From c9409c7341be92cf170c4ce731bd2bb79ce80fb6 Mon Sep 17 00:00:00 2001 From: "ci.datadog-api-spec" Date: Fri, 3 Apr 2026 17:21:03 +0000 Subject: [PATCH] Regenerate client from commit a4c43fe of spec repo --- tests/v1/features/security_monitoring.feature | 18 +- tests/v2/features/csm_agents.feature | 4 +- .../v2/features/csm_coverage_analysis.feature | 6 +- tests/v2/features/csm_threats.feature | 80 ++-- tests/v2/features/security_monitoring.feature | 348 +++++++++--------- 5 files changed, 228 insertions(+), 228 deletions(-) diff --git a/tests/v1/features/security_monitoring.feature b/tests/v1/features/security_monitoring.feature index 4d4904e937..34fddb3dc1 100644 --- a/tests/v1/features/security_monitoring.feature +++ b/tests/v1/features/security_monitoring.feature @@ -9,7 +9,7 @@ Feature: Security Monitoring And a valid "appKeyAuth" key in the system And an instance of "SecurityMonitoring" API - @generated @skip @team:DataDog/k9-cloud-security-platform + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Add a security signal to an incident returns "Bad Request" response Given new "AddSecurityMonitoringSignalToIncident" request And request contains "signal_id" parameter from "REPLACE.ME" @@ -17,7 +17,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 400 Bad Request - @generated @skip @team:DataDog/k9-cloud-security-platform + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Add a security signal to an incident returns "Not Found" response Given new "AddSecurityMonitoringSignalToIncident" request And request contains "signal_id" parameter from "REPLACE.ME" 
@@ -25,7 +25,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 404 Not Found - @replay-only @team:DataDog/k9-cloud-security-platform + @replay-only @team:DataDog/k9-cloud-siem Scenario: Add a security signal to an incident returns "OK" response Given new "AddSecurityMonitoringSignalToIncident" request And request contains "signal_id" parameter with value "AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE" @@ -34,7 +34,7 @@ Feature: Security Monitoring Then the response status is 200 OK And the response "status" is equal to "done" - @generated @skip @team:DataDog/k9-cloud-security-platform + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Change the triage state of a security signal returns "Bad Request" response Given new "EditSecurityMonitoringSignalState" request And request contains "signal_id" parameter from "REPLACE.ME" @@ -42,7 +42,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 400 Bad Request - @generated @skip @team:DataDog/k9-cloud-security-platform + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Change the triage state of a security signal returns "Not Found" response Given new "EditSecurityMonitoringSignalState" request And request contains "signal_id" parameter from "REPLACE.ME" @@ -50,7 +50,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 404 Not Found - @replay-only @team:DataDog/k9-cloud-security-platform + @replay-only @team:DataDog/k9-cloud-siem Scenario: Change the triage state of a security signal returns "OK" response Given new "EditSecurityMonitoringSignalState" request And request contains "signal_id" parameter with value "AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE" 
@@ -59,7 +59,7 @@ Feature: Security Monitoring Then the response status is 200 OK And the response "status" is equal to "done" - @generated @skip @team:DataDog/k9-cloud-security-platform + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Modify the triage assignee of a security signal returns "Bad Request" response Given new "EditSecurityMonitoringSignalAssignee" request And request contains "signal_id" parameter from "REPLACE.ME" @@ -67,7 +67,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 400 Bad Request - @generated @skip @team:DataDog/k9-cloud-security-platform + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Modify the triage assignee of a security signal returns "Not Found" response Given new "EditSecurityMonitoringSignalAssignee" request And request contains "signal_id" parameter from "REPLACE.ME" @@ -75,7 +75,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 404 Not Found - @replay-only @team:DataDog/k9-cloud-security-platform + @replay-only @team:DataDog/k9-cloud-siem Scenario: Modify the triage assignee of a security signal returns "OK" response Given new "EditSecurityMonitoringSignalAssignee" request And request contains "signal_id" parameter with value "AQAAAYDiB_Ol8PbzFAAAAABBWURpQl9PbEFBQU0yeXhGTG9ZV2JnQUE" diff --git a/tests/v2/features/csm_agents.feature b/tests/v2/features/csm_agents.feature index 49cde30aa9..c5c25bb35e 100644 --- a/tests/v2/features/csm_agents.feature +++ b/tests/v2/features/csm_agents.feature 
@@ -12,13 +12,13 @@ Feature: CSM Agents And a valid "appKeyAuth" key in the system And an instance of "CSMAgents" API - @team:DataDog/k9-cloud-security-platform + @team:DataDog/k9-misconfigs Scenario: Get all CSM Agents returns "OK" response Given new "ListAllCSMAgents" request When the request is sent Then the response status is 200 OK - @team:DataDog/k9-cloud-security-platform + @team:DataDog/k9-misconfigs Scenario: Get all CSM Serverless Agents returns "OK" response Given new "ListAllCSMServerlessAgents" request When the request is sent diff --git a/tests/v2/features/csm_coverage_analysis.feature b/tests/v2/features/csm_coverage_analysis.feature index 8c3689dbfa..a6c05b8dfc 100644 --- a/tests/v2/features/csm_coverage_analysis.feature +++ b/tests/v2/features/csm_coverage_analysis.feature @@ -12,19 +12,19 @@ Feature: CSM Coverage Analysis And a valid "appKeyAuth" key in the system And an instance of "CSMCoverageAnalysis" API - @team:DataDog/k9-cloud-security-platform + @team:DataDog/k9-misconfigs Scenario: Get the CSM Cloud Accounts Coverage Analysis returns "OK" response Given new "GetCSMCloudAccountsCoverageAnalysis" request When the request is sent Then the response status is 200 OK - @team:DataDog/k9-cloud-security-platform + @team:DataDog/k9-misconfigs Scenario: Get the CSM Hosts and Containers Coverage Analysis returns "OK" response Given new "GetCSMHostsAndContainersCoverageAnalysis" request When the request is sent Then the response status is 200 OK - @team:DataDog/k9-cloud-security-platform + @team:DataDog/k9-misconfigs Scenario: Get the CSM Serverless Coverage Analysis returns "OK" response Given new "GetCSMServerlessCoverageAnalysis" request When the request is sent diff --git a/tests/v2/features/csm_threats.feature b/tests/v2/features/csm_threats.feature index fe2ddf85d8..2522d1efeb 100644 --- a/tests/v2/features/csm_threats.feature +++ b/tests/v2/features/csm_threats.feature 
@@ -13,7 +13,7 @@ Feature: CSM Threats And a valid "appKeyAuth" key in the system And an instance of "CSMThreats" API - @replay-only @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + @replay-only @team:DataDog/k9-cws-backend Scenario: Create a Workload Protection agent rule (US1-FED) returns "Bad Request" response Given there is a valid "policy_rc" in the system And new "CreateCloudWorkloadSecurityAgentRule" request @@ -21,7 +21,7 @@ Feature: CSM Threats When the request is sent Then the response status is 400 Bad Request - @skip @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + @skip @team:DataDog/k9-cws-backend Scenario: Create a Workload Protection agent rule (US1-FED) returns "Conflict" response Given there is a valid "policy_rc" in the system And new "CreateCloudWorkloadSecurityAgentRule" request @@ -29,7 +29,7 @@ Feature: CSM Threats When the request is sent Then the response status is 409 Conflict - @replay-only @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + @replay-only @team:DataDog/k9-cws-backend Scenario: Create a Workload Protection agent rule (US1-FED) returns "OK" response Given there is a valid "policy_rc" in the system And new "CreateCloudWorkloadSecurityAgentRule" request @@ -37,7 +37,7 @@ Feature: CSM Threats When the request is sent Then the response status is 200 OK - @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + @team:DataDog/k9-cws-backend Scenario: Create a Workload Protection agent rule returns "Bad Request" response Given there is a valid "policy_rc" in the system And new "CreateCSMThreatsAgentRule" request 
@@ -45,7 +45,7 @@ Feature: CSM Threats When the request is sent Then the response status is 400 Bad Request - @skip @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + @skip @team:DataDog/k9-cws-backend Scenario: Create a Workload Protection agent rule returns "Conflict" response Given there is a valid "policy_rc" in the system And new "CreateCSMThreatsAgentRule" request @@ -53,7 +53,7 @@ Feature: CSM Threats When the request is sent Then the response status is 409 Conflict - @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + @team:DataDog/k9-cws-backend Scenario: Create a Workload Protection agent rule returns "OK" response Given there is a valid "policy_rc" in the system And new "CreateCSMThreatsAgentRule" request @@ -61,7 +61,7 @@ Feature: CSM Threats When the request is sent Then the response status is 200 OK - @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + @team:DataDog/k9-cws-backend Scenario: Create a Workload Protection agent rule with set action returns "OK" response Given there is a valid "policy_rc" in the system And new "CreateCSMThreatsAgentRule" request @@ -69,7 +69,7 @@ Feature: CSM Threats When the request is sent Then the response status is 200 OK - @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + @team:DataDog/k9-cws-backend Scenario: Create a Workload Protection agent rule with set action with expression returns "OK" response Given there is a valid "policy_rc" in the system And new "CreateCSMThreatsAgentRule" request 
@@ -77,35 +77,35 @@ Feature: CSM Threats When the request is sent Then the response status is 200 OK - @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + @team:DataDog/k9-cws-backend Scenario: Create a Workload Protection policy returns "Bad Request" response Given new "CreateCSMThreatsAgentPolicy" request And body with value {"data": {"attributes": {"description": "My agent policy", "enabled": true, "hostTags": [], "hostTagsLists": [], "name": "test"}, "type": "policy"}} When the request is sent Then the response status is 400 Bad Request - @skip @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + @skip @team:DataDog/k9-cws-backend Scenario: Create a Workload Protection policy returns "Conflict" response Given new "CreateCSMThreatsAgentPolicy" request And body with value {"data": {"attributes": {"description": "My agent policy", "enabled": true, "hostTags": [], "name": "my_agent_policy"}, "type": "policy"}} When the request is sent Then the response status is 409 Conflict - @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + @team:DataDog/k9-cws-backend Scenario: Create a Workload Protection policy returns "OK" response Given new "CreateCSMThreatsAgentPolicy" request And body with value {"data": {"attributes": {"description": "My agent policy", "enabled": true, "hostTagsLists": [["env:test"]], "name": "my_agent_policy_2"}, "type": "policy"}} When the request is sent Then the response status is 200 OK - @replay-only @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + @replay-only @team:DataDog/k9-cws-backend Scenario: Delete a Workload Protection agent rule (US1-FED) returns "Not Found" response Given new "DeleteCloudWorkloadSecurityAgentRule" request And request contains "agent_rule_id" parameter with value "non-existent-rule-id" When the request is sent Then the response status is 404 Not Found - @replay-only @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + 
@replay-only @team:DataDog/k9-cws-backend Scenario: Delete a Workload Protection agent rule (US1-FED) returns "OK" response Given there is a valid "agent_rule" in the system And new "DeleteCloudWorkloadSecurityAgentRule" request @@ -113,14 +113,14 @@ Feature: CSM Threats When the request is sent Then the response status is 204 OK - @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + @team:DataDog/k9-cws-backend Scenario: Delete a Workload Protection agent rule returns "Not Found" response Given new "DeleteCSMThreatsAgentRule" request And request contains "agent_rule_id" parameter with value "non-existent-rule-id" When the request is sent Then the response status is 404 Not Found - @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + @team:DataDog/k9-cws-backend Scenario: Delete a Workload Protection agent rule returns "OK" response Given there is a valid "policy_rc" in the system And there is a valid "agent_rule_rc" in the system @@ -130,14 +130,14 @@ Feature: CSM Threats When the request is sent Then the response status is 204 OK - @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + @team:DataDog/k9-cws-backend Scenario: Delete a Workload Protection policy returns "Not Found" response Given new "DeleteCSMThreatsAgentPolicy" request And request contains "policy_id" parameter with value "non-existent-policy-id" When the request is sent Then the response status is 404 Not Found - @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + @team:DataDog/k9-cws-backend Scenario: Delete a Workload Protection policy returns "OK" response Given there is a valid "policy_rc" in the system And new "DeleteCSMThreatsAgentPolicy" request 
@@ -145,26 +145,26 @@ Feature: CSM Threats When the request is sent Then the response status is 204 OK - @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + @team:DataDog/k9-cws-backend Scenario: Download the Workload Protection policy (US1-FED) returns "OK" response Given new "DownloadCloudWorkloadPolicyFile" request When the request is sent Then the response status is 200 OK - @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + @team:DataDog/k9-cws-backend Scenario: Download the Workload Protection policy returns "OK" response Given new "DownloadCSMThreatsPolicy" request When the request is sent Then the response status is 200 OK - @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + @team:DataDog/k9-cws-backend Scenario: Get a Workload Protection agent rule (US1-FED) returns "Not Found" response Given new "GetCloudWorkloadSecurityAgentRule" request And request contains "agent_rule_id" parameter with value "abc-def-ghi" When the request is sent Then the response status is 404 Not Found - @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + @team:DataDog/k9-cws-backend Scenario: Get a Workload Protection agent rule (US1-FED) returns "OK" response Given there is a valid "agent_rule" in the system And new "GetCloudWorkloadSecurityAgentRule" request 
@@ -172,14 +172,14 @@ Feature: CSM Threats When the request is sent Then the response status is 200 OK - @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + @team:DataDog/k9-cws-backend Scenario: Get a Workload Protection agent rule returns "Not Found" response Given new "GetCSMThreatsAgentRule" request And request contains "agent_rule_id" parameter with value "abc-def-ghi" When the request is sent Then the response status is 404 Not Found - @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + @team:DataDog/k9-cws-backend Scenario: Get a Workload Protection agent rule returns "OK" response Given there is a valid "policy_rc" in the system And there is a valid "agent_rule_rc" in the system @@ -189,14 +189,14 @@ Feature: CSM Threats When the request is sent Then the response status is 200 OK - @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + @team:DataDog/k9-cws-backend Scenario: Get a Workload Protection policy returns "Not Found" response Given new "GetCSMThreatsAgentPolicy" request And request contains "policy_id" parameter with value "non-existent-policy-id" When the request is sent Then the response status is 404 Not Found - @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + @team:DataDog/k9-cws-backend Scenario: Get a Workload Protection policy returns "OK" response Given there is a valid "policy_rc" in the system And new "GetCSMThreatsAgentPolicy" request 
@@ -204,25 +204,25 @@ Feature: CSM Threats When the request is sent Then the response status is 200 OK - @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + @team:DataDog/k9-cws-backend Scenario: Get all Workload Protection agent rules (US1-FED) returns "OK" response Given new "ListCloudWorkloadSecurityAgentRules" request When the request is sent Then the response status is 200 OK - @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + @team:DataDog/k9-cws-backend Scenario: Get all Workload Protection agent rules returns "OK" response Given new "ListCSMThreatsAgentRules" request When the request is sent Then the response status is 200 OK - @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + @team:DataDog/k9-cws-backend Scenario: Get all Workload Protection policies returns "OK" response Given new "ListCSMThreatsAgentPolicies" request When the request is sent Then the response status is 200 OK - @replay-only @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + @replay-only @team:DataDog/k9-cws-backend Scenario: Update a Workload Protection agent rule (US1-FED) returns "Bad Request" response Given there is a valid "agent_rule" in the system And new "UpdateCloudWorkloadSecurityAgentRule" request @@ -231,7 +231,7 @@ Feature: CSM Threats When the request is sent Then the response status is 400 Bad Request - @skip @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + @skip @team:DataDog/k9-cws-backend Scenario: Update a Workload Protection agent rule (US1-FED) returns "Concurrent Modification" response Given there is a valid "agent_rule" in the system And new "UpdateCloudWorkloadSecurityAgentRule" request 
@@ -240,7 +240,7 @@ Feature: CSM Threats When the request is sent Then the response status is 409 Concurrent Modification - @replay-only @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + @replay-only @team:DataDog/k9-cws-backend Scenario: Update a Workload Protection agent rule (US1-FED) returns "Not Found" response Given new "UpdateCloudWorkloadSecurityAgentRule" request And request contains "agent_rule_id" parameter with value "non-existent-rule-id" @@ -248,7 +248,7 @@ Feature: CSM Threats When the request is sent Then the response status is 404 Not Found - @replay-only @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + @replay-only @team:DataDog/k9-cws-backend Scenario: Update a Workload Protection agent rule (US1-FED) returns "OK" response Given there is a valid "agent_rule" in the system And new "UpdateCloudWorkloadSecurityAgentRule" request @@ -257,7 +257,7 @@ Feature: CSM Threats When the request is sent Then the response status is 200 OK - @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + @team:DataDog/k9-cws-backend Scenario: Update a Workload Protection agent rule returns "Bad Request" response Given there is a valid "policy_rc" in the system And there is a valid "agent_rule_rc" in the system @@ -267,7 +267,7 @@ Feature: CSM Threats When the request is sent Then the response status is 400 Bad Request - @skip @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + @skip @team:DataDog/k9-cws-backend Scenario: Update a Workload Protection agent rule returns "Concurrent Modification" response Given there is a valid "agent_rule_rc" in the system And there is a valid "policy_rc" in the system 
@@ -277,7 +277,7 @@ Feature: CSM Threats When the request is sent Then the response status is 409 Concurrent Modification - @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + @team:DataDog/k9-cws-backend Scenario: Update a Workload Protection agent rule returns "Not Found" response Given there is a valid "policy_rc" in the system And new "UpdateCSMThreatsAgentRule" request @@ -286,7 +286,7 @@ Feature: CSM Threats When the request is sent Then the response status is 404 Not Found - @skip @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + @skip @team:DataDog/k9-cws-backend Scenario: Update a Workload Protection agent rule returns "OK" response Given there is a valid "policy_rc" in the system And there is a valid "agent_rule_rc" in the system @@ -297,7 +297,7 @@ Feature: CSM Threats When the request is sent Then the response status is 200 OK - @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + @team:DataDog/k9-cws-backend Scenario: Update a Workload Protection policy returns "Bad Request" response Given there is a valid "policy_rc" in the system And new "UpdateCSMThreatsAgentPolicy" request @@ -306,7 +306,7 @@ Feature: CSM Threats When the request is sent Then the response status is 400 Bad Request - @skip @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + @skip @team:DataDog/k9-cws-backend Scenario: Update a Workload Protection policy returns "Concurrent Modification" response Given there is a valid "policy_rc" in the system And new "UpdateCSMThreatsAgentPolicy" request 
@@ -315,7 +315,7 @@ Feature: CSM Threats When the request is sent Then the response status is 409 Concurrent Modification - @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + @team:DataDog/k9-cws-backend Scenario: Update a Workload Protection policy returns "Not Found" response Given new "UpdateCSMThreatsAgentPolicy" request And request contains "policy_id" parameter with value "non-existent-policy-id" @@ -323,7 +323,7 @@ Feature: CSM Threats When the request is sent Then the response status is 404 Bad Request - @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend + @team:DataDog/k9-cws-backend Scenario: Update a Workload Protection policy returns "OK" response Given there is a valid "policy_rc" in the system And new "UpdateCSMThreatsAgentPolicy" request diff --git a/tests/v2/features/security_monitoring.feature b/tests/v2/features/security_monitoring.feature index 791d52de64..afd6da263a 100644 --- a/tests/v2/features/security_monitoring.feature +++ b/tests/v2/features/security_monitoring.feature @@ -9,7 +9,7 @@ Feature: Security Monitoring And a valid "appKeyAuth" key in the system And an instance of "SecurityMonitoring" API - @generated @skip @team:DataDog/k9-cloud-security-platform + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Activate content pack returns "Accepted" response Given operation "ActivateContentPack" enabled And new "ActivateContentPack" request @@ -17,7 +17,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 202 Accepted - @generated @skip @team:DataDog/k9-cloud-security-platform + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Activate content pack returns "Not Found" response Given operation "ActivateContentPack" enabled And new "ActivateContentPack" request 
@@ -99,21 +99,21 @@ Feature: Security Monitoring And the response "data.attributes.insights" has item with field "resource_id" with value "ZGZhMDI3ZjdjMDM3YjJmNzcxNTlhZGMwMjdmZWNiNTZ-MTVlYTNmYWU3NjNlOTNlYTE2YjM4N2JmZmI4Yjk5N2Y=" And the response "data.attributes.insights" has item with field "resource_id" with value "MmUzMzZkODQ2YTI3NDU0OTk4NDk3NzhkOTY5YjU2Zjh-YWJjZGI1ODI4OTYzNWM3ZmUwZTBlOWRkYTRiMGUyOGQ=" - @skip @team:DataDog/k9-cloud-security-platform + @skip @team:DataDog/k9-cloud-siem Scenario: Bulk export security monitoring rules returns "Bad Request" response Given new "BulkExportSecurityMonitoringRules" request And body with value {"data": {"attributes": {"ruleIds": []}, "type": "security_monitoring_rules_bulk_export"}} When the request is sent Then the response status is 400 Bad Request - @skip @team:DataDog/k9-cloud-security-platform + @skip @team:DataDog/k9-cloud-siem Scenario: Bulk export security monitoring rules returns "Not Found" response Given new "BulkExportSecurityMonitoringRules" request And body with value {"data": {"attributes": {"ruleIds": ["non-existent-rule-id"]}, "type": "security_monitoring_rules_bulk_export"}} When the request is sent Then the response status is 404 Not Found - @team:DataDog/k9-cloud-security-platform + @team:DataDog/k9-cloud-siem Scenario: Bulk export security monitoring rules returns "OK" response Given there is a valid "security_rule" in the system And new "BulkExportSecurityMonitoringRules" request @@ -121,7 +121,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 200 OK - @skip @team:DataDog/k9-cloud-security-platform + @skip @team:DataDog/k9-cloud-siem Scenario: Bulk update triage assignee of security signals returns "Bad Request" response Given operation "BulkEditSecurityMonitoringSignalsAssignee" enabled And new "BulkEditSecurityMonitoringSignalsAssignee" request 
@@ -129,14 +129,14 @@ Feature: Security Monitoring When the request is sent Then the response status is 400 Bad Request - @generated @skip @team:DataDog/k9-cloud-security-platform + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Bulk update triage assignee of security signals returns "OK" response Given new "BulkEditSecurityMonitoringSignalsAssignee" request And body with value {"data": [{"attributes": {"assignee": "773b045d-ccf8-4808-bd3b-955ef6a8c940"}, "id": "AAAAAWgN8Xwgr1vKDQAAAABBV2dOOFh3ZzZobm1mWXJFYTR0OA", "type": "signal"}]} When the request is sent Then the response status is 200 OK - @skip @team:DataDog/k9-cloud-security-platform + @skip @team:DataDog/k9-cloud-siem Scenario: Bulk update triage state of security signals returns "Bad Request" response Given operation "BulkEditSecurityMonitoringSignalsState" enabled And new "BulkEditSecurityMonitoringSignalsState" request @@ -144,14 +144,14 @@ Feature: Security Monitoring When the request is sent Then the response status is 400 Bad Request - @generated @skip @team:DataDog/k9-cloud-security-platform + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Bulk update triage state of security signals returns "OK" response Given new "BulkEditSecurityMonitoringSignalsState" request And body with value {"data": [{"attributes": {"archive_reason": "none", "state": "open"}, "id": "AAAAAWgN8Xwgr1vKDQAAAABBV2dOOFh3ZzZobm1mWXJFYTR0OA", "type": "signal"}]} When the request is sent Then the response status is 200 OK - @team:DataDog/k9-cloud-security-platform + @team:DataDog/k9-cloud-siem Scenario: Cancel a historical job returns "Bad Request" response Given operation "CancelThreatHuntingJob" enabled And new "CancelThreatHuntingJob" request 
@@ -159,7 +159,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 400 Bad Request - @team:DataDog/k9-cloud-security-platform + @team:DataDog/k9-cloud-siem Scenario: Cancel a historical job returns "Not Found" response Given operation "CancelThreatHuntingJob" enabled And new "CancelThreatHuntingJob" request @@ -167,7 +167,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 404 Not Found - @team:DataDog/k9-cloud-security-platform + @team:DataDog/k9-cloud-siem Scenario: Cancel a historical job returns "OK" response Given operation "CancelThreatHuntingJob" enabled And operation "RunThreatHuntingJob" enabled @@ -177,7 +177,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 204 No Content - @generated @skip @team:DataDog/k9-cloud-security-platform + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Cancel a threat hunting job returns "Bad Request" response Given operation "CancelThreatHuntingJob" enabled And new "CancelThreatHuntingJob" request @@ -185,7 +185,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 400 Bad Request - @generated @skip @team:DataDog/k9-cloud-security-platform + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Cancel a threat hunting job returns "Conflict" response Given operation "CancelThreatHuntingJob" enabled And new "CancelThreatHuntingJob" request @@ -193,7 +193,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 409 Conflict - @generated @skip @team:DataDog/k9-cloud-security-platform + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Cancel a threat hunting job returns "Not Found" response Given operation "CancelThreatHuntingJob" enabled And new "CancelThreatHuntingJob" request 
@@ -201,7 +201,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 404 Not Found - @generated @skip @team:DataDog/k9-cloud-security-platform + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Cancel a threat hunting job returns "OK" response Given operation "CancelThreatHuntingJob" enabled And new "CancelThreatHuntingJob" request @@ -209,7 +209,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 204 OK - @generated @skip @team:DataDog/k9-cloud-security-platform + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Change the related incidents of a security signal returns "Bad Request" response Given new "EditSecurityMonitoringSignalIncidents" request And request contains "signal_id" parameter from "REPLACE.ME" @@ -217,7 +217,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 400 Bad Request - @generated @skip @team:DataDog/k9-cloud-security-platform + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Change the related incidents of a security signal returns "Not Found" response Given new "EditSecurityMonitoringSignalIncidents" request And request contains "signal_id" parameter from "REPLACE.ME" @@ -225,7 +225,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 404 Not Found - @replay-only @team:DataDog/k9-cloud-security-platform + @replay-only @team:DataDog/k9-cloud-siem Scenario: Change the related incidents of a security signal returns "OK" response Given new "EditSecurityMonitoringSignalIncidents" request And request contains "signal_id" parameter with value "AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE" 
@@ -233,7 +233,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 200 OK - @generated @skip @team:DataDog/k9-cloud-security-platform + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Change the triage state of a security signal returns "Bad Request" response Given new "EditSecurityMonitoringSignalState" request And request contains "signal_id" parameter from "REPLACE.ME" @@ -241,7 +241,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 400 Bad Request - @generated @skip @team:DataDog/k9-cloud-security-platform + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Change the triage state of a security signal returns "Not Found" response Given new "EditSecurityMonitoringSignalState" request And request contains "signal_id" parameter from "REPLACE.ME" @@ -249,7 +249,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 404 Not Found - @replay-only @team:DataDog/k9-cloud-security-platform + @replay-only @team:DataDog/k9-cloud-siem Scenario: Change the triage state of a security signal returns "OK" response Given new "EditSecurityMonitoringSignalState" request And request contains "signal_id" parameter with value "AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE" @@ -257,7 +257,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 200 OK - @team:DataDog/k9-cloud-security-platform + @team:DataDog/k9-cloud-siem Scenario: Convert a job result to a signal returns "Bad Request" response Given operation "ConvertJobResultToSignal" enabled And new "ConvertJobResultToSignal" request 
@@ -265,7 +265,7 @@ Feature: Security Monitoring
     When the request is sent
     Then the response status is 400 Bad Request
 
-  @generated @skip @team:DataDog/k9-cloud-security-platform
+  @generated @skip @team:DataDog/k9-cloud-siem
   Scenario: Convert a job result to a signal returns "Not Found" response
     Given operation "ConvertJobResultToSignal" enabled
     And new "ConvertJobResultToSignal" request
@@ -273,7 +273,7 @@ Feature: Security Monitoring
     When the request is sent
     Then the response status is 404 Not Found
 
-  @generated @skip @team:DataDog/k9-cloud-security-platform
+  @generated @skip @team:DataDog/k9-cloud-siem
   Scenario: Convert a job result to a signal returns "OK" response
     Given operation "ConvertJobResultToSignal" enabled
     And new "ConvertJobResultToSignal" request
@@ -281,21 +281,21 @@ Feature: Security Monitoring
     When the request is sent
     Then the response status is 204 OK
 
-  @skip @team:DataDog/k9-cloud-security-platform
+  @skip @team:DataDog/k9-cloud-siem
   Scenario: Convert a rule from JSON to Terraform returns "Bad Request" response
     Given new "ConvertSecurityMonitoringRuleFromJSONToTerraform" request
     And body with value {"name":"{{ unique }}", "queries":[{"query":"@test:true","aggregation":"count","groupByFields":[],"distinctFields":[],"metric":""}],"filters":[],"cases":[{"name":"","status":"info","condition":"a > 0","notifications":[]}],"options":{"evaluationWindow":900,"keepAlive":3600,"maxSignalDuration":86400},"message":"Test rule","tags":[],"isEnabled":true, "type":"log_detection"}
     When the request is sent
     Then the response status is 400 Bad Request
 
-  @skip @team:DataDog/k9-cloud-security-platform
+  @skip @team:DataDog/k9-cloud-siem
   Scenario: Convert a rule from JSON to Terraform returns "Not Found" response
     Given new "ConvertSecurityMonitoringRuleFromJSONToTerraform" request
     And body with value {"name":"{{ unique }}", "queries":[{"query":"@test:true","aggregation":"count","groupByFields":[],"distinctFields":[],"metric":""}],"filters":[],"cases":[{"name":"","status":"info","condition":"a > 0","notifications":[]}],"options":{"evaluationWindow":900,"keepAlive":3600,"maxSignalDuration":86400},"message":"Test rule","tags":[],"isEnabled":true, "type":"log_detection"}
     When the request is sent
     Then the response status is 404 Not Found
 
-  @team:DataDog/k9-cloud-security-platform
+  @team:DataDog/k9-cloud-siem
   Scenario: Convert a rule from JSON to Terraform returns "OK" response
     Given new "ConvertSecurityMonitoringRuleFromJSONToTerraform" request
     And body with value {"name":"_{{ unique_hash }}", "queries":[{"query":"@test:true","aggregation":"count","groupByFields":[],"distinctFields":[],"metric":""}],"filters":[],"cases":[{"name":"","status":"info","condition":"a > 
0","notifications":[]}],"options":{"evaluationWindow":900,"keepAlive":3600,"maxSignalDuration":86400},"message":"Test rule","tags":[],"isEnabled":true, "type":"log_detection"}
@@ -303,21 +303,21 @@ Feature: Security Monitoring
     Then the response status is 200 OK
     And the response "terraformContent" is equal to "resource \"datadog_security_monitoring_rule\" \"_{{ unique_hash }}\" {\n\tname = \"_{{ unique_hash }}\"\n\tenabled = true\n\tquery {\n\t\tquery = \"@test:true\"\n\t\tgroup_by_fields = []\n\t\thas_optional_group_by_fields = false\n\t\tdistinct_fields = []\n\t\taggregation = \"count\"\n\t\tname = \"\"\n\t\tdata_source = \"logs\"\n\t}\n\toptions {\n\t\tkeep_alive = 3600\n\t\tmax_signal_duration = 86400\n\t\tdetection_method = \"threshold\"\n\t\tevaluation_window = 900\n\t}\n\tcase {\n\t\tname = \"\"\n\t\tstatus = \"info\"\n\t\tnotifications = []\n\t\tcondition = \"a > 0\"\n\t}\n\tmessage = \"Test rule\"\n\ttags = []\n\thas_extended_title = false\n\ttype = \"log_detection\"\n}\n"
 
-  @skip @team:DataDog/k9-cloud-security-platform
+  @skip @team:DataDog/k9-cloud-siem
   Scenario: Convert an existing rule from JSON to Terraform returns "Bad Request" response
     Given new "ConvertExistingSecurityMonitoringRule" request
     And request contains "rule_id" parameter from "REPLACE.ME"
     When the request is sent
     Then the response status is 400 Bad Request
 
-  @skip @team:DataDog/k9-cloud-security-platform
+  @skip @team:DataDog/k9-cloud-siem
   Scenario: Convert an existing rule from JSON to Terraform returns "Not Found" response
     Given new "ConvertExistingSecurityMonitoringRule" request
     And request contains "rule_id" parameter from "REPLACE.ME"
     When the request is sent
     Then the response status is 404 Not Found
 
-  @team:DataDog/k9-cloud-security-platform
+  @team:DataDog/k9-cloud-siem
   Scenario: Convert an existing rule from JSON to Terraform returns "OK" response
     Given new "ConvertExistingSecurityMonitoringRule" request
     And there is a valid "security_rule_hash" in the system
@@ -398,7 +398,7 @@ Feature: Security Monitoring
     When the request is sent
     Then the response status is 404 Not Found
 
-  @skip-validation @team:DataDog/k9-cloud-security-platform
+  @skip-validation @team:DataDog/k9-cloud-siem
   Scenario: Create a cloud_configuration rule returns "OK" response
     Given new "CreateSecurityMonitoringRule" request
     And body with value {"type":"cloud_configuration","name":"{{ unique }}_cloud","isEnabled":false,"cases":[{"status":"info","notifications":["channel"]}],"options":{"complianceRuleOptions":{"resourceType":"gcp_compute_disk","complexRule": false,"regoRule":{"policy":"package datadog\n\nimport data.datadog.output as dd_output\n\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\nmilliseconds_in_a_day := ((1000 * 60) * 60) * 24\n\neval(iam_service_account_key) = \"skip\" if {\n\tiam_service_account_key.disabled\n} else = \"pass\" if {\n\t(iam_service_account_key.resource_seen_at / milliseconds_in_a_day) - (iam_service_account_key.valid_after_time / milliseconds_in_a_day) <= 90\n} else = \"fail\"\n\n# This part remains unchanged for all rules\nresults contains result if {\n\tsome resource in input.resources[input.main_resource_type]\n\tresult := dd_output.format(resource, eval(resource))\n}\n","resourceTypes":["gcp_compute_disk"]}}},"message":"ddd","tags":["my:tag"],"complianceSignalOptions":{"userActivationStatus":true,"userGroupByFields":["@account_id"]},"filters":[{"action":"require","query":"resource_id:helo*"},{"action":"suppress","query":"control:helo*"}]}
@@ -409,21 +409,21 @@ Feature: Security Monitoring
     And the response "message" is equal to "ddd"
     And the response "options.complianceRuleOptions.resourceType" is equal to "gcp_compute_disk"
 
-  @skip @team:DataDog/k9-cloud-security-platform
+  @skip @team:DataDog/k9-cloud-siem
   Scenario: Create a critical asset returns "Bad Request" response
     Given new "CreateSecurityMonitoringCriticalAsset" request
     And body with value {"data": {"type": "critical_assets", "attributes": {"query": "host:test"}}}
     When the request is sent
     Then the response status is 400 Bad Request
 
-  @generated @skip @team:DataDog/k9-cloud-security-platform
+  @generated @skip @team:DataDog/k9-cloud-siem
   Scenario: Create a critical asset returns "Conflict" response
     Given new "CreateSecurityMonitoringCriticalAsset" request
     And body with value {"data": {"attributes": {"enabled": true, "query": "security:monitoring", "rule_query": "type:(log_detection OR signal_correlation OR workload_security OR application_security) source:cloudtrail", "severity": "increase", "tags": ["team:database", "source:cloudtrail"]}, "type": "critical_assets"}}
     When the request is sent
     Then the response status is 409 Conflict
 
-  @skip-validation @team:DataDog/k9-cloud-security-platform
+  @skip-validation @team:DataDog/k9-cloud-siem
   Scenario: Create a critical asset returns "OK" response
     Given new "CreateSecurityMonitoringCriticalAsset" request
     And body with value {"data": {"type": "critical_assets", "attributes": {"query": "host:{{ unique_lower_alnum }}", "rule_query": "type:(log_detection OR signal_correlation OR workload_security OR application_security) source:cloudtrail", "severity": "decrease", "tags": ["team:security", "env:test"]}}}
@@ -432,14 +432,14 @@ Feature: Security Monitoring
     And the response "data.type" is equal to "critical_assets"
     And the response "data.attributes.severity" is equal to "decrease"
 
-  @team:DataDog/k9-cloud-security-platform
+  @team:DataDog/k9-cloud-siem
   Scenario: Create a custom framework returns "Bad Request" response
     Given new "CreateCustomFramework" request
     And body with value {"data":{"type":"custom_framework","attributes":{"name":"name","handle":"","version":"10","icon_url":"test-url","requirements":[{"name":"requirement","controls":[{"name":"control","rules_id":["def-000-be9"]}]}]}}}
     When the request is sent
     Then the response status is 400 Bad Request
 
-  @replay-only @skip-terraform-config @team:DataDog/k9-cloud-security-platform
+  @replay-only @skip-terraform-config @team:DataDog/k9-cloud-siem
   Scenario: Create a custom framework returns "Conflict" response
     Given there is a valid "custom_framework" in the system
     And new "CreateCustomFramework" request
@@ -447,21 +447,21 @@ Feature: Security Monitoring
     When the request is sent
     Then the response status is 409 Conflict
 
-  @replay-only @skip-terraform-config @team:DataDog/k9-cloud-security-platform
+  @replay-only @skip-terraform-config @team:DataDog/k9-cloud-siem
   Scenario: Create a custom framework returns "OK" response
     Given new "CreateCustomFramework" request
     And body with value {"data":{"type":"custom_framework","attributes":{"name":"name","handle":"create-framework-new","version":"10","icon_url":"test-url","requirements":[{"name":"requirement","controls":[{"name":"control","rules_id":["def-000-be9"]}]}]}}}
     When the request is sent
     Then the response status is 200 OK
 
-  @skip @team:DataDog/k9-cloud-security-platform
+  @skip @team:DataDog/k9-cloud-siem
   Scenario: Create a detection rule returns "Bad Request" response
     Given new "CreateSecurityMonitoringRule" request
     And body with value {"name":"{{ unique }}", "queries":[{"query":""}],"cases":[{"status":"info"}],"options":{},"message":"Test rule","tags":[],"isEnabled":true}
     When the request is sent
     Then the response status is 400 Bad Request
 
-  @skip-validation @team:DataDog/k9-cloud-security-platform
+  @skip-validation @team:DataDog/k9-cloud-siem
   Scenario: Create a detection rule returns "OK" response
     Given new "CreateSecurityMonitoringRule" request
     And body with value {"name":"{{ unique }}", "queries":[{"query":"@test:true","aggregation":"count","groupByFields":[],"distinctFields":[],"metric":""}],"filters":[],"cases":[{"name":"","status":"info","condition":"a > 0","notifications":[]}],"options":{"evaluationWindow":900,"keepAlive":3600,"maxSignalDuration":86400},"message":"Test rule","tags":[],"isEnabled":true, "type":"log_detection", "referenceTables":[{"tableName": "synthetics_test_reference_table_dont_delete", "columnName": "value", "logFieldPath":"testtag", "checkPresence":true, "ruleQueryName":"a"}]}
@@ -472,7 +472,7 @@ Feature: Security Monitoring
     And the response "message" is equal to "Test rule"
     And the response "referenceTables" is equal to [{"tableName": "synthetics_test_reference_table_dont_delete", "columnName": "value", "logFieldPath":"testtag", "checkPresence":true, "ruleQueryName":"a"}]
 
-  @team:DataDog/k9-cloud-security-platform
+  @team:DataDog/k9-cloud-siem
   Scenario: Create a detection rule with detection method 'anomaly_detection' returns "OK" response
     Given new "CreateSecurityMonitoringRule" request
     And body with value {"name":"{{ unique }}","type":"log_detection","isEnabled":true,"queries":[{"aggregation":"count","dataSource":"logs","distinctFields":[],"groupByFields":["@usr.email","@network.client.ip"],"hasOptionalGroupByFields":false,"name":"","query":"service:app status:error"}],"cases":[{"name":"","status":"info","notifications":[],"condition":"a > 0.995"}],"message":"An anomaly detection rule","options":{"detectionMethod":"anomaly_detection","evaluationWindow":900,"keepAlive":3600,"maxSignalDuration":86400,"anomalyDetectionOptions":{"bucketDuration":300,"learningDuration":24,"detectionTolerance":3,"learningPeriodBaseline":10}},"tags":[],"filters":[]}
@@ -486,7 +486,7 @@ Feature: Security Monitoring
     And the response "options.anomalyDetectionOptions.learningPeriodBaseline" is equal to 10
     And the response "options.anomalyDetectionOptions.detectionTolerance" is equal to 3
 
-  @team:DataDog/k9-cloud-security-platform
+  @team:DataDog/k9-cloud-siem
   Scenario: Create a detection rule with detection method 'anomaly_detection' with enabled feature 'instantaneousBaseline' returns "OK" response
     Given new "CreateSecurityMonitoringRule" request
     And body with value {"name":"{{ unique }}","type":"log_detection","isEnabled":true,"queries":[{"aggregation":"count","dataSource":"logs","distinctFields":[],"groupByFields":["@usr.email","@network.client.ip"],"hasOptionalGroupByFields":false,"name":"","query":"service:app status:error"}],"cases":[{"name":"","status":"info","notifications":[],"condition":"a > 0.995"}],"message":"An anomaly detection rule","options":{"detectionMethod":"anomaly_detection","evaluationWindow":900,"keepAlive":3600,"maxSignalDuration":86400,"anomalyDetectionOptions":{"bucketDuration":300,"learningDuration":24,"detectionTolerance":3,"instantaneousBaseline":true}},"tags":[],"filters":[]}
@@ -497,7 +497,7 @@ Feature: Security Monitoring
     And the response "options.detectionMethod" is equal to "anomaly_detection"
     And the response "options.anomalyDetectionOptions.instantaneousBaseline" is equal to true
 
-  @team:DataDog/k9-cloud-security-platform
+  @team:DataDog/k9-cloud-siem
   Scenario: Create a detection rule with detection method 'sequence_detection' returns "OK" response
     Given new "CreateSecurityMonitoringRule" request
     And body with value {"name":"{{ unique }}","type":"log_detection","isEnabled":true,"queries":[{"aggregation":"count","dataSource":"logs","distinctFields":[],"groupByFields":[],"hasOptionalGroupByFields":false,"name":"","query":"service:logs-rule-reducer source:paul test2"},{"aggregation":"count","dataSource":"logs","distinctFields":[],"groupByFields":[],"hasOptionalGroupByFields":false,"name":"","query":"service:logs-rule-reducer source:paul test1"}],"cases":[{"name":"","status":"info","notifications":[],"condition":"step_b > 0"}],"message":"Logs and signals asdf","options":{"detectionMethod":"sequence_detection","evaluationWindow":0,"keepAlive":300,"maxSignalDuration":600,"sequenceDetectionOptions":{"stepTransitions":[{"child":"step_b","evaluationWindow":900,"parent":"step_a"}],"steps":[{"condition":"a > 0","evaluationWindow":60,"name":"step_a"},{"condition":"b > 0","evaluationWindow":60,"name":"step_b"}]}},"tags":[]}
@@ -507,7 +507,7 @@ Feature: Security Monitoring
     And the response "type" is equal to "log_detection"
     And the response "options.detectionMethod" is equal to "sequence_detection"
 
-  @team:DataDog/k9-cloud-security-platform
+  @team:DataDog/k9-cloud-siem
   Scenario: Create a detection rule with detection method 'third_party' returns "OK" response
     Given new "CreateSecurityMonitoringRule" request
     And body with value {"name":"{{ unique }}","type":"log_detection","isEnabled":true,"thirdPartyCases":[{"query":"status:error","name":"high","status":"high"},{"query":"status:info","name":"low","status":"low"}],"queries":[],"cases":[],"message":"This is a third party rule","options":{"detectionMethod":"third_party","keepAlive":0,"maxSignalDuration":600,"thirdPartyRuleOptions":{"defaultStatus":"info","rootQueries":[{"query":"source:guardduty @details.alertType:*EC2*", "groupByFields":["instance-id"]},{"query":"source:guardduty", "groupByFields":[]}]}}}
@@ -518,7 +518,7 @@ Feature: Security Monitoring
     And the response "options.detectionMethod" is equal to "third_party"
     And the response "thirdPartyCases[0].query" is equal to "status:error"
 
-  @skip-validation @team:DataDog/k9-cloud-security-platform
+  @skip-validation @team:DataDog/k9-cloud-siem
   Scenario: Create a detection rule with type 'application_security 'returns "OK" response
     Given new "CreateSecurityMonitoringRule" request
     And body with value {"type":"application_security","name":"{{unique}}_appsec_rule","queries":[{"query":"@appsec.security_activity:business_logic.users.login.failure","aggregation":"count","groupByFields":["service","@http.client_ip"],"distinctFields":[]}],"filters":[],"cases":[{"name":"","status":"info","notifications":[],"condition":"a > 100000","actions":[{"type":"block_ip","options":{"duration":900}}, {"type":"user_behavior","options":{"userBehaviorName":"behavior"}}, {"type":"flag_ip","options":{"flaggedIPType":"FLAGGED"}}]}],"options":{"keepAlive":3600,"maxSignalDuration":86400,"evaluationWindow":900,"detectionMethod":"threshold"},"isEnabled":true,"message":"Test rule","tags":[],"groupSignalsBy":["service"]}
@@ -528,7 +528,7 @@ Feature: Security Monitoring
     And the response "type" is equal to "application_security"
     And the response "message" is equal to "Test rule"
 
-  @skip-validation @team:DataDog/k9-cloud-security-platform
+  @skip-validation @team:DataDog/k9-cloud-siem
   Scenario: Create a detection rule with type 'impossible_travel' returns "OK" response
     Given new "CreateSecurityMonitoringRule" request
     And body with value {"queries":[{"aggregation":"geo_data","groupByFields":["@usr.id"],"distinctFields":[],"metric":"@network.client.geoip","query":"*"}],"cases":[{"name":"","status":"info","notifications":[]}],"hasExtendedTitle":true,"message":"test","isEnabled":true,"options":{"maxSignalDuration":86400,"evaluationWindow":900,"keepAlive":3600,"detectionMethod":"impossible_travel","impossibleTravelOptions":{"baselineUserLocations":false}},"name":"{{ unique }}","type":"log_detection","tags":[],"filters":[]}
@@ -539,7 +539,7 @@ Feature: Security Monitoring
     And the response "message" is equal to "test"
     And the response "options.detectionMethod" is equal to "impossible_travel"
 
-  @skip-validation @team:DataDog/k9-cloud-security-platform
+  @skip-validation @team:DataDog/k9-cloud-siem
   Scenario: Create a detection rule with type 'signal_correlation' returns "OK" response
     Given there is a valid "security_rule" in the system
     And there is a valid "security_rule_bis" in the system
@@ -552,7 +552,7 @@ Feature: Security Monitoring
     And the response "message" is equal to "Test signal correlation rule"
     And the response "isEnabled" is equal to true
 
-  @skip-validation @team:DataDog/k9-cloud-security-platform
+  @skip-validation @team:DataDog/k9-cloud-siem
   Scenario: Create a detection rule with type 'workload_security' returns "OK" response
     Given new "CreateSecurityMonitoringRule" request
     And body with value {"name":"{{ unique }}", "queries":[{"query":"@test:true","aggregation":"count","groupByFields":[],"distinctFields":[],"metric":""}],"filters":[],"cases":[{"name":"","status":"info","condition":"a > 0","notifications":[]}],"options":{"evaluationWindow":900,"keepAlive":3600,"maxSignalDuration":86400},"message":"Test rule","tags":[],"isEnabled":true, "type": "workload_security"}
@@ -591,7 +591,7 @@ Feature: Security Monitoring
     When the request is sent
     Then the response status is 201 Successfully created the notification rule.
 
-  @team:DataDog/k9-cloud-security-platform
+  @team:DataDog/k9-cloud-siem
   Scenario: Create a scheduled detection rule returns "OK" response
     Given new "CreateSecurityMonitoringRule" request
     And body with value {"name":"{{ unique }}", "queries":[{"query":"@test:true","aggregation":"count","groupByFields":[],"distinctFields":[],"indexes":["main"]}],"filters":[],"cases":[{"name":"","status":"info","condition":"a > 0","notifications":[]}],"options":{"evaluationWindow":900,"keepAlive":3600,"maxSignalDuration":86400},"message":"Test rule","tags":[],"isEnabled":true, "type":"log_detection", "schedulingOptions": {"rrule": "FREQ=HOURLY;INTERVAL=2;", "start": "2025-06-18T12:00:00", "timezone": "Europe/Paris"}}
@@ -602,28 +602,28 @@ Feature: Security Monitoring
     And the response "message" is equal to "Test rule"
     And the response "schedulingOptions" is equal to {"rrule": "FREQ=HOURLY;INTERVAL=2;", "start": "2025-06-18T12:00:00", "timezone": "Europe/Paris"}
 
-  @team:DataDog/k9-cloud-security-platform
+  @team:DataDog/k9-cloud-siem
   Scenario: Create a scheduled rule without rrule returns "Bad Request" response
     Given new "CreateSecurityMonitoringRule" request
     And body with value {"name":"{{ unique }}", "queries":[{"query":"@test:true","aggregation":"count","groupByFields":[],"distinctFields":[],"indexes":["main"]}],"filters":[],"cases":[{"name":"","status":"info","condition":"a > 0","notifications":[]}],"options":{"evaluationWindow":900,"keepAlive":3600,"maxSignalDuration":86400},"message":"Test rule","tags":[],"isEnabled":true, "type":"log_detection", "schedulingOptions": {"start": "2025-06-18T12:00:00", "timezone": "Europe/Paris"}}
     When the request is sent
     Then the response status is 400 Bad Request
 
-  @generated @skip @team:DataDog/k9-cloud-security-platform
+  @generated @skip @team:DataDog/k9-cloud-siem
   Scenario: Create a security filter returns "Bad Request" response
     Given new "CreateSecurityFilter" request
     And body with value {"data": {"attributes": {"exclusion_filters": [{"name": "Exclude staging", "query": "source:staging"}], "filtered_data_type": "logs", "is_enabled": true, "name": "Custom security filter", "query": "service:api"}, "type": "security_filters"}}
     When the request is sent
     Then the response status is 400 Bad Request
 
-  @generated @skip @team:DataDog/k9-cloud-security-platform
+  @generated @skip @team:DataDog/k9-cloud-siem
   Scenario: Create a security filter returns "Conflict" response
     Given new "CreateSecurityFilter" request
     And body with value {"data": {"attributes": {"exclusion_filters": [{"name": "Exclude staging", "query": "source:staging"}], "filtered_data_type": "logs", "is_enabled": true, "name": "Custom security filter", "query": "service:api"}, "type": 
"security_filters"}}
     When the request is sent
     Then the response status is 409 Conflict
 
-  @team:DataDog/k9-cloud-security-platform
+  @team:DataDog/k9-cloud-siem
   Scenario: Create a security filter returns "OK" response
     Given new "CreateSecurityFilter" request
     And body with value {"data": {"attributes": {"exclusion_filters": [{"name": "Exclude staging", "query": "source:staging"}], "filtered_data_type": "logs", "is_enabled": true, "name": "{{ unique }}", "query": "service:{{ unique_alnum }}"}, "type": "security_filters"}}
@@ -635,21 +635,21 @@ Feature: Security Monitoring
     And the response "data.attributes.exclusion_filters[0].name" is equal to "Exclude staging"
     And the response "data.attributes.exclusion_filters[0].query" is equal to "source:staging"
 
-  @generated @skip @team:DataDog/k9-cloud-security-platform
+  @generated @skip @team:DataDog/k9-cloud-siem
   Scenario: Create a suppression rule returns "Bad Request" response
     Given new "CreateSecurityMonitoringSuppression" request
     And body with value {"data": {"attributes": {"data_exclusion_query": "source:cloudtrail account_id:12345", "description": "This rule suppresses low-severity signals in staging environments.", "enabled": true, "expiration_date": 1703187336000, "name": "Custom suppression", "rule_query": "type:log_detection source:cloudtrail", "start_date": 1703187336000, "suppression_query": "env:staging status:low", "tags": ["technique:T1110-brute-force", "source:cloudtrail"]}, "type": "suppressions"}}
     When the request is sent
     Then the response status is 400 Bad Request
 
-  @generated @skip @team:DataDog/k9-cloud-security-platform
+  @generated @skip @team:DataDog/k9-cloud-siem
   Scenario: Create a suppression rule returns "Conflict" response
     Given new "CreateSecurityMonitoringSuppression" request
     And body with value {"data": {"attributes": {"data_exclusion_query": "source:cloudtrail account_id:12345", "description": "This rule suppresses low-severity signals in staging environments.", "enabled": true, "expiration_date": 1703187336000, "name": "Custom suppression", "rule_query": "type:log_detection source:cloudtrail", "start_date": 1703187336000, "suppression_query": "env:staging status:low", "tags": ["technique:T1110-brute-force", "source:cloudtrail"]}, "type": "suppressions"}}
     When the request is sent
     Then the response status is 409 Conflict
 
-  @skip-validation @team:DataDog/k9-cloud-security-platform
+  @skip-validation @team:DataDog/k9-cloud-siem
   Scenario: Create a suppression rule returns "OK" response
     Given new 
"CreateSecurityMonitoringSuppression" request
     And body with value {"data": {"attributes": {"description": "This rule suppresses low-severity signals in staging environments.", "enabled": true, "start_date": {{ timestamp('now + 10d') }}000, "expiration_date": {{ timestamp('now + 21d') }}000, "name": "{{ unique }}", "rule_query": "type:log_detection source:cloudtrail", "suppression_query": "env:staging status:low", "tags": ["technique:T1110-brute-force", "source:cloudtrail"]}, "type": "suppressions"}}
@@ -659,7 +659,7 @@ Feature: Security Monitoring
     And the response "data.attributes.enabled" is equal to true
     And the response "data.attributes.rule_query" is equal to "type:log_detection source:cloudtrail"
 
-  @skip-validation @team:DataDog/k9-cloud-security-platform
+  @skip-validation @team:DataDog/k9-cloud-siem
   Scenario: Create a suppression rule with an exclusion query returns "OK" response
     Given new "CreateSecurityMonitoringSuppression" request
     And body with value {"data": {"attributes": {"description": "This rule suppresses low-severity signals in staging environments.", "enabled": true, "start_date": {{ timestamp('now + 10d') }}000, "expiration_date": {{ timestamp('now + 21d') }}000, "name": "{{ unique }}", "rule_query": "type:log_detection source:cloudtrail", "data_exclusion_query": "account_id:12345"}, "type": "suppressions"}}
@@ -738,7 +738,7 @@ Feature: Security Monitoring
     When the request is sent
     Then the response status is 404 Not Found
 
-  @generated @skip @team:DataDog/k9-cloud-security-platform
+  @generated @skip @team:DataDog/k9-cloud-siem
   Scenario: Deactivate content pack returns "Accepted" response
     Given operation "DeactivateContentPack" enabled
     And new "DeactivateContentPack" request
@@ -746,7 +746,7 @@ Feature: Security Monitoring
     When the request is sent
     Then the response status is 202 Accepted
 
-  @generated @skip @team:DataDog/k9-cloud-security-platform
+  @generated @skip @team:DataDog/k9-cloud-siem
   Scenario: Deactivate content pack returns "Not Found" response
     Given operation "DeactivateContentPack" enabled
     And new "DeactivateContentPack" request
@@ -754,14 +754,14 @@ Feature: Security Monitoring
     When the request is sent
     Then the response status is 404 Not Found
 
-  @team:DataDog/k9-cloud-security-platform
+  @team:DataDog/k9-cloud-siem
   Scenario: Delete a critical asset returns "Not Found" response
     Given new "DeleteSecurityMonitoringCriticalAsset" request
     And request contains "critical_asset_id" parameter with value "00000000-0000-0000-0000-000000000000"
     When the request is sent
     Then the response status is 404 Not Found
 
-  @skip-validation @team:DataDog/k9-cloud-security-platform
+  @skip-validation @team:DataDog/k9-cloud-siem
   Scenario: Delete a critical asset returns "OK" response
     Given there is a valid "critical_asset" in the system
     And new "DeleteSecurityMonitoringCriticalAsset" request
@@ -769,7 +769,7 @@ Feature: Security Monitoring
     When the request is sent
     Then the response status is 204 OK
 
-  @team:DataDog/k9-cloud-security-platform
+  @team:DataDog/k9-cloud-siem
   Scenario: Delete a custom framework returns "Bad Request" response
     Given new "DeleteCustomFramework" request
     And request contains "handle" parameter with value "handle-does-not-exist"
@@ -777,7 +777,7 @@ Feature: Security Monitoring
     When the request is sent
     Then the response status is 400 Bad Request
 
-  @replay-only @team:DataDog/k9-cloud-security-platform
+  @replay-only @team:DataDog/k9-cloud-siem
   Scenario: Delete a custom framework returns "OK" response
     Given there is a valid "custom_framework" in the system
     And new "DeleteCustomFramework" request
@@ -786,14 +786,14 @@ Feature: Security Monitoring
     When the request is sent
     Then the response status is 200 OK
 
-  @skip @team:DataDog/k9-cloud-security-platform
+  @skip @team:DataDog/k9-cloud-siem
   Scenario: Delete a non existing rule returns "Not Found" response
     Given new "DeleteSecurityMonitoringRule" request
     And request contains "rule_id" parameter with value "ThisRuleIdProbablyDoesntExist"
     When the request is sent
     Then the response status is 404 Not Found
 
-  @skip-validation @team:DataDog/k9-cloud-security-platform
+  @skip-validation @team:DataDog/k9-cloud-siem
   Scenario: Delete a security filter returns "No Content" response
     Given there is a valid "security_filter" in the system
     And new "DeleteSecurityFilter" request
@@ -801,14 +801,14 @@ Feature: Security Monitoring
     When the request is sent
     Then the response status is 204 No Content
 
-  @generated @skip @team:DataDog/k9-cloud-security-platform
+  @generated @skip @team:DataDog/k9-cloud-siem
   Scenario: Delete a security filter returns "Not Found" response
     Given new "DeleteSecurityFilter" request
     And request contains "security_filter_id" parameter from "REPLACE.ME"
     When the request is sent
     Then the response status is 404 Not Found
 
-  @generated @skip @team:DataDog/k9-cloud-security-platform
+  @generated @skip @team:DataDog/k9-cloud-siem
   Scenario: Delete a security filter returns "OK" response
     Given new "DeleteSecurityFilter" request
     And request contains "security_filter_id" parameter from "REPLACE.ME"
@@ -830,14 +830,14 @@ Feature: Security Monitoring
     When the request is sent
     Then the response status is 204 Rule successfully deleted.
 
-  @skip @team:DataDog/k9-cloud-security-platform
+  @skip @team:DataDog/k9-cloud-siem
   Scenario: Delete a suppression rule returns "Not Found" response
     Given new "DeleteSecurityMonitoringSuppression" request
     And request contains "suppression_id" parameter with value "does-not-exist"
     When the request is sent
     Then the response status is 404 Not Found
 
-  @skip-validation @team:DataDog/k9-cloud-security-platform
+  @skip-validation @team:DataDog/k9-cloud-siem
   Scenario: Delete a suppression rule returns "OK" response
     Given there is a valid "suppression" in the system
     And new "DeleteSecurityMonitoringSuppression" request
@@ -860,7 +860,7 @@ Feature: Security Monitoring
     When the request is sent
     Then the response status is 204 Rule successfully deleted.
 
-  @team:DataDog/k9-cloud-security-platform
+  @team:DataDog/k9-cloud-siem
   Scenario: Delete an existing job returns "Bad Request" response
     Given operation "DeleteThreatHuntingJob" enabled
     And new "DeleteThreatHuntingJob" request
@@ -868,7 +868,7 @@ Feature: Security Monitoring
     When the request is sent
     Then the response status is 400 Bad Request
 
-  @generated @skip @team:DataDog/k9-cloud-security-platform
+  @generated @skip @team:DataDog/k9-cloud-siem
   Scenario: Delete an existing job returns "Conflict" response
     Given operation "DeleteThreatHuntingJob" enabled
     And new "DeleteThreatHuntingJob" request
@@ -876,7 +876,7 @@ Feature: Security Monitoring
     When the request is sent
     Then the response status is 409 Conflict
 
-  @team:DataDog/k9-cloud-security-platform
+  @team:DataDog/k9-cloud-siem
   Scenario: Delete an existing job returns "Not Found" response
     Given operation "DeleteThreatHuntingJob" enabled
     And new "DeleteThreatHuntingJob" request
@@ -884,7 +884,7 @@ Feature: Security Monitoring
     When the request is sent
     Then the response status is 404 Not Found
 
-  @generated @skip @team:DataDog/k9-cloud-security-platform
+  @generated @skip @team:DataDog/k9-cloud-siem
   Scenario: Delete an existing job returns "OK" response
     Given operation "DeleteThreatHuntingJob" enabled
     And new "DeleteThreatHuntingJob" request
@@ -892,14 +892,14 @@ Feature: Security Monitoring
     When the request is sent
     Then the response status is 204 OK
 
-  @generated @skip @team:DataDog/k9-cloud-security-platform
+  @generated @skip @team:DataDog/k9-cloud-siem
   Scenario: Delete an existing rule returns "Not Found" response
     Given new "DeleteSecurityMonitoringRule" request
     And request contains "rule_id" parameter from "REPLACE.ME"
     When the request is sent
     Then the response status is 404 Not Found
 
-  @skip-validation @team:DataDog/k9-cloud-security-platform
+  @skip-validation @team:DataDog/k9-cloud-siem
   Scenario: Delete an existing rule returns "OK" response
     Given there is a valid "security_rule" in the system
     And new "DeleteSecurityMonitoringRule" request
@@ -952,7 +952,7 @@ Feature: Security Monitoring
     When the request is sent
     Then the response status is 200 OK
 
-  @skip-validation @team:DataDog/k9-cloud-security-platform
+  @skip-validation @team:DataDog/k9-cloud-siem
   Scenario: Get a cloud configuration rule's details returns "OK" response
     Given there is a valid "cloud_configuration_rule" in the system
     And new "GetSecurityMonitoringRule" request
@@ -962,14 +962,14 @@ Feature: Security Monitoring And the response "name" is equal to "{{ unique }}_cloud" And the response "id" has the same value as "cloud_configuration_rule.id" - @team:DataDog/k9-cloud-security-platform + @team:DataDog/k9-cloud-siem Scenario: Get a critical asset returns "Not Found" response Given new "GetSecurityMonitoringCriticalAsset" request And request contains "critical_asset_id" parameter with value "00000000-0000-0000-0000-000000000000" When the request is sent Then the response status is 404 Not Found - @skip-validation @team:DataDog/k9-cloud-security-platform + @skip-validation @team:DataDog/k9-cloud-siem Scenario: Get a critical asset returns "OK" response Given new "GetSecurityMonitoringCriticalAsset" request And there is a valid "critical_asset" in the system @@ -979,7 +979,7 @@ Feature: Security Monitoring And the response "data.attributes.rule_query" has the same value as "critical_asset.data.attributes.rule_query" And the response "data.attributes.severity" is equal to "medium" - @team:DataDog/k9-cloud-security-platform + @team:DataDog/k9-cloud-siem Scenario: Get a custom framework returns "Bad Request" response Given new "GetCustomFramework" request And request contains "handle" parameter with value "frame-does-not-exist" @@ -987,7 +987,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 400 Bad Request - @replay-only @team:DataDog/k9-cloud-security-platform + @replay-only @team:DataDog/k9-cloud-siem Scenario: Get a custom framework returns "OK" response Given there is a valid "custom_framework" in the system And new "GetCustomFramework" request 
@@ -1021,7 +1021,7 @@ Feature: Security Monitoring Then the response status is 200 OK And the response "data.attributes.evaluation" is equal to "pass" - @generated @skip @team:DataDog/k9-cloud-security-platform + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Get a hist signal's details returns "Bad Request" response Given operation "GetSecurityMonitoringHistsignal" enabled And new "GetSecurityMonitoringHistsignal" request @@ -1029,7 +1029,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 400 Bad Request - @generated @skip @team:DataDog/k9-cloud-security-platform + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Get a hist signal's details returns "Not Found" response Given operation "GetSecurityMonitoringHistsignal" enabled And new "GetSecurityMonitoringHistsignal" request @@ -1037,7 +1037,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 404 Not Found - @generated @skip @team:DataDog/k9-cloud-security-platform + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Get a hist signal's details returns "OK" response Given operation "GetSecurityMonitoringHistsignal" enabled And new "GetSecurityMonitoringHistsignal" request @@ -1045,7 +1045,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 200 OK - @team:DataDog/k9-cloud-security-platform + @team:DataDog/k9-cloud-siem Scenario: Get a job's details returns "Bad Request" response Given operation "GetThreatHuntingJob" enabled And new "GetThreatHuntingJob" request @@ -1053,7 +1053,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 400 Bad Request - @team:DataDog/k9-cloud-security-platform + @team:DataDog/k9-cloud-siem Scenario: Get a job's details returns "Not Found" response Given operation "GetThreatHuntingJob" enabled And new "GetThreatHuntingJob" request 
@@ -1061,7 +1061,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 404 Not Found - @team:DataDog/k9-cloud-security-platform + @team:DataDog/k9-cloud-siem Scenario: Get a job's details returns "OK" response Given operation "GetThreatHuntingJob" enabled And operation "RunThreatHuntingJob" enabled @@ -1071,7 +1071,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 200 OK - @generated @skip @team:DataDog/k9-cloud-security-platform + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Get a job's hist signals returns "Bad Request" response Given operation "GetSecurityMonitoringHistsignalsByJobId" enabled And new "GetSecurityMonitoringHistsignalsByJobId" request @@ -1079,7 +1079,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 400 Bad Request - @generated @skip @team:DataDog/k9-cloud-security-platform + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Get a job's hist signals returns "Not Found" response Given operation "GetSecurityMonitoringHistsignalsByJobId" enabled And new "GetSecurityMonitoringHistsignalsByJobId" request @@ -1087,7 +1087,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 404 Not Found - @generated @skip @team:DataDog/k9-cloud-security-platform + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Get a job's hist signals returns "OK" response Given operation "GetSecurityMonitoringHistsignalsByJobId" enabled And new "GetSecurityMonitoringHistsignalsByJobId" request 
@@ -1095,21 +1095,21 @@ Feature: Security Monitoring When the request is sent Then the response status is 200 OK - @generated @skip @team:DataDog/k9-cloud-security-platform + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Get a list of security signals returns "Bad Request" response Given new "SearchSecurityMonitoringSignals" request And body with value {"filter": {"from": "2019-01-02T09:42:36.320Z", "query": "security:attack status:high", "to": "2019-01-03T09:42:36.320Z"}, "page": {"cursor": "eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ==", "limit": 25}, "sort": "timestamp"} When the request is sent Then the response status is 400 Bad Request - @generated @skip @team:DataDog/k9-cloud-security-platform + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Get a list of security signals returns "OK" response Given new "SearchSecurityMonitoringSignals" request And body with value {"filter": {"from": "2019-01-02T09:42:36.320Z", "query": "security:attack status:high", "to": "2019-01-03T09:42:36.320Z"}, "page": {"cursor": "eyJzdGFydEF0IjoiQVFBQUFYS2tMS3pPbm40NGV3QUFBQUJCV0V0clRFdDZVbG8zY3pCRmNsbHJiVmxDWlEifQ==", "limit": 25}, "sort": "timestamp"} When the request is sent Then the response status is 200 OK - @replay-only @skip-validation @team:DataDog/k9-cloud-security-platform @with-pagination + @replay-only @skip-validation @team:DataDog/k9-cloud-siem @with-pagination Scenario: Get a list of security signals returns "OK" response with pagination Given new "SearchSecurityMonitoringSignals" request And body with value {"filter": {"from": "{{ timeISO("now-15m") }}", "query": "security:attack status:high", "to": "{{ timeISO("now") }}"}, "page": {"limit": 2}, "sort": "timestamp"} 
@@ -1117,19 +1117,19 @@ Feature: Security Monitoring Then the response status is 200 OK And the response has 3 items - @generated @skip @team:DataDog/k9-cloud-security-platform + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Get a quick list of security signals returns "Bad Request" response Given new "ListSecurityMonitoringSignals" request When the request is sent Then the response status is 400 Bad Request - @generated @skip @team:DataDog/k9-cloud-security-platform + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Get a quick list of security signals returns "OK" response Given new "ListSecurityMonitoringSignals" request When the request is sent Then the response status is 200 OK - @replay-only @skip-validation @team:DataDog/k9-cloud-security-platform @with-pagination + @replay-only @skip-validation @team:DataDog/k9-cloud-siem @with-pagination Scenario: Get a quick list of security signals returns "OK" response with pagination Given new "ListSecurityMonitoringSignals" request And request contains "page[limit]" parameter with value 2 @@ -1137,14 +1137,14 @@ Feature: Security Monitoring Then the response status is 200 OK And the response has 3 items - @team:DataDog/k9-cloud-security-platform + @team:DataDog/k9-cloud-siem Scenario: Get a rule's details returns "Not Found" response Given new "GetSecurityMonitoringRule" request And request contains "rule_id" parameter with value "abcde-12345" When the request is sent Then the response status is 404 Not Found - @skip-validation @team:DataDog/k9-cloud-security-platform + @skip-validation @team:DataDog/k9-cloud-siem Scenario: Get a rule's details returns "OK" response Given new "GetSecurityMonitoringRule" request And there is a valid "security_rule" in the system 
@@ -1154,7 +1154,7 @@ Feature: Security Monitoring And the response "name" is equal to "{{ unique }}" And the response "id" has the same value as "security_rule.id" - @generated @skip @team:DataDog/k9-cloud-security-platform + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Get a rule's version history returns "Bad Request" response Given operation "GetRuleVersionHistory" enabled And new "GetRuleVersionHistory" request @@ -1162,7 +1162,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 400 Bad Request - @generated @skip @team:DataDog/k9-cloud-security-platform + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Get a rule's version history returns "Not Found" response Given operation "GetRuleVersionHistory" enabled And new "GetRuleVersionHistory" request @@ -1170,7 +1170,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 404 Not Found - @generated @skip @team:DataDog/k9-cloud-security-platform + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Get a rule's version history returns "OK" response Given operation "GetRuleVersionHistory" enabled And new "GetRuleVersionHistory" request @@ -1178,14 +1178,14 @@ Feature: Security Monitoring When the request is sent Then the response status is 200 OK - @generated @skip @team:DataDog/k9-cloud-security-platform + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Get a security filter returns "Not Found" response Given new "GetSecurityFilter" request And request contains "security_filter_id" parameter from "REPLACE.ME" When the request is sent Then the response status is 404 Not Found - @team:DataDog/k9-cloud-security-platform + @team:DataDog/k9-cloud-siem Scenario: Get a security filter returns "OK" response Given there is a valid "security_filter" in the system And new "GetSecurityFilter" request 
@@ -1198,28 +1198,28 @@ Feature: Security Monitoring And the response "data.attributes.exclusion_filters[0].name" is equal to "Exclude logs from staging" And the response "data.attributes.exclusion_filters[0].query" is equal to "source:staging" - @replay-only @team:DataDog/k9-cloud-security-platform + @replay-only @team:DataDog/k9-cloud-siem Scenario: Get a signal's details returns "Not Found" response Given new "GetSecurityMonitoringSignal" request And request contains "signal_id" parameter with value "AQAAAYNqUBVU4-rffwAAAABBWU5xVUJWVUFBQjJBd3ptCL3QUEm3nt2" When the request is sent Then the response status is 404 Not Found - @replay-only @team:DataDog/k9-cloud-security-platform + @replay-only @team:DataDog/k9-cloud-siem Scenario: Get a signal's details returns "OK" response Given new "GetSecurityMonitoringSignal" request And request contains "signal_id" parameter with value "AQAAAYNqUBVU4-rffwAAAABBWU5xVUJWVUFBQjJBd3ptMDdQUnF3QUE" When the request is sent Then the response status is 200 OK - @skip-validation @team:DataDog/k9-cloud-security-platform + @skip-validation @team:DataDog/k9-cloud-siem Scenario: Get a suppression rule returns "Not Found" response Given new "GetSecurityMonitoringSuppression" request And request contains "suppression_id" parameter with value "this-does-not-exist" When the request is sent Then the response status is 404 Not Found - @skip-validation @team:DataDog/k9-cloud-security-platform + @skip-validation @team:DataDog/k9-cloud-siem Scenario: Get a suppression rule returns "OK" response Given new "GetSecurityMonitoringSuppression" request And there is a valid "suppression" in the system 
@@ -1229,14 +1229,14 @@ Feature: Security Monitoring And the response "data.attributes.rule_query" has the same value as "suppression.data.attributes.rule_query" And the response "data.attributes.suppression_query" is equal to "env:test" - @team:DataDog/k9-cloud-security-platform + @team:DataDog/k9-cloud-siem Scenario: Get a suppression's version history returns "Not Found" response Given new "GetSuppressionVersionHistory" request And request contains "suppression_id" parameter with value "this-does-not-exist" When the request is sent Then the response status is 404 Not Found - @team:DataDog/k9-cloud-security-platform + @team:DataDog/k9-cloud-siem Scenario: Get a suppression's version history returns "OK" response Given new "GetSuppressionVersionHistory" request And there is a valid "suppression" in the system @@ -1244,13 +1244,13 @@ Feature: Security Monitoring When the request is sent Then the response status is 200 OK - @team:DataDog/k9-cloud-security-platform + @team:DataDog/k9-cloud-siem Scenario: Get all critical assets returns "OK" response Given new "ListSecurityMonitoringCriticalAssets" request When the request is sent Then the response status is 200 OK - @team:DataDog/k9-cloud-security-platform + @team:DataDog/k9-cloud-siem Scenario: Get all security filters returns "OK" response Given new "ListSecurityFilters" request When the request is sent 
@@ -1258,13 +1258,13 @@ Feature: Security Monitoring And the response "data" has item with field "attributes.filtered_data_type" with value "logs" And the response "data" has item with field "attributes.is_builtin" with value true - @generated @skip @team:DataDog/k9-cloud-security-platform + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Get all suppression rules returns "OK" response Given new "ListSecurityMonitoringSuppressions" request When the request is sent Then the response status is 200 OK - @team:DataDog/k9-cloud-security-platform + @team:DataDog/k9-cloud-siem Scenario: Get all suppression rules returns "OK" response with pagination Given new "ListSecurityMonitoringSuppressions" request And there is a valid "suppression" in the system @@ -1276,7 +1276,7 @@ Feature: Security Monitoring Then the response status is 200 OK And the response "data" has length 1 - @team:DataDog/k9-cloud-security-platform + @team:DataDog/k9-cloud-siem Scenario: Get all suppression rules returns "OK" response with sort ascending Given new "ListSecurityMonitoringSuppressions" request And there is a valid "suppression" in the system @@ -1287,7 +1287,7 @@ Feature: Security Monitoring Then the response status is 200 OK And the response "data[0].attributes.name" is equal to "suppression {{ unique_hash }}" - @team:DataDog/k9-cloud-security-platform + @team:DataDog/k9-cloud-siem Scenario: Get all suppression rules returns "OK" response with sort descending Given new "ListSecurityMonitoringSuppressions" request And there is a valid "suppression" in the system 
@@ -1298,28 +1298,28 @@ Feature: Security Monitoring Then the response status is 200 OK And the response "data[0].attributes.name" is equal to "suppression2 {{ unique_hash }}" - @generated @skip @team:DataDog/k9-cloud-security-platform + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Get content pack states returns "Not Found" response Given operation "GetContentPacksStates" enabled And new "GetContentPacksStates" request When the request is sent Then the response status is 404 Not Found - @generated @skip @team:DataDog/k9-cloud-security-platform + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Get content pack states returns "OK" response Given operation "GetContentPacksStates" enabled And new "GetContentPacksStates" request When the request is sent Then the response status is 200 OK - @skip @team:DataDog/k9-cloud-security-platform + @skip @team:DataDog/k9-cloud-siem Scenario: Get critical assets affecting a specific rule returns "Not Found" response Given new "GetCriticalAssetsAffectingRule" request And request contains "rule_id" parameter with value "aaa-bbb-ccc-ddd" When the request is sent Then the response status is 404 Not Found - @team:DataDog/k9-cloud-security-platform + @team:DataDog/k9-cloud-siem Scenario: Get critical assets affecting a specific rule returns "OK" response Given new "GetCriticalAssetsAffectingRule" request And there is a valid "security_rule" in the system @@ -1371,7 +1371,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 200 Notification rule details. - @skip-go @skip-java @skip-ruby @team:DataDog/k9-cloud-security-platform + @skip-go @skip-java @skip-ruby @team:DataDog/k9-cloud-siem Scenario: Get rule version history returns "OK" response Given operation "GetRuleVersionHistory" enabled And new "GetRuleVersionHistory" request 
@@ -1384,14 +1384,14 @@ Feature: Security Monitoring And the response "data.attributes.count" is equal to 1 And the response "data.attributes.data[1].rule.name" has the same value as "security_rule.name" - @team:DataDog/k9-cloud-security-platform + @team:DataDog/k9-cloud-siem Scenario: Get suppressions affecting a specific rule returns "Not Found" response Given new "GetSuppressionsAffectingRule" request And request contains "rule_id" parameter with value "aaa-bbb-ccc-ddd" When the request is sent Then the response status is 404 Not Found - @team:DataDog/k9-cloud-security-platform + @team:DataDog/k9-cloud-siem Scenario: Get suppressions affecting a specific rule returns "OK" response Given new "GetSuppressionsAffectingRule" request And there is a valid "security_rule" in the system @@ -1399,14 +1399,14 @@ Feature: Security Monitoring When the request is sent Then the response status is 200 OK - @team:DataDog/k9-cloud-security-platform + @team:DataDog/k9-cloud-siem Scenario: Get suppressions affecting future rule returns "Bad Request" response Given new "GetSuppressionsAffectingFutureRule" request And body with value {"invalid_key":"invalid_value"} When the request is sent Then the response status is 400 Bad Request - @team:DataDog/k9-cloud-security-platform + @team:DataDog/k9-cloud-siem Scenario: Get suppressions affecting future rule returns "OK" response Given new "GetSuppressionsAffectingFutureRule" request And body from file "security_monitoring_future_rule_suppression_payload.json" 
@@ -1500,28 +1500,28 @@ Feature: Security Monitoring When the request is sent Then the response status is 200 OK - @generated @skip @team:DataDog/k9-cloud-security-platform + @generated @skip @team:DataDog/k9-cloud-siem Scenario: List hist signals returns "Bad Request" response Given operation "ListSecurityMonitoringHistsignals" enabled And new "ListSecurityMonitoringHistsignals" request When the request is sent Then the response status is 400 Bad Request - @generated @skip @team:DataDog/k9-cloud-security-platform + @generated @skip @team:DataDog/k9-cloud-siem Scenario: List hist signals returns "Not Found" response Given operation "ListSecurityMonitoringHistsignals" enabled And new "ListSecurityMonitoringHistsignals" request When the request is sent Then the response status is 404 Not Found - @generated @skip @team:DataDog/k9-cloud-security-platform + @generated @skip @team:DataDog/k9-cloud-siem Scenario: List hist signals returns "OK" response Given operation "ListSecurityMonitoringHistsignals" enabled And new "ListSecurityMonitoringHistsignals" request When the request is sent Then the response status is 200 OK - @team:DataDog/k9-cloud-security-platform + @team:DataDog/k9-cloud-siem Scenario: List historical jobs returns "OK" response Given operation "ListThreatHuntingJobs" enabled And operation "RunThreatHuntingJob" enabled 
@@ -1531,14 +1531,14 @@ Feature: Security Monitoring When the request is sent Then the response status is 200 OK - @team:DataDog/k9-cloud-security-platform + @team:DataDog/k9-cloud-siem Scenario: List resource filters returns "Bad Request" response Given new "GetResourceEvaluationFilters" request And request contains "account_id" parameter with value "123456789" When the request is sent Then the response status is 400 Bad Request - @team:DataDog/k9-cloud-security-platform + @team:DataDog/k9-cloud-siem Scenario: List resource filters returns "OK" response Given new "GetResourceEvaluationFilters" request And request contains "cloud_provider" parameter with value "aws" @@ -1546,13 +1546,13 @@ Feature: Security Monitoring When the request is sent Then the response status is 200 OK - @generated @skip @team:DataDog/k9-cloud-security-platform + @generated @skip @team:DataDog/k9-cloud-siem Scenario: List rules returns "Bad Request" response Given new "ListSecurityMonitoringRules" request When the request is sent Then the response status is 400 Bad Request - @skip-validation @team:DataDog/k9-cloud-security-platform + @skip-validation @team:DataDog/k9-cloud-siem Scenario: List rules returns "OK" response Given new "ListSecurityMonitoringRules" request When the request is sent 
@@ -1604,14 +1604,14 @@ Feature: Security Monitoring And the response "meta.page" has field "after" And the response "links" has field "next" - @generated @skip @team:DataDog/k9-cloud-security-platform + @generated @skip @team:DataDog/k9-cloud-siem Scenario: List threat hunting jobs returns "Bad Request" response Given operation "ListThreatHuntingJobs" enabled And new "ListThreatHuntingJobs" request When the request is sent Then the response status is 400 Bad Request - @generated @skip @team:DataDog/k9-cloud-security-platform + @generated @skip @team:DataDog/k9-cloud-siem Scenario: List threat hunting jobs returns "OK" response Given operation "ListThreatHuntingJobs" enabled And new "ListThreatHuntingJobs" request @@ -1670,7 +1670,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 200 OK - @generated @skip @team:DataDog/k9-cloud-security-platform + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Modify the triage assignee of a security signal returns "Bad Request" response Given new "EditSecurityMonitoringSignalAssignee" request And request contains "signal_id" parameter from "REPLACE.ME" @@ -1678,7 +1678,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 400 Bad Request - @generated @skip @team:DataDog/k9-cloud-security-platform + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Modify the triage assignee of a security signal returns "Not Found" response Given new "EditSecurityMonitoringSignalAssignee" request And request contains "signal_id" parameter from "REPLACE.ME" 
@@ -1686,7 +1686,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 404 Not Found - @replay-only @team:DataDog/k9-cloud-security-platform + @replay-only @team:DataDog/k9-cloud-siem Scenario: Modify the triage assignee of a security signal returns "OK" response Given new "EditSecurityMonitoringSignalAssignee" request And request contains "signal_id" parameter with value "AQAAAYG1bl5K4HuUewAAAABBWUcxYmw1S0FBQmt2RmhRN0V4ZUVnQUE" @@ -1809,7 +1809,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 200 OK - @team:DataDog/k9-cloud-security-platform + @team:DataDog/k9-cloud-siem Scenario: Run a threat hunting job returns "Bad Request" response Given operation "RunThreatHuntingJob" enabled And new "RunThreatHuntingJob" request @@ -1817,7 +1817,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 400 Bad Request - @team:DataDog/k9-cloud-security-platform + @team:DataDog/k9-cloud-siem Scenario: Run a threat hunting job returns "Not Found" response Given operation "RunThreatHuntingJob" enabled And new "RunThreatHuntingJob" request @@ -1825,7 +1825,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 404 Not Found - @team:DataDog/k9-cloud-security-platform + @team:DataDog/k9-cloud-siem Scenario: Run a threat hunting job returns "Status created" response Given operation "RunThreatHuntingJob" enabled And new "RunThreatHuntingJob" request @@ -1833,7 +1833,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 201 Status created - @generated @skip @team:DataDog/k9-cloud-security-platform + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Search hist signals returns "Bad Request" response Given operation "SearchSecurityMonitoringHistsignals" enabled And new "SearchSecurityMonitoringHistsignals" request 
@@ -1841,7 +1841,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 400 Bad Request - @generated @skip @team:DataDog/k9-cloud-security-platform + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Search hist signals returns "Not Found" response Given operation "SearchSecurityMonitoringHistsignals" enabled And new "SearchSecurityMonitoringHistsignals" request @@ -1849,7 +1849,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 404 Not Found - @generated @skip @team:DataDog/k9-cloud-security-platform + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Search hist signals returns "OK" response Given operation "SearchSecurityMonitoringHistsignals" enabled And new "SearchSecurityMonitoringHistsignals" request 
@@ -1881,21 +1881,21 @@ Feature: Security Monitoring And the response "meta.page" has field "after" And the response "links" has field "next" - @skip @team:DataDog/k9-cloud-security-platform + @skip @team:DataDog/k9-cloud-siem Scenario: Test a rule returns "Bad Request" response Given new "TestSecurityMonitoringRule" request And body with value {"rule": {"cases": [], "filters": [{"action": "require"}], "hasExtendedTitle": true, "isEnabled": true, "message": "", "name": "My security monitoring rule.", "options": {"decreaseCriticalityBasedOnEnv": false, "detectionMethod": "threshold", "evaluationWindow": 0, "hardcodedEvaluatorType": "log4shell", "impossibleTravelOptions": {"baselineUserLocations": true}, "keepAlive": 0, "maxSignalDuration": 0, "newValueOptions": {"forgetAfter": 1, "learningDuration": 0, "learningMethod": "duration", "learningThreshold": 0}, "thirdPartyRuleOptions": {"defaultNotifications": [], "defaultStatus": "critical", "rootQueries": [{"groupByFields": [], "query": "source:cloudtrail"}]}}, "queries": [], "tags": ["env:prod", "team:security"], "thirdPartyCases": [], "type": "application_security"}, "ruleQueryPayloads": [{"expectedResult": true, "index": 0, "payload": {"ddsource": "nginx", "ddtags": "env:staging,version:5.1", "hostname": "i-012345678", "message": "2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World", "service": "payment"}}]} When the request is sent Then the response status is 400 Bad Request - @skip @team:DataDog/k9-cloud-security-platform + @skip @team:DataDog/k9-cloud-siem Scenario: Test a rule returns "Not Found" response Given new "TestSecurityMonitoringRule" request And body with value {"rule": {"cases": [], "filters": [{"action": "require"}], "hasExtendedTitle": true, "isEnabled": true, "message": "", "name": "My security monitoring rule.", "options": {"decreaseCriticalityBasedOnEnv": false, "detectionMethod": "threshold", "evaluationWindow": 0, "hardcodedEvaluatorType": "log4shell", "impossibleTravelOptions": 
{"baselineUserLocations": true}, "keepAlive": 0, "maxSignalDuration": 0, "newValueOptions": {"forgetAfter": 1, "learningDuration": 0, "learningMethod": "duration", "learningThreshold": 0}, "thirdPartyRuleOptions": {"defaultNotifications": [], "defaultStatus": "critical", "rootQueries": [{"groupByFields": [], "query": "source:cloudtrail"}]}}, "queries": [], "tags": ["env:prod", "team:security"], "thirdPartyCases": [], "type": "application_security"}, "ruleQueryPayloads": [{"expectedResult": true, "index": 0, "payload": {"ddsource": "nginx", "ddtags": "env:staging,version:5.1", "hostname": "i-012345678", "message": "2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World", "service": "payment"}}]} When the request is sent Then the response status is 404 Not Found - @skip-go @skip-java @skip-ruby @skip-typescript @team:DataDog/k9-cloud-security-platform + @skip-go @skip-java @skip-ruby @skip-typescript @team:DataDog/k9-cloud-siem Scenario: Test a rule returns "OK" response Given new "TestSecurityMonitoringRule" request And body with value {"rule": {"cases": [{"name": "","status": "info","notifications": [],"condition": "a > 0"}],"hasExtendedTitle": true,"isEnabled": true,"message": "My security monitoring rule message.","name": "My security monitoring rule.","options": {"decreaseCriticalityBasedOnEnv": false,"detectionMethod": "threshold","evaluationWindow": 0,"keepAlive": 0,"maxSignalDuration": 0},"queries": [{"query": "source:source_here","groupByFields": ["@userIdentity.assumed_role"],"distinctFields": [],"aggregation": "count","name": ""}],"tags": ["env:prod", "team:security"],"type": "log_detection"}, "ruleQueryPayloads": [{"expectedResult": true,"index": 0,"payload": {"ddsource": "source_here","ddtags": "env:staging,version:5.1","hostname": "i-012345678","message": "2019-11-19T14:37:58,995 INFO [process.name][20081] Hello World","service": "payment","userIdentity": {"assumed_role" : "fake assumed_role"}}}]} 
@@ -1903,7 +1903,7 @@ Feature: Security Monitoring Then the response status is 200 OK And the response "results[0]" is equal to true - @skip @team:DataDog/k9-cloud-security-platform + @skip @team:DataDog/k9-cloud-siem Scenario: Test an existing rule returns "Bad Request" response Given new "TestExistingSecurityMonitoringRule" request And request contains "rule_id" parameter from "REPLACE.ME" @@ -1911,7 +1911,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 400 Bad Request - @skip @team:DataDog/k9-cloud-security-platform + @skip @team:DataDog/k9-cloud-siem Scenario: Test an existing rule returns "Not Found" response Given new "TestExistingSecurityMonitoringRule" request And request contains "rule_id" parameter from "REPLACE.ME" @@ -1919,7 +1919,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 404 Not Found - @skip @team:DataDog/k9-cloud-security-platform + @skip @team:DataDog/k9-cloud-siem Scenario: Test an existing rule returns "OK" response Given new "TestExistingSecurityMonitoringRule" request And request contains "rule_id" parameter from "REPLACE.ME" @@ -1927,7 +1927,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 200 OK - @skip-validation @team:DataDog/k9-cloud-security-platform + @skip-validation @team:DataDog/k9-cloud-siem Scenario: Update a cloud configuration rule's details returns "OK" response Given new "UpdateSecurityMonitoringRule" request And there is a valid "cloud_configuration_rule" in the system 
@@ -1938,7 +1938,7 @@ Feature: Security Monitoring And the response "name" is equal to "{{ unique }}_cloud_updated" And the response "id" has the same value as "cloud_configuration_rule.id" - @skip @team:DataDog/k9-cloud-security-platform + @skip @team:DataDog/k9-cloud-siem Scenario: Update a critical asset returns "Bad Request" response Given new "UpdateSecurityMonitoringCriticalAsset" request And request contains "critical_asset_id" parameter with value "00000000-0000-0000-0000-000000000000" @@ -1946,7 +1946,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 400 Bad Request - @generated @skip @team:DataDog/k9-cloud-security-platform + @generated @skip @team:DataDog/k9-cloud-siem Scenario: Update a critical asset returns "Concurrent Modification" response Given new "UpdateSecurityMonitoringCriticalAsset" request And request contains "critical_asset_id" parameter from "REPLACE.ME" @@ -1954,7 +1954,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 409 Concurrent Modification - @team:DataDog/k9-cloud-security-platform + @team:DataDog/k9-cloud-siem Scenario: Update a critical asset returns "Not Found" response Given new "UpdateSecurityMonitoringCriticalAsset" request And request contains "critical_asset_id" parameter with value "00000000-0000-0000-0000-000000000001" @@ -1962,7 +1962,7 @@ Feature: Security Monitoring When the request is sent Then the response status is 404 Not Found - @skip-validation @team:DataDog/k9-cloud-security-platform + @skip-validation @team:DataDog/k9-cloud-siem Scenario: Update a critical asset returns "OK" response Given new "UpdateSecurityMonitoringCriticalAsset" request And there is a valid "critical_asset" in the system 
@@ -1975,7 +1975,7 @@ Feature: Security Monitoring
 And the response "data.attributes.enabled" is equal to false
 And the response "data.attributes.version" is equal to 2
 
- @team:DataDog/k9-cloud-security-platform
+ @team:DataDog/k9-cloud-siem
 Scenario: Update a custom framework returns "Bad Request" response
 Given new "UpdateCustomFramework" request
 And request contains "handle" parameter with value "create-framework-new"
@@ -1984,7 +1984,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 400 Bad Request
 
- @replay-only @team:DataDog/k9-cloud-security-platform
+ @replay-only @team:DataDog/k9-cloud-siem
 Scenario: Update a custom framework returns "OK" response
 Given there is a valid "custom_framework" in the system
 And new "UpdateCustomFramework" request
@@ -1994,7 +1994,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 200 OK
 
- @generated @skip @team:DataDog/k9-cloud-security-platform
+ @generated @skip @team:DataDog/k9-cloud-siem
 Scenario: Update a security filter returns "Bad Request" response
 Given new "UpdateSecurityFilter" request
 And request contains "security_filter_id" parameter from "REPLACE.ME"
@@ -2002,7 +2002,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 400 Bad Request
 
- @generated @skip @team:DataDog/k9-cloud-security-platform
+ @generated @skip @team:DataDog/k9-cloud-siem
 Scenario: Update a security filter returns "Concurrent Modification" response
 Given new "UpdateSecurityFilter" request
 And request contains "security_filter_id" parameter from "REPLACE.ME"
@@ -2010,7 +2010,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 409 Concurrent Modification
 
- @generated @skip @team:DataDog/k9-cloud-security-platform
+ @generated @skip @team:DataDog/k9-cloud-siem
 Scenario: Update a security filter returns "Not Found" response
 Given new "UpdateSecurityFilter" request
 And request contains "security_filter_id" parameter from "REPLACE.ME"
@@ -2018,7 +2018,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 404 Not Found
 
- @team:DataDog/k9-cloud-security-platform
+ @team:DataDog/k9-cloud-siem
 Scenario: Update a security filter returns "OK" response
 Given new "UpdateSecurityFilter" request
 And there is a valid "security_filter" in the system
@@ -2030,7 +2030,7 @@ Feature: Security Monitoring
 And the response "data.attributes.filtered_data_type" is equal to "logs"
 And the response "data.attributes.name" is equal to "{{ unique }}"
 
- @generated @skip @team:DataDog/k9-cloud-security-platform
+ @generated @skip @team:DataDog/k9-cloud-siem
 Scenario: Update a suppression rule returns "Bad Request" response
 Given new "UpdateSecurityMonitoringSuppression" request
 And request contains "suppression_id" parameter from "REPLACE.ME"
@@ -2038,7 +2038,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 400 Bad Request
 
- @generated @skip @team:DataDog/k9-cloud-security-platform
+ @generated @skip @team:DataDog/k9-cloud-siem
 Scenario: Update a suppression rule returns "Concurrent Modification" response
 Given new "UpdateSecurityMonitoringSuppression" request
 And request contains "suppression_id" parameter from "REPLACE.ME"
@@ -2046,7 +2046,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 409 Concurrent Modification
 
- @generated @skip @team:DataDog/k9-cloud-security-platform
+ @generated @skip @team:DataDog/k9-cloud-siem
 Scenario: Update a suppression rule returns "Not Found" response
 Given new "UpdateSecurityMonitoringSuppression" request
 And request contains "suppression_id" parameter from "REPLACE.ME"
@@ -2054,7 +2054,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 404 Not Found
 
- @skip-validation @team:DataDog/k9-cloud-security-platform
+ @skip-validation @team:DataDog/k9-cloud-siem
 Scenario: Update a suppression rule returns "OK" response
 Given new "UpdateSecurityMonitoringSuppression" request
 And there is a valid "suppression" in the system
@@ -2066,7 +2066,7 @@ Feature: Security Monitoring
 And the response "data.attributes.suppression_query" is equal to "env:staging status:low"
 And the response "data.attributes.version" is equal to 2
 
- @skip-validation @team:DataDog/k9-cloud-security-platform
+ @skip-validation @team:DataDog/k9-cloud-siem
 Scenario: Update an existing rule returns "Bad Request" response
 Given new "UpdateSecurityMonitoringRule" request
 And there is a valid "security_rule" in the system
@@ -2075,7 +2075,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 400 Bad Request
 
- @team:DataDog/k9-cloud-security-platform
+ @team:DataDog/k9-cloud-siem
 Scenario: Update an existing rule returns "Not Found" response
 Given new "UpdateSecurityMonitoringRule" request
 And request contains "rule_id" parameter with value "abcde-12345"
@@ -2083,7 +2083,7 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 404 Not Found
 
- @skip-validation @team:DataDog/k9-cloud-security-platform
+ @skip-validation @team:DataDog/k9-cloud-siem
 Scenario: Update an existing rule returns "OK" response
 Given new "UpdateSecurityMonitoringRule" request
 And there is a valid "security_rule" in the system
@@ -2094,56 +2094,56 @@ Feature: Security Monitoring
 And the response "name" is equal to "{{ unique }}-Updated"
 And the response "id" has the same value as "security_rule.id"
 
- @team:DataDog/k9-cloud-security-platform
+ @team:DataDog/k9-cloud-siem
 Scenario: Update resource filters returns "Bad Request" response
 Given new "UpdateResourceEvaluationFilters" request
 And body with value {"data": {"attributes": {"cloud_provider": {"invalid": {"aws_account_id": ["tag1:v1"]}}}, "id": "csm_resource_filter", "type": "csm_resource_filter"}}
 When the request is sent
 Then the response status is 400 Bad Request
 
- @team:DataDog/k9-cloud-security-platform
+ @team:DataDog/k9-cloud-siem
 Scenario: Update resource filters returns "OK" response
 Given new "UpdateResourceEvaluationFilters" request
 And body with value {"data": {"attributes": {"cloud_provider": {"aws": {"aws_account_id": ["tag1:v1"]}}}, "id": "csm_resource_filter", "type": "csm_resource_filter"}}
 When the request is sent
 Then the response status is 201 OK
 
- @skip-go @skip-java @skip-python @skip-ruby @skip-rust @skip-typescript @skip-validation @team:DataDog/k9-cloud-security-platform
+ @skip-go @skip-java @skip-python @skip-ruby @skip-rust @skip-typescript @skip-validation @team:DataDog/k9-cloud-siem
 Scenario: Validate a detection rule returns "Bad Request" response
 Given new "ValidateSecurityMonitoringRule" request
 And body with value {"cases":[{"name":"","status":"info","notifications":[],"condition":"a > 0"}],"hasExtendedTitle":true,"isEnabled":true,"message":"My security monitoring rule","name":"My security monitoring rule","options":{"evaluationWindow":1800,"keepAlive":999999,"maxSignalDuration":1800,"detectionMethod":"threshold"},"queries":[{"query":"source:source_here","groupByFields":["@userIdentity.assumed_role"],"distinctFields":[],"aggregation":"count","name":""}],"tags":["env:prod","team:security"],"type":"log_detection"}
 When the request is sent
 Then the response status is 400 Bad Request
 
- @team:DataDog/k9-cloud-security-platform
+ @team:DataDog/k9-cloud-siem
 Scenario: Validate a detection rule returns "OK" response
 Given new "ValidateSecurityMonitoringRule" request
 And body with value {"cases":[{"name":"","status":"info","notifications":[],"condition":"a > 0"}],"hasExtendedTitle":true,"isEnabled":true,"message":"My security monitoring rule","name":"My security monitoring rule","options":{"evaluationWindow":1800,"keepAlive":1800,"maxSignalDuration":1800,"detectionMethod":"threshold"},"queries":[{"query":"source:source_here","groupByFields":["@userIdentity.assumed_role"],"distinctFields":[],"aggregation":"count","name":""}],"tags":["env:prod","team:security"],"type":"log_detection"}
 When the request is sent
 Then the response status is 204 OK
 
- @team:DataDog/k9-cloud-security-platform
+ @team:DataDog/k9-cloud-siem
 Scenario: Validate a detection rule with detection method 'new_value' with enabled feature 'instantaneousBaseline' returns "OK" response
 Given new "ValidateSecurityMonitoringRule" request
 And body with value {"cases":[{"name":"","status":"info","notifications":[]}],"hasExtendedTitle":true,"isEnabled":true,"message":"My security monitoring rule","name":"My security monitoring rule","options":{"evaluationWindow":0,"keepAlive":300,"maxSignalDuration":600,"detectionMethod":"new_value","newValueOptions":{"forgetAfter":7,"instantaneousBaseline":true,"learningDuration":1,"learningThreshold":0,"learningMethod":"duration"}},"queries":[{"query":"source:source_here","groupByFields":["@userIdentity.assumed_role"],"distinctFields":[],"metric":"name","metrics":["name"],"aggregation":"new_value","name":"","dataSource":"logs"}],"tags":["env:prod","team:security"],"type":"log_detection"}
 When the request is sent
 Then the response status is 204 OK
 
- @team:DataDog/k9-cloud-security-platform
+ @team:DataDog/k9-cloud-siem
 Scenario: Validate a detection rule with detection method 'sequence_detection' returns "OK" response
 Given new "ValidateSecurityMonitoringRule" request
 And body with value {"cases":[{"name":"","status":"info","notifications":[],"condition":"step_b > 0"}],"hasExtendedTitle":true,"isEnabled":true,"message":"My security monitoring rule","name":"My security monitoring rule","options":{"evaluationWindow":0,"keepAlive":300,"maxSignalDuration":600,"detectionMethod":"sequence_detection","sequenceDetectionOptions":{"stepTransitions":[{"child":"step_b","evaluationWindow":900,"parent":"step_a"}],"steps":[{"condition":"a > 0","evaluationWindow":60,"name":"step_a"},{"condition":"b > 0","evaluationWindow":60,"name":"step_b"}]}},"queries":[{"query":"source:source_here","groupByFields":["@userIdentity.assumed_role"],"distinctFields":[],"aggregation":"count","name":""},{"query":"source:source_here2","groupByFields":[],"distinctFields":[],"aggregation":"count","name":""}],"tags":["env:prod","team:security"],"type":"log_detection"}
 When the request is sent
 Then the response status is 204 OK
 
- @team:DataDog/k9-cloud-security-platform
+ @team:DataDog/k9-cloud-siem
 Scenario: Validate a suppression rule returns "Bad Request" response
 Given new "ValidateSecurityMonitoringSuppression" request
 And body with value {"data": {"attributes": {"name" : "cold_harbour", "enabled": false, "rule_query":"rule:[A-Invalid", "data_exclusion_query": "not enough attributes"}, "type": "suppressions"}}
 When the request is sent
 Then the response status is 400 Bad Request
 
- @team:DataDog/k9-cloud-security-platform
+ @team:DataDog/k9-cloud-siem
 Scenario: Validate a suppression rule returns "OK" response
 Given new "ValidateSecurityMonitoringSuppression" request
 And body with value {"data": {"attributes": {"data_exclusion_query": "source:cloudtrail account_id:12345", "description": "This rule suppresses low-severity signals in staging environments.", "enabled": true, "name": "Custom suppression", "rule_query": "type:log_detection source:cloudtrail"}, "type": "suppressions"}}