Validate a detection rule

POST {{baseUrl}}/api/v2/security_monitoring/rules/validation

Validate a detection rule.

Request Body

{
  "name": "My security monitoring rule.",
  "isEnabled": true,
  "options": {
    "complianceRuleOptions": {
      "complexRule": false,
      "regoRule": {
        "policy": "package datadog\n\nimport data.datadog.output as dd_output\nimport future.keywords.contains\nimport future.keywords.if\nimport future.keywords.in\n\neval(resource) = \"skip\" if {\n  # Logic that evaluates to true if the resource should be skipped\n  true\n} else = \"pass\" {\n  # Logic that evaluates to true if the resource is compliant\n  true\n} else = \"fail\" {\n  # Logic that evaluates to true if the resource is not compliant\n  true\n}\n\n# This part remains unchanged for all rules\nresults contains result if {\n  some resource in input.resources[input.main_resource_type]\n  result := dd_output.format(resource, eval(resource))\n}\n",
        "resourceTypes": ["gcp_iam_service_account", "gcp_iam_policy"]
      },
      "resourceType": "aws_acm"
    },
    "decreaseCriticalityBasedOnEnv": false,
    "detectionMethod": "hardcoded",
    "evaluationWindow": 1800,
    "hardcodedEvaluatorType": "log4shell",
    "impossibleTravelOptions": {"baselineUserLocations": true},
    "keepAlive": 7200,
    "maxSignalDuration": 60,
    "newValueOptions": {"forgetAfter": 7, "learningDuration": 0, "learningMethod": "duration", "learningThreshold": 0},
    "thirdPartyRuleOptions": {
      "defaultNotifications": ["sunt laboris", "officia velit deserunt dolore"],
      "defaultStatus": "critical",
      "rootQueries": [
        {"groupByFields": ["fugiat esse commodo labore", "veniam sunt"], "query": "source:cloudtrail"},
        {"groupByFields": ["aute in velit nisi", "commodo"], "query": "source:cloudtrail"}
      ],
      "signalTitleTemplate": "tempor eu adipisicing magna"
    }
  },
  "message": "",
  "filters": [
    {"action": "suppress", "query": "proident qui Lorem"},
    {"action": "suppress", "query": "deserunt sint cillum veniam"}
  ],
  "hasExtendedTitle": true,
  "tags": ["env:prod", "team:security"],
  "type": "log_detection"
}
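A small client for this endpoint, added here as an example and not part of the Datadog reference page or its SDKs. It runs a few local sanity checks on a rule payload, assembles the POST to {{baseUrl}}/api/v2/security_monitoring/rules/validation, and reports whether the rule was accepted, so a rule can be validated in CI before it is created. Everything beyond the request body above is an assumption: the DD-API-KEY and DD-APPLICATION-KEY headers for authentication, the environment variable names, the default base URL, and the reading that a 2xx status means valid while a 4xx status carries a JSON error body.

```python
import json
import os
import urllib.error
import urllib.request

VALIDATION_PATH = "/api/v2/security_monitoring/rules/validation"

# Constructed sample rule, trimmed from the page's request body. The filter
# query is a placeholder, not a tested detection.
SAMPLE_RULE = {
    "name": "My security monitoring rule.",
    "isEnabled": True,
    "type": "log_detection",
    "message": "",
    "hasExtendedTitle": True,
    "tags": ["env:prod", "team:security"],
    "filters": [{"action": "suppress", "query": "proident qui Lorem"}],
    "options": {
        "detectionMethod": "hardcoded",
        "hardcodedEvaluatorType": "log4shell",
        "evaluationWindow": 1800,
        "keepAlive": 7200,
        "maxSignalDuration": 60,
    },
}


def preflight_check(rule):
    """Cheap local checks that catch obvious mistakes before a round trip to the API.
    Returns a list of problem strings; an empty list means the payload is worth sending."""
    problems = []
    if not rule.get("name"):
        problems.append("name must be a non-empty string")
    if "type" not in rule:
        problems.append("type is required (e.g. log_detection)")
    if not isinstance(rule.get("isEnabled"), bool):
        problems.append("isEnabled must be a boolean")
    for i, flt in enumerate(rule.get("filters", [])):
        if not flt.get("action") or not flt.get("query"):
            problems.append(f"filters[{i}] needs both an action and a non-empty query")
    for tag in rule.get("tags", []):
        if ":" not in tag:
            problems.append(f"tag {tag!r} is not in key:value form")
    return problems


def build_validation_request(base_url, rule, api_key, app_key):
    """Assemble the POST without sending it: returns (url, headers, body bytes)."""
    url = base_url.rstrip("/") + VALIDATION_PATH
    headers = {
        "Content-Type": "application/json",
        "Accept": "application/json",
        # Assumed authentication headers; the page itself lists only Content-Type and Accept.
        "DD-API-KEY": api_key,
        "DD-APPLICATION-KEY": app_key,
    }
    body = json.dumps(rule).encode("utf-8")
    return url, headers, body


def validate_rule(base_url, rule, api_key, app_key, timeout=10):
    """POST the rule to the validation endpoint and return (is_valid, detail).
    Assumes a 2xx response means the rule is valid and a 4xx response carries a
    JSON body describing what is wrong. Local preflight failures short-circuit
    with status None so no request is made for an obviously broken payload."""
    problems = preflight_check(rule)
    if problems:
        return False, {"status": None, "errors": problems}
    url, headers, body = build_validation_request(base_url, rule, api_key, app_key)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return True, {"status": resp.status}
    except urllib.error.HTTPError as err:
        raw = err.read().decode("utf-8", errors="replace")
        try:
            detail = json.loads(raw)
        except json.JSONDecodeError:
            detail = raw
        return False, {"status": err.code, "errors": detail}


if __name__ == "__main__":
    # Environment variable names and the default site URL are assumptions.
    ok, detail = validate_rule(
        os.environ.get("DD_SITE_URL", "https://api.datadoghq.com"),
        SAMPLE_RULE,
        os.environ.get("DD_API_KEY", ""),
        os.environ.get("DD_APP_KEY", ""),
    )
    print("valid" if ok else "invalid", json.dumps(detail, indent=2))
```

The preflight step is deliberately conservative: it only rejects payloads that cannot be valid under the body shown above (missing name or type, non-boolean isEnabled, filters without an action or query, tags without a key:value separator) and leaves everything else to the API, which is the authority on rule semantics.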

HEADERS

Key           Datatype   Required   Description
Content-Type  string
Accept        string