{\"query\":\"@appsec.security_activity:business_logic.users.login.failure\",\"groupByFields\":[\"service\",\"@http.client_ip\"],\"hasOptionalGroupByFields\":false,\"distinctFields\":[],\"aggregation\":\"count\",\"name\":\"\",\"dataSource\":\"app_sec_spans\"}],\"options\":{\"evaluationWindow\":900,\"detectionMethod\":\"threshold\",\"maxSignalDuration\":86400,\"keepAlive\":3600},\"cases\":[{\"name\":\"\",\"status\":\"info\",\"notifications\":[],\"condition\":\"a \\u003e 100000\",\"actions\":[{\"type\":\"block_ip\",\"options\":{\"duration\":900}},{\"type\":\"user_behavior\",\"options\":{\"userBehaviorName\":\"behavior\"}}]}],\"message\":\"Test rule\",\"tags\":[],\"hasExtendedTitle\":false,\"type\":\"application_security\",\"filters\":[],\"version\":1,\"id\":\"lfr-zxg-fyc\",\"blocking\":true,\"groupSignalsBy\":[\"service\"],\"dependencies\":[\"business_logic.users.login.failure\"],\"metadata\":{\"entities\":null,\"sources\":null},\"creationAuthorId\":2320499,\"creator\":{\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\",\"name\":\"CI Account\"},\"updater\":{\"handle\":\"\",\"name\":\"\"}}",
       "headers": {
         "Content-Type": [
           "application/json"
@@ -27,32 +27,27 @@
     "timeToLive": {
       "unlimited": true
     },
-    "id": "e25ba2dd-2cd8-54ae-985a-97cf9b520975"
+    "id": "2f689fb3-a0a5-4f45-bf36-37e6331a9f25"
   },
   {
     "httpRequest": {
       "headers": {},
       "method": "DELETE",
-      "path": "/api/v2/security_monitoring/rules/rfn-h2v-udr",
+      "path": "/api/v2/security_monitoring/rules/lfr-zxg-fyc",
       "keepAlive": false,
       "secure": true
     },
     "httpResponse": {
-      "body": "{\"status\":\"404\",\"title\":\"Not Found\"}",
-      "headers": {
-        "Content-Type": [
-          "application/json"
-        ]
-      },
-      "statusCode": 404,
-      "reasonPhrase": "Not Found"
+      "headers": {},
+      "statusCode": 204,
+      "reasonPhrase": "No Content"
     },
     "times": {
       "remainingTimes": 1
     },
     "timeToLive": {
       "unlimited": true
     },
-    "id": "d0c7ee9e-7178-f2b7-bb6a-b84e899effed"
+    "id": "a32045c8-5c74-ebb2-99fe-6584f15ea321"
   }
 ]

src/test/resources/com/datadog/api/client/v2/api/security_monitoring.feature

@@ -203,7 +203,7 @@ Feature: Security Monitoring
   @skip-validation @team:DataDog/k9-cloud-security-platform
   Scenario: Create a detection rule with type 'application_security 'returns "OK" response
     Given new "CreateSecurityMonitoringRule" request
-    And body with value {"type":"application_security","name":"{{unique}}_appsec_rule","queries":[{"query":"@appsec.security_activity:business_logic.users.login.failure","aggregation":"count","groupByFields":["service","@http.client_ip"],"distinctFields":[]}],"filters":[],"cases":[{"name":"","status":"info","notifications":[],"condition":"a > 100000","actions":[{"type":"block_ip","options":{"duration":900}}]}],"options":{"keepAlive":3600,"maxSignalDuration":86400,"evaluationWindow":900,"detectionMethod":"threshold"},"isEnabled":true,"message":"Test rule","tags":[],"groupSignalsBy":["service"]}
+    And body with value {"type":"application_security","name":"{{unique}}_appsec_rule","queries":[{"query":"@appsec.security_activity:business_logic.users.login.failure","aggregation":"count","groupByFields":["service","@http.client_ip"],"distinctFields":[]}],"filters":[],"cases":[{"name":"","status":"info","notifications":[],"condition":"a > 100000","actions":[{"type":"block_ip","options":{"duration":900}}, {"type":"user_behavior","options":{"userBehaviorName":"behavior"}}]}],"options":{"keepAlive":3600,"maxSignalDuration":86400,"evaluationWindow":900,"detectionMethod":"threshold"},"isEnabled":true,"message":"Test rule","tags":[],"groupSignalsBy":["service"]}
     When the request is sent
     Then the response status is 200 OK
     And the response "name" is equal to "{{ unique }}_appsec_rule"