Datadog v4.47.0, Mar 20 25

Datadog v4.47.0 published on Thursday, Mar 20, 2025 by Pulumi

datadog.getSecurityMonitoringRules

Explore with Pulumi AI

Datadog v4.47.0 published on Thursday, Mar 20, 2025 by Pulumi

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as datadog from "@pulumi/datadog";

const test = datadog.getSecurityMonitoringRules({
    nameFilter: "attack",
    tagsFilters: ["foo:bar"],
    defaultOnlyFilter: true,
});

import pulumi
import pulumi_datadog as datadog

test = datadog.get_security_monitoring_rules(name_filter="attack",
    tags_filters=["foo:bar"],
    default_only_filter=True)

package main

import (
	"github.com/pulumi/pulumi-datadog/sdk/v4/go/datadog"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := datadog.GetSecurityMonitoringRules(ctx, &datadog.GetSecurityMonitoringRulesArgs{
			NameFilter: pulumi.StringRef("attack"),
			TagsFilters: []string{
				"foo:bar",
			},
			DefaultOnlyFilter: pulumi.BoolRef(true),
		}, nil)
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Datadog = Pulumi.Datadog;

return await Deployment.RunAsync(() => 
{
    var test = Datadog.GetSecurityMonitoringRules.Invoke(new()
    {
        NameFilter = "attack",
        TagsFilters = new[]
        {
            "foo:bar",
        },
        DefaultOnlyFilter = true,
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.datadog.DatadogFunctions;
import com.pulumi.datadog.inputs.GetSecurityMonitoringRulesArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var test = DatadogFunctions.getSecurityMonitoringRules(GetSecurityMonitoringRulesArgs.builder()
            .nameFilter("attack")
            .tagsFilters("foo:bar")
            .defaultOnlyFilter(true)
            .build());

    }
}

variables:
  test:
    fn::invoke:
      function: datadog:getSecurityMonitoringRules
      arguments:
        nameFilter: attack
        tagsFilters:
          - foo:bar
        defaultOnlyFilter: true

Using getSecurityMonitoringRules

Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.

function getSecurityMonitoringRules(args: GetSecurityMonitoringRulesArgs, opts?: InvokeOptions): Promise<GetSecurityMonitoringRulesResult>
function getSecurityMonitoringRulesOutput(args: GetSecurityMonitoringRulesOutputArgs, opts?: InvokeOptions): Output<GetSecurityMonitoringRulesResult>

def get_security_monitoring_rules(default_only_filter: Optional[bool] = None,
                                  name_filter: Optional[str] = None,
                                  tags_filters: Optional[Sequence[str]] = None,
                                  user_only_filter: Optional[bool] = None,
                                  opts: Optional[InvokeOptions] = None) -> GetSecurityMonitoringRulesResult
def get_security_monitoring_rules_output(default_only_filter: Optional[pulumi.Input[bool]] = None,
                                  name_filter: Optional[pulumi.Input[str]] = None,
                                  tags_filters: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
                                  user_only_filter: Optional[pulumi.Input[bool]] = None,
                                  opts: Optional[InvokeOptions] = None) -> Output[GetSecurityMonitoringRulesResult]

func GetSecurityMonitoringRules(ctx *Context, args *GetSecurityMonitoringRulesArgs, opts ...InvokeOption) (*GetSecurityMonitoringRulesResult, error)
func GetSecurityMonitoringRulesOutput(ctx *Context, args *GetSecurityMonitoringRulesOutputArgs, opts ...InvokeOption) GetSecurityMonitoringRulesResultOutput

> Note: This function is named GetSecurityMonitoringRules in the Go SDK.

public static class GetSecurityMonitoringRules 
{
    public static Task<GetSecurityMonitoringRulesResult> InvokeAsync(GetSecurityMonitoringRulesArgs args, InvokeOptions? opts = null)
    public static Output<GetSecurityMonitoringRulesResult> Invoke(GetSecurityMonitoringRulesInvokeArgs args, InvokeOptions? opts = null)
}

public static CompletableFuture<GetSecurityMonitoringRulesResult> getSecurityMonitoringRules(GetSecurityMonitoringRulesArgs args, InvokeOptions options)
public static Output<GetSecurityMonitoringRulesResult> getSecurityMonitoringRules(GetSecurityMonitoringRulesArgs args, InvokeOptions options)

fn::invoke:
  function: datadog:index/getSecurityMonitoringRules:getSecurityMonitoringRules
  arguments:
    # arguments dictionary

The following arguments are supported:

DefaultOnlyFilter bool: Limit the search to default rules
NameFilter string: A rule name to limit the search
TagsFilters List<string>: A list of tags to limit the search
UserOnlyFilter bool: Limit the search to user rules

DefaultOnlyFilter bool: Limit the search to default rules
NameFilter string: A rule name to limit the search
TagsFilters []string: A list of tags to limit the search
UserOnlyFilter bool: Limit the search to user rules

defaultOnlyFilter Boolean: Limit the search to default rules
nameFilter String: A rule name to limit the search
tagsFilters List<String>: A list of tags to limit the search
userOnlyFilter Boolean: Limit the search to user rules

defaultOnlyFilter boolean: Limit the search to default rules
nameFilter string: A rule name to limit the search
tagsFilters string[]: A list of tags to limit the search
userOnlyFilter boolean: Limit the search to user rules

default_only_filter bool: Limit the search to default rules
name_filter str: A rule name to limit the search
tags_filters Sequence[str]: A list of tags to limit the search
user_only_filter bool: Limit the search to user rules

defaultOnlyFilter Boolean: Limit the search to default rules
nameFilter String: A rule name to limit the search
tagsFilters List<String>: A list of tags to limit the search
userOnlyFilter Boolean: Limit the search to user rules

getSecurityMonitoringRules Result

The following output properties are available:

Id string: The provider-assigned unique ID for this managed resource.
RuleIds List<string>: List of IDs of the matched rules.
Rules List<GetSecurityMonitoringRulesRule>: List of rules.
DefaultOnlyFilter bool: Limit the search to default rules
NameFilter string: A rule name to limit the search
TagsFilters List<string>: A list of tags to limit the search
UserOnlyFilter bool: Limit the search to user rules

Id string: The provider-assigned unique ID for this managed resource.
RuleIds []string: List of IDs of the matched rules.
Rules []GetSecurityMonitoringRulesRule: List of rules.
DefaultOnlyFilter bool: Limit the search to default rules
NameFilter string: A rule name to limit the search
TagsFilters []string: A list of tags to limit the search
UserOnlyFilter bool: Limit the search to user rules

id String: The provider-assigned unique ID for this managed resource.
ruleIds List<String>: List of IDs of the matched rules.
rules List<GetSecurityMonitoringRulesRule>: List of rules.
defaultOnlyFilter Boolean: Limit the search to default rules
nameFilter String: A rule name to limit the search
tagsFilters List<String>: A list of tags to limit the search
userOnlyFilter Boolean: Limit the search to user rules

id string: The provider-assigned unique ID for this managed resource.
ruleIds string[]: List of IDs of the matched rules.
rules GetSecurityMonitoringRulesRule[]: List of rules.
defaultOnlyFilter boolean: Limit the search to default rules
nameFilter string: A rule name to limit the search
tagsFilters string[]: A list of tags to limit the search
userOnlyFilter boolean: Limit the search to user rules

id str: The provider-assigned unique ID for this managed resource.
rule_ids Sequence[str]: List of IDs of the matched rules.
rules Sequence[GetSecurityMonitoringRulesRule]: List of rules.
default_only_filter bool: Limit the search to default rules
name_filter str: A rule name to limit the search
tags_filters Sequence[str]: A list of tags to limit the search
user_only_filter bool: Limit the search to user rules

id String: The provider-assigned unique ID for this managed resource.
ruleIds List<String>: List of IDs of the matched rules.
rules List<Property Map>: List of rules.
defaultOnlyFilter Boolean: Limit the search to default rules
nameFilter String: A rule name to limit the search
tagsFilters List<String>: A list of tags to limit the search
userOnlyFilter Boolean: Limit the search to user rules

Supporting Types

GetSecurityMonitoringRulesRule

Message string: Message for generated signals.
Name string: The name of the rule.
Cases List<GetSecurityMonitoringRulesRuleCase>: Cases for generating signals.
Enabled bool: Whether the rule is enabled.
Filters List<GetSecurityMonitoringRulesRuleFilter>: Additional queries to filter matched events before they are processed. Note: This field is deprecated for log detection, signal correlation, and workload security rules.
GroupSignalsBies List<string>: Additional grouping to perform on top of the query grouping.
HasExtendedTitle bool: Whether the notifications include the triggering group-by values in their title.
Options GetSecurityMonitoringRulesRuleOptions: Options on rules.
Queries List<GetSecurityMonitoringRulesRuleQuery>: Queries for selecting logs which are part of the rule.
ReferenceTables List<GetSecurityMonitoringRulesRuleReferenceTable>: Reference tables for filtering query results.
SignalQueries List<GetSecurityMonitoringRulesRuleSignalQuery>: Queries for selecting logs which are part of the rule.
Tags List<string>: Tags for generated signals.
ThirdPartyCases List<GetSecurityMonitoringRulesRuleThirdPartyCase>: Cases for generating signals for third-party rules. Only required and accepted for third-party rules
Type string: The rule type.

Message string: Message for generated signals.
Name string: The name of the rule.
Cases []GetSecurityMonitoringRulesRuleCase: Cases for generating signals.
Enabled bool: Whether the rule is enabled.
Filters []GetSecurityMonitoringRulesRuleFilter: Additional queries to filter matched events before they are processed. Note: This field is deprecated for log detection, signal correlation, and workload security rules.
GroupSignalsBies []string: Additional grouping to perform on top of the query grouping.
HasExtendedTitle bool: Whether the notifications include the triggering group-by values in their title.
Options GetSecurityMonitoringRulesRuleOptions: Options on rules.
Queries []GetSecurityMonitoringRulesRuleQuery: Queries for selecting logs which are part of the rule.
ReferenceTables []GetSecurityMonitoringRulesRuleReferenceTable: Reference tables for filtering query results.
SignalQueries []GetSecurityMonitoringRulesRuleSignalQuery: Queries for selecting logs which are part of the rule.
Tags []string: Tags for generated signals.
ThirdPartyCases []GetSecurityMonitoringRulesRuleThirdPartyCase: Cases for generating signals for third-party rules. Only required and accepted for third-party rules
Type string: The rule type.

message String: Message for generated signals.
name String: The name of the rule.
cases List<GetSecurityMonitoringRulesRuleCase>: Cases for generating signals.
enabled Boolean: Whether the rule is enabled.
filters List<GetSecurityMonitoringRulesRuleFilter>: Additional queries to filter matched events before they are processed. Note: This field is deprecated for log detection, signal correlation, and workload security rules.
groupSignalsBies List<String>: Additional grouping to perform on top of the query grouping.
hasExtendedTitle Boolean: Whether the notifications include the triggering group-by values in their title.
options GetSecurityMonitoringRulesRuleOptions: Options on rules.
queries List<GetSecurityMonitoringRulesRuleQuery>: Queries for selecting logs which are part of the rule.
referenceTables List<GetSecurityMonitoringRulesRuleReferenceTable>: Reference tables for filtering query results.
signalQueries List<GetSecurityMonitoringRulesRuleSignalQuery>: Queries for selecting logs which are part of the rule.
tags List<String>: Tags for generated signals.
thirdPartyCases List<GetSecurityMonitoringRulesRuleThirdPartyCase>: Cases for generating signals for third-party rules. Only required and accepted for third-party rules
type String: The rule type.

message string: Message for generated signals.
name string: The name of the rule.
cases GetSecurityMonitoringRulesRuleCase[]: Cases for generating signals.
enabled boolean: Whether the rule is enabled.
filters GetSecurityMonitoringRulesRuleFilter[]: Additional queries to filter matched events before they are processed. Note: This field is deprecated for log detection, signal correlation, and workload security rules.
groupSignalsBies string[]: Additional grouping to perform on top of the query grouping.
hasExtendedTitle boolean: Whether the notifications include the triggering group-by values in their title.
options GetSecurityMonitoringRulesRuleOptions: Options on rules.
queries GetSecurityMonitoringRulesRuleQuery[]: Queries for selecting logs which are part of the rule.
referenceTables GetSecurityMonitoringRulesRuleReferenceTable[]: Reference tables for filtering query results.
signalQueries GetSecurityMonitoringRulesRuleSignalQuery[]: Queries for selecting logs which are part of the rule.
tags string[]: Tags for generated signals.
thirdPartyCases GetSecurityMonitoringRulesRuleThirdPartyCase[]: Cases for generating signals for third-party rules. Only required and accepted for third-party rules
type string: The rule type.

message str: Message for generated signals.
name str: The name of the rule.
cases Sequence[GetSecurityMonitoringRulesRuleCase]: Cases for generating signals.
enabled bool: Whether the rule is enabled.
filters Sequence[GetSecurityMonitoringRulesRuleFilter]: Additional queries to filter matched events before they are processed. Note: This field is deprecated for log detection, signal correlation, and workload security rules.
group_signals_bies Sequence[str]: Additional grouping to perform on top of the query grouping.
has_extended_title bool: Whether the notifications include the triggering group-by values in their title.
options GetSecurityMonitoringRulesRuleOptions: Options on rules.
queries Sequence[GetSecurityMonitoringRulesRuleQuery]: Queries for selecting logs which are part of the rule.
reference_tables Sequence[GetSecurityMonitoringRulesRuleReferenceTable]: Reference tables for filtering query results.
signal_queries Sequence[GetSecurityMonitoringRulesRuleSignalQuery]: Queries for selecting logs which are part of the rule.
tags Sequence[str]: Tags for generated signals.
third_party_cases Sequence[GetSecurityMonitoringRulesRuleThirdPartyCase]: Cases for generating signals for third-party rules. Only required and accepted for third-party rules
type str: The rule type.

message String: Message for generated signals.
name String: The name of the rule.
cases List<Property Map>: Cases for generating signals.
enabled Boolean: Whether the rule is enabled.
filters List<Property Map>: Additional queries to filter matched events before they are processed. Note: This field is deprecated for log detection, signal correlation, and workload security rules.
groupSignalsBies List<String>: Additional grouping to perform on top of the query grouping.
hasExtendedTitle Boolean: Whether the notifications include the triggering group-by values in their title.
options Property Map: Options on rules.
queries List<Property Map>: Queries for selecting logs which are part of the rule.
referenceTables List<Property Map>: Reference tables for filtering query results.
signalQueries List<Property Map>: Queries for selecting logs which are part of the rule.
tags List<String>: Tags for generated signals.
thirdPartyCases List<Property Map>: Cases for generating signals for third-party rules. Only required and accepted for third-party rules
type String: The rule type.

GetSecurityMonitoringRulesRuleCase

Status string: Severity of the Security Signal.
Actions List<GetSecurityMonitoringRulesRuleCaseAction>: Action to perform when the case trigger
Condition string: A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated based on the event counts in the previously defined queries.
Name string: Name of the case.
Notifications List<string>: Notification targets for each rule case.

Status string: Severity of the Security Signal.
Actions []GetSecurityMonitoringRulesRuleCaseAction: Action to perform when the case trigger
Condition string: A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated based on the event counts in the previously defined queries.
Name string: Name of the case.
Notifications []string: Notification targets for each rule case.

status String: Severity of the Security Signal.
actions List<GetSecurityMonitoringRulesRuleCaseAction>: Action to perform when the case trigger
condition String: A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated based on the event counts in the previously defined queries.
name String: Name of the case.
notifications List<String>: Notification targets for each rule case.

status string: Severity of the Security Signal.
actions GetSecurityMonitoringRulesRuleCaseAction[]: Action to perform when the case trigger
condition string: A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated based on the event counts in the previously defined queries.
name string: Name of the case.
notifications string[]: Notification targets for each rule case.

status str: Severity of the Security Signal.
actions Sequence[GetSecurityMonitoringRulesRuleCaseAction]: Action to perform when the case trigger
condition str: A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated based on the event counts in the previously defined queries.
name str: Name of the case.
notifications Sequence[str]: Notification targets for each rule case.

status String: Severity of the Security Signal.
actions List<Property Map>: Action to perform when the case trigger
condition String: A rule case contains logical operations (>,>=, &&, ||) to determine if a signal should be generated based on the event counts in the previously defined queries.
name String: Name of the case.
notifications List<String>: Notification targets for each rule case.

GetSecurityMonitoringRulesRuleCaseAction

Type string: Type of action to perform when the case triggers.
Options GetSecurityMonitoringRulesRuleCaseActionOptions: Options for the action.

Type string: Type of action to perform when the case triggers.
Options GetSecurityMonitoringRulesRuleCaseActionOptions: Options for the action.

type String: Type of action to perform when the case triggers.
options GetSecurityMonitoringRulesRuleCaseActionOptions: Options for the action.

type string: Type of action to perform when the case triggers.
options GetSecurityMonitoringRulesRuleCaseActionOptions: Options for the action.

type str: Type of action to perform when the case triggers.
options GetSecurityMonitoringRulesRuleCaseActionOptions: Options for the action.

type String: Type of action to perform when the case triggers.
options Property Map: Options for the action.

GetSecurityMonitoringRulesRuleCaseActionOptions

Duration int: Duration of the action in seconds.

Duration int: Duration of the action in seconds.

duration Integer: Duration of the action in seconds.

duration number: Duration of the action in seconds.

duration int: Duration of the action in seconds.

duration Number: Duration of the action in seconds.

GetSecurityMonitoringRulesRuleFilter

Action string: The type of filtering action.
Query string: Query for selecting logs to apply the filtering action.

Action string: The type of filtering action.
Query string: Query for selecting logs to apply the filtering action.

action String: The type of filtering action.
query String: Query for selecting logs to apply the filtering action.

action string: The type of filtering action.
query string: Query for selecting logs to apply the filtering action.

action str: The type of filtering action.
query str: Query for selecting logs to apply the filtering action.

action String: The type of filtering action.
query String: Query for selecting logs to apply the filtering action.

GetSecurityMonitoringRulesRuleOptions

DecreaseCriticalityBasedOnEnv bool: If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce noise. The decrement is applied when the environment tag of the signal starts with staging, test, or dev. Only available when the rule type is log_detection.
DetectionMethod string: The detection method.
EvaluationWindow int: A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time.
ImpossibleTravelOptions GetSecurityMonitoringRulesRuleOptionsImpossibleTravelOptions: Options for rules using the impossible travel detection method.
KeepAlive int: Once a signal is generated, the signal will remain “open” if a case is matched at least once within this keep alive window (in seconds).
MaxSignalDuration int: A signal will “close” regardless of the query being matched once the time exceeds the maximum duration (in seconds). This time is calculated from the first seen timestamp.
NewValueOptions GetSecurityMonitoringRulesRuleOptionsNewValueOptions: New value rules specific options.
ThirdPartyRuleOptions GetSecurityMonitoringRulesRuleOptionsThirdPartyRuleOptions: Options for rules using the third-party detection method.

DecreaseCriticalityBasedOnEnv bool: If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce noise. The decrement is applied when the environment tag of the signal starts with staging, test, or dev. Only available when the rule type is log_detection.
DetectionMethod string: The detection method.
EvaluationWindow int: A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time.
ImpossibleTravelOptions GetSecurityMonitoringRulesRuleOptionsImpossibleTravelOptions: Options for rules using the impossible travel detection method.
KeepAlive int: Once a signal is generated, the signal will remain “open” if a case is matched at least once within this keep alive window (in seconds).
MaxSignalDuration int: A signal will “close” regardless of the query being matched once the time exceeds the maximum duration (in seconds). This time is calculated from the first seen timestamp.
NewValueOptions GetSecurityMonitoringRulesRuleOptionsNewValueOptions: New value rules specific options.
ThirdPartyRuleOptions GetSecurityMonitoringRulesRuleOptionsThirdPartyRuleOptions: Options for rules using the third-party detection method.

decreaseCriticalityBasedOnEnv Boolean: If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce noise. The decrement is applied when the environment tag of the signal starts with staging, test, or dev. Only available when the rule type is log_detection.
detectionMethod String: The detection method.
evaluationWindow Integer: A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time.
impossibleTravelOptions GetSecurityMonitoringRulesRuleOptionsImpossibleTravelOptions: Options for rules using the impossible travel detection method.
keepAlive Integer: Once a signal is generated, the signal will remain “open” if a case is matched at least once within this keep alive window (in seconds).
maxSignalDuration Integer: A signal will “close” regardless of the query being matched once the time exceeds the maximum duration (in seconds). This time is calculated from the first seen timestamp.
newValueOptions GetSecurityMonitoringRulesRuleOptionsNewValueOptions: New value rules specific options.
thirdPartyRuleOptions GetSecurityMonitoringRulesRuleOptionsThirdPartyRuleOptions: Options for rules using the third-party detection method.

decreaseCriticalityBasedOnEnv boolean: If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce noise. The decrement is applied when the environment tag of the signal starts with staging, test, or dev. Only available when the rule type is log_detection.
detectionMethod string: The detection method.
evaluationWindow number: A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time.
impossibleTravelOptions GetSecurityMonitoringRulesRuleOptionsImpossibleTravelOptions: Options for rules using the impossible travel detection method.
keepAlive number: Once a signal is generated, the signal will remain “open” if a case is matched at least once within this keep alive window (in seconds).
maxSignalDuration number: A signal will “close” regardless of the query being matched once the time exceeds the maximum duration (in seconds). This time is calculated from the first seen timestamp.
newValueOptions GetSecurityMonitoringRulesRuleOptionsNewValueOptions: New value rules specific options.
thirdPartyRuleOptions GetSecurityMonitoringRulesRuleOptionsThirdPartyRuleOptions: Options for rules using the third-party detection method.

decrease_criticality_based_on_env bool: If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce noise. The decrement is applied when the environment tag of the signal starts with staging, test, or dev. Only available when the rule type is log_detection.
detection_method str: The detection method.
evaluation_window int: A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time.
impossible_travel_options GetSecurityMonitoringRulesRuleOptionsImpossibleTravelOptions: Options for rules using the impossible travel detection method.
keep_alive int: Once a signal is generated, the signal will remain “open” if a case is matched at least once within this keep alive window (in seconds).
max_signal_duration int: A signal will “close” regardless of the query being matched once the time exceeds the maximum duration (in seconds). This time is calculated from the first seen timestamp.
new_value_options GetSecurityMonitoringRulesRuleOptionsNewValueOptions: New value rules specific options.
third_party_rule_options GetSecurityMonitoringRulesRuleOptionsThirdPartyRuleOptions: Options for rules using the third-party detection method.

decreaseCriticalityBasedOnEnv Boolean: If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce noise. The decrement is applied when the environment tag of the signal starts with staging, test, or dev. Only available when the rule type is log_detection.
detectionMethod String: The detection method.
evaluationWindow Number: A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time.
impossibleTravelOptions Property Map: Options for rules using the impossible travel detection method.
keepAlive Number: Once a signal is generated, the signal will remain “open” if a case is matched at least once within this keep alive window (in seconds).
maxSignalDuration Number: A signal will “close” regardless of the query being matched once the time exceeds the maximum duration (in seconds). This time is calculated from the first seen timestamp.
newValueOptions Property Map: New value rules specific options.
thirdPartyRuleOptions Property Map: Options for rules using the third-party detection method.

GetSecurityMonitoringRulesRuleOptionsImpossibleTravelOptions

BaselineUserLocations bool: If true, signals are suppressed for the first 24 hours. During that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.

BaselineUserLocations bool: If true, signals are suppressed for the first 24 hours. During that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.

baselineUserLocations Boolean: If true, signals are suppressed for the first 24 hours. During that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.

baselineUserLocations boolean: If true, signals are suppressed for the first 24 hours. During that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.

baseline_user_locations bool: If true, signals are suppressed for the first 24 hours. During that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.

baselineUserLocations Boolean: If true, signals are suppressed for the first 24 hours. During that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.

GetSecurityMonitoringRulesRuleOptionsNewValueOptions

ForgetAfter int: The duration in days after which a learned value is forgotten.
LearningDuration int: The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned.
LearningMethod string: The learning method used to determine when signals should be generated for values that weren't learned.
LearningThreshold int: A number of occurrences after which signals are generated for values that weren't learned.

ForgetAfter int: The duration in days after which a learned value is forgotten.
LearningDuration int: The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned.
LearningMethod string: The learning method used to determine when signals should be generated for values that weren't learned.
LearningThreshold int: A number of occurrences after which signals are generated for values that weren't learned.

forgetAfter Integer: The duration in days after which a learned value is forgotten.
learningDuration Integer: The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned.
learningMethod String: The learning method used to determine when signals should be generated for values that weren't learned.
learningThreshold Integer: A number of occurrences after which signals are generated for values that weren't learned.

forgetAfter number: The duration in days after which a learned value is forgotten.
learningDuration number: The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned.
learningMethod string: The learning method used to determine when signals should be generated for values that weren't learned.
learningThreshold number: A number of occurrences after which signals are generated for values that weren't learned.

forget_after int: The duration in days after which a learned value is forgotten.
learning_duration int: The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned.
learning_method str: The learning method used to determine when signals should be generated for values that weren't learned.
learning_threshold int: A number of occurrences after which signals are generated for values that weren't learned.

forgetAfter Number: The duration in days after which a learned value is forgotten.
learningDuration Number: The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned.
learningMethod String: The learning method used to determine when signals should be generated for values that weren't learned.
learningThreshold Number: A number of occurrences after which signals are generated for values that weren't learned.

GetSecurityMonitoringRulesRuleOptionsThirdPartyRuleOptions

DefaultStatus string: Severity of the default rule case, when none of the third-party cases match.
RootQueries List<GetSecurityMonitoringRulesRuleOptionsThirdPartyRuleOptionsRootQuery>: Queries to be combined with third-party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
DefaultNotifications List<string>: Notification targets for the default rule case, when none of the third-party cases match.
SignalTitleTemplate string: A template for the signal title; if omitted, the title is generated based on the case name.

DefaultStatus string: Severity of the default rule case, when none of the third-party cases match.
RootQueries []GetSecurityMonitoringRulesRuleOptionsThirdPartyRuleOptionsRootQuery: Queries to be combined with third-party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
DefaultNotifications []string: Notification targets for the default rule case, when none of the third-party cases match.
SignalTitleTemplate string: A template for the signal title; if omitted, the title is generated based on the case name.

defaultStatus String: Severity of the default rule case, when none of the third-party cases match.
rootQueries List<GetSecurityMonitoringRulesRuleOptionsThirdPartyRuleOptionsRootQuery>: Queries to be combined with third-party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
defaultNotifications List<String>: Notification targets for the default rule case, when none of the third-party cases match.
signalTitleTemplate String: A template for the signal title; if omitted, the title is generated based on the case name.

defaultStatus string: Severity of the default rule case, when none of the third-party cases match.
rootQueries GetSecurityMonitoringRulesRuleOptionsThirdPartyRuleOptionsRootQuery[]: Queries to be combined with third-party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
defaultNotifications string[]: Notification targets for the default rule case, when none of the third-party cases match.
signalTitleTemplate string: A template for the signal title; if omitted, the title is generated based on the case name.

default_status str: Severity of the default rule case, when none of the third-party cases match.
root_queries Sequence[GetSecurityMonitoringRulesRuleOptionsThirdPartyRuleOptionsRootQuery]: Queries to be combined with third-party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
default_notifications Sequence[str]: Notification targets for the default rule case, when none of the third-party cases match.
signal_title_template str: A template for the signal title; if omitted, the title is generated based on the case name.

defaultStatus String: Severity of the default rule case, when none of the third-party cases match.
rootQueries List<Property Map>: Queries to be combined with third-party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert.
defaultNotifications List<String>: Notification targets for the default rule case, when none of the third-party cases match.
signalTitleTemplate String: A template for the signal title; if omitted, the title is generated based on the case name.

GetSecurityMonitoringRulesRuleOptionsThirdPartyRuleOptionsRootQuery

Query string: Query to filter logs.
GroupByFields List<string>: Fields to group by. If empty, each log triggers a signal.

Query string: Query to filter logs.
GroupByFields []string: Fields to group by. If empty, each log triggers a signal.

query String: Query to filter logs.
groupByFields List<String>: Fields to group by. If empty, each log triggers a signal.

query string: Query to filter logs.
groupByFields string[]: Fields to group by. If empty, each log triggers a signal.

query str: Query to filter logs.
group_by_fields Sequence[str]: Fields to group by. If empty, each log triggers a signal.

query String: Query to filter logs.
groupByFields List<String>: Fields to group by. If empty, each log triggers a signal.

GetSecurityMonitoringRulesRuleQuery

Metrics List<string>: Group of target fields to aggregate over when using the sum, max, geo_data, or new_value aggregations. The sum, max, and geo_data aggregations only accept one value in this list, whereas the new_value aggregation accepts up to five values.
Query string: Query to run on logs.
AgentRules List<GetSecurityMonitoringRulesRuleQueryAgentRule>: Deprecated. It won't be applied anymore.
Deprecated: agent_rule has been deprecated in favor of new Agent Rule resource.
Aggregation string: The aggregation type. For Signal Correlation rules, it must be event_count.
DistinctFields List<string>: Field for which the cardinality is measured. Sent as an array.
GroupByFields List<string>: Fields to group by.
Metric string: The target field to aggregate over when using the sum, max, or geo_data aggregations.
Deprecated: Configure metrics instead. This attribute will be removed in the next major version of the provider.
Name string: Name of the query. Not compatible with new_value aggregations.

Metrics []string: Group of target fields to aggregate over when using the sum, max, geo_data, or new_value aggregations. The sum, max, and geo_data aggregations only accept one value in this list, whereas the new_value aggregation accepts up to five values.
Query string: Query to run on logs.
AgentRules []GetSecurityMonitoringRulesRuleQueryAgentRule: Deprecated. It won't be applied anymore.
Deprecated: agent_rule has been deprecated in favor of new Agent Rule resource.
Aggregation string: The aggregation type. For Signal Correlation rules, it must be event_count.
DistinctFields []string: Field for which the cardinality is measured. Sent as an array.
GroupByFields []string: Fields to group by.
Metric string: The target field to aggregate over when using the sum, max, or geo_data aggregations.
Deprecated: Configure metrics instead. This attribute will be removed in the next major version of the provider.
Name string: Name of the query. Not compatible with new_value aggregations.

metrics List<String>: Group of target fields to aggregate over when using the sum, max, geo_data, or new_value aggregations. The sum, max, and geo_data aggregations only accept one value in this list, whereas the new_value aggregation accepts up to five values.
query String: Query to run on logs.
agentRules List<GetSecurityMonitoringRulesRuleQueryAgentRule>: Deprecated. It won't be applied anymore.
Deprecated: agent_rule has been deprecated in favor of new Agent Rule resource.
aggregation String: The aggregation type. For Signal Correlation rules, it must be event_count.
distinctFields List<String>: Field for which the cardinality is measured. Sent as an array.
groupByFields List<String>: Fields to group by.
metric String: The target field to aggregate over when using the sum, max, or geo_data aggregations.
Deprecated: Configure metrics instead. This attribute will be removed in the next major version of the provider.
name String: Name of the query. Not compatible with new_value aggregations.

metrics string[]: Group of target fields to aggregate over when using the sum, max, geo_data, or new_value aggregations. The sum, max, and geo_data aggregations only accept one value in this list, whereas the new_value aggregation accepts up to five values.
query string: Query to run on logs.
agentRules GetSecurityMonitoringRulesRuleQueryAgentRule[]: Deprecated. It won't be applied anymore.
Deprecated: agent_rule has been deprecated in favor of new Agent Rule resource.
aggregation string: The aggregation type. For Signal Correlation rules, it must be event_count.
distinctFields string[]: Field for which the cardinality is measured. Sent as an array.
groupByFields string[]: Fields to group by.
metric string: The target field to aggregate over when using the sum, max, or geo_data aggregations.
Deprecated: Configure metrics instead. This attribute will be removed in the next major version of the provider.
name string: Name of the query. Not compatible with new_value aggregations.

metrics Sequence[str]: Group of target fields to aggregate over when using the sum, max, geo_data, or new_value aggregations. The sum, max, and geo_data aggregations only accept one value in this list, whereas the new_value aggregation accepts up to five values.
query str: Query to run on logs.
agent_rules Sequence[GetSecurityMonitoringRulesRuleQueryAgentRule]: Deprecated. It won't be applied anymore.
Deprecated: agent_rule has been deprecated in favor of new Agent Rule resource.
aggregation str: The aggregation type. For Signal Correlation rules, it must be event_count.
distinct_fields Sequence[str]: Field for which the cardinality is measured. Sent as an array.
group_by_fields Sequence[str]: Fields to group by.
metric str: The target field to aggregate over when using the sum, max, or geo_data aggregations.
Deprecated: Configure metrics instead. This attribute will be removed in the next major version of the provider.
name str: Name of the query. Not compatible with new_value aggregations.

metrics List<String>: Group of target fields to aggregate over when using the sum, max, geo_data, or new_value aggregations. The sum, max, and geo_data aggregations only accept one value in this list, whereas the new_value aggregation accepts up to five values.
query String: Query to run on logs.
agentRules List<Property Map>: Deprecated. It won't be applied anymore.
Deprecated: agent_rule has been deprecated in favor of new Agent Rule resource.
aggregation String: The aggregation type. For Signal Correlation rules, it must be event_count.
distinctFields List<String>: Field for which the cardinality is measured. Sent as an array.
groupByFields List<String>: Fields to group by.
metric String: The target field to aggregate over when using the sum, max, or geo_data aggregations.
Deprecated: Configure metrics instead. This attribute will be removed in the next major version of the provider.
name String: Name of the query. Not compatible with new_value aggregations.

GetSecurityMonitoringRulesRuleQueryAgentRule

AgentRuleId string: Deprecated. It won't be applied anymore.
Expression string: Deprecated. It won't be applied anymore.

AgentRuleId string: Deprecated. It won't be applied anymore.
Expression string: Deprecated. It won't be applied anymore.

agentRuleId String: Deprecated. It won't be applied anymore.
expression String: Deprecated. It won't be applied anymore.

agentRuleId string: Deprecated. It won't be applied anymore.
expression string: Deprecated. It won't be applied anymore.

agent_rule_id str: Deprecated. It won't be applied anymore.
expression str: Deprecated. It won't be applied anymore.

agentRuleId String: Deprecated. It won't be applied anymore.
expression String: Deprecated. It won't be applied anymore.

GetSecurityMonitoringRulesRuleReferenceTable

CheckPresence bool: Whether to include or exclude logs that match the reference table.
ColumnName string: The name of the column in the reference table.
LogFieldPath string: The field in the log that should be matched against the reference table.
RuleQueryName string: The name of the query to filter.
TableName string: The name of the reference table.

CheckPresence bool: Whether to include or exclude logs that match the reference table.
ColumnName string: The name of the column in the reference table.
LogFieldPath string: The field in the log that should be matched against the reference table.
RuleQueryName string: The name of the query to filter.
TableName string: The name of the reference table.

checkPresence Boolean: Whether to include or exclude logs that match the reference table.
columnName String: The name of the column in the reference table.
logFieldPath String: The field in the log that should be matched against the reference table.
ruleQueryName String: The name of the query to filter.
tableName String: The name of the reference table.

checkPresence boolean: Whether to include or exclude logs that match the reference table.
columnName string: The name of the column in the reference table.
logFieldPath string: The field in the log that should be matched against the reference table.
ruleQueryName string: The name of the query to filter.
tableName string: The name of the reference table.

check_presence bool: Whether to include or exclude logs that match the reference table.
column_name str: The name of the column in the reference table.
log_field_path str: The field in the log that should be matched against the reference table.
rule_query_name str: The name of the query to filter.
table_name str: The name of the reference table.

checkPresence Boolean: Whether to include or exclude logs that match the reference table.
columnName String: The name of the column in the reference table.
logFieldPath String: The field in the log that should be matched against the reference table.
ruleQueryName String: The name of the query to filter.
tableName String: The name of the reference table.

GetSecurityMonitoringRulesRuleSignalQuery

RuleId string: Rule ID of the signal to correlate.
Aggregation string: The aggregation type. For Signal Correlation rules, it must be event_count.
CorrelatedByFields List<string>: Fields to correlate by.
CorrelatedQueryIndex string: Index of the rule query used to retrieve the correlated field. An empty string applies correlation on the non-projected per query attributes of the rule.
DefaultRuleId string: Default Rule ID of the signal to correlate. This value is READ-ONLY.
Name string: Name of the query. Not compatible with new_value aggregations.

RuleId string: Rule ID of the signal to correlate.
Aggregation string: The aggregation type. For Signal Correlation rules, it must be event_count.
CorrelatedByFields []string: Fields to correlate by.
CorrelatedQueryIndex string: Index of the rule query used to retrieve the correlated field. An empty string applies correlation on the non-projected per query attributes of the rule.
DefaultRuleId string: Default Rule ID of the signal to correlate. This value is READ-ONLY.
Name string: Name of the query. Not compatible with new_value aggregations.

ruleId String: Rule ID of the signal to correlate.
aggregation String: The aggregation type. For Signal Correlation rules, it must be event_count.
correlatedByFields List<String>: Fields to correlate by.
correlatedQueryIndex String: Index of the rule query used to retrieve the correlated field. An empty string applies correlation on the non-projected per query attributes of the rule.
defaultRuleId String: Default Rule ID of the signal to correlate. This value is READ-ONLY.
name String: Name of the query. Not compatible with new_value aggregations.

ruleId string: Rule ID of the signal to correlate.
aggregation string: The aggregation type. For Signal Correlation rules, it must be event_count.
correlatedByFields string[]: Fields to correlate by.
correlatedQueryIndex string: Index of the rule query used to retrieve the correlated field. An empty string applies correlation on the non-projected per query attributes of the rule.
defaultRuleId string: Default Rule ID of the signal to correlate. This value is READ-ONLY.
name string: Name of the query. Not compatible with new_value aggregations.

rule_id str: Rule ID of the signal to correlate.
aggregation str: The aggregation type. For Signal Correlation rules, it must be event_count.
correlated_by_fields Sequence[str]: Fields to correlate by.
correlated_query_index str: Index of the rule query used to retrieve the correlated field. An empty string applies correlation on the non-projected per query attributes of the rule.
default_rule_id str: Default Rule ID of the signal to correlate. This value is READ-ONLY.
name str: Name of the query. Not compatible with new_value aggregations.

ruleId String: Rule ID of the signal to correlate.
aggregation String: The aggregation type. For Signal Correlation rules, it must be event_count.
correlatedByFields List<String>: Fields to correlate by.
correlatedQueryIndex String: Index of the rule query used to retrieve the correlated field. An empty string applies correlation on the non-projected per query attributes of the rule.
defaultRuleId String: Default Rule ID of the signal to correlate. This value is READ-ONLY.
name String: Name of the query. Not compatible with new_value aggregations.

GetSecurityMonitoringRulesRuleThirdPartyCase

Status string: Severity of the Security Signal.
Name string: Name of the case.
Notifications List<string>: Notification targets for each rule case.
Query string: A query to associate a third-party event to this case.

Status string: Severity of the Security Signal.
Name string: Name of the case.
Notifications []string: Notification targets for each rule case.
Query string: A query to associate a third-party event to this case.

status String: Severity of the Security Signal.
name String: Name of the case.
notifications List<String>: Notification targets for each rule case.
query String: A query to associate a third-party event to this case.

status string: Severity of the Security Signal.
name string: Name of the case.
notifications string[]: Notification targets for each rule case.
query string: A query to associate a third-party event to this case.

status str: Severity of the Security Signal.
name str: Name of the case.
notifications Sequence[str]: Notification targets for each rule case.
query str: A query to associate a third-party event to this case.

status String: Severity of the Security Signal.
name String: Name of the case.
notifications List<String>: Notification targets for each rule case.
query String: A query to associate a third-party event to this case.

Package Details

Repository: Datadog pulumi/pulumi-datadog
License: Apache-2.0
Notes: This Pulumi package is based on the datadog Terraform Provider.

Datadog v4.47.0 published on Thursday, Mar 20, 2025 by Pulumi

pulumi/pulumi-datadog

datadog.getSecurityMonitoringRules

On this page

On this page

Example Usage

Using getSecurityMonitoringRules

getSecurityMonitoringRules Result

Supporting Types

GetSecurityMonitoringRulesRule

GetSecurityMonitoringRulesRuleCase

GetSecurityMonitoringRulesRuleCaseAction

GetSecurityMonitoringRulesRuleCaseActionOptions

GetSecurityMonitoringRulesRuleFilter

GetSecurityMonitoringRulesRuleOptions

GetSecurityMonitoringRulesRuleOptionsImpossibleTravelOptions

GetSecurityMonitoringRulesRuleOptionsNewValueOptions

GetSecurityMonitoringRulesRuleOptionsThirdPartyRuleOptions

GetSecurityMonitoringRulesRuleOptionsThirdPartyRuleOptionsRootQuery

GetSecurityMonitoringRulesRuleQuery

GetSecurityMonitoringRulesRuleQueryAgentRule

GetSecurityMonitoringRulesRuleReferenceTable

GetSecurityMonitoringRulesRuleSignalQuery

GetSecurityMonitoringRulesRuleThirdPartyCase

Package Details

On this page

On this page