ConnectionMaster · pull · Sep 19, 2025 · Sep 19, 2025 · Sep 19, 2025
diff --git a/.generator/schemas/v2/openapi.yaml b/.generator/schemas/v2/openapi.yaml
@@ -20470,6 +20470,8 @@ components:
           $ref: '#/components/schemas/SecurityMonitoringRuleMaxSignalDuration'
         newValueOptions:
           $ref: '#/components/schemas/SecurityMonitoringRuleNewValueOptions'
+        sequenceDetectionOptions:
+          $ref: '#/components/schemas/SecurityMonitoringRuleSequenceDetectionOptions'
         thirdPartyRuleOptions:
           $ref: '#/components/schemas/SecurityMonitoringRuleThirdPartyOptions'
       type: object
@@ -40786,6 +40788,7 @@ components:
       - hardcoded
       - third_party
       - anomaly_threshold
+      - sequence_detection
       type: string
       x-enum-varnames:
       - THRESHOLD
@@ -40795,6 +40798,7 @@ components:
       - HARDCODED
       - THIRD_PARTY
       - ANOMALY_THRESHOLD
+      - SEQUENCE_DETECTION
     SecurityMonitoringRuleEvaluationWindow:
       description: 'A time window is specified to match when at least one of the cases
         matches true. This is a sliding window
@@ -41008,6 +41012,8 @@ components:
           $ref: '#/components/schemas/SecurityMonitoringRuleMaxSignalDuration'
         newValueOptions:
           $ref: '#/components/schemas/SecurityMonitoringRuleNewValueOptions'
+        sequenceDetectionOptions:
+          $ref: '#/components/schemas/SecurityMonitoringRuleSequenceDetectionOptions'
         thirdPartyRuleOptions:
           $ref: '#/components/schemas/SecurityMonitoringRuleThirdPartyOptions'
       type: object
@@ -41083,6 +41089,47 @@ components:
       oneOf:
       - $ref: '#/components/schemas/SecurityMonitoringStandardRuleResponse'
       - $ref: '#/components/schemas/SecurityMonitoringSignalRuleResponse'
+    SecurityMonitoringRuleSequenceDetectionOptions:
+      description: Options on sequence detection method.
+      properties:
+        stepTransitions:
+          description: Transitions defining the allowed order of steps and their evaluation
+            windows.
+          items:
+            $ref: '#/components/schemas/SecurityMonitoringRuleSequenceDetectionStepTransition'
+          type: array
+        steps:
+          description: Steps that define the conditions to be matched in sequence.
+          items:
+            $ref: '#/components/schemas/SecurityMonitoringRuleSequenceDetectionStep'
+          type: array
+      type: object
+    SecurityMonitoringRuleSequenceDetectionStep:
+      description: Step definition for sequence detection containing the step name,
+        condition, and evaluation window.
+      properties:
+        condition:
+          description: Condition referencing rule queries (e.g., `a > 0`).
+          type: string
+        evaluationWindow:
+          $ref: '#/components/schemas/SecurityMonitoringRuleEvaluationWindow'
+        name:
+          description: Unique name identifying the step.
+          type: string
+      type: object
+    SecurityMonitoringRuleSequenceDetectionStepTransition:
+      description: Transition from a parent step to a child step within a sequence
+        detection rule.
+      properties:
+        child:
+          description: Name of the child step.
+          type: string
+        evaluationWindow:
+          $ref: '#/components/schemas/SecurityMonitoringRuleEvaluationWindow'
+        parent:
+          description: Name of the parent step.
+          type: string
+      type: object
     SecurityMonitoringRuleSeverity:
       description: Severity of the Security Signal.
       enum:
@@ -56869,7 +56916,7 @@ paths:
           $ref: '#/components/responses/TooManyRequestsResponse'
       security:
       - apiKeyAuth: []
-      - appKeyAuth: []
+        appKeyAuth: []
       summary: Delete a deployment event
       tags:
       - DORA Metrics
@@ -56945,7 +56992,7 @@ paths:
           $ref: '#/components/responses/TooManyRequestsResponse'
       security:
       - apiKeyAuth: []
-      - appKeyAuth: []
+        appKeyAuth: []
       summary: Get a deployment event
       tags:
       - DORA Metrics
@@ -57026,7 +57073,7 @@ paths:
           $ref: '#/components/responses/TooManyRequestsResponse'
       security:
       - apiKeyAuth: []
-      - appKeyAuth: []
+        appKeyAuth: []
       summary: Delete a failure event
       tags:
       - DORA Metrics
@@ -57102,7 +57149,7 @@ paths:
           $ref: '#/components/responses/TooManyRequestsResponse'
       security:
       - apiKeyAuth: []
-      - appKeyAuth: []
+        appKeyAuth: []
       summary: Get a failure event
       tags:
       - DORA Metrics

diff --git a/...eate-a-detection-rule-with-detection-method-sequence-detection-returns-OK-response.frozen b/...eate-a-detection-rule-with-detection-method-sequence-detection-returns-OK-response.frozen
@@ -0,0 +1 @@
+2025-09-12T15:45:55.719Z
diff --git a/.../Create-a-detection-rule-with-detection-method-sequence-detection-returns-OK-response.yml b/.../Create-a-detection-rule-with-detection-method-sequence-detection-returns-OK-response.yml
diff --git a/...date-a-detection-rule-with-detection-method-sequence-detection-returns-OK-response.frozen b/...date-a-detection-rule-with-detection-method-sequence-detection-returns-OK-response.frozen
@@ -0,0 +1 @@
+2025-09-12T15:43:48.016Z
diff --git a/...alidate-a-detection-rule-with-detection-method-sequence-detection-returns-OK-response.yml b/...alidate-a-detection-rule-with-detection-method-sequence-detection-returns-OK-response.yml
diff --git a/examples/v2/security-monitoring/CreateSecurityMonitoringRule_2899714190.rb b/examples/v2/security-monitoring/CreateSecurityMonitoringRule_2899714190.rb
@@ -0,0 +1,68 @@
+# Create a detection rule with detection method 'sequence_detection' returns "OK" response
+
+require "datadog_api_client"
+api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
+
+body = DatadogAPIClient::V2::SecurityMonitoringStandardRuleCreatePayload.new({
+  name: "Example-Security-Monitoring",
+  type: DatadogAPIClient::V2::SecurityMonitoringRuleTypeCreate::LOG_DETECTION,
+  is_enabled: true,
+  queries: [
+    DatadogAPIClient::V2::SecurityMonitoringStandardRuleQuery.new({
+      aggregation: DatadogAPIClient::V2::SecurityMonitoringRuleQueryAggregation::COUNT,
+      data_source: DatadogAPIClient::V2::SecurityMonitoringStandardDataSource::LOGS,
+      distinct_fields: [],
+      group_by_fields: [],
+      has_optional_group_by_fields: false,
+      name: "",
+      query: "service:logs-rule-reducer source:paul test2",
+    }),
+    DatadogAPIClient::V2::SecurityMonitoringStandardRuleQuery.new({
+      aggregation: DatadogAPIClient::V2::SecurityMonitoringRuleQueryAggregation::COUNT,
+      data_source: DatadogAPIClient::V2::SecurityMonitoringStandardDataSource::LOGS,
+      distinct_fields: [],
+      group_by_fields: [],
+      has_optional_group_by_fields: false,
+      name: "",
+      query: "service:logs-rule-reducer source:paul test1",
+    }),
+  ],
+  cases: [
+    DatadogAPIClient::V2::SecurityMonitoringRuleCaseCreate.new({
+      name: "",
+      status: DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::INFO,
+      notifications: [],
+      condition: "step_b > 0",
+    }),
+  ],
+  message: "Logs and signals asdf",
+  options: DatadogAPIClient::V2::SecurityMonitoringRuleOptions.new({
+    detection_method: DatadogAPIClient::V2::SecurityMonitoringRuleDetectionMethod::SEQUENCE_DETECTION,
+    evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::ZERO_MINUTES,
+    keep_alive: DatadogAPIClient::V2::SecurityMonitoringRuleKeepAlive::FIVE_MINUTES,
+    max_signal_duration: DatadogAPIClient::V2::SecurityMonitoringRuleMaxSignalDuration::TEN_MINUTES,
+    sequence_detection_options: DatadogAPIClient::V2::SecurityMonitoringRuleSequenceDetectionOptions.new({
+      step_transitions: [
+        DatadogAPIClient::V2::SecurityMonitoringRuleSequenceDetectionStepTransition.new({
+          child: "step_b",
+          evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::FIFTEEN_MINUTES,
+          parent: "step_a",
+        }),
+      ],
+      steps: [
+        DatadogAPIClient::V2::SecurityMonitoringRuleSequenceDetectionStep.new({
+          condition: "a > 0",
+          evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::ONE_MINUTE,
+          name: "step_a",
+        }),
+        DatadogAPIClient::V2::SecurityMonitoringRuleSequenceDetectionStep.new({
+          condition: "b > 0",
+          evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::ONE_MINUTE,
+          name: "step_b",
+        }),
+      ],
+    }),
+  }),
+  tags: [],
+})
+p api_instance.create_security_monitoring_rule(body)
diff --git a/examples/v2/security-monitoring/ValidateSecurityMonitoringRule_4152369508.rb b/examples/v2/security-monitoring/ValidateSecurityMonitoringRule_4152369508.rb
@@ -0,0 +1,70 @@
+# Validate a detection rule with detection method 'sequence_detection' returns "OK" response
+
+require "datadog_api_client"
+api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
+
+body = DatadogAPIClient::V2::SecurityMonitoringStandardRulePayload.new({
+  cases: [
+    DatadogAPIClient::V2::SecurityMonitoringRuleCaseCreate.new({
+      name: "",
+      status: DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::INFO,
+      notifications: [],
+      condition: "step_b > 0",
+    }),
+  ],
+  has_extended_title: true,
+  is_enabled: true,
+  message: "My security monitoring rule",
+  name: "My security monitoring rule",
+  options: DatadogAPIClient::V2::SecurityMonitoringRuleOptions.new({
+    evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::ZERO_MINUTES,
+    keep_alive: DatadogAPIClient::V2::SecurityMonitoringRuleKeepAlive::FIVE_MINUTES,
+    max_signal_duration: DatadogAPIClient::V2::SecurityMonitoringRuleMaxSignalDuration::TEN_MINUTES,
+    detection_method: DatadogAPIClient::V2::SecurityMonitoringRuleDetectionMethod::SEQUENCE_DETECTION,
+    sequence_detection_options: DatadogAPIClient::V2::SecurityMonitoringRuleSequenceDetectionOptions.new({
+      step_transitions: [
+        DatadogAPIClient::V2::SecurityMonitoringRuleSequenceDetectionStepTransition.new({
+          child: "step_b",
+          evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::FIFTEEN_MINUTES,
+          parent: "step_a",
+        }),
+      ],
+      steps: [
+        DatadogAPIClient::V2::SecurityMonitoringRuleSequenceDetectionStep.new({
+          condition: "a > 0",
+          evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::ONE_MINUTE,
+          name: "step_a",
+        }),
+        DatadogAPIClient::V2::SecurityMonitoringRuleSequenceDetectionStep.new({
+          condition: "b > 0",
+          evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::ONE_MINUTE,
+          name: "step_b",
+        }),
+      ],
+    }),
+  }),
+  queries: [
+    DatadogAPIClient::V2::SecurityMonitoringStandardRuleQuery.new({
+      query: "source:source_here",
+      group_by_fields: [
+        "@userIdentity.assumed_role",
+      ],
+      distinct_fields: [],
+      aggregation: DatadogAPIClient::V2::SecurityMonitoringRuleQueryAggregation::COUNT,
+      name: "",
+    }),
+    DatadogAPIClient::V2::SecurityMonitoringStandardRuleQuery.new({
+      query: "source:source_here2",
+      group_by_fields: [],
+      distinct_fields: [],
+      aggregation: DatadogAPIClient::V2::SecurityMonitoringRuleQueryAggregation::COUNT,
+      name: "",
+    }),
+  ],
+  tags: [
+    "env:prod",
+    "team:security",
+  ],
+  type: DatadogAPIClient::V2::SecurityMonitoringRuleTypeCreate::LOG_DETECTION,
+})
+api_instance.validate_security_monitoring_rule(body)
diff --git a/features/v2/dora_metrics.feature b/features/v2/dora_metrics.feature
@@ -42,28 +42,32 @@ Feature: DORA Metrics
 
   @generated @skip @team:DataDog/ci-app-backend
   Scenario: Get a deployment event returns "Bad Request" response
-    Given new "GetDORADeployment" request
+    Given a valid "appKeyAuth" key in the system
+    And new "GetDORADeployment" request
     And request contains "deployment_id" parameter from "REPLACE.ME"
     When the request is sent
     Then the response status is 400 Bad Request
 
   @generated @skip @team:DataDog/ci-app-backend
   Scenario: Get a deployment event returns "OK" response
-    Given new "GetDORADeployment" request
+    Given a valid "appKeyAuth" key in the system
+    And new "GetDORADeployment" request
     And request contains "deployment_id" parameter from "REPLACE.ME"
     When the request is sent
     Then the response status is 200 OK
 
   @generated @skip @team:DataDog/ci-app-backend
   Scenario: Get a failure event returns "Bad Request" response
-    Given new "GetDORAFailure" request
+    Given a valid "appKeyAuth" key in the system
+    And new "GetDORAFailure" request
     And request contains "failure_id" parameter from "REPLACE.ME"
     When the request is sent
     Then the response status is 400 Bad Request
 
   @generated @skip @team:DataDog/ci-app-backend
   Scenario: Get a failure event returns "OK" response
-    Given new "GetDORAFailure" request
+    Given a valid "appKeyAuth" key in the system
+    And new "GetDORAFailure" request
     And request contains "failure_id" parameter from "REPLACE.ME"
     When the request is sent
     Then the response status is 200 OK