From c01b36a68b124d639ecfdf9245918c669f2562b1 Mon Sep 17 00:00:00 2001 
From: "ci.datadog-api-spec" Date: Tue, 16 Jun 2026 18:35:15 +0000 Subject: [PATCH] Regenerate client from commit afba0de of spec repo --- .generator/schemas/v2/openapi.yaml | 234 ++++++++++++++++++ docs/datadog_api_client.v2.model.rst | 56 +++++ .../AttachServiceNowTicket.py | 1 + .../CreateIoCTriageState.py | 28 +++ .../CreateServiceNowTickets.py | 1 + .../GetIndicatorOfCompromise.py | 3 +- src/datadog_api_client/configuration.py | 3 + .../v2/api/security_monitoring_api.py | 126 ++++++++++ .../v2/model/io_c_indicator.py | 26 ++ .../v2/model/io_c_indicator_detailed.py | 36 +++ .../v2/model/io_c_triage_event.py | 63 +++++ .../v2/model/io_c_triage_state.py | 38 +++ .../v2/model/io_c_triage_write_request.py | 40 +++ .../io_c_triage_write_request_attributes.py | 46 ++++ .../model/io_c_triage_write_request_data.py | 47 ++++ .../v2/model/io_c_triage_write_response.py | 42 ++++ .../io_c_triage_write_response_attributes.py | 79 ++++++ .../model/io_c_triage_write_response_data.py | 62 +++++ src/datadog_api_client/v2/models/__init__.py | 16 ++ ..._state_returns_bad_request_response.frozen | 1 + ...ge_state_returns_bad_request_response.yaml | 20 ++ ...iage_state_returns_created_response.frozen | 1 + ...triage_state_returns_created_response.yaml | 20 ++ ...r_of_compromise_returns_ok_response.frozen | 2 +- ...tor_of_compromise_returns_ok_response.yaml | 8 +- ...s_of_compromise_returns_ok_response.frozen | 2 +- ...ors_of_compromise_returns_ok_response.yaml | 5 +- tests/v2/features/security_monitoring.feature | 37 ++- tests/v2/features/undo.json | 6 + 29 files changed, 1031 insertions(+), 18 deletions(-) create mode 100644 examples/v2/security-monitoring/CreateIoCTriageState.py create mode 100644 src/datadog_api_client/v2/model/io_c_triage_event.py create mode 100644 src/datadog_api_client/v2/model/io_c_triage_state.py create mode 100644 src/datadog_api_client/v2/model/io_c_triage_write_request.py create mode 100644 
src/datadog_api_client/v2/model/io_c_triage_write_request_attributes.py create mode 100644 src/datadog_api_client/v2/model/io_c_triage_write_request_data.py create mode 100644 src/datadog_api_client/v2/model/io_c_triage_write_response.py create mode 100644 src/datadog_api_client/v2/model/io_c_triage_write_response_attributes.py create mode 100644 src/datadog_api_client/v2/model/io_c_triage_write_response_data.py create mode 100644 tests/v2/cassettes/test_scenarios/test_create_or_update_an_indicator_triage_state_returns_bad_request_response.frozen create mode 100644 tests/v2/cassettes/test_scenarios/test_create_or_update_an_indicator_triage_state_returns_bad_request_response.yaml create mode 100644 tests/v2/cassettes/test_scenarios/test_create_or_update_an_indicator_triage_state_returns_created_response.frozen create mode 100644 tests/v2/cassettes/test_scenarios/test_create_or_update_an_indicator_triage_state_returns_created_response.yaml diff --git a/.generator/schemas/v2/openapi.yaml b/.generator/schemas/v2/openapi.yaml index 842f6f5c46..c5035a1dc5 100644 --- a/.generator/schemas/v2/openapi.yaml +++ b/.generator/schemas/v2/openapi.yaml @@ -45707,6 +45707,15 @@ components: items: type: string type: array + triage_state: + $ref: "#/components/schemas/IoCTriageState" + triaged_at: + description: Timestamp when the indicator was last triaged. + format: date-time + type: string + triaged_by: + description: UUID of the user who last triaged the indicator. + type: string type: object IoCIndicatorDetailed: description: An indicator of compromise with extended context from your environment. 
@@ -45825,6 +45834,20 @@ components: items: type: string type: array + triage_history: + description: Full triage history timeline. Returned only when `include_triage_history` is true. + items: + $ref: "#/components/schemas/IoCTriageEvent" + type: array + triage_state: + $ref: "#/components/schemas/IoCTriageState" + triaged_at: + description: Timestamp when the indicator was last triaged. + format: date-time + type: string + triaged_by: + description: UUID of the user who last triaged the indicator. + type: string users: additionalProperties: description: List of user identifiers in this category. 
@@ -45863,6 +45886,103 @@ components: description: Name of the threat intelligence source. type: string type: object + IoCTriageEvent: + description: A single entry in an indicator's triage history timeline. + properties: + triage_state: + $ref: "#/components/schemas/IoCTriageState" + triaged_at: + description: Timestamp when this triage action occurred. + format: date-time + type: string + triaged_by: + description: UUID of the user who performed this triage action. + type: string + type: object + IoCTriageState: + description: Current triage state of the indicator. + enum: + - not_reviewed + - reviewed + example: not_reviewed + type: string + x-enum-varnames: + - NOT_REVIEWED + - REVIEWED + IoCTriageWriteRequest: + description: Request body for creating or updating an indicator triage state. + properties: + data: + $ref: "#/components/schemas/IoCTriageWriteRequestData" + required: + - data + type: object + IoCTriageWriteRequestAttributes: + description: Attributes for setting an indicator's triage state. + properties: + indicator: + description: The indicator value to triage (for example, an IP address or domain). + example: "192.0.2.1" + type: string + triage_state: + $ref: "#/components/schemas/IoCTriageState" + required: + - indicator + - triage_state + type: object + IoCTriageWriteRequestData: + description: Data object for the triage write request. + properties: + attributes: + $ref: "#/components/schemas/IoCTriageWriteRequestAttributes" + type: + default: ioc_triage_state + description: Triage state resource type. + example: ioc_triage_state + type: string + required: + - type + - attributes + type: object + IoCTriageWriteResponse: + description: Response for the create indicator triage state endpoint. + properties: + data: + $ref: "#/components/schemas/IoCTriageWriteResponseData" + type: object + IoCTriageWriteResponseAttributes: + description: Attributes of a created or updated triage state. 
+ properties: + created_at: + description: Timestamp when the triage record was created. + format: date-time + type: string + indicator: + description: The indicator value that was triaged. + type: string + triage_state: + $ref: "#/components/schemas/IoCTriageState" + triaged_at: + description: Timestamp when the triage state was set. + format: date-time + type: string + triaged_by: + description: UUID of the user who set the triage state. + type: string + type: object + IoCTriageWriteResponseData: + description: Data object of the triage write response. + properties: + attributes: + $ref: "#/components/schemas/IoCTriageWriteResponseAttributes" + id: + description: Unique identifier for the triage state record. + type: string + type: + default: ioc_triage_state + description: Triage state resource type. + type: string + type: object Issue: description: The issue matching the request. properties: @@ -166859,6 +166979,9 @@ paths: permissions: - security_monitoring_findings_write - appsec_vm_write + x-unstable: |- + **Note**: This endpoint is in preview and is subject to change. + If you have any feedback, contact [Datadog support](https://docs.datadoghq.com/help/). post: description: >- Create ServiceNow tickets for security findings. @@ -166929,6 +167052,9 @@ paths: permissions: - security_monitoring_findings_write - appsec_vm_write + x-unstable: |- + **Note**: This endpoint is in preview and is subject to change. + If you have any feedback, contact [Datadog support](https://docs.datadoghq.com/help/). /api/v2/security/sboms: get: description: |- 
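Review bot: `IoCTriageWriteRequestData.type` and `IoCTriageWriteResponseData.type` are declared as plain `type: string` with only a `default: ioc_triage_state`, so the generated models accept any resource type and the client cannot reject a mistyped request before it reaches the API (the new example passes the bare literal `type="ioc_triage_state"`). Resource `type` fields elsewhere in this spec are, as far as I recall, modelled as a dedicated enum schema with `x-enum-varnames`, which gives callers a constant and client-side validation; the same pattern fits here (name below is a suggestion, match the repo convention). Relatedly, `triaged_by` is described as a UUID in `IoCTriageEvent` and `IoCTriageWriteResponseAttributes` but carries no `format: uuid`; adding it records the contract in the spec and generated docs without changing the wire format.
```yaml
  IoCTriageWriteRequestDataType:
    default: ioc_triage_state
    description: Triage state resource type.
    enum:
    - ioc_triage_state
    example: ioc_triage_state
    type: string
    x-enum-varnames:
    - IOC_TRIAGE_STATE
  # … unchanged: IoCTriageWriteRequestData up to its `type` property …
      type:
        $ref: "#/components/schemas/IoCTriageWriteRequestDataType"
  # … unchanged: IoCTriageWriteResponseData up to its `type` property, same $ref …
```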
@@ -167323,6 +167449,25 @@ paths: schema: default: desc type: string + - description: When true, return only OCSF field-based matches. When false, return regex/message-based matches. + in: query + name: ocsf + required: false + schema: + default: true + type: boolean + - description: Filter indicators whose triage state was updated by a specific user UUID. + in: query + name: worked_by + required: false + schema: + type: string + - description: Filter by triage state. + in: query + name: triage_state + required: false + schema: + $ref: "#/components/schemas/IoCTriageState" responses: "200": content: @@ -167374,6 +167519,39 @@ paths: required: true schema: type: string + - description: When true, return only OCSF field-based matches. When false, return regex/message-based matches. + in: query + name: ocsf + required: false + schema: + default: true + type: boolean + - description: Include full triage history for the indicator. + in: query + name: include_triage_history + required: false + schema: + default: false + type: boolean + - description: Maximum number of triage history events returned. Only applied when `include_triage_history` is true. + in: query + name: triage_history_limit + required: false + schema: + default: 50 + format: int32 + maximum: 1000 + minimum: 1 + type: integer + - description: Pagination offset into the triage history. Only applied when `include_triage_history` is true. + in: query + name: triage_history_offset + required: false + schema: + default: 0 + format: int32 + maximum: 2147483647 + type: integer responses: "200": content: 
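Review bot: The new `ocsf` query parameter on the IoC list endpoint defaults to `true`, so callers that do not pass it now receive only OCSF field-based matches; if the endpoint previously returned regex/message-based matches as well, this silently narrows results for every existing client with no code change on their side. If that is intended, the description should state it, e.g. `description: When true (the default, also when omitted), return only OCSF field-based matches. When false, return regex/message-based matches instead.`; if not, drop the `default` and let the server keep its current behaviour. The same parameter with the same default is added to the get endpoint in the next hunk (`@@ -167374`). Separately, `worked_by` is described as a user UUID but has no `format: uuid`, so the constraint exists only in prose.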
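Review bot: `triage_history_offset` declares `maximum: 2147483647` but no `minimum`, so a negative offset passes the client-side validation generated from this schema — the params_map entry in `security_monitoring_api.py` (hunk `@@ -1579`) carries only `inclusive_maximum` — and is sent to the server to be rejected there. `triage_history_limit` directly above it has both bounds, so the offset should match with `minimum: 0` under its `schema`, which the generator will turn into an `inclusive_minimum` check.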
@@ -167411,6 +167589,62 @@ paths: x-unstable: |- **Note**: This endpoint is in beta and may be subject to changes. Please check the documentation regularly for updates. + /api/v2/security/siem/ioc-explorer/triage: + post: + description: |- + Set the triage state of an indicator of compromise (IoC). This creates or + updates the triage state for the indicator in your organization. + operationId: CreateIoCTriageState + requestBody: + content: + "application/json": + examples: + default: + value: + data: + attributes: + indicator: "192.0.2.1" + triage_state: reviewed + type: ioc_triage_state + schema: + $ref: "#/components/schemas/IoCTriageWriteRequest" + description: The triage state to set for the indicator. + required: true + responses: + "201": + content: + "application/json": + examples: + default: + value: + data: + attributes: + created_at: "2026-06-04T12:00:00Z" + indicator: "192.0.2.1" + triage_state: reviewed + triaged_at: "2026-06-04T12:00:00Z" + triaged_by: 11111111-2222-3333-4444-555555555555 + id: abc-123 + type: ioc_triage_state + schema: + $ref: "#/components/schemas/IoCTriageWriteResponse" + description: Created + "400": + $ref: "#/components/responses/BadRequestResponse" + "403": + $ref: "#/components/responses/NotAuthorizedResponse" + "429": + $ref: "#/components/responses/TooManyRequestsResponse" + security: + - apiKeyAuth: [] + appKeyAuth: [] + - AuthZ: + - security_monitoring_signals_write + summary: Create or update an indicator triage state + tags: ["Security Monitoring"] + x-unstable: |- + **Note**: This endpoint is in beta and may be subject to changes. + Please check the documentation regularly for updates. /api/v2/security/signals/notification_rules: get: description: Returns the list of notification rules for security signals. diff --git a/docs/datadog_api_client.v2.model.rst b/docs/datadog_api_client.v2.model.rst index 8213eb3aa0..0b76a67394 100644 --- a/docs/datadog_api_client.v2.model.rst +++ b/docs/datadog_api_client.v2.model.rst 
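Review bot: The operation description says it "creates or updates" a triage state, but the only success response documented is `201` with description `Created`; if the server answers an update with `200` the spec undersells the contract, and if it answers `201` in both cases the description should say so (`description: Created or updated`). Please confirm against the service and document a second success status if one exists. Separately, `IoCTriageWriteRequestAttributes.indicator` (hunk `@@ -45863`) has no `minLength`, so an empty indicator travels to the server and is caught only by the `400`; `minLength: 1` would let the generated client fail fast. The unquoted example scalars `triaged_by: 11111111-2222-3333-4444-555555555555` and `id: abc-123` parse as strings, but quoting them the way `indicator` is quoted keeps the examples uniform.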
@@ -18687,6 +18687,62 @@ datadog\_api\_client.v2.model.io\_c\_source module :members: :show-inheritance: +datadog\_api\_client.v2.model.io\_c\_triage\_event module +--------------------------------------------------------- + +.. automodule:: datadog_api_client.v2.model.io_c_triage_event + :members: + :show-inheritance: + +datadog\_api\_client.v2.model.io\_c\_triage\_state module +--------------------------------------------------------- + +.. automodule:: datadog_api_client.v2.model.io_c_triage_state + :members: + :show-inheritance: + +datadog\_api\_client.v2.model.io\_c\_triage\_write\_request module +------------------------------------------------------------------ + +.. automodule:: datadog_api_client.v2.model.io_c_triage_write_request + :members: + :show-inheritance: + +datadog\_api\_client.v2.model.io\_c\_triage\_write\_request\_attributes module +------------------------------------------------------------------------------ + +.. automodule:: datadog_api_client.v2.model.io_c_triage_write_request_attributes + :members: + :show-inheritance: + +datadog\_api\_client.v2.model.io\_c\_triage\_write\_request\_data module +------------------------------------------------------------------------ + +.. automodule:: datadog_api_client.v2.model.io_c_triage_write_request_data + :members: + :show-inheritance: + +datadog\_api\_client.v2.model.io\_c\_triage\_write\_response module +------------------------------------------------------------------- + +.. automodule:: datadog_api_client.v2.model.io_c_triage_write_response + :members: + :show-inheritance: + +datadog\_api\_client.v2.model.io\_c\_triage\_write\_response\_attributes module +------------------------------------------------------------------------------- + +.. 
automodule:: datadog_api_client.v2.model.io_c_triage_write_response_attributes + :members: + :show-inheritance: + +datadog\_api\_client.v2.model.io\_c\_triage\_write\_response\_data module +------------------------------------------------------------------------- + +.. automodule:: datadog_api_client.v2.model.io_c_triage_write_response_data + :members: + :show-inheritance: + datadog\_api\_client.v2.model.ios\_sourcemap\_attributes module --------------------------------------------------------------- diff --git a/examples/v2/security-monitoring/AttachServiceNowTicket.py b/examples/v2/security-monitoring/AttachServiceNowTicket.py index a2e0eefec9..dbefef8ce3 100644 --- a/examples/v2/security-monitoring/AttachServiceNowTicket.py +++ b/examples/v2/security-monitoring/AttachServiceNowTicket.py @@ -46,6 +46,7 @@ ) configuration = Configuration() +configuration.unstable_operations["attach_service_now_ticket"] = True with ApiClient(configuration) as api_client: api_instance = SecurityMonitoringApi(api_client) response = api_instance.attach_service_now_ticket(body=body) diff --git a/examples/v2/security-monitoring/CreateIoCTriageState.py b/examples/v2/security-monitoring/CreateIoCTriageState.py new file mode 100644 index 0000000000..74953d8901 --- /dev/null +++ b/examples/v2/security-monitoring/CreateIoCTriageState.py 
@@ -0,0 +1,28 @@ +""" +Create or update an indicator triage state returns "Created" response +""" + +from datadog_api_client import ApiClient, Configuration +from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi +from datadog_api_client.v2.model.io_c_triage_state import IoCTriageState +from datadog_api_client.v2.model.io_c_triage_write_request import IoCTriageWriteRequest +from datadog_api_client.v2.model.io_c_triage_write_request_attributes import IoCTriageWriteRequestAttributes +from datadog_api_client.v2.model.io_c_triage_write_request_data import IoCTriageWriteRequestData + +body = IoCTriageWriteRequest( + data=IoCTriageWriteRequestData( + attributes=IoCTriageWriteRequestAttributes( + indicator="192.0.2.1", + triage_state=IoCTriageState.REVIEWED, + ), + type="ioc_triage_state", + ), +) + +configuration = Configuration() +configuration.unstable_operations["create_io_c_triage_state"] = True +with ApiClient(configuration) as api_client: + api_instance = SecurityMonitoringApi(api_client) + response = api_instance.create_io_c_triage_state(body=body) + + print(response) diff --git a/examples/v2/security-monitoring/CreateServiceNowTickets.py b/examples/v2/security-monitoring/CreateServiceNowTickets.py index 8db7022aed..10ba5ea57a 100644 --- a/examples/v2/security-monitoring/CreateServiceNowTickets.py +++ b/examples/v2/security-monitoring/CreateServiceNowTickets.py @@ -52,6 +52,7 @@ ) configuration = Configuration() +configuration.unstable_operations["create_service_now_tickets"] = True with ApiClient(configuration) as api_client: api_instance = SecurityMonitoringApi(api_client) response = api_instance.create_service_now_tickets(body=body) diff --git a/examples/v2/security-monitoring/GetIndicatorOfCompromise.py b/examples/v2/security-monitoring/GetIndicatorOfCompromise.py index 0e44580585..56aba2d0ff 100644 --- a/examples/v2/security-monitoring/GetIndicatorOfCompromise.py +++ b/examples/v2/security-monitoring/GetIndicatorOfCompromise.py 
@@ -10,7 +10,8 @@ with ApiClient(configuration) as api_client: api_instance = SecurityMonitoringApi(api_client) response = api_instance.get_indicator_of_compromise( - indicator="masscan/1.3 (https://github.com/robertdavidgraham/masscan)", + indicator="192.0.2.1", + include_triage_history=True, ) print(response) diff --git a/src/datadog_api_client/configuration.py b/src/datadog_api_client/configuration.py index 5b19af83d6..50c8e49d60 100644 --- a/src/datadog_api_client/configuration.py +++ b/src/datadog_api_client/configuration.py @@ -395,15 +395,18 @@ def __init__( "v2.get_aws_cloud_auth_persona_mapping": False, "v2.list_aws_cloud_auth_persona_mappings": False, "v2.activate_content_pack": False, + "v2.attach_service_now_ticket": False, "v2.batch_get_security_monitoring_dataset_dependencies": False, "v2.bulk_create_sample_log_generation_subscriptions": False, "v2.bulk_export_security_monitoring_terraform_resources": False, "v2.cancel_historical_job": False, "v2.convert_job_result_to_signal": False, "v2.convert_security_monitoring_terraform_resource": False, + "v2.create_io_c_triage_state": False, "v2.create_sample_log_generation_subscription": False, "v2.create_security_monitoring_dataset": False, "v2.create_security_monitoring_integration_config": False, + "v2.create_service_now_tickets": False, "v2.create_static_analysis_ast": False, "v2.create_static_analysis_server_analysis": False, "v2.deactivate_content_pack": False, diff --git a/src/datadog_api_client/v2/api/security_monitoring_api.py b/src/datadog_api_client/v2/api/security_monitoring_api.py index 01451d6f91..80b2175a5e 100644 --- a/src/datadog_api_client/v2/api/security_monitoring_api.py +++ b/src/datadog_api_client/v2/api/security_monitoring_api.py 
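Review bot: Adding `"v2.attach_service_now_ticket": False` and `"v2.create_service_now_tickets": False` to `unstable_operations` is a behavioural change for two already-published operations, not just a regeneration detail: as far as I know the client raises for an unstable operation until `configuration.unstable_operations[...] = True` is set, which is exactly why the two ServiceNow example files in this patch gain that line. The commit message only says "Regenerate client from commit afba0de of spec repo"; this needs an explicit changelog/release-note entry so existing callers are not met with a runtime error after upgrading. The new `"v2.create_io_c_triage_state": False` entry is fine as a genuinely new beta operation. The enclosing `__init__` starts and ends outside the hunk.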
@@ -61,7 +61,10 @@ from datadog_api_client.v2.model.scanned_assets_metadata import ScannedAssetsMetadata from datadog_api_client.v2.model.cloud_asset_type import CloudAssetType from datadog_api_client.v2.model.io_c_explorer_list_response import IoCExplorerListResponse +from datadog_api_client.v2.model.io_c_triage_state import IoCTriageState from datadog_api_client.v2.model.get_io_c_indicator_response import GetIoCIndicatorResponse +from datadog_api_client.v2.model.io_c_triage_write_response import IoCTriageWriteResponse +from datadog_api_client.v2.model.io_c_triage_write_request import IoCTriageWriteRequest from datadog_api_client.v2.model.notification_rules_list_response import NotificationRulesListResponse from datadog_api_client.v2.model.notification_rule_response import NotificationRuleResponse from datadog_api_client.v2.model.create_notification_rule_parameters import CreateNotificationRuleParameters @@ -699,6 +702,26 @@ def __init__(self, api_client=None): api_client=api_client, ) + self._create_io_c_triage_state_endpoint = _Endpoint( + settings={ + "response_type": (IoCTriageWriteResponse,), + "auth": ["apiKeyAuth", "appKeyAuth", "AuthZ"], + "endpoint_path": "/api/v2/security/siem/ioc-explorer/triage", + "operation_id": "create_io_c_triage_state", + "http_method": "POST", + "version": "v2", + }, + params_map={ + "body": { + "required": True, + "openapi_types": (IoCTriageWriteRequest,), + "location": "body", + }, + }, + headers_map={"accept": ["application/json"], "content_type": ["application/json"]}, + api_client=api_client, + ) + self._create_jira_issues_endpoint = _Endpoint( settings={ "response_type": (FindingCaseResponseArray,), 
@@ -1579,6 +1602,33 @@ def __init__(self, api_client=None): "attribute": "indicator", "location": "query", }, + "ocsf": { + "openapi_types": (bool,), + "attribute": "ocsf", + "location": "query", + }, + "include_triage_history": { + "openapi_types": (bool,), + "attribute": "include_triage_history", + "location": "query", + }, + "triage_history_limit": { + "validation": { + "inclusive_maximum": 1000, + "inclusive_minimum": 1, + }, + "openapi_types": (int,), + "attribute": "triage_history_limit", + "location": "query", + }, + "triage_history_offset": { + "validation": { + "inclusive_maximum": 2147483647, + }, + "openapi_types": (int,), + "attribute": "triage_history_offset", + "location": "query", + }, }, headers_map={ "accept": ["application/json"], @@ -2617,6 +2667,21 @@ def __init__(self, api_client=None): "attribute": "sort[order]", "location": "query", }, + "ocsf": { + "openapi_types": (bool,), + "attribute": "ocsf", + "location": "query", + }, + "worked_by": { + "openapi_types": (str,), + "attribute": "worked_by", + "location": "query", + }, + "triage_state": { + "openapi_types": (IoCTriageState,), + "attribute": "triage_state", + "location": "query", + }, }, headers_map={ "accept": ["application/json"], @@ -4363,6 +4428,24 @@ def create_custom_framework( return self._create_custom_framework_endpoint.call_with_http_info(**kwargs) + def create_io_c_triage_state( + self, + body: IoCTriageWriteRequest, + ) -> IoCTriageWriteResponse: + """Create or update an indicator triage state. + + Set the triage state of an indicator of compromise (IoC). This creates or + updates the triage state for the indicator in your organization. + + :param body: The triage state to set for the indicator. + :type body: IoCTriageWriteRequest + :rtype: IoCTriageWriteResponse + """ + kwargs: Dict[str, Any] = {} + kwargs["body"] = body + + return self._create_io_c_triage_state_endpoint.call_with_http_info(**kwargs) + def create_jira_issues( self, body: CreateJiraIssueRequestArray, 
@@ -5097,6 +5180,11 @@ def get_historical_job( def get_indicator_of_compromise( self, indicator: str, + *, + ocsf: Union[bool, UnsetType] = unset, + include_triage_history: Union[bool, UnsetType] = unset, + triage_history_limit: Union[int, UnsetType] = unset, + triage_history_offset: Union[int, UnsetType] = unset, ) -> GetIoCIndicatorResponse: """Get an indicator of compromise. @@ -5104,11 +5192,31 @@ def get_indicator_of_compromise( :param indicator: The indicator value to look up (for example, an IP address or domain). :type indicator: str + :param ocsf: When true, return only OCSF field-based matches. When false, return regex/message-based matches. + :type ocsf: bool, optional + :param include_triage_history: Include full triage history for the indicator. + :type include_triage_history: bool, optional + :param triage_history_limit: Maximum number of triage history events returned. Only applied when ``include_triage_history`` is true. + :type triage_history_limit: int, optional + :param triage_history_offset: Pagination offset into the triage history. Only applied when ``include_triage_history`` is true. + :type triage_history_offset: int, optional :rtype: GetIoCIndicatorResponse """ kwargs: Dict[str, Any] = {} kwargs["indicator"] = indicator + if ocsf is not unset: + kwargs["ocsf"] = ocsf + + if include_triage_history is not unset: + kwargs["include_triage_history"] = include_triage_history + + if triage_history_limit is not unset: + kwargs["triage_history_limit"] = triage_history_limit + + if triage_history_offset is not unset: + kwargs["triage_history_offset"] = triage_history_offset + return self._get_indicator_of_compromise_endpoint.call_with_http_info(**kwargs) def get_investigation_log_queries_matching_signal( 
@@ -6153,6 +6261,9 @@ def list_indicators_of_compromise( query: Union[str, UnsetType] = unset, sort_column: Union[str, UnsetType] = unset, sort_order: Union[str, UnsetType] = unset, + ocsf: Union[bool, UnsetType] = unset, + worked_by: Union[str, UnsetType] = unset, + triage_state: Union[IoCTriageState, UnsetType] = unset, ) -> IoCExplorerListResponse: """List indicators of compromise. @@ -6168,6 +6279,12 @@ def list_indicators_of_compromise( :type sort_column: str, optional :param sort_order: Sort order: asc or desc. :type sort_order: str, optional + :param ocsf: When true, return only OCSF field-based matches. When false, return regex/message-based matches. + :type ocsf: bool, optional + :param worked_by: Filter indicators whose triage state was updated by a specific user UUID. + :type worked_by: str, optional + :param triage_state: Filter by triage state. + :type triage_state: IoCTriageState, optional :rtype: IoCExplorerListResponse """ kwargs: Dict[str, Any] = {} @@ -6186,6 +6303,15 @@ def list_indicators_of_compromise( if sort_order is not unset: kwargs["sort_order"] = sort_order + if ocsf is not unset: + kwargs["ocsf"] = ocsf + + if worked_by is not unset: + kwargs["worked_by"] = worked_by + + if triage_state is not unset: + kwargs["triage_state"] = triage_state + return self._list_indicators_of_compromise_endpoint.call_with_http_info(**kwargs) def list_multiple_rulesets( diff --git a/src/datadog_api_client/v2/model/io_c_indicator.py b/src/datadog_api_client/v2/model/io_c_indicator.py index 1b4a7d2704..ca76c57d28 100644 --- a/src/datadog_api_client/v2/model/io_c_indicator.py +++ b/src/datadog_api_client/v2/model/io_c_indicator.py @@ -19,6 +19,7 @@ from datadog_api_client.v2.model.io_c_geo_location import IoCGeoLocation from datadog_api_client.v2.model.io_c_source import IoCSource from datadog_api_client.v2.model.io_c_score_effect import IoCScoreEffect + from datadog_api_client.v2.model.io_c_triage_state import IoCTriageState class IoCIndicator(ModelNormal): 
@@ -27,6 +28,7 @@ def openapi_types(_): from datadog_api_client.v2.model.io_c_geo_location import IoCGeoLocation from datadog_api_client.v2.model.io_c_source import IoCSource from datadog_api_client.v2.model.io_c_score_effect import IoCScoreEffect + from datadog_api_client.v2.model.io_c_triage_state import IoCTriageState return { "as_geo": (IoCGeoLocation,), @@ -50,6 +52,9 @@ def openapi_types(_): "signal_tier": (int,), "suspicious_sources": ([IoCSource], none_type), "tags": ([str],), + "triage_state": (IoCTriageState,), + "triaged_at": (datetime,), + "triaged_by": (str,), } attribute_map = { @@ -74,6 +79,9 @@ def openapi_types(_): "signal_tier": "signal_tier", "suspicious_sources": "suspicious_sources", "tags": "tags", + "triage_state": "triage_state", + "triaged_at": "triaged_at", + "triaged_by": "triaged_by", } def __init__( @@ -99,6 +107,9 @@ def __init__( signal_tier: Union[int, UnsetType] = unset, suspicious_sources: Union[List[IoCSource], none_type, UnsetType] = unset, tags: Union[List[str], UnsetType] = unset, + triage_state: Union[IoCTriageState, UnsetType] = unset, + triaged_at: Union[datetime, UnsetType] = unset, + triaged_by: Union[str, UnsetType] = unset, **kwargs, ): """ @@ -166,6 +177,15 @@ def __init__( :param tags: Tags associated with the indicator. :type tags: [str], optional + + :param triage_state: Current triage state of the indicator. + :type triage_state: IoCTriageState, optional + + :param triaged_at: Timestamp when the indicator was last triaged. + :type triaged_at: datetime, optional + + :param triaged_by: UUID of the user who last triaged the indicator. + :type triaged_by: str, optional """ if as_geo is not unset: kwargs["as_geo"] = as_geo 
@@ -209,4 +229,10 @@ def __init__( kwargs["suspicious_sources"] = suspicious_sources if tags is not unset: kwargs["tags"] = tags + if triage_state is not unset: + kwargs["triage_state"] = triage_state + if triaged_at is not unset: + kwargs["triaged_at"] = triaged_at + if triaged_by is not unset: + kwargs["triaged_by"] = triaged_by super().__init__(kwargs) diff --git a/src/datadog_api_client/v2/model/io_c_indicator_detailed.py b/src/datadog_api_client/v2/model/io_c_indicator_detailed.py index dfed28097f..8cb3efdfdb 100644 --- a/src/datadog_api_client/v2/model/io_c_indicator_detailed.py +++ b/src/datadog_api_client/v2/model/io_c_indicator_detailed.py @@ -22,6 +22,8 @@ from datadog_api_client.v2.model.io_c_source import IoCSource from datadog_api_client.v2.model.io_c_score_effect import IoCScoreEffect from datadog_api_client.v2.model.io_c_signal_severity_count import IoCSignalSeverityCount + from datadog_api_client.v2.model.io_c_triage_event import IoCTriageEvent + from datadog_api_client.v2.model.io_c_triage_state import IoCTriageState class IoCIndicatorDetailed(ModelNormal): @@ -31,6 +33,8 @@ def openapi_types(_): from datadog_api_client.v2.model.io_c_source import IoCSource from datadog_api_client.v2.model.io_c_score_effect import IoCScoreEffect from datadog_api_client.v2.model.io_c_signal_severity_count import IoCSignalSeverityCount + from datadog_api_client.v2.model.io_c_triage_event import IoCTriageEvent + from datadog_api_client.v2.model.io_c_triage_state import IoCTriageState return { "additional_data": ( @@ -78,6 +82,10 @@ def openapi_types(_): "signal_tier": (int,), "suspicious_sources": ([IoCSource], none_type), "tags": ([str],), + "triage_history": ([IoCTriageEvent],), + "triage_state": (IoCTriageState,), + "triaged_at": (datetime,), + "triaged_by": (str,), "users": ({str: ([str],)},), } 
@@ -112,6 +120,10 @@ def openapi_types(_): "signal_tier": "signal_tier", "suspicious_sources": "suspicious_sources", "tags": "tags", + "triage_history": "triage_history", + "triage_state": "triage_state", + "triaged_at": "triaged_at", + "triaged_by": "triaged_by", "users": "users", } @@ -147,6 +159,10 @@ def __init__( signal_tier: Union[int, UnsetType] = unset, suspicious_sources: Union[List[IoCSource], none_type, UnsetType] = unset, tags: Union[List[str], UnsetType] = unset, + triage_history: Union[List[IoCTriageEvent], UnsetType] = unset, + triage_state: Union[IoCTriageState, UnsetType] = unset, + triaged_at: Union[datetime, UnsetType] = unset, + triaged_by: Union[str, UnsetType] = unset, users: Union[Dict[str, List[str]], UnsetType] = unset, **kwargs, ): @@ -243,6 +259,18 @@ def __init__( :param tags: Tags associated with the indicator. :type tags: [str], optional + :param triage_history: Full triage history timeline. Returned only when ``include_triage_history`` is true. + :type triage_history: [IoCTriageEvent], optional + + :param triage_state: Current triage state of the indicator. + :type triage_state: IoCTriageState, optional + + :param triaged_at: Timestamp when the indicator was last triaged. + :type triaged_at: datetime, optional + + :param triaged_by: UUID of the user who last triaged the indicator. + :type triaged_by: str, optional + :param users: Users associated with this indicator, grouped by category. :type users: {str: ([str],)}, optional """ @@ -306,6 +334,14 @@ def __init__( kwargs["suspicious_sources"] = suspicious_sources if tags is not unset: kwargs["tags"] = tags + if triage_history is not unset: + kwargs["triage_history"] = triage_history + if triage_state is not unset: + kwargs["triage_state"] = triage_state + if triaged_at is not unset: + kwargs["triaged_at"] = triaged_at + if triaged_by is not unset: + kwargs["triaged_by"] = triaged_by if users is not unset: kwargs["users"] = users super().__init__(kwargs) 
diff --git a/src/datadog_api_client/v2/model/io_c_triage_event.py b/src/datadog_api_client/v2/model/io_c_triage_event.py new file mode 100644 index 0000000000..f21d1f025a --- /dev/null +++ b/src/datadog_api_client/v2/model/io_c_triage_event.py 
@@ -0,0 +1,63 @@ +# Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. +# This product includes software developed at Datadog (https://www.datadoghq.com/). +# Copyright 2019-Present Datadog, Inc. +from __future__ import annotations + +from typing import Union, TYPE_CHECKING + +from datadog_api_client.model_utils import ( + ModelNormal, + cached_property, + datetime, + unset, + UnsetType, +) + + +if TYPE_CHECKING: + from datadog_api_client.v2.model.io_c_triage_state import IoCTriageState + + +class IoCTriageEvent(ModelNormal): + @cached_property + def openapi_types(_): + from datadog_api_client.v2.model.io_c_triage_state import IoCTriageState + + return { + "triage_state": (IoCTriageState,), + "triaged_at": (datetime,), + "triaged_by": (str,), + } + + attribute_map = { + "triage_state": "triage_state", + "triaged_at": "triaged_at", + "triaged_by": "triaged_by", + } + + def __init__( + self_, + triage_state: Union[IoCTriageState, UnsetType] = unset, + triaged_at: Union[datetime, UnsetType] = unset, + triaged_by: Union[str, UnsetType] = unset, + **kwargs, + ): + """ + A single entry in an indicator's triage history timeline. + + :param triage_state: Current triage state of the indicator. + :type triage_state: IoCTriageState, optional + + :param triaged_at: Timestamp when this triage action occurred. + :type triaged_at: datetime, optional + + :param triaged_by: UUID of the user who performed this triage action. + :type triaged_by: str, optional + """ + if triage_state is not unset: + kwargs["triage_state"] = triage_state + if triaged_at is not unset: + kwargs["triaged_at"] = triaged_at + if triaged_by is not unset: + kwargs["triaged_by"] = triaged_by + super().__init__(kwargs) diff --git a/src/datadog_api_client/v2/model/io_c_triage_state.py b/src/datadog_api_client/v2/model/io_c_triage_state.py new file mode 100644 index 0000000000..7291bd4108 --- /dev/null 
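Review bot: The `triage_state` docstring in `IoCTriageEvent.__init__` reads "Current triage state of the indicator", but this model is a single entry of the `triage_history` timeline, so its value is the state recorded by that event, not the indicator's current state; the sentence is the `IoCTriageState` enum description copied verbatim. Suggest `:param triage_state: Triage state recorded by this history entry.` so readers do not treat every entry as the live state. If the model is regenerated from the API spec, the change belongs in the spec's property description rather than in this file.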
+++ b/src/datadog_api_client/v2/model/io_c_triage_state.py @@ -0,0 +1,38 @@ +# Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. +# This product includes software developed at Datadog (https://www.datadoghq.com/). +# Copyright 2019-Present Datadog, Inc. +from __future__ import annotations + + +from datadog_api_client.model_utils import ( + ModelSimple, + cached_property, +) + +from typing import ClassVar + + +class IoCTriageState(ModelSimple): + """ + Current triage state of the indicator. + + :param value: Must be one of ["not_reviewed", "reviewed"]. + :type value: str + """ + + allowed_values = { + "not_reviewed", + "reviewed", + } + NOT_REVIEWED: ClassVar["IoCTriageState"] + REVIEWED: ClassVar["IoCTriageState"] + + @cached_property + def openapi_types(_): + return { + "value": (str,), + } + + +IoCTriageState.NOT_REVIEWED = IoCTriageState("not_reviewed") +IoCTriageState.REVIEWED = IoCTriageState("reviewed") diff --git a/src/datadog_api_client/v2/model/io_c_triage_write_request.py b/src/datadog_api_client/v2/model/io_c_triage_write_request.py new file mode 100644 index 0000000000..55f9562c9c --- /dev/null +++ b/src/datadog_api_client/v2/model/io_c_triage_write_request.py 
@@ -0,0 +1,40 @@ +# Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. +# This product includes software developed at Datadog (https://www.datadoghq.com/). +# Copyright 2019-Present Datadog, Inc. +from __future__ import annotations + +from typing import TYPE_CHECKING + +from datadog_api_client.model_utils import ( + ModelNormal, + cached_property, +) + + +if TYPE_CHECKING: + from datadog_api_client.v2.model.io_c_triage_write_request_data import IoCTriageWriteRequestData + + +class IoCTriageWriteRequest(ModelNormal): + @cached_property + def openapi_types(_): + from datadog_api_client.v2.model.io_c_triage_write_request_data import IoCTriageWriteRequestData + + return { + "data": (IoCTriageWriteRequestData,), + } + + attribute_map = { + "data": "data", + } + + def __init__(self_, data: IoCTriageWriteRequestData, **kwargs): + """ + Request body for creating or updating an indicator triage state. + + :param data: Data object for the triage write request. + :type data: IoCTriageWriteRequestData + """ + super().__init__(kwargs) + + self_.data = data diff --git a/src/datadog_api_client/v2/model/io_c_triage_write_request_attributes.py b/src/datadog_api_client/v2/model/io_c_triage_write_request_attributes.py new file mode 100644 index 0000000000..6bdffda568 --- /dev/null +++ b/src/datadog_api_client/v2/model/io_c_triage_write_request_attributes.py 
@@ -0,0 +1,46 @@ +# Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. +# This product includes software developed at Datadog (https://www.datadoghq.com/). +# Copyright 2019-Present Datadog, Inc. +from __future__ import annotations + +from typing import TYPE_CHECKING + +from datadog_api_client.model_utils import ( + ModelNormal, + cached_property, +) + + +if TYPE_CHECKING: + from datadog_api_client.v2.model.io_c_triage_state import IoCTriageState + + +class IoCTriageWriteRequestAttributes(ModelNormal): + @cached_property + def openapi_types(_): + from datadog_api_client.v2.model.io_c_triage_state import IoCTriageState + + return { + "indicator": (str,), + "triage_state": (IoCTriageState,), + } + + attribute_map = { + "indicator": "indicator", + "triage_state": "triage_state", + } + + def __init__(self_, indicator: str, triage_state: IoCTriageState, **kwargs): + """ + Attributes for setting an indicator's triage state. + + :param indicator: The indicator value to triage (for example, an IP address or domain). + :type indicator: str + + :param triage_state: Current triage state of the indicator. + :type triage_state: IoCTriageState + """ + super().__init__(kwargs) + + self_.indicator = indicator + self_.triage_state = triage_state diff --git a/src/datadog_api_client/v2/model/io_c_triage_write_request_data.py b/src/datadog_api_client/v2/model/io_c_triage_write_request_data.py new file mode 100644 index 0000000000..2f9a056d57 --- /dev/null +++ b/src/datadog_api_client/v2/model/io_c_triage_write_request_data.py 
@@ -0,0 +1,47 @@ +# Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. +# This product includes software developed at Datadog (https://www.datadoghq.com/). +# Copyright 2019-Present Datadog, Inc. +from __future__ import annotations + +from typing import TYPE_CHECKING + +from datadog_api_client.model_utils import ( + ModelNormal, + cached_property, +) + + +if TYPE_CHECKING: + from datadog_api_client.v2.model.io_c_triage_write_request_attributes import IoCTriageWriteRequestAttributes + + +class IoCTriageWriteRequestData(ModelNormal): + @cached_property + def openapi_types(_): + from datadog_api_client.v2.model.io_c_triage_write_request_attributes import IoCTriageWriteRequestAttributes + + return { + "attributes": (IoCTriageWriteRequestAttributes,), + "type": (str,), + } + + attribute_map = { + "attributes": "attributes", + "type": "type", + } + + def __init__(self_, attributes: IoCTriageWriteRequestAttributes, **kwargs): + """ + Data object for the triage write request. + + :param attributes: Attributes for setting an indicator's triage state. + :type attributes: IoCTriageWriteRequestAttributes + + :param type: Triage state resource type. + :type type: str + """ + super().__init__(kwargs) + type = kwargs.get("type", "ioc_triage_state") + + self_.attributes = attributes + self_.type = type diff --git a/src/datadog_api_client/v2/model/io_c_triage_write_response.py b/src/datadog_api_client/v2/model/io_c_triage_write_response.py new file mode 100644 index 0000000000..b26905e832 --- /dev/null +++ b/src/datadog_api_client/v2/model/io_c_triage_write_response.py 
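Review bot: `type` in `IoCTriageWriteRequestData.__init__` is typed as a bare `str` and only defaulted through `kwargs.get("type", "ioc_triage_state")`, so a caller who passes a wrong resource type gets no client-side rejection and the request goes out as written; `triage_state` on the same request, by contrast, is routed through `IoCTriageState` with an `allowed_values` set. Unless the server is known to reject an unexpected `type`, constraining it the same way (a one-value enum, or at minimum a docstring line `Only "ioc_triage_state" is accepted.`) keeps malformed writes from leaving the client. The bad-request cassette in this change only exercises an invalid `triage_state`, not an invalid `type`, so that rejection is unverified here.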
@@ -0,0 +1,42 @@ +# Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. +# This product includes software developed at Datadog (https://www.datadoghq.com/). +# Copyright 2019-Present Datadog, Inc. +from __future__ import annotations + +from typing import Union, TYPE_CHECKING + +from datadog_api_client.model_utils import ( + ModelNormal, + cached_property, + unset, + UnsetType, +) + + +if TYPE_CHECKING: + from datadog_api_client.v2.model.io_c_triage_write_response_data import IoCTriageWriteResponseData + + +class IoCTriageWriteResponse(ModelNormal): + @cached_property + def openapi_types(_): + from datadog_api_client.v2.model.io_c_triage_write_response_data import IoCTriageWriteResponseData + + return { + "data": (IoCTriageWriteResponseData,), + } + + attribute_map = { + "data": "data", + } + + def __init__(self_, data: Union[IoCTriageWriteResponseData, UnsetType] = unset, **kwargs): + """ + Response for the create indicator triage state endpoint. + + :param data: Data object of the triage write response. + :type data: IoCTriageWriteResponseData, optional + """ + if data is not unset: + kwargs["data"] = data + super().__init__(kwargs) diff --git a/src/datadog_api_client/v2/model/io_c_triage_write_response_attributes.py b/src/datadog_api_client/v2/model/io_c_triage_write_response_attributes.py new file mode 100644 index 0000000000..b7179835ec --- /dev/null +++ b/src/datadog_api_client/v2/model/io_c_triage_write_response_attributes.py 
@@ -0,0 +1,79 @@ +# Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. +# This product includes software developed at Datadog (https://www.datadoghq.com/). +# Copyright 2019-Present Datadog, Inc. +from __future__ import annotations + +from typing import Union, TYPE_CHECKING + +from datadog_api_client.model_utils import ( + ModelNormal, + cached_property, + datetime, + unset, + UnsetType, +) + + +if TYPE_CHECKING: + from datadog_api_client.v2.model.io_c_triage_state import IoCTriageState + + +class IoCTriageWriteResponseAttributes(ModelNormal): + @cached_property + def openapi_types(_): + from datadog_api_client.v2.model.io_c_triage_state import IoCTriageState + + return { + "created_at": (datetime,), + "indicator": (str,), + "triage_state": (IoCTriageState,), + "triaged_at": (datetime,), + "triaged_by": (str,), + } + + attribute_map = { + "created_at": "created_at", + "indicator": "indicator", + "triage_state": "triage_state", + "triaged_at": "triaged_at", + "triaged_by": "triaged_by", + } + + def __init__( + self_, + created_at: Union[datetime, UnsetType] = unset, + indicator: Union[str, UnsetType] = unset, + triage_state: Union[IoCTriageState, UnsetType] = unset, + triaged_at: Union[datetime, UnsetType] = unset, + triaged_by: Union[str, UnsetType] = unset, + **kwargs, + ): + """ + Attributes of a created or updated triage state. + + :param created_at: Timestamp when the triage record was created. + :type created_at: datetime, optional + + :param indicator: The indicator value that was triaged. + :type indicator: str, optional + + :param triage_state: Current triage state of the indicator. + :type triage_state: IoCTriageState, optional + + :param triaged_at: Timestamp when the triage state was set. + :type triaged_at: datetime, optional + + :param triaged_by: UUID of the user who set the triage state. 
+ :type triaged_by: str, optional + """ + if created_at is not unset: + kwargs["created_at"] = created_at + if indicator is not unset: + kwargs["indicator"] = indicator + if triage_state is not unset: + kwargs["triage_state"] = triage_state + if triaged_at is not unset: + kwargs["triaged_at"] = triaged_at + if triaged_by is not unset: + kwargs["triaged_by"] = triaged_by + super().__init__(kwargs) diff --git a/src/datadog_api_client/v2/model/io_c_triage_write_response_data.py b/src/datadog_api_client/v2/model/io_c_triage_write_response_data.py new file mode 100644 index 0000000000..c7961ef645 --- /dev/null +++ b/src/datadog_api_client/v2/model/io_c_triage_write_response_data.py 
@@ -0,0 +1,62 @@ +# Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. +# This product includes software developed at Datadog (https://www.datadoghq.com/). +# Copyright 2019-Present Datadog, Inc. +from __future__ import annotations + +from typing import Union, TYPE_CHECKING + +from datadog_api_client.model_utils import ( + ModelNormal, + cached_property, + unset, + UnsetType, +) + + +if TYPE_CHECKING: + from datadog_api_client.v2.model.io_c_triage_write_response_attributes import IoCTriageWriteResponseAttributes + + +class IoCTriageWriteResponseData(ModelNormal): + @cached_property + def openapi_types(_): + from datadog_api_client.v2.model.io_c_triage_write_response_attributes import IoCTriageWriteResponseAttributes + + return { + "attributes": (IoCTriageWriteResponseAttributes,), + "id": (str,), + "type": (str,), + } + + attribute_map = { + "attributes": "attributes", + "id": "id", + "type": "type", + } + + def __init__( + self_, + attributes: Union[IoCTriageWriteResponseAttributes, UnsetType] = unset, + id: Union[str, UnsetType] = unset, + type: Union[str, UnsetType] = unset, + **kwargs, + ): + """ + Data object of the triage write response. + + :param attributes: Attributes of a created or updated triage state. + :type attributes: IoCTriageWriteResponseAttributes, optional + + :param id: Unique identifier for the triage state record. + :type id: str, optional + + :param type: Triage state resource type. + :type type: str, optional + """ + if attributes is not unset: + kwargs["attributes"] = attributes + if id is not unset: + kwargs["id"] = id + if type is not unset: + kwargs["type"] = type + super().__init__(kwargs) diff --git a/src/datadog_api_client/v2/models/__init__.py b/src/datadog_api_client/v2/models/__init__.py index c17d47b424..4090c128b1 100644 --- a/src/datadog_api_client/v2/models/__init__.py +++ b/src/datadog_api_client/v2/models/__init__.py 
@@ -3492,6 +3492,14 @@ from datadog_api_client.v2.model.io_c_score_effect import IoCScoreEffect from datadog_api_client.v2.model.io_c_signal_severity_count import IoCSignalSeverityCount from datadog_api_client.v2.model.io_c_source import IoCSource +from datadog_api_client.v2.model.io_c_triage_event import IoCTriageEvent +from datadog_api_client.v2.model.io_c_triage_state import IoCTriageState +from datadog_api_client.v2.model.io_c_triage_write_request import IoCTriageWriteRequest +from datadog_api_client.v2.model.io_c_triage_write_request_attributes import IoCTriageWriteRequestAttributes +from datadog_api_client.v2.model.io_c_triage_write_request_data import IoCTriageWriteRequestData +from datadog_api_client.v2.model.io_c_triage_write_response import IoCTriageWriteResponse +from datadog_api_client.v2.model.io_c_triage_write_response_attributes import IoCTriageWriteResponseAttributes +from datadog_api_client.v2.model.io_c_triage_write_response_data import IoCTriageWriteResponseData from datadog_api_client.v2.model.issue import Issue from datadog_api_client.v2.model.issue_assignee_relationship import IssueAssigneeRelationship from datadog_api_client.v2.model.issue_attributes import IssueAttributes @@ -11937,6 +11945,14 @@ "IoCScoreEffect", "IoCSignalSeverityCount", "IoCSource", + "IoCTriageEvent", + "IoCTriageState", + "IoCTriageWriteRequest", + "IoCTriageWriteRequestAttributes", + "IoCTriageWriteRequestData", + "IoCTriageWriteResponse", + "IoCTriageWriteResponseAttributes", + "IoCTriageWriteResponseData", "Issue", "IssueAssigneeRelationship", "IssueAttributes", diff --git a/tests/v2/cassettes/test_scenarios/test_create_or_update_an_indicator_triage_state_returns_bad_request_response.frozen b/tests/v2/cassettes/test_scenarios/test_create_or_update_an_indicator_triage_state_returns_bad_request_response.frozen new file mode 100644 index 0000000000..d6a26ed39d --- /dev/null 
+++ b/tests/v2/cassettes/test_scenarios/test_create_or_update_an_indicator_triage_state_returns_bad_request_response.frozen @@ -0,0 +1 @@ +2026-06-05T12:20:47.940Z \ No newline at end of file diff --git a/tests/v2/cassettes/test_scenarios/test_create_or_update_an_indicator_triage_state_returns_bad_request_response.yaml b/tests/v2/cassettes/test_scenarios/test_create_or_update_an_indicator_triage_state_returns_bad_request_response.yaml new file mode 100644 index 0000000000..6926fb6cda --- /dev/null +++ b/tests/v2/cassettes/test_scenarios/test_create_or_update_an_indicator_triage_state_returns_bad_request_response.yaml @@ -0,0 +1,20 @@ +interactions: +- request: + body: '{"data":{"attributes":{"indicator":"192.0.2.1","triage_state":"invalid_state"},"type":"ioc_triage_state"}}' + headers: + accept: + - application/json + content-type: + - application/json + method: POST + uri: https://api.datadoghq.com/api/v2/security/siem/ioc-explorer/triage + response: + body: + string: '{"errors":[{"title":"Generic Error","detail":"invalid triage_state"}]}' + headers: + content-type: + - application/vnd.api+json + status: + code: 400 + message: Bad Request +version: 1 diff --git a/tests/v2/cassettes/test_scenarios/test_create_or_update_an_indicator_triage_state_returns_created_response.frozen b/tests/v2/cassettes/test_scenarios/test_create_or_update_an_indicator_triage_state_returns_created_response.frozen new file mode 100644 index 0000000000..0ac630dda1 --- /dev/null +++ b/tests/v2/cassettes/test_scenarios/test_create_or_update_an_indicator_triage_state_returns_created_response.frozen @@ -0,0 +1 @@ +2026-06-05T12:22:26.137Z \ No newline at end of file diff --git a/tests/v2/cassettes/test_scenarios/test_create_or_update_an_indicator_triage_state_returns_created_response.yaml b/tests/v2/cassettes/test_scenarios/test_create_or_update_an_indicator_triage_state_returns_created_response.yaml new file mode 100644 index 0000000000..1fa5b65e90 --- /dev/null 
+++ b/tests/v2/cassettes/test_scenarios/test_create_or_update_an_indicator_triage_state_returns_created_response.yaml @@ -0,0 +1,20 @@ +interactions: +- request: + body: '{"data":{"attributes":{"indicator":"192.0.2.1","triage_state":"reviewed"},"type":"ioc_triage_state"}}' + headers: + accept: + - application/json + content-type: + - application/json + method: POST + uri: https://api.datadoghq.com/api/v2/security/siem/ioc-explorer/triage + response: + body: + string: '{"data":{"id":"2e6eff68-4ffa-4cab-b9bb-d9ce1ef3b42a","type":"ioc_triage_state","attributes":{"created_at":"2026-06-05T12:22:26.488248Z","indicator":"192.0.2.1","triage_state":"reviewed","triaged_at":"2026-06-05T12:22:26.488248Z","triaged_by":"dc6535c4-0b70-47aa-9c6a-9b0fc0be3f19"}}}' + headers: + content-type: + - application/vnd.api+json + status: + code: 201 + message: Created +version: 1 diff --git a/tests/v2/cassettes/test_scenarios/test_get_an_indicator_of_compromise_returns_ok_response.frozen b/tests/v2/cassettes/test_scenarios/test_get_an_indicator_of_compromise_returns_ok_response.frozen index fc8ed109ad..3dc6b0aa0a 100644 --- a/tests/v2/cassettes/test_scenarios/test_get_an_indicator_of_compromise_returns_ok_response.frozen +++ b/tests/v2/cassettes/test_scenarios/test_get_an_indicator_of_compromise_returns_ok_response.frozen @@ -1 +1 @@ -2026-04-14T18:22:29.733Z \ No newline at end of file +2026-06-05T12:58:33.985Z \ No newline at end of file diff --git a/tests/v2/cassettes/test_scenarios/test_get_an_indicator_of_compromise_returns_ok_response.yaml b/tests/v2/cassettes/test_scenarios/test_get_an_indicator_of_compromise_returns_ok_response.yaml index 67802c5892..e198205210 100644 --- a/tests/v2/cassettes/test_scenarios/test_get_an_indicator_of_compromise_returns_ok_response.yaml +++ b/tests/v2/cassettes/test_scenarios/test_get_an_indicator_of_compromise_returns_ok_response.yaml 
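Review bot: The recorded 201 response in this cassette commits a concrete `triaged_by` value, `dc6535c4-0b70-47aa-9c6a-9b0fc0be3f19`, whereas the GetIndicatorOfCompromise and ListIndicatorsOfCompromise cassettes re-recorded in the same change show `00000000-0000-0000-0000-000000000000` for the same field. If the nil UUID in those fixtures is deliberate scrubbing, this one should get the same treatment so the user identity of the recording account is not published with the repository; if it is not scrubbing, the inconsistency is worth a `#` comment next to the scenario. The request section correctly omits the API and application key headers, so nothing else in the recording looks sensitive.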
@@ -5,13 +5,11 @@ interactions: accept: - application/json method: GET - uri: https://api.datadoghq.com/api/v2/security/siem/ioc-explorer/indicator?indicator=masscan%2F1.3%20%28https%3A%2F%2Fgithub.com%2Frobertdavidgraham%2Fmasscan%29 + uri: https://api.datadoghq.com/api/v2/security/siem/ioc-explorer/indicator?indicator=192.0.2.1&include_triage_history=true response: body: - string: '{"data":{"id":"65a31893-cc59-4125-9424-44f7ba083e53","type":"get_indicator_response","attributes":{"data":{"id":"masscan/1.3 - (https://github.com/robertdavidgraham/masscan)","indicator":"masscan/1.3 (https://github.com/robertdavidgraham/masscan)","indicator_type":"User - Agent","score":4,"as_type":"hosting","malicious_sources":null,"suspicious_sources":[{"name":"Datadog - Threat Research"}],"benign_sources":null,"categories":["scanner"],"tags":[],"signal_matches":0,"log_matches":45,"first_seen":"2025-01-08T23:24:45Z","last_seen":"2026-04-10T14:36:20Z","signal_tier":0,"max_trust_score":"RAISE_SCORE","m_sources":"NO_EFFECT","m_persistence":"RAISE_SCORE","m_signal":"NO_EFFECT","m_as_type":"NO_EFFECT","log_sources":[],"services":[],"signal_severity":[],"users":{},"critical_assets":[],"hosts":[],"as_number":"","as_organization":"","as_cidr_block":""}}}}' + string: '{"data":{"id":"b38eb8e1-61c8-470f-be58-f41531a7c134","type":"get_indicator_response","attributes":{"data":{"id":"192.0.2.1","indicator":"192.0.2.1","indicator_type":"IP + 
Address","score":4,"as_type":"hosting","malicious_sources":null,"suspicious_sources":[{"name":"SOURCE1"}],"benign_sources":null,"categories":["hosting_proxy"],"tags":[],"signal_matches":1,"log_matches":7,"signal_tier":0,"max_trust_score":"RAISE_SCORE","m_sources":"NO_EFFECT","m_persistence":"NO_EFFECT","m_signal":"NO_EFFECT","m_as_type":"NO_EFFECT","triage_state":"reviewed","triaged_at":"2026-06-03T18:55:42.108938Z","triaged_by":"00000000-0000-0000-0000-000000000000","log_sources":[],"services":[],"signal_severity":[{"severity":"info","count":1}],"users":{},"critical_assets":[],"hosts":[],"additional_data":{},"triage_history":[{"triaged_at":"2026-06-03T18:55:42.108938Z","triaged_by":"00000000-0000-0000-0000-000000000000","triage_state":"reviewed"},{"triaged_at":"2026-06-03T13:32:14.735424Z","triaged_by":"00000000-0000-0000-0000-000000000000","triage_state":"reviewed"}]}}}}' headers: content-type: - application/vnd.api+json diff --git a/tests/v2/cassettes/test_scenarios/test_list_indicators_of_compromise_returns_ok_response.frozen b/tests/v2/cassettes/test_scenarios/test_list_indicators_of_compromise_returns_ok_response.frozen index 5814ac627e..b1bf7726a1 100644 --- a/tests/v2/cassettes/test_scenarios/test_list_indicators_of_compromise_returns_ok_response.frozen +++ b/tests/v2/cassettes/test_scenarios/test_list_indicators_of_compromise_returns_ok_response.frozen @@ -1 +1 @@ -2026-04-14T18:22:48.392Z \ No newline at end of file +2026-06-05T12:32:21.136Z \ No newline at end of file diff --git a/tests/v2/cassettes/test_scenarios/test_list_indicators_of_compromise_returns_ok_response.yaml b/tests/v2/cassettes/test_scenarios/test_list_indicators_of_compromise_returns_ok_response.yaml index 4f6ed05ab2..6639fae697 100644 --- a/tests/v2/cassettes/test_scenarios/test_list_indicators_of_compromise_returns_ok_response.yaml +++ b/tests/v2/cassettes/test_scenarios/test_list_indicators_of_compromise_returns_ok_response.yaml 
@@ -8,9 +8,8 @@ interactions: uri: https://api.datadoghq.com/api/v2/security/siem/ioc-explorer?limit=1 response: body: - string: '{"data":{"id":"a4e3b616-e180-4b47-a379-43da9c5b300e","type":"ioc_explorer_response","attributes":{"data":[{"id":"43.228.157.121","indicator":"43.228.157.121","indicator_type":"IP - Address","score":8,"as_type":"hosting","malicious_sources":[{"name":"threatfox"}],"suspicious_sources":[{"name":"tor"},{"name":"SPUR"}],"benign_sources":null,"categories":["malware","tor","hosting_proxy"],"tags":[],"signal_matches":0,"log_matches":14,"signal_tier":0,"max_trust_score":"RAISE_SCORE","m_sources":"RAISE_SCORE","m_persistence":"NO_EFFECT","m_signal":"NO_EFFECT","m_as_type":"NO_EFFECT","as_geo":{"city":"Frankfurt - am Main","country_code":"DE","country_name":"Germany"}}],"metadata":{"count":25091},"paging":{"offset":1}}}}' + string: '{"data":{"id":"22b62903-4053-42ed-9448-c750da2ecd81","type":"ioc_explorer_response","attributes":{"data":[{"id":"192.0.2.1","indicator":"192.0.2.1","indicator_type":"IP + Address","score":4,"as_type":"hosting","malicious_sources":null,"suspicious_sources":[{"name":"SOURCE1"}],"benign_sources":null,"categories":["hosting_proxy"],"tags":[],"signal_matches":1,"log_matches":7,"signal_tier":0,"max_trust_score":"RAISE_SCORE","m_sources":"NO_EFFECT","m_persistence":"NO_EFFECT","m_signal":"NO_EFFECT","m_as_type":"NO_EFFECT","triage_state":"reviewed","triaged_at":"2026-06-03T18:55:42.108938Z","triaged_by":"00000000-0000-0000-0000-000000000000"}],"metadata":{"count":585},"paging":{"offset":1}}}}' headers: content-type: - application/vnd.api+json diff --git a/tests/v2/features/security_monitoring.feature b/tests/v2/features/security_monitoring.feature index 40957727ee..dd064c2a4a 100644 --- a/tests/v2/features/security_monitoring.feature +++ b/tests/v2/features/security_monitoring.feature 
@@ -113,21 +113,24 @@ Feature: Security Monitoring @generated @skip @team:DataDog/k9-investigation Scenario: Attach security findings to a ServiceNow ticket returns "Bad Request" response - Given new "AttachServiceNowTicket" request + Given operation "AttachServiceNowTicket" enabled + And new "AttachServiceNowTicket" request And body with value {"data": {"attributes": {"servicenow_ticket_url": "https://example.service-now.com/now/nav/ui/classic/params/target/incident.do?sys_id=abcdef0123456789abcdef0123456789"}, "relationships": {"findings": {"data": [{"id": "ZGVmLTAwcC1pZXJ-aS0wZjhjNjMyZDNmMzRlZTgzNw==", "type": "findings"}]}, "project": {"data": {"id": "aeadc05e-98a8-11ec-ac2c-da7ad0900001", "type": "projects"}}}, "type": "servicenow_tickets"}} When the request is sent Then the response status is 400 Bad Request @generated @skip @team:DataDog/k9-investigation Scenario: Attach security findings to a ServiceNow ticket returns "Not Found" response - Given new "AttachServiceNowTicket" request + Given operation "AttachServiceNowTicket" enabled + And new "AttachServiceNowTicket" request And body with value {"data": {"attributes": {"servicenow_ticket_url": "https://example.service-now.com/now/nav/ui/classic/params/target/incident.do?sys_id=abcdef0123456789abcdef0123456789"}, "relationships": {"findings": {"data": [{"id": "ZGVmLTAwcC1pZXJ-aS0wZjhjNjMyZDNmMzRlZTgzNw==", "type": "findings"}]}, "project": {"data": {"id": "aeadc05e-98a8-11ec-ac2c-da7ad0900001", "type": "projects"}}}, "type": "servicenow_tickets"}} When the request is sent Then the response status is 404 Not Found @generated @skip @team:DataDog/k9-investigation Scenario: Attach security findings to a ServiceNow ticket returns "OK" response - Given new "AttachServiceNowTicket" request + Given operation "AttachServiceNowTicket" enabled + And new "AttachServiceNowTicket" request And body with value {"data": {"attributes": {"servicenow_ticket_url": 
"https://example.service-now.com/now/nav/ui/classic/params/target/incident.do?sys_id=abcdef0123456789abcdef0123456789"}, "relationships": {"findings": {"data": [{"id": "ZGVmLTAwcC1pZXJ-aS0wZjhjNjMyZDNmMzRlZTgzNw==", "type": "findings"}]}, "project": {"data": {"id": "aeadc05e-98a8-11ec-ac2c-da7ad0900001", "type": "projects"}}}, "type": "servicenow_tickets"}} When the request is sent Then the response status is 200 OK 
@@ -529,21 +532,24 @@ Feature: Security Monitoring @generated @skip @team:DataDog/k9-investigation Scenario: Create ServiceNow tickets for security findings returns "Bad Request" response - Given new "CreateServiceNowTickets" request + Given operation "CreateServiceNowTickets" enabled + And new "CreateServiceNowTickets" request And body with value {"data": [{"attributes": {"assignee_id": "f315bdaf-9ee7-4808-a9c1-99c15bf0f4d0", "description": "A description of the ServiceNow ticket.", "priority": "NOT_DEFINED", "title": "A title for the ServiceNow ticket."}, "relationships": {"findings": {"data": [{"id": "ZGVmLTAwcC1pZXJ-aS0wZjhjNjMyZDNmMzRlZTgzNw==", "type": "findings"}]}, "project": {"data": {"id": "aeadc05e-98a8-11ec-ac2c-da7ad0900001", "type": "projects"}}}, "type": "servicenow_tickets"}]} When the request is sent Then the response status is 400 Bad Request @generated @skip @team:DataDog/k9-investigation Scenario: Create ServiceNow tickets for security findings returns "Created" response - Given new "CreateServiceNowTickets" request + Given operation "CreateServiceNowTickets" enabled + And new "CreateServiceNowTickets" request And body with value {"data": [{"attributes": {"assignee_id": "f315bdaf-9ee7-4808-a9c1-99c15bf0f4d0", "description": "A description of the ServiceNow ticket.", "priority": "NOT_DEFINED", "title": "A title for the ServiceNow ticket."}, "relationships": {"findings": {"data": [{"id": "ZGVmLTAwcC1pZXJ-aS0wZjhjNjMyZDNmMzRlZTgzNw==", "type": "findings"}]}, "project": {"data": {"id": "aeadc05e-98a8-11ec-ac2c-da7ad0900001", "type": "projects"}}}, "type": "servicenow_tickets"}]} When the request is sent Then the response status is 201 Created @generated @skip @team:DataDog/k9-investigation Scenario: Create ServiceNow tickets for security findings returns "Not Found" response - Given new "CreateServiceNowTickets" request + Given operation "CreateServiceNowTickets" enabled + And new "CreateServiceNowTickets" request And body with value {"data": 
[{"attributes": {"assignee_id": "f315bdaf-9ee7-4808-a9c1-99c15bf0f4d0", "description": "A description of the ServiceNow ticket.", "priority": "NOT_DEFINED", "title": "A title for the ServiceNow ticket."}, "relationships": {"findings": {"data": [{"id": "ZGVmLTAwcC1pZXJ-aS0wZjhjNjMyZDNmMzRlZTgzNw==", "type": "findings"}]}, "project": {"data": {"id": "aeadc05e-98a8-11ec-ac2c-da7ad0900001", "type": "projects"}}}, "type": "servicenow_tickets"}]} When the request is sent Then the response status is 404 Not Found @@ -948,6 +954,22 @@ Feature: Security Monitoring When the request is sent Then the response status is 404 Not Found + @replay-only @skip-terraform-config @team:DataDog/k9-cloud-siem + Scenario: Create or update an indicator triage state returns "Bad Request" response + Given operation "CreateIoCTriageState" enabled + And new "CreateIoCTriageState" request + And body with value {"data": {"attributes": {"indicator": "192.0.2.1", "triage_state": "invalid_state"}, "type": "ioc_triage_state"}} + When the request is sent + Then the response status is 400 Bad Request + + @replay-only @skip-terraform-config @team:DataDog/k9-cloud-siem + Scenario: Create or update an indicator triage state returns "Created" response + Given operation "CreateIoCTriageState" enabled + And new "CreateIoCTriageState" request + And body with value {"data": {"attributes": {"indicator": "192.0.2.1", "triage_state": "reviewed"}, "type": "ioc_triage_state"}} + When the request is sent + Then the response status is 201 Created + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Deactivate content pack returns "Accepted" response Given operation "DeactivateContentPack" enabled 
@@ -1748,7 +1770,8 @@ Feature: Security Monitoring Scenario: Get an indicator of compromise returns "OK" response Given operation "GetIndicatorOfCompromise" enabled And new "GetIndicatorOfCompromise" request - And request contains "indicator" parameter with value "masscan/1.3 (https://github.com/robertdavidgraham/masscan)" + And request contains "indicator" parameter with value "192.0.2.1" + And request contains "include_triage_history" parameter with value true When the request is sent Then the response status is 200 OK diff --git a/tests/v2/features/undo.json b/tests/v2/features/undo.json index 3f66e97af8..8205dd34c1 100644 --- a/tests/v2/features/undo.json +++ b/tests/v2/features/undo.json @@ -7012,6 +7012,12 @@ "type": "safe" } }, + "CreateIoCTriageState": { + "tag": "Security Monitoring", + "undo": { + "type": "safe" + } + }, "GetSignalNotificationRules": { "tag": "Security Monitoring", "undo": {
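Review bot: `CreateIoCTriageState` is registered in undo.json with `"type": "safe"`, the same class as the adjacent read-only `GetSignalNotificationRules`, although the operation is a POST that the new scenarios expect to answer 201 Created after creating or updating the triage state of indicator 192.0.2.1. If `safe` means the harness performs no cleanup, nothing visible in this change resets that state after a live recording; the scenarios are tagged `@replay-only`, so the replay tag alone is what keeps a test run from mutating the account. Either move the operation to whichever undo class the harness uses for writes that cannot be reverted, or leave a comment beside the scenarios recording that no reset endpoint exists, since this change adds no delete or reset operation for triage state.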