DataDog · api-clients-generation-pipeline · Sep 19, 2025 · Sep 19, 2025
@@ -20470,6 +20470,8 @@ components:
           $ref: '#/components/schemas/SecurityMonitoringRuleMaxSignalDuration'
         newValueOptions:
           $ref: '#/components/schemas/SecurityMonitoringRuleNewValueOptions'
+        sequenceDetectionOptions:
+          $ref: '#/components/schemas/SecurityMonitoringRuleSequenceDetectionOptions'
         thirdPartyRuleOptions:
           $ref: '#/components/schemas/SecurityMonitoringRuleThirdPartyOptions'
       type: object
@@ -40786,6 +40788,7 @@ components:
       - hardcoded
       - third_party
       - anomaly_threshold
+      - sequence_detection
       type: string
       x-enum-varnames:
       - THRESHOLD
@@ -40795,6 +40798,7 @@ components:
       - HARDCODED
       - THIRD_PARTY
       - ANOMALY_THRESHOLD
+      - SEQUENCE_DETECTION
     SecurityMonitoringRuleEvaluationWindow:
       description: 'A time window is specified to match when at least one of the cases
         matches true. This is a sliding window
@@ -41008,6 +41012,8 @@ components:
           $ref: '#/components/schemas/SecurityMonitoringRuleMaxSignalDuration'
         newValueOptions:
           $ref: '#/components/schemas/SecurityMonitoringRuleNewValueOptions'
+        sequenceDetectionOptions:
+          $ref: '#/components/schemas/SecurityMonitoringRuleSequenceDetectionOptions'
         thirdPartyRuleOptions:
           $ref: '#/components/schemas/SecurityMonitoringRuleThirdPartyOptions'
       type: object
@@ -41083,6 +41089,47 @@ components:
       oneOf:
       - $ref: '#/components/schemas/SecurityMonitoringStandardRuleResponse'
       - $ref: '#/components/schemas/SecurityMonitoringSignalRuleResponse'
+    SecurityMonitoringRuleSequenceDetectionOptions:
+      description: Options on sequence detection method.
+      properties:
+        stepTransitions:
+          description: Transitions defining the allowed order of steps and their evaluation
+            windows.
+          items:
+            $ref: '#/components/schemas/SecurityMonitoringRuleSequenceDetectionStepTransition'
+          type: array
+        steps:
+          description: Steps that define the conditions to be matched in sequence.
+          items:
+            $ref: '#/components/schemas/SecurityMonitoringRuleSequenceDetectionStep'
+          type: array
+      type: object
+    SecurityMonitoringRuleSequenceDetectionStep:
+      description: Step definition for sequence detection containing the step name,
+        condition, and evaluation window.
+      properties:
+        condition:
+          description: Condition referencing rule queries (e.g., `a > 0`).
+          type: string
+        evaluationWindow:
+          $ref: '#/components/schemas/SecurityMonitoringRuleEvaluationWindow'
+        name:
+          description: Unique name identifying the step.
+          type: string
+      type: object
+    SecurityMonitoringRuleSequenceDetectionStepTransition:
+      description: Transition from a parent step to a child step within a sequence
+        detection rule.
+      properties:
+        child:
+          description: Name of the child step.
+          type: string
+        evaluationWindow:
+          $ref: '#/components/schemas/SecurityMonitoringRuleEvaluationWindow'
+        parent:
+          description: Name of the parent step.
+          type: string
+      type: object
     SecurityMonitoringRuleSeverity:
       description: Severity of the Security Signal.
       enum:

@@ -18183,6 +18183,27 @@ datadog\_api\_client.v2.model.security\_monitoring\_rule\_response module
    :members:
    :show-inheritance:
 
+datadog\_api\_client.v2.model.security\_monitoring\_rule\_sequence\_detection\_options module
+---------------------------------------------------------------------------------------------
+
+.. automodule:: datadog_api_client.v2.model.security_monitoring_rule_sequence_detection_options
+   :members:
+   :show-inheritance:
+
+datadog\_api\_client.v2.model.security\_monitoring\_rule\_sequence\_detection\_step module
+------------------------------------------------------------------------------------------
+
+.. automodule:: datadog_api_client.v2.model.security_monitoring_rule_sequence_detection_step
+   :members:
+   :show-inheritance:
+
+datadog\_api\_client.v2.model.security\_monitoring\_rule\_sequence\_detection\_step\_transition module
+------------------------------------------------------------------------------------------------------
+
+.. automodule:: datadog_api_client.v2.model.security_monitoring_rule_sequence_detection_step_transition
+   :members:
+   :show-inheritance:
+
 datadog\_api\_client.v2.model.security\_monitoring\_rule\_severity module
 -------------------------------------------------------------------------
 

@@ -0,0 +1,105 @@
+"""
+Create a detection rule with detection method 'sequence_detection' returns "OK" response
+"""
+
+from datadog_api_client import ApiClient, Configuration
+from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
+from datadog_api_client.v2.model.security_monitoring_rule_case_create import SecurityMonitoringRuleCaseCreate
+from datadog_api_client.v2.model.security_monitoring_rule_detection_method import SecurityMonitoringRuleDetectionMethod
+from datadog_api_client.v2.model.security_monitoring_rule_evaluation_window import (
+    SecurityMonitoringRuleEvaluationWindow,
+)
+from datadog_api_client.v2.model.security_monitoring_rule_keep_alive import SecurityMonitoringRuleKeepAlive
+from datadog_api_client.v2.model.security_monitoring_rule_max_signal_duration import (
+    SecurityMonitoringRuleMaxSignalDuration,
+)
+from datadog_api_client.v2.model.security_monitoring_rule_options import SecurityMonitoringRuleOptions
+from datadog_api_client.v2.model.security_monitoring_rule_query_aggregation import (
+    SecurityMonitoringRuleQueryAggregation,
+)
+from datadog_api_client.v2.model.security_monitoring_rule_sequence_detection_options import (
+    SecurityMonitoringRuleSequenceDetectionOptions,
+)
+from datadog_api_client.v2.model.security_monitoring_rule_sequence_detection_step import (
+    SecurityMonitoringRuleSequenceDetectionStep,
+)
+from datadog_api_client.v2.model.security_monitoring_rule_sequence_detection_step_transition import (
+    SecurityMonitoringRuleSequenceDetectionStepTransition,
+)
+from datadog_api_client.v2.model.security_monitoring_rule_severity import SecurityMonitoringRuleSeverity
+from datadog_api_client.v2.model.security_monitoring_rule_type_create import SecurityMonitoringRuleTypeCreate
+from datadog_api_client.v2.model.security_monitoring_standard_data_source import SecurityMonitoringStandardDataSource
+from datadog_api_client.v2.model.security_monitoring_standard_rule_create_payload import (
+    SecurityMonitoringStandardRuleCreatePayload,
+)
+from datadog_api_client.v2.model.security_monitoring_standard_rule_query import SecurityMonitoringStandardRuleQuery
+
+body = SecurityMonitoringStandardRuleCreatePayload(
+    name="Example-Security-Monitoring",
+    type=SecurityMonitoringRuleTypeCreate.LOG_DETECTION,
+    is_enabled=True,
+    queries=[
+        SecurityMonitoringStandardRuleQuery(
+            aggregation=SecurityMonitoringRuleQueryAggregation.COUNT,
+            data_source=SecurityMonitoringStandardDataSource.LOGS,
+            distinct_fields=[],
+            group_by_fields=[],
+            has_optional_group_by_fields=False,
+            name="",
+            query="service:logs-rule-reducer source:paul test2",
+        ),
+        SecurityMonitoringStandardRuleQuery(
+            aggregation=SecurityMonitoringRuleQueryAggregation.COUNT,
+            data_source=SecurityMonitoringStandardDataSource.LOGS,
+            distinct_fields=[],
+            group_by_fields=[],
+            has_optional_group_by_fields=False,
+            name="",
+            query="service:logs-rule-reducer source:paul test1",
+        ),
+    ],
+    cases=[
+        SecurityMonitoringRuleCaseCreate(
+            name="",
+            status=SecurityMonitoringRuleSeverity.INFO,
+            notifications=[],
+            condition="step_b > 0",
+        ),
+    ],
+    message="Logs and signals asdf",
+    options=SecurityMonitoringRuleOptions(
+        detection_method=SecurityMonitoringRuleDetectionMethod.SEQUENCE_DETECTION,
+        evaluation_window=SecurityMonitoringRuleEvaluationWindow.ZERO_MINUTES,
+        keep_alive=SecurityMonitoringRuleKeepAlive.FIVE_MINUTES,
+        max_signal_duration=SecurityMonitoringRuleMaxSignalDuration.TEN_MINUTES,
+        sequence_detection_options=SecurityMonitoringRuleSequenceDetectionOptions(
+            step_transitions=[
+                SecurityMonitoringRuleSequenceDetectionStepTransition(
+                    child="step_b",
+                    evaluation_window=SecurityMonitoringRuleEvaluationWindow.FIFTEEN_MINUTES,
+                    parent="step_a",
+                ),
+            ],
+            steps=[
+                SecurityMonitoringRuleSequenceDetectionStep(
+                    condition="a > 0",
+                    evaluation_window=SecurityMonitoringRuleEvaluationWindow.ONE_MINUTE,
+                    name="step_a",
+                ),
+                SecurityMonitoringRuleSequenceDetectionStep(
+                    condition="b > 0",
+                    evaluation_window=SecurityMonitoringRuleEvaluationWindow.ONE_MINUTE,
+                    name="step_b",
+                ),
+            ],
+        ),
+    ),
+    tags=[],
+)
+
+configuration = Configuration()
+with ApiClient(configuration) as api_client:
+    api_instance = SecurityMonitoringApi(api_client)
+    response = api_instance.create_security_monitoring_rule(body=body)
+
+    print(response)
@@ -0,0 +1,102 @@
+"""
+Validate a detection rule with detection method 'sequence_detection' returns "OK" response
+"""
+
+from datadog_api_client import ApiClient, Configuration
+from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
+from datadog_api_client.v2.model.security_monitoring_rule_case_create import SecurityMonitoringRuleCaseCreate
+from datadog_api_client.v2.model.security_monitoring_rule_detection_method import SecurityMonitoringRuleDetectionMethod
+from datadog_api_client.v2.model.security_monitoring_rule_evaluation_window import (
+    SecurityMonitoringRuleEvaluationWindow,
+)
+from datadog_api_client.v2.model.security_monitoring_rule_keep_alive import SecurityMonitoringRuleKeepAlive
+from datadog_api_client.v2.model.security_monitoring_rule_max_signal_duration import (
+    SecurityMonitoringRuleMaxSignalDuration,
+)
+from datadog_api_client.v2.model.security_monitoring_rule_options import SecurityMonitoringRuleOptions
+from datadog_api_client.v2.model.security_monitoring_rule_query_aggregation import (
+    SecurityMonitoringRuleQueryAggregation,
+)
+from datadog_api_client.v2.model.security_monitoring_rule_sequence_detection_options import (
+    SecurityMonitoringRuleSequenceDetectionOptions,
+)
+from datadog_api_client.v2.model.security_monitoring_rule_sequence_detection_step import (
+    SecurityMonitoringRuleSequenceDetectionStep,
+)
+from datadog_api_client.v2.model.security_monitoring_rule_sequence_detection_step_transition import (
+    SecurityMonitoringRuleSequenceDetectionStepTransition,
+)
+from datadog_api_client.v2.model.security_monitoring_rule_severity import SecurityMonitoringRuleSeverity
+from datadog_api_client.v2.model.security_monitoring_rule_type_create import SecurityMonitoringRuleTypeCreate
+from datadog_api_client.v2.model.security_monitoring_standard_rule_payload import SecurityMonitoringStandardRulePayload
+from datadog_api_client.v2.model.security_monitoring_standard_rule_query import SecurityMonitoringStandardRuleQuery
+
+body = SecurityMonitoringStandardRulePayload(
+    cases=[
+        SecurityMonitoringRuleCaseCreate(
+            name="",
+            status=SecurityMonitoringRuleSeverity.INFO,
+            notifications=[],
+            condition="step_b > 0",
+        ),
+    ],
+    has_extended_title=True,
+    is_enabled=True,
+    message="My security monitoring rule",
+    name="My security monitoring rule",
+    options=SecurityMonitoringRuleOptions(
+        evaluation_window=SecurityMonitoringRuleEvaluationWindow.ZERO_MINUTES,
+        keep_alive=SecurityMonitoringRuleKeepAlive.FIVE_MINUTES,
+        max_signal_duration=SecurityMonitoringRuleMaxSignalDuration.TEN_MINUTES,
+        detection_method=SecurityMonitoringRuleDetectionMethod.SEQUENCE_DETECTION,
+        sequence_detection_options=SecurityMonitoringRuleSequenceDetectionOptions(
+            step_transitions=[
+                SecurityMonitoringRuleSequenceDetectionStepTransition(
+                    child="step_b",
+                    evaluation_window=SecurityMonitoringRuleEvaluationWindow.FIFTEEN_MINUTES,
+                    parent="step_a",
+                ),
+            ],
+            steps=[
+                SecurityMonitoringRuleSequenceDetectionStep(
+                    condition="a > 0",
+                    evaluation_window=SecurityMonitoringRuleEvaluationWindow.ONE_MINUTE,
+                    name="step_a",
+                ),
+                SecurityMonitoringRuleSequenceDetectionStep(
+                    condition="b > 0",
+                    evaluation_window=SecurityMonitoringRuleEvaluationWindow.ONE_MINUTE,
+                    name="step_b",
+                ),
+            ],
+        ),
+    ),
+    queries=[
+        SecurityMonitoringStandardRuleQuery(
+            query="source:source_here",
+            group_by_fields=[
+                "@userIdentity.assumed_role",
+            ],
+            distinct_fields=[],
+            aggregation=SecurityMonitoringRuleQueryAggregation.COUNT,
+            name="",
+        ),
+        SecurityMonitoringStandardRuleQuery(
+            query="source:source_here2",
+            group_by_fields=[],
+            distinct_fields=[],
+            aggregation=SecurityMonitoringRuleQueryAggregation.COUNT,
+            name="",
+        ),
+    ],
+    tags=[
+        "env:prod",
+        "team:security",
+    ],
+    type=SecurityMonitoringRuleTypeCreate.LOG_DETECTION,
+)
+
+configuration = Configuration()
+with ApiClient(configuration) as api_client:
+    api_instance = SecurityMonitoringApi(api_client)
+    api_instance.validate_security_monitoring_rule(body=body)
@@ -30,6 +30,9 @@
     from datadog_api_client.v2.model.security_monitoring_rule_new_value_options import (
         SecurityMonitoringRuleNewValueOptions,
     )
+    from datadog_api_client.v2.model.security_monitoring_rule_sequence_detection_options import (
+        SecurityMonitoringRuleSequenceDetectionOptions,
+    )
     from datadog_api_client.v2.model.security_monitoring_rule_third_party_options import (
         SecurityMonitoringRuleThirdPartyOptions,
     )
@@ -54,6 +57,9 @@ def openapi_types(_):
         from datadog_api_client.v2.model.security_monitoring_rule_new_value_options import (
             SecurityMonitoringRuleNewValueOptions,
         )
+        from datadog_api_client.v2.model.security_monitoring_rule_sequence_detection_options import (
+            SecurityMonitoringRuleSequenceDetectionOptions,
+        )
         from datadog_api_client.v2.model.security_monitoring_rule_third_party_options import (
             SecurityMonitoringRuleThirdPartyOptions,
         )
@@ -65,6 +71,7 @@ def openapi_types(_):
             "keep_alive": (SecurityMonitoringRuleKeepAlive,),
             "max_signal_duration": (SecurityMonitoringRuleMaxSignalDuration,),
             "new_value_options": (SecurityMonitoringRuleNewValueOptions,),
+            "sequence_detection_options": (SecurityMonitoringRuleSequenceDetectionOptions,),
             "third_party_rule_options": (SecurityMonitoringRuleThirdPartyOptions,),
         }
 
@@ -75,6 +82,7 @@ def openapi_types(_):
         "keep_alive": "keepAlive",
         "max_signal_duration": "maxSignalDuration",
         "new_value_options": "newValueOptions",
+        "sequence_detection_options": "sequenceDetectionOptions",
         "third_party_rule_options": "thirdPartyRuleOptions",
     }
 
@@ -86,6 +94,7 @@ def __init__(
         keep_alive: Union[SecurityMonitoringRuleKeepAlive, UnsetType] = unset,
         max_signal_duration: Union[SecurityMonitoringRuleMaxSignalDuration, UnsetType] = unset,
         new_value_options: Union[SecurityMonitoringRuleNewValueOptions, UnsetType] = unset,
+        sequence_detection_options: Union[SecurityMonitoringRuleSequenceDetectionOptions, UnsetType] = unset,
         third_party_rule_options: Union[SecurityMonitoringRuleThirdPartyOptions, UnsetType] = unset,
         **kwargs,
     ):
@@ -113,6 +122,9 @@ def __init__(
         :param new_value_options: Options on new value detection method.
         :type new_value_options: SecurityMonitoringRuleNewValueOptions, optional
 
+        :param sequence_detection_options: Options on sequence detection method.
+        :type sequence_detection_options: SecurityMonitoringRuleSequenceDetectionOptions, optional
+
         :param third_party_rule_options: Options on third party detection method.
         :type third_party_rule_options: SecurityMonitoringRuleThirdPartyOptions, optional
         """
@@ -128,6 +140,8 @@ def __init__(
             kwargs["max_signal_duration"] = max_signal_duration
         if new_value_options is not unset:
             kwargs["new_value_options"] = new_value_options
+        if sequence_detection_options is not unset:
+            kwargs["sequence_detection_options"] = sequence_detection_options
         if third_party_rule_options is not unset:
             kwargs["third_party_rule_options"] = third_party_rule_options
         super().__init__(kwargs)