DataDog · api-clients-generation-pipeline · Jul 17, 2025
@@ -1,4 +1,4 @@
 {
-  "spec_repo_commit": "2ffdc3f",
-  "generated": "2025-07-16 19:14:29.962"
+  "spec_repo_commit": "31a6042",
+  "generated": "2025-07-17 09:23:32.838"
 }
@@ -33903,9 +33903,22 @@ components:
           format: int64
           minimum: 0
           type: integer
+        flaggedIPType:
+          $ref: '#/components/schemas/SecurityMonitoringRuleCaseActionOptionsFlaggedIPType'
         userBehaviorName:
           $ref: '#/components/schemas/SecurityMonitoringRuleCaseActionOptionsUserBehaviorName'
       type: object
+    SecurityMonitoringRuleCaseActionOptionsFlaggedIPType:
+      description: Used with the case action of type 'flag_ip'. The value specified
+        in this field is applied as a flag to the IPs addresses.
+      enum:
+      - SUSPICIOUS
+      - FLAGGED
+      example: FLAGGED
+      type: string
+      x-enum-varnames:
+      - SUSPICIOUS
+      - FLAGGED
     SecurityMonitoringRuleCaseActionOptionsUserBehaviorName:
       description: Used with the case action of type 'user_behavior'. The value specified
         in this field is applied as a risk tag to all users affected by the rule.
@@ -33916,11 +33929,13 @@ components:
       - block_ip
       - block_user
       - user_behavior
+      - flag_ip
       type: string
       x-enum-varnames:
       - BLOCK_IP
       - BLOCK_USER
       - USER_BEHAVIOR
+      - FLAG_IP
     SecurityMonitoringRuleCaseCreate:
       description: Case when signal is generated.
       properties:

@@ -14774,6 +14774,13 @@ datadog\_api\_client.v2.model.security\_monitoring\_rule\_case\_action\_options
    :members:
    :show-inheritance:
 
+datadog\_api\_client.v2.model.security\_monitoring\_rule\_case\_action\_options\_flagged\_ip\_type module
+---------------------------------------------------------------------------------------------------------
+
+.. automodule:: datadog_api_client.v2.model.security_monitoring_rule_case_action_options_flagged_ip_type
+   :members:
+   :show-inheritance:
+
 datadog\_api\_client.v2.model.security\_monitoring\_rule\_case\_action\_type module
 -----------------------------------------------------------------------------------
 

@@ -8,6 +8,9 @@
 from datadog_api_client.v2.model.security_monitoring_rule_case_action_options import (
     SecurityMonitoringRuleCaseActionOptions,
 )
+from datadog_api_client.v2.model.security_monitoring_rule_case_action_options_flagged_ip_type import (
+    SecurityMonitoringRuleCaseActionOptionsFlaggedIPType,
+)
 from datadog_api_client.v2.model.security_monitoring_rule_case_action_type import SecurityMonitoringRuleCaseActionType
 from datadog_api_client.v2.model.security_monitoring_rule_case_create import SecurityMonitoringRuleCaseCreate
 from datadog_api_client.v2.model.security_monitoring_rule_detection_method import SecurityMonitoringRuleDetectionMethod
@@ -63,6 +66,12 @@
                         user_behavior_name="behavior",
                     ),
                 ),
+                SecurityMonitoringRuleCaseAction(
+                    type=SecurityMonitoringRuleCaseActionType.FLAG_IP,
+                    options=SecurityMonitoringRuleCaseActionOptions(
+                        flagged_ip_type=SecurityMonitoringRuleCaseActionOptionsFlaggedIPType.FLAGGED,
+                    ),
+                ),
             ],
         ),
     ],

@@ -3,7 +3,7 @@
 # Copyright 2019-Present Datadog, Inc.
 from __future__ import annotations
 
-from typing import Union
+from typing import Union, TYPE_CHECKING
 
 from datadog_api_client.model_utils import (
     ModelNormal,
@@ -13,6 +13,12 @@
 )
 
 
+if TYPE_CHECKING:
+    from datadog_api_client.v2.model.security_monitoring_rule_case_action_options_flagged_ip_type import (
+        SecurityMonitoringRuleCaseActionOptionsFlaggedIPType,
+    )
+
+
 class SecurityMonitoringRuleCaseActionOptions(ModelNormal):
     validations = {
         "duration": {
@@ -22,30 +28,45 @@ class SecurityMonitoringRuleCaseActionOptions(ModelNormal):
 
     @cached_property
     def openapi_types(_):
+        from datadog_api_client.v2.model.security_monitoring_rule_case_action_options_flagged_ip_type import (
+            SecurityMonitoringRuleCaseActionOptionsFlaggedIPType,
+        )
+
         return {
             "duration": (int,),
+            "flagged_ip_type": (SecurityMonitoringRuleCaseActionOptionsFlaggedIPType,),
             "user_behavior_name": (str,),
         }
 
     attribute_map = {
         "duration": "duration",
+        "flagged_ip_type": "flaggedIPType",
         "user_behavior_name": "userBehaviorName",
     }
 
     def __init__(
-        self_, duration: Union[int, UnsetType] = unset, user_behavior_name: Union[str, UnsetType] = unset, **kwargs
+        self_,
+        duration: Union[int, UnsetType] = unset,
+        flagged_ip_type: Union[SecurityMonitoringRuleCaseActionOptionsFlaggedIPType, UnsetType] = unset,
+        user_behavior_name: Union[str, UnsetType] = unset,
+        **kwargs,
     ):
         """
         Options for the rule action
 
         :param duration: Duration of the action in seconds. 0 indicates no expiration.
         :type duration: int, optional
 
+        :param flagged_ip_type: Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IPs addresses.
+        :type flagged_ip_type: SecurityMonitoringRuleCaseActionOptionsFlaggedIPType, optional
+
         :param user_behavior_name: Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule.
         :type user_behavior_name: str, optional
         """
         if duration is not unset:
             kwargs["duration"] = duration
+        if flagged_ip_type is not unset:
+            kwargs["flagged_ip_type"] = flagged_ip_type
         if user_behavior_name is not unset:
             kwargs["user_behavior_name"] = user_behavior_name
         super().__init__(kwargs)
@@ -0,0 +1,42 @@
+# Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License.
+# This product includes software developed at Datadog (https://www.datadoghq.com/).
+# Copyright 2019-Present Datadog, Inc.
+from __future__ import annotations
+
+
+from datadog_api_client.model_utils import (
+    ModelSimple,
+    cached_property,
+)
+
+from typing import ClassVar
+
+
+class SecurityMonitoringRuleCaseActionOptionsFlaggedIPType(ModelSimple):
+    """
+    Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IPs addresses.
+
+    :param value: Must be one of ["SUSPICIOUS", "FLAGGED"].
+    :type value: str
+    """
+
+    allowed_values = {
+        "SUSPICIOUS",
+        "FLAGGED",
+    }
+    SUSPICIOUS: ClassVar["SecurityMonitoringRuleCaseActionOptionsFlaggedIPType"]
+    FLAGGED: ClassVar["SecurityMonitoringRuleCaseActionOptionsFlaggedIPType"]
+
+    @cached_property
+    def openapi_types(_):
+        return {
+            "value": (str,),
+        }
+
+
+SecurityMonitoringRuleCaseActionOptionsFlaggedIPType.SUSPICIOUS = SecurityMonitoringRuleCaseActionOptionsFlaggedIPType(
+    "SUSPICIOUS"
+)
+SecurityMonitoringRuleCaseActionOptionsFlaggedIPType.FLAGGED = SecurityMonitoringRuleCaseActionOptionsFlaggedIPType(
+    "FLAGGED"
+)
@@ -16,18 +16,20 @@ class SecurityMonitoringRuleCaseActionType(ModelSimple):
     """
     The action type.
 
-    :param value: Must be one of ["block_ip", "block_user", "user_behavior"].
+    :param value: Must be one of ["block_ip", "block_user", "user_behavior", "flag_ip"].
     :type value: str
     """
 
     allowed_values = {
         "block_ip",
         "block_user",
         "user_behavior",
+        "flag_ip",
     }
     BLOCK_IP: ClassVar["SecurityMonitoringRuleCaseActionType"]
     BLOCK_USER: ClassVar["SecurityMonitoringRuleCaseActionType"]
     USER_BEHAVIOR: ClassVar["SecurityMonitoringRuleCaseActionType"]
+    FLAG_IP: ClassVar["SecurityMonitoringRuleCaseActionType"]
 
     @cached_property
     def openapi_types(_):
@@ -39,3 +41,4 @@ def openapi_types(_):
 SecurityMonitoringRuleCaseActionType.BLOCK_IP = SecurityMonitoringRuleCaseActionType("block_ip")
 SecurityMonitoringRuleCaseActionType.BLOCK_USER = SecurityMonitoringRuleCaseActionType("block_user")
 SecurityMonitoringRuleCaseActionType.USER_BEHAVIOR = SecurityMonitoringRuleCaseActionType("user_behavior")
+SecurityMonitoringRuleCaseActionType.FLAG_IP = SecurityMonitoringRuleCaseActionType("flag_ip")
@@ -2885,6 +2885,9 @@
 from datadog_api_client.v2.model.security_monitoring_rule_case_action_options import (
     SecurityMonitoringRuleCaseActionOptions,
 )
+from datadog_api_client.v2.model.security_monitoring_rule_case_action_options_flagged_ip_type import (
+    SecurityMonitoringRuleCaseActionOptionsFlaggedIPType,
+)
 from datadog_api_client.v2.model.security_monitoring_rule_case_action_type import SecurityMonitoringRuleCaseActionType
 from datadog_api_client.v2.model.security_monitoring_rule_case_create import SecurityMonitoringRuleCaseCreate
 from datadog_api_client.v2.model.security_monitoring_rule_convert_payload import SecurityMonitoringRuleConvertPayload
@@ -5704,6 +5707,7 @@
     "SecurityMonitoringRuleCase",
     "SecurityMonitoringRuleCaseAction",
     "SecurityMonitoringRuleCaseActionOptions",
+    "SecurityMonitoringRuleCaseActionOptionsFlaggedIPType",
     "SecurityMonitoringRuleCaseActionType",
     "SecurityMonitoringRuleCaseCreate",
     "SecurityMonitoringRuleConvertPayload",

@@ -225,7 +225,7 @@ Feature: Security Monitoring
   @skip-validation @team:DataDog/k9-cloud-security-platform
   Scenario: Create a detection rule with type 'application_security 'returns "OK" response
     Given new "CreateSecurityMonitoringRule" request
-    And body with value {"type":"application_security","name":"{{unique}}_appsec_rule","queries":[{"query":"@appsec.security_activity:business_logic.users.login.failure","aggregation":"count","groupByFields":["service","@http.client_ip"],"distinctFields":[]}],"filters":[],"cases":[{"name":"","status":"info","notifications":[],"condition":"a > 100000","actions":[{"type":"block_ip","options":{"duration":900}}, {"type":"user_behavior","options":{"userBehaviorName":"behavior"}}]}],"options":{"keepAlive":3600,"maxSignalDuration":86400,"evaluationWindow":900,"detectionMethod":"threshold"},"isEnabled":true,"message":"Test rule","tags":[],"groupSignalsBy":["service"]}
+    And body with value {"type":"application_security","name":"{{unique}}_appsec_rule","queries":[{"query":"@appsec.security_activity:business_logic.users.login.failure","aggregation":"count","groupByFields":["service","@http.client_ip"],"distinctFields":[]}],"filters":[],"cases":[{"name":"","status":"info","notifications":[],"condition":"a > 100000","actions":[{"type":"block_ip","options":{"duration":900}}, {"type":"user_behavior","options":{"userBehaviorName":"behavior"}},{"type":"flag_ip","options":{"flaggedIPType":"FLAGGED"}}]}],"options":{"keepAlive":3600,"maxSignalDuration":86400,"evaluationWindow":900,"detectionMethod":"threshold"},"isEnabled":true,"message":"Test rule","tags":[],"groupSignalsBy":["service"]}
     When the request is sent
     Then the response status is 200 OK
     And the response "name" is equal to "{{ unique }}_appsec_rule"