Update an existing rule

PUT {{baseUrl}}/api/v2/security_monitoring/rules/:rule_id

Update an existing rule. When updating cases, queries or options, the whole field must be included. For example, when modifying a query all queries must be included. Default rules can only be updated to be enabled, to change notifications, or to update the tags (default tags cannot be removed).

Request Body

{"cases"=>[{"condition"=>"in dolore minim", "name"=>"ad incididunt mollit eiusmod", "notifications"=>["laborum qui tempor cupidatat commodo", "ut nulla fugiat"], "status"=>"critical"}, {"condition"=>"dolore in Ut", "name"=>"incidid", "notifications"=>["Ut occaecat irure tempor", "Excepteur nulla sunt est"], "status"=>"critical"}], "complianceSignalOptions"=>{"defaultActivationStatus"=>true, "defaultGroupByFields"=>["eiusmod dolor Ut", "aute consectetur et eiusmod sunt"], "userActivationStatus"=>true, "userGroupByFields"=>["enim ut", "ex"]}, "filters"=>[{"action"=>"require", "query"=>"cillum eu anim sint"}, {"action"=>"require", "query"=>"fugiat in"}], "hasExtendedTitle"=>true, "isEnabled"=>false, "message"=>"dolore proident", "name"=>"dolore dolor", "options"=>{"complianceRuleOptions"=>{"complexRule"=>true, "regoRule"=>{"policy"=>"package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(resource) = \"skip\" if {\n  # Logic that evaluates to true if the resource should be skipped\n  true\n} else = \"pass\" {\n  # Logic that evaluates to true if the resource is compliant\n  true\n} else = \"fail\" {\n  # Logic that evaluates to true if the resource is not compliant\n  true\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n  some resource in input.resources[input.main_resource_type]\n  result := dd_output.format(resource, eval(resource))\n}\n", "resourceTypes"=>["gcp_iam_service_account", "gcp_iam_policy"]}, "resourceType"=>"aws_acm"}, "decreaseCriticalityBasedOnEnv"=>false, "detectionMethod"=>"new_value", "evaluationWindow"=>900, "hardcodedEvaluatorType"=>"log4shell", "impossibleTravelOptions"=>{"baselineUserLocations"=>true}, "keepAlive"=>1800, "maxSignalDuration"=>43200, "newValueOptions"=>{"forgetAfter"=>14, "learningDuration"=>0, "learningMethod"=>"duration", "learningThreshold"=>0}, "thirdPartyRuleOptions"=>{"defaultNotifications"=>["officia sed occaecat", "sit non pariatur"], "defaultStatus"=>"critical", "rootQueries"=>[{"groupByFields"=>["in aliqua laborum tempor", "fugiat velit"], "query"=>"source:cloudtrail"}, {"groupByFields"=>["in aute", "labore dolore magna ut nisi"], "query"=>"source:cloudtrail"}], "signalTitleTemplate"=>"eu consequat dolor qui in"}}, "queries"=>[{"aggregation"=>"new_value", "distinctFields"=>["qui veniam tempor", "id aliquip"], "groupByFields"=>["aliquip aute officia esse", "laborum "], "hasOptionalGroupByFields"=>false, "metrics"=>["dolore consectetur nulla occaecat", "labore occaecat id"], "name"=>"tempor est consequat", "query"=>"a > 3"}, {"aggregation"=>"max", "distinctFields"=>["mollit aute", "tempor enim"], "groupByFields"=>["adipisicing sint sunt irure tempor", "nulla anim id incid"], "hasOptionalGroupByFields"=>false, "metrics"=>["id in aliqua", "dolor nisi ut irure do"], "name"=>"do reprehenderit ullamco tempor", "query"=>"a > 3"}], "tags"=>["laboris eu nulla veniam", "labore nulla consequat"], "version"=>1}

HEADERS

Key	Datatype	Required	Description
`Content-Type`	string
`Accept`	string

RESPONSES

status: OK

{&quot;cases&quot;:[{&quot;condition&quot;:&quot;fugiat labore laboris esse&quot;,&quot;name&quot;:&quot;in vo&quot;,&quot;notifications&quot;:[&quot;eu non aute&quot;,&quot;labore est&quot;],&quot;status&quot;:&quot;critical&quot;},{&quot;condition&quot;:&quot;nisi Duis&quot;,&quot;name&quot;:&quot;ea fugiat&quot;,&quot;notifications&quot;:[&quot;ex in&quot;,&quot;culpa dolor reprehenderit laboris Excepteur&quot;],&quot;status&quot;:&quot;critical&quot;}],&quot;complianceSignalOptions&quot;:{&quot;defaultActivationStatus&quot;:true,&quot;defaultGroupByFields&quot;:[&quot;enim culpa elit nulla&quot;,&quot;irure Ut&quot;],&quot;userActivationStatus&quot;:false,&quot;userGroupByFields&quot;:[&quot;in irure aute&quot;,&quot;nisi occaecat culpa&quot;]},&quot;createdAt&quot;:22509595,&quot;creationAuthorId&quot;:56594621,&quot;defaultTags&quot;:[&quot;security:attacks&quot;],&quot;deprecationDate&quot;:-40719165,&quot;filters&quot;:[{&quot;action&quot;:&quot;require&quot;,&quot;query&quot;:&quot;amet sit&quot;},{&quot;action&quot;:&quot;suppress&quot;,&quot;query&quot;:&quot;incididunt ullamco&quot;}],&quot;hasExtendedTitle&quot;:false,&quot;id&quot;:&quot;nulla Ut dolor&quot;,&quot;isDefault&quot;:false,&quot;isDeleted&quot;:false,&quot;isEnabled&quot;:false,&quot;message&quot;:&quot;velit dolore esse tempor&quot;,&quot;name&quot;:&quot;cillum et voluptate&quot;,&quot;options&quot;:{&quot;complianceRuleOptions&quot;:{&quot;complexRule&quot;:false,&quot;regoRule&quot;:{&quot;policy&quot;:&quot;package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(resource) = \&quot;skip\&quot; if {\n  # Logic that evaluates to true if the resource should be skipped\n  true\n} else = \&quot;pass\&quot; {\n  # Logic that evaluates to true if the resource is compliant\n  true\n} else = \&quot;fail\&quot; {\n  # Logic that evaluates to true if the resource is not compliant\n  true\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n  some resource in input.resources[input.main_resource_type]\n  result := dd_output.format(resource, eval(resource))\n}\n&quot;,&quot;resourceTypes&quot;:[&quot;gcp_iam_service_account&quot;,&quot;gcp_iam_policy&quot;]},&quot;resourceType&quot;:&quot;aws_acm&quot;},&quot;decreaseCriticalityBasedOnEnv&quot;:false,&quot;detectionMethod&quot;:&quot;threshold&quot;,&quot;evaluationWindow&quot;:900,&quot;hardcodedEvaluatorType&quot;:&quot;log4shell&quot;,&quot;impossibleTravelOptions&quot;:{&quot;baselineUserLocations&quot;:true},&quot;keepAlive&quot;:600,&quot;maxSignalDuration&quot;:3600,&quot;newValueOptions&quot;:{&quot;forgetAfter&quot;:7,&quot;learningDuration&quot;:0,&quot;learningMethod&quot;:&quot;duration&quot;,&quot;learningThreshold&quot;:0},&quot;thirdPartyRuleOptions&quot;:{&quot;defaultNotifications&quot;:[&quot;dolor ad est&quot;,&quot;dolor exercitation&quot;],&quot;defaultStatus&quot;:&quot;critical&quot;,&quot;rootQueries&quot;:[{&quot;groupByFields&quot;:[&quot;Ut&quot;,&quot;nostrud nulla id Lorem magn&quot;],&quot;query&quot;:&quot;source:cloudtrail&quot;},{&quot;groupByFields&quot;:[&quot;reprehenderit&quot;,&quot;aliquip laborum dolore&quot;],&quot;query&quot;:&quot;source:cloudtrail&quot;}],&quot;signalTitleTemplate&quot;:&quot;Duis eu Excepteu&quot;}},&quot;queries&quot;:[{&quot;aggregation&quot;:&quot;sum&quot;,&quot;distinctFields&quot;:[&quot;laborum&quot;,&quot;adipisicing Excepteur dolor&quot;],&quot;groupByFields&quot;:[&quot;id ipsum reprehenderit&quot;,&quot;amet velit&quot;],&quot;hasOptionalGroupByFields&quot;:false,&quot;metrics&quot;:[&quot;veniam commodo aliqua non Ut&quot;,&quot;veli&quot;],&quot;name&quot;:&quot;quis Lorem&quot;,&quot;query&quot;:&quot;a \u003e 3&quot;},{&quot;aggregation&quot;:&quot;geo_data&quot;,&quot;distinctFields&quot;:[&quot;tempor nulla&quot;,&quot;dolor dolore eu anim&quot;],&quot;groupByFields&quot;:[&quot;consequat elit cillum sunt fugiat&quot;,&quot;ullamco ut&quot;],&quot;hasOptionalGroupByFields&quot;:false,&quot;metrics&quot;:[&quot;nisi eiusmod&quot;,&quot;et irure ad&quot;],&quot;name&quot;:&quot;cupidatat aliqua&quot;,&quot;query&quot;:&quot;a \u003e 3&quot;}],&quot;tags&quot;:[&quot;esse&quot;,&quot;dolor&quot;],&quot;type&quot;:&quot;application_security&quot;,&quot;updateAuthorId&quot;:29716473,&quot;version&quot;:-86173542}