diff --git a/.generator/schemas/v2/openapi.yaml b/.generator/schemas/v2/openapi.yaml index 2d470c8f2f..2d1f24f090 100644 --- a/.generator/schemas/v2/openapi.yaml +++ b/.generator/schemas/v2/openapi.yaml @@ -44181,6 +44181,16 @@ components: items: type: string type: array + triage_state: + description: "Current triage state of the indicator: not_reviewed or reviewed." + type: string + triaged_at: + description: Timestamp when the indicator was last triaged. + format: date-time + type: string + triaged_by: + description: UUID of the user who last triaged the indicator. + type: string type: object IoCIndicatorDetailed: description: An indicator of compromise with extended context from your environment. @@ -44299,6 +44309,21 @@ components: items: type: string type: array + triage_history: + description: Full triage history timeline. Returned only when `include_triage_history` is true. + items: + $ref: "#/components/schemas/IoCTriageEvent" + type: array + triage_state: + description: "Current triage state of the indicator: not_reviewed or reviewed." + type: string + triaged_at: + description: Timestamp when the indicator was last triaged. + format: date-time + type: string + triaged_by: + description: UUID of the user who last triaged the indicator. + type: string users: additionalProperties: description: List of user identifiers in this category. 
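Review bot: `triage_state` is added as a free-form `type: string` whose description enumerates a closed set (`not_reviewed or reviewed`); declaring it as `enum: [not_reviewed, reviewed]` would make the generator emit a typed enum model so the client rejects any other value before a request is sent, rather than relying on the server's 400. The same applies to `triage_state` in the IoCIndicatorDetailed hunk on this line, to IoCTriageEvent, IoCTriageWriteRequestAttributes and IoCTriageWriteResponseAttributes in the `@@ -44337` hunk, and to the `triage_state` query parameter in the `@@ -159560` hunk. Likewise `triaged_by` here (and `worked_by` in `@@ -159560`) is described as a UUID but carries no `format: uuid`, so the generated client performs no shape check on it. The enclosing `IoCIndicator` schema starts before this hunk.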
@@ -44337,6 +44362,97 @@ components: description: Name of the threat intelligence source. type: string type: object + IoCTriageEvent: + description: A single entry in an indicator's triage history timeline. + properties: + triage_state: + description: "Triage state set by this action: not_reviewed or reviewed." + type: string + triaged_at: + description: Timestamp when this triage action occurred. + format: date-time + type: string + triaged_by: + description: UUID of the user who performed this triage action. + type: string + type: object + IoCTriageWriteRequest: + description: Request body for creating or updating an indicator triage state. + properties: + data: + $ref: "#/components/schemas/IoCTriageWriteRequestData" + required: + - data + type: object + IoCTriageWriteRequestAttributes: + description: Attributes for setting an indicator's triage state. + properties: + indicator: + description: The indicator value to triage (for example, an IP address or domain). + example: "192.0.2.1" + type: string + triage_state: + description: "The triage state to set: not_reviewed or reviewed." + example: reviewed + type: string + required: + - indicator + - triage_state + type: object + IoCTriageWriteRequestData: + description: Data object for the triage write request. + properties: + attributes: + $ref: "#/components/schemas/IoCTriageWriteRequestAttributes" + type: + default: ioc_triage_state + description: Triage state resource type. + example: ioc_triage_state + type: string + required: + - type + - attributes + type: object + IoCTriageWriteResponse: + description: Response for the create indicator triage state endpoint. + properties: + data: + $ref: "#/components/schemas/IoCTriageWriteResponseData" + type: object + IoCTriageWriteResponseAttributes: + description: Attributes of a created or updated triage state. + properties: + created_at: + description: Timestamp when the triage record was created. 
+ format: date-time + type: string + indicator: + description: The indicator value that was triaged. + type: string + triage_state: + description: "The triage state that was set: not_reviewed or reviewed." + type: string + triaged_at: + description: Timestamp when the triage state was set. + format: date-time + type: string + triaged_by: + description: UUID of the user who set the triage state. + type: string + type: object + IoCTriageWriteResponseData: + description: Data object of the triage write response. + properties: + attributes: + $ref: "#/components/schemas/IoCTriageWriteResponseAttributes" + id: + description: Unique identifier for the triage state record. + type: string + type: + default: ioc_triage_state + description: Triage state resource type. + type: string + type: object Issue: description: The issue matching the request. properties: @@ -159560,6 +159676,25 @@ paths: schema: default: desc type: string + - description: When true, return only OCSF field-based matches. When false, return regex/message-based matches. + in: query + name: ocsf + required: false + schema: + default: true + type: boolean + - description: Filter indicators whose triage state was updated by a specific user UUID. + in: query + name: worked_by + required: false + schema: + type: string + - description: "Filter by triage state: not_reviewed or reviewed." + in: query + name: triage_state + required: false + schema: + type: string responses: "200": content: 
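Review bot: The new `ocsf` query parameter carries `default: true`, so every existing caller of this list endpoint that omits it now receives only OCSF field-based matches; if the endpoint previously returned regex/message-based matches as well, that is a silent narrowing of results for unchanged client code. The parameter description should state what is returned when the parameter is omitted and how that compares with the pre-existing behaviour, and the changelog should call it out. The same parameter with the same default is added to the get endpoint in the `@@ -159611` hunk. Whether the server applied this filter before the parameter existed is not visible in the diff, so confirm against the service before merging.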
@@ -159611,6 +159746,38 @@ paths: required: true schema: type: string + - description: When true, return only OCSF field-based matches. When false, return regex/message-based matches. + in: query + name: ocsf + required: false + schema: + default: true + type: boolean + - description: Include full triage history for the indicator. + in: query + name: include_triage_history + required: false + schema: + default: false + type: boolean + - description: Maximum number of triage history events returned. Only applied when `include_triage_history` is true. + in: query + name: triage_history_limit + required: false + schema: + default: 50 + format: int32 + maximum: 1000 + minimum: 1 + type: integer + - description: Pagination offset into the triage history. Only applied when `include_triage_history` is true. + in: query + name: triage_history_offset + required: false + schema: + default: 0 + format: int32 + type: integer responses: "200": content: 
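Review bot: `triage_history_offset` has `default: 0` and `format: int32` but no `minimum: 0`, whereas the companion `triage_history_limit` is bounded with `minimum: 1` and `maximum: 1000`; a negative offset is accepted by the generated client and only rejected (or silently handled) server-side. Adding `minimum: 0` to its schema would make the generator emit an `inclusive_minimum` check in the `params_map` added by the `@@ -1578` hunk of `security_monitoring_api.py`, matching how `triage_history_limit` is validated there. The parameters list this hunk extends starts before the hunk.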
@@ -159648,6 +159815,62 @@ paths: x-unstable: |- **Note**: This endpoint is in beta and may be subject to changes. Please check the documentation regularly for updates. + /api/v2/security/siem/ioc-explorer/triage: + post: + description: |- + Set the triage state of an indicator of compromise (IoC). This creates or + updates the triage state for the indicator in your organization. + operationId: CreateIoCTriageState + requestBody: + content: + "application/json": + examples: + default: + value: + data: + attributes: + indicator: "192.0.2.1" + triage_state: reviewed + type: ioc_triage_state + schema: + $ref: "#/components/schemas/IoCTriageWriteRequest" + description: The triage state to set for the indicator. + required: true + responses: + "201": + content: + "application/json": + examples: + default: + value: + data: + attributes: + created_at: "2026-06-04T12:00:00Z" + indicator: "192.0.2.1" + triage_state: reviewed + triaged_at: "2026-06-04T12:00:00Z" + triaged_by: 11111111-2222-3333-4444-555555555555 + id: abc-123 + type: ioc_triage_state + schema: + $ref: "#/components/schemas/IoCTriageWriteResponse" + description: Created + "400": + $ref: "#/components/responses/BadRequestResponse" + "403": + $ref: "#/components/responses/NotAuthorizedResponse" + "429": + $ref: "#/components/responses/TooManyRequestsResponse" + security: + - apiKeyAuth: [] + appKeyAuth: [] + - AuthZ: + - security_monitoring_signals_write + summary: Create or update an indicator triage state + tags: ["Security Monitoring"] + x-unstable: |- + **Note**: This endpoint is in beta and may be subject to changes. + Please check the documentation regularly for updates. /api/v2/security/signals/notification_rules: get: description: Returns the list of notification rules for security signals. diff --git a/docs/datadog_api_client.v2.model.rst b/docs/datadog_api_client.v2.model.rst index f1ceac9025..c051863df9 100644 --- a/docs/datadog_api_client.v2.model.rst +++ b/docs/datadog_api_client.v2.model.rst 
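Review bot: The operation description says it `creates or updates` the triage state, yet the only success response declared is `"201"` with `description: Created`; either state in the description that a second POST for the same indicator (an update) also returns 201, or declare a `"200"` response for the update case so the generated client and docs match what the server actually returns. The declared error set (`400`/`403`/`429`) has no `404`, which matters only if an unknown indicator is rejected rather than recorded — that is not determinable from this hunk and worth confirming with the service owners.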
@@ -18169,6 +18169,55 @@ datadog\_api\_client.v2.model.io\_c\_source module :members: :show-inheritance: +datadog\_api\_client.v2.model.io\_c\_triage\_event module +--------------------------------------------------------- + +.. automodule:: datadog_api_client.v2.model.io_c_triage_event + :members: + :show-inheritance: + +datadog\_api\_client.v2.model.io\_c\_triage\_write\_request module +------------------------------------------------------------------ + +.. automodule:: datadog_api_client.v2.model.io_c_triage_write_request + :members: + :show-inheritance: + +datadog\_api\_client.v2.model.io\_c\_triage\_write\_request\_attributes module +------------------------------------------------------------------------------ + +.. automodule:: datadog_api_client.v2.model.io_c_triage_write_request_attributes + :members: + :show-inheritance: + +datadog\_api\_client.v2.model.io\_c\_triage\_write\_request\_data module +------------------------------------------------------------------------ + +.. automodule:: datadog_api_client.v2.model.io_c_triage_write_request_data + :members: + :show-inheritance: + +datadog\_api\_client.v2.model.io\_c\_triage\_write\_response module +------------------------------------------------------------------- + +.. automodule:: datadog_api_client.v2.model.io_c_triage_write_response + :members: + :show-inheritance: + +datadog\_api\_client.v2.model.io\_c\_triage\_write\_response\_attributes module +------------------------------------------------------------------------------- + +.. automodule:: datadog_api_client.v2.model.io_c_triage_write_response_attributes + :members: + :show-inheritance: + +datadog\_api\_client.v2.model.io\_c\_triage\_write\_response\_data module +------------------------------------------------------------------------- + +.. 
automodule:: datadog_api_client.v2.model.io_c_triage_write_response_data + :members: + :show-inheritance: + datadog\_api\_client.v2.model.ios\_sourcemap\_attributes module --------------------------------------------------------------- diff --git a/examples/v2/security-monitoring/CreateIoCTriageState.py b/examples/v2/security-monitoring/CreateIoCTriageState.py new file mode 100644 index 0000000000..1c97eef77d --- /dev/null +++ b/examples/v2/security-monitoring/CreateIoCTriageState.py @@ -0,0 +1,27 @@ +""" +Create or update an indicator triage state returns "Created" response +""" + +from datadog_api_client import ApiClient, Configuration +from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi +from datadog_api_client.v2.model.io_c_triage_write_request import IoCTriageWriteRequest +from datadog_api_client.v2.model.io_c_triage_write_request_attributes import IoCTriageWriteRequestAttributes +from datadog_api_client.v2.model.io_c_triage_write_request_data import IoCTriageWriteRequestData + +body = IoCTriageWriteRequest( + data=IoCTriageWriteRequestData( + attributes=IoCTriageWriteRequestAttributes( + indicator="192.0.2.1", + triage_state="reviewed", + ), + type="ioc_triage_state", + ), +) + +configuration = Configuration() +configuration.unstable_operations["create_io_c_triage_state"] = True +with ApiClient(configuration) as api_client: + api_instance = SecurityMonitoringApi(api_client) + response = api_instance.create_io_c_triage_state(body=body) + + print(response) diff --git a/examples/v2/security-monitoring/GetIndicatorOfCompromise.py b/examples/v2/security-monitoring/GetIndicatorOfCompromise.py index 0e44580585..56aba2d0ff 100644 --- a/examples/v2/security-monitoring/GetIndicatorOfCompromise.py +++ b/examples/v2/security-monitoring/GetIndicatorOfCompromise.py 
@@ -10,7 +10,8 @@ with ApiClient(configuration) as api_client: api_instance = SecurityMonitoringApi(api_client) response = api_instance.get_indicator_of_compromise( - indicator="masscan/1.3 (https://github.com/robertdavidgraham/masscan)", + indicator="192.0.2.1", + include_triage_history=True, ) print(response) diff --git a/src/datadog_api_client/configuration.py b/src/datadog_api_client/configuration.py index 62cd8f6abf..6beaec209a 100644 --- a/src/datadog_api_client/configuration.py +++ b/src/datadog_api_client/configuration.py @@ -394,6 +394,7 @@ def __init__( "v2.cancel_historical_job": False, "v2.convert_job_result_to_signal": False, "v2.convert_security_monitoring_terraform_resource": False, + "v2.create_io_c_triage_state": False, "v2.create_sample_log_generation_subscription": False, "v2.create_security_monitoring_dataset": False, "v2.create_security_monitoring_integration_config": False, diff --git a/src/datadog_api_client/v2/api/security_monitoring_api.py b/src/datadog_api_client/v2/api/security_monitoring_api.py index ff04f6317b..65c0cd6319 100644 --- a/src/datadog_api_client/v2/api/security_monitoring_api.py +++ b/src/datadog_api_client/v2/api/security_monitoring_api.py @@ -64,6 +64,8 @@ from datadog_api_client.v2.model.cloud_asset_type import CloudAssetType from datadog_api_client.v2.model.io_c_explorer_list_response import IoCExplorerListResponse from datadog_api_client.v2.model.get_io_c_indicator_response import GetIoCIndicatorResponse +from datadog_api_client.v2.model.io_c_triage_write_response import IoCTriageWriteResponse +from datadog_api_client.v2.model.io_c_triage_write_request import IoCTriageWriteRequest from datadog_api_client.v2.model.notification_rule_response import NotificationRuleResponse from datadog_api_client.v2.model.create_notification_rule_parameters import CreateNotificationRuleParameters from datadog_api_client.v2.model.patch_notification_rule_parameters import PatchNotificationRuleParameters 
@@ -698,6 +700,26 @@ def __init__(self, api_client=None): api_client=api_client, ) + self._create_io_c_triage_state_endpoint = _Endpoint( + settings={ + "response_type": (IoCTriageWriteResponse,), + "auth": ["apiKeyAuth", "appKeyAuth", "AuthZ"], + "endpoint_path": "/api/v2/security/siem/ioc-explorer/triage", + "operation_id": "create_io_c_triage_state", + "http_method": "POST", + "version": "v2", + }, + params_map={ + "body": { + "required": True, + "openapi_types": (IoCTriageWriteRequest,), + "location": "body", + }, + }, + headers_map={"accept": ["application/json"], "content_type": ["application/json"]}, + api_client=api_client, + ) + self._create_jira_issues_endpoint = _Endpoint( settings={ "response_type": (FindingCaseResponseArray,), @@ -1578,6 +1600,30 @@ def __init__(self, api_client=None): "attribute": "indicator", "location": "query", }, + "ocsf": { + "openapi_types": (bool,), + "attribute": "ocsf", + "location": "query", + }, + "include_triage_history": { + "openapi_types": (bool,), + "attribute": "include_triage_history", + "location": "query", + }, + "triage_history_limit": { + "validation": { + "inclusive_maximum": 1000, + "inclusive_minimum": 1, + }, + "openapi_types": (int,), + "attribute": "triage_history_limit", + "location": "query", + }, + "triage_history_offset": { + "openapi_types": (int,), + "attribute": "triage_history_offset", + "location": "query", + }, }, headers_map={ "accept": ["application/json"], @@ -2578,6 +2624,21 @@ def __init__(self, api_client=None): "attribute": "sort[order]", "location": "query", }, + "ocsf": { + "openapi_types": (bool,), + "attribute": "ocsf", + "location": "query", + }, + "worked_by": { + "openapi_types": (str,), + "attribute": "worked_by", + "location": "query", + }, + "triage_state": { + "openapi_types": (str,), + "attribute": "triage_state", + "location": "query", + }, }, headers_map={ "accept": ["application/json"], 
@@ -4295,6 +4356,24 @@ def create_custom_framework( return self._create_custom_framework_endpoint.call_with_http_info(**kwargs) + def create_io_c_triage_state( + self, + body: IoCTriageWriteRequest, + ) -> IoCTriageWriteResponse: + """Create or update an indicator triage state. + + Set the triage state of an indicator of compromise (IoC). This creates or + updates the triage state for the indicator in your organization. + + :param body: The triage state to set for the indicator. + :type body: IoCTriageWriteRequest + :rtype: IoCTriageWriteResponse + """ + kwargs: Dict[str, Any] = {} + kwargs["body"] = body + + return self._create_io_c_triage_state_endpoint.call_with_http_info(**kwargs) + def create_jira_issues( self, body: CreateJiraIssueRequestArray, @@ -5029,6 +5108,11 @@ def get_historical_job( def get_indicator_of_compromise( self, indicator: str, + *, + ocsf: Union[bool, UnsetType] = unset, + include_triage_history: Union[bool, UnsetType] = unset, + triage_history_limit: Union[int, UnsetType] = unset, + triage_history_offset: Union[int, UnsetType] = unset, ) -> GetIoCIndicatorResponse: """Get an indicator of compromise. 
@@ -5036,11 +5120,31 @@ def get_indicator_of_compromise( :param indicator: The indicator value to look up (for example, an IP address or domain). :type indicator: str + :param ocsf: When true, return only OCSF field-based matches. When false, return regex/message-based matches. + :type ocsf: bool, optional + :param include_triage_history: Include full triage history for the indicator. + :type include_triage_history: bool, optional + :param triage_history_limit: Maximum number of triage history events returned. Only applied when ``include_triage_history`` is true. + :type triage_history_limit: int, optional + :param triage_history_offset: Pagination offset into the triage history. Only applied when ``include_triage_history`` is true. + :type triage_history_offset: int, optional :rtype: GetIoCIndicatorResponse """ kwargs: Dict[str, Any] = {} kwargs["indicator"] = indicator + if ocsf is not unset: + kwargs["ocsf"] = ocsf + + if include_triage_history is not unset: + kwargs["include_triage_history"] = include_triage_history + + if triage_history_limit is not unset: + kwargs["triage_history_limit"] = triage_history_limit + + if triage_history_offset is not unset: + kwargs["triage_history_offset"] = triage_history_offset + return self._get_indicator_of_compromise_endpoint.call_with_http_info(**kwargs) def get_investigation_log_queries_matching_signal( @@ -6042,6 +6146,9 @@ def list_indicators_of_compromise( query: Union[str, UnsetType] = unset, sort_column: Union[str, UnsetType] = unset, sort_order: Union[str, UnsetType] = unset, + ocsf: Union[bool, UnsetType] = unset, + worked_by: Union[str, UnsetType] = unset, + triage_state: Union[str, UnsetType] = unset, ) -> IoCExplorerListResponse: """List indicators of compromise. 
@@ -6057,6 +6164,12 @@ def list_indicators_of_compromise( :type sort_column: str, optional :param sort_order: Sort order: asc or desc. :type sort_order: str, optional + :param ocsf: When true, return only OCSF field-based matches. When false, return regex/message-based matches. + :type ocsf: bool, optional + :param worked_by: Filter indicators whose triage state was updated by a specific user UUID. + :type worked_by: str, optional + :param triage_state: Filter by triage state: not_reviewed or reviewed. + :type triage_state: str, optional :rtype: IoCExplorerListResponse """ kwargs: Dict[str, Any] = {} @@ -6075,6 +6188,15 @@ def list_indicators_of_compromise( if sort_order is not unset: kwargs["sort_order"] = sort_order + if ocsf is not unset: + kwargs["ocsf"] = ocsf + + if worked_by is not unset: + kwargs["worked_by"] = worked_by + + if triage_state is not unset: + kwargs["triage_state"] = triage_state + return self._list_indicators_of_compromise_endpoint.call_with_http_info(**kwargs) def list_multiple_rulesets( diff --git a/src/datadog_api_client/v2/model/io_c_indicator.py b/src/datadog_api_client/v2/model/io_c_indicator.py index 1b4a7d2704..e342dc0a21 100644 --- a/src/datadog_api_client/v2/model/io_c_indicator.py +++ b/src/datadog_api_client/v2/model/io_c_indicator.py @@ -50,6 +50,9 @@ def openapi_types(_): "signal_tier": (int,), "suspicious_sources": ([IoCSource], none_type), "tags": ([str],), + "triage_state": (str,), + "triaged_at": (datetime,), + "triaged_by": (str,), } attribute_map = { @@ -74,6 +77,9 @@ def openapi_types(_): "signal_tier": "signal_tier", "suspicious_sources": "suspicious_sources", "tags": "tags", + "triage_state": "triage_state", + "triaged_at": "triaged_at", + "triaged_by": "triaged_by", } def __init__( 
@@ -99,6 +105,9 @@ def __init__( signal_tier: Union[int, UnsetType] = unset, suspicious_sources: Union[List[IoCSource], none_type, UnsetType] = unset, tags: Union[List[str], UnsetType] = unset, + triage_state: Union[str, UnsetType] = unset, + triaged_at: Union[datetime, UnsetType] = unset, + triaged_by: Union[str, UnsetType] = unset, **kwargs, ): """ @@ -166,6 +175,15 @@ def __init__( :param tags: Tags associated with the indicator. :type tags: [str], optional + + :param triage_state: Current triage state of the indicator: not_reviewed or reviewed. + :type triage_state: str, optional + + :param triaged_at: Timestamp when the indicator was last triaged. + :type triaged_at: datetime, optional + + :param triaged_by: UUID of the user who last triaged the indicator. + :type triaged_by: str, optional """ if as_geo is not unset: kwargs["as_geo"] = as_geo @@ -209,4 +227,10 @@ def __init__( kwargs["suspicious_sources"] = suspicious_sources if tags is not unset: kwargs["tags"] = tags + if triage_state is not unset: + kwargs["triage_state"] = triage_state + if triaged_at is not unset: + kwargs["triaged_at"] = triaged_at + if triaged_by is not unset: + kwargs["triaged_by"] = triaged_by super().__init__(kwargs) diff --git a/src/datadog_api_client/v2/model/io_c_indicator_detailed.py b/src/datadog_api_client/v2/model/io_c_indicator_detailed.py index dfed28097f..1b85cc01c3 100644 --- a/src/datadog_api_client/v2/model/io_c_indicator_detailed.py +++ b/src/datadog_api_client/v2/model/io_c_indicator_detailed.py @@ -22,6 +22,7 @@ from datadog_api_client.v2.model.io_c_source import IoCSource from datadog_api_client.v2.model.io_c_score_effect import IoCScoreEffect from datadog_api_client.v2.model.io_c_signal_severity_count import IoCSignalSeverityCount + from datadog_api_client.v2.model.io_c_triage_event import IoCTriageEvent class IoCIndicatorDetailed(ModelNormal): 
@@ -31,6 +32,7 @@ def openapi_types(_): from datadog_api_client.v2.model.io_c_source import IoCSource from datadog_api_client.v2.model.io_c_score_effect import IoCScoreEffect from datadog_api_client.v2.model.io_c_signal_severity_count import IoCSignalSeverityCount + from datadog_api_client.v2.model.io_c_triage_event import IoCTriageEvent return { "additional_data": ( @@ -78,6 +80,10 @@ def openapi_types(_): "signal_tier": (int,), "suspicious_sources": ([IoCSource], none_type), "tags": ([str],), + "triage_history": ([IoCTriageEvent],), + "triage_state": (str,), + "triaged_at": (datetime,), + "triaged_by": (str,), "users": ({str: ([str],)},), } @@ -112,6 +118,10 @@ def openapi_types(_): "signal_tier": "signal_tier", "suspicious_sources": "suspicious_sources", "tags": "tags", + "triage_history": "triage_history", + "triage_state": "triage_state", + "triaged_at": "triaged_at", + "triaged_by": "triaged_by", "users": "users", } @@ -147,6 +157,10 @@ def __init__( signal_tier: Union[int, UnsetType] = unset, suspicious_sources: Union[List[IoCSource], none_type, UnsetType] = unset, tags: Union[List[str], UnsetType] = unset, + triage_history: Union[List[IoCTriageEvent], UnsetType] = unset, + triage_state: Union[str, UnsetType] = unset, + triaged_at: Union[datetime, UnsetType] = unset, + triaged_by: Union[str, UnsetType] = unset, users: Union[Dict[str, List[str]], UnsetType] = unset, **kwargs, ): 
@@ -243,6 +257,18 @@ def __init__( :param tags: Tags associated with the indicator. :type tags: [str], optional + :param triage_history: Full triage history timeline. Returned only when ``include_triage_history`` is true. + :type triage_history: [IoCTriageEvent], optional + + :param triage_state: Current triage state of the indicator: not_reviewed or reviewed. + :type triage_state: str, optional + + :param triaged_at: Timestamp when the indicator was last triaged. + :type triaged_at: datetime, optional + + :param triaged_by: UUID of the user who last triaged the indicator. + :type triaged_by: str, optional + :param users: Users associated with this indicator, grouped by category. :type users: {str: ([str],)}, optional """ @@ -306,6 +332,14 @@ def __init__( kwargs["suspicious_sources"] = suspicious_sources if tags is not unset: kwargs["tags"] = tags + if triage_history is not unset: + kwargs["triage_history"] = triage_history + if triage_state is not unset: + kwargs["triage_state"] = triage_state + if triaged_at is not unset: + kwargs["triaged_at"] = triaged_at + if triaged_by is not unset: + kwargs["triaged_by"] = triaged_by if users is not unset: kwargs["users"] = users super().__init__(kwargs) diff --git a/src/datadog_api_client/v2/model/io_c_triage_event.py b/src/datadog_api_client/v2/model/io_c_triage_event.py new file mode 100644 index 0000000000..a8a074dcd7 --- /dev/null +++ b/src/datadog_api_client/v2/model/io_c_triage_event.py 
@@ -0,0 +1,57 @@ +# Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. +# This product includes software developed at Datadog (https://www.datadoghq.com/). +# Copyright 2019-Present Datadog, Inc. +from __future__ import annotations + +from typing import Union + +from datadog_api_client.model_utils import ( + ModelNormal, + cached_property, + datetime, + unset, + UnsetType, +) + + +class IoCTriageEvent(ModelNormal): + @cached_property + def openapi_types(_): + return { + "triage_state": (str,), + "triaged_at": (datetime,), + "triaged_by": (str,), + } + + attribute_map = { + "triage_state": "triage_state", + "triaged_at": "triaged_at", + "triaged_by": "triaged_by", + } + + def __init__( + self_, + triage_state: Union[str, UnsetType] = unset, + triaged_at: Union[datetime, UnsetType] = unset, + triaged_by: Union[str, UnsetType] = unset, + **kwargs, + ): + """ + A single entry in an indicator's triage history timeline. + + :param triage_state: Triage state set by this action: not_reviewed or reviewed. + :type triage_state: str, optional + + :param triaged_at: Timestamp when this triage action occurred. + :type triaged_at: datetime, optional + + :param triaged_by: UUID of the user who performed this triage action. + :type triaged_by: str, optional + """ + if triage_state is not unset: + kwargs["triage_state"] = triage_state + if triaged_at is not unset: + kwargs["triaged_at"] = triaged_at + if triaged_by is not unset: + kwargs["triaged_by"] = triaged_by + super().__init__(kwargs) diff --git a/src/datadog_api_client/v2/model/io_c_triage_write_request.py b/src/datadog_api_client/v2/model/io_c_triage_write_request.py new file mode 100644 index 0000000000..55f9562c9c --- /dev/null +++ b/src/datadog_api_client/v2/model/io_c_triage_write_request.py 
@@ -0,0 +1,40 @@ +# Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. +# This product includes software developed at Datadog (https://www.datadoghq.com/). +# Copyright 2019-Present Datadog, Inc. +from __future__ import annotations + +from typing import TYPE_CHECKING + +from datadog_api_client.model_utils import ( + ModelNormal, + cached_property, +) + + +if TYPE_CHECKING: + from datadog_api_client.v2.model.io_c_triage_write_request_data import IoCTriageWriteRequestData + + +class IoCTriageWriteRequest(ModelNormal): + @cached_property + def openapi_types(_): + from datadog_api_client.v2.model.io_c_triage_write_request_data import IoCTriageWriteRequestData + + return { + "data": (IoCTriageWriteRequestData,), + } + + attribute_map = { + "data": "data", + } + + def __init__(self_, data: IoCTriageWriteRequestData, **kwargs): + """ + Request body for creating or updating an indicator triage state. + + :param data: Data object for the triage write request. + :type data: IoCTriageWriteRequestData + """ + super().__init__(kwargs) + + self_.data = data diff --git a/src/datadog_api_client/v2/model/io_c_triage_write_request_attributes.py b/src/datadog_api_client/v2/model/io_c_triage_write_request_attributes.py new file mode 100644 index 0000000000..94fa3b8277 --- /dev/null +++ b/src/datadog_api_client/v2/model/io_c_triage_write_request_attributes.py 
@@ -0,0 +1,39 @@ +# Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. +# This product includes software developed at Datadog (https://www.datadoghq.com/). +# Copyright 2019-Present Datadog, Inc. +from __future__ import annotations + + +from datadog_api_client.model_utils import ( + ModelNormal, + cached_property, +) + + +class IoCTriageWriteRequestAttributes(ModelNormal): + @cached_property + def openapi_types(_): + return { + "indicator": (str,), + "triage_state": (str,), + } + + attribute_map = { + "indicator": "indicator", + "triage_state": "triage_state", + } + + def __init__(self_, indicator: str, triage_state: str, **kwargs): + """ + Attributes for setting an indicator's triage state. + + :param indicator: The indicator value to triage (for example, an IP address or domain). + :type indicator: str + + :param triage_state: The triage state to set: not_reviewed or reviewed. + :type triage_state: str + """ + super().__init__(kwargs) + + self_.indicator = indicator + self_.triage_state = triage_state diff --git a/src/datadog_api_client/v2/model/io_c_triage_write_request_data.py b/src/datadog_api_client/v2/model/io_c_triage_write_request_data.py new file mode 100644 index 0000000000..2f9a056d57 --- /dev/null +++ b/src/datadog_api_client/v2/model/io_c_triage_write_request_data.py 
@@ -0,0 +1,47 @@ +# Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. +# This product includes software developed at Datadog (https://www.datadoghq.com/). +# Copyright 2019-Present Datadog, Inc. +from __future__ import annotations + +from typing import TYPE_CHECKING + +from datadog_api_client.model_utils import ( + ModelNormal, + cached_property, +) + + +if TYPE_CHECKING: + from datadog_api_client.v2.model.io_c_triage_write_request_attributes import IoCTriageWriteRequestAttributes + + +class IoCTriageWriteRequestData(ModelNormal): + @cached_property + def openapi_types(_): + from datadog_api_client.v2.model.io_c_triage_write_request_attributes import IoCTriageWriteRequestAttributes + + return { + "attributes": (IoCTriageWriteRequestAttributes,), + "type": (str,), + } + + attribute_map = { + "attributes": "attributes", + "type": "type", + } + + def __init__(self_, attributes: IoCTriageWriteRequestAttributes, **kwargs): + """ + Data object for the triage write request. + + :param attributes: Attributes for setting an indicator's triage state. + :type attributes: IoCTriageWriteRequestAttributes + + :param type: Triage state resource type. + :type type: str + """ + super().__init__(kwargs) + type = kwargs.get("type", "ioc_triage_state") + + self_.attributes = attributes + self_.type = type diff --git a/src/datadog_api_client/v2/model/io_c_triage_write_response.py b/src/datadog_api_client/v2/model/io_c_triage_write_response.py new file mode 100644 index 0000000000..b26905e832 --- /dev/null +++ b/src/datadog_api_client/v2/model/io_c_triage_write_response.py 
@@ -0,0 +1,42 @@ +# Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. +# This product includes software developed at Datadog (https://www.datadoghq.com/). +# Copyright 2019-Present Datadog, Inc. +from __future__ import annotations + +from typing import Union, TYPE_CHECKING + +from datadog_api_client.model_utils import ( + ModelNormal, + cached_property, + unset, + UnsetType, +) + + +if TYPE_CHECKING: + from datadog_api_client.v2.model.io_c_triage_write_response_data import IoCTriageWriteResponseData + + +class IoCTriageWriteResponse(ModelNormal): + @cached_property + def openapi_types(_): + from datadog_api_client.v2.model.io_c_triage_write_response_data import IoCTriageWriteResponseData + + return { + "data": (IoCTriageWriteResponseData,), + } + + attribute_map = { + "data": "data", + } + + def __init__(self_, data: Union[IoCTriageWriteResponseData, UnsetType] = unset, **kwargs): + """ + Response for the create indicator triage state endpoint. + + :param data: Data object of the triage write response. + :type data: IoCTriageWriteResponseData, optional + """ + if data is not unset: + kwargs["data"] = data + super().__init__(kwargs) diff --git a/src/datadog_api_client/v2/model/io_c_triage_write_response_attributes.py b/src/datadog_api_client/v2/model/io_c_triage_write_response_attributes.py new file mode 100644 index 0000000000..0d0aa11f99 --- /dev/null +++ b/src/datadog_api_client/v2/model/io_c_triage_write_response_attributes.py 
@@ -0,0 +1,73 @@ +# Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. +# This product includes software developed at Datadog (https://www.datadoghq.com/). +# Copyright 2019-Present Datadog, Inc. +from __future__ import annotations + +from typing import Union + +from datadog_api_client.model_utils import ( + ModelNormal, + cached_property, + datetime, + unset, + UnsetType, +) + + +class IoCTriageWriteResponseAttributes(ModelNormal): + @cached_property + def openapi_types(_): + return { + "created_at": (datetime,), + "indicator": (str,), + "triage_state": (str,), + "triaged_at": (datetime,), + "triaged_by": (str,), + } + + attribute_map = { + "created_at": "created_at", + "indicator": "indicator", + "triage_state": "triage_state", + "triaged_at": "triaged_at", + "triaged_by": "triaged_by", + } + + def __init__( + self_, + created_at: Union[datetime, UnsetType] = unset, + indicator: Union[str, UnsetType] = unset, + triage_state: Union[str, UnsetType] = unset, + triaged_at: Union[datetime, UnsetType] = unset, + triaged_by: Union[str, UnsetType] = unset, + **kwargs, + ): + """ + Attributes of a created or updated triage state. + + :param created_at: Timestamp when the triage record was created. + :type created_at: datetime, optional + + :param indicator: The indicator value that was triaged. + :type indicator: str, optional + + :param triage_state: The triage state that was set: not_reviewed or reviewed. + :type triage_state: str, optional + + :param triaged_at: Timestamp when the triage state was set. + :type triaged_at: datetime, optional + + :param triaged_by: UUID of the user who set the triage state. 
+ :type triaged_by: str, optional + """ + if created_at is not unset: + kwargs["created_at"] = created_at + if indicator is not unset: + kwargs["indicator"] = indicator + if triage_state is not unset: + kwargs["triage_state"] = triage_state + if triaged_at is not unset: + kwargs["triaged_at"] = triaged_at + if triaged_by is not unset: + kwargs["triaged_by"] = triaged_by + super().__init__(kwargs) diff --git a/src/datadog_api_client/v2/model/io_c_triage_write_response_data.py b/src/datadog_api_client/v2/model/io_c_triage_write_response_data.py new file mode 100644 index 0000000000..c7961ef645 --- /dev/null +++ b/src/datadog_api_client/v2/model/io_c_triage_write_response_data.py 
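Review bot: `triage_state` is declared as a bare `(str,)` in `openapi_types` here even though the docstring pins it to exactly two values, `not_reviewed` and `reviewed`, so the generated client neither documents nor validates that vocabulary; the bad-request cassette in this same change shows the server answering `invalid_state` with a 400, which a client-side enum would have caught before the request left the process. Because this file is generated, the fix belongs in the OpenAPI schema: declare one shared string enum (say `IoCTriageState`) with those two values and reference it from the request and response attributes and from `IoCTriageEvent`, so the generator presumably emits an enum model in place of the plain string. Until then, the docstring line could at least read `:param triage_state: The triage state that was set: ``not_reviewed`` or ``reviewed`` (the recorded API rejects other values with 400).`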
@@ -0,0 +1,62 @@ +# Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. +# This product includes software developed at Datadog (https://www.datadoghq.com/). +# Copyright 2019-Present Datadog, Inc. +from __future__ import annotations + +from typing import Union, TYPE_CHECKING + +from datadog_api_client.model_utils import ( + ModelNormal, + cached_property, + unset, + UnsetType, +) + + +if TYPE_CHECKING: + from datadog_api_client.v2.model.io_c_triage_write_response_attributes import IoCTriageWriteResponseAttributes + + +class IoCTriageWriteResponseData(ModelNormal): + @cached_property + def openapi_types(_): + from datadog_api_client.v2.model.io_c_triage_write_response_attributes import IoCTriageWriteResponseAttributes + + return { + "attributes": (IoCTriageWriteResponseAttributes,), + "id": (str,), + "type": (str,), + } + + attribute_map = { + "attributes": "attributes", + "id": "id", + "type": "type", + } + + def __init__( + self_, + attributes: Union[IoCTriageWriteResponseAttributes, UnsetType] = unset, + id: Union[str, UnsetType] = unset, + type: Union[str, UnsetType] = unset, + **kwargs, + ): + """ + Data object of the triage write response. + + :param attributes: Attributes of a created or updated triage state. + :type attributes: IoCTriageWriteResponseAttributes, optional + + :param id: Unique identifier for the triage state record. + :type id: str, optional + + :param type: Triage state resource type. + :type type: str, optional + """ + if attributes is not unset: + kwargs["attributes"] = attributes + if id is not unset: + kwargs["id"] = id + if type is not unset: + kwargs["type"] = type + super().__init__(kwargs) diff --git a/src/datadog_api_client/v2/models/__init__.py b/src/datadog_api_client/v2/models/__init__.py index 817d63c3f9..7fbba24232 100644 --- a/src/datadog_api_client/v2/models/__init__.py +++ b/src/datadog_api_client/v2/models/__init__.py 
@@ -3402,6 +3402,13 @@ from datadog_api_client.v2.model.io_c_score_effect import IoCScoreEffect from datadog_api_client.v2.model.io_c_signal_severity_count import IoCSignalSeverityCount from datadog_api_client.v2.model.io_c_source import IoCSource +from datadog_api_client.v2.model.io_c_triage_event import IoCTriageEvent +from datadog_api_client.v2.model.io_c_triage_write_request import IoCTriageWriteRequest +from datadog_api_client.v2.model.io_c_triage_write_request_attributes import IoCTriageWriteRequestAttributes +from datadog_api_client.v2.model.io_c_triage_write_request_data import IoCTriageWriteRequestData +from datadog_api_client.v2.model.io_c_triage_write_response import IoCTriageWriteResponse +from datadog_api_client.v2.model.io_c_triage_write_response_attributes import IoCTriageWriteResponseAttributes +from datadog_api_client.v2.model.io_c_triage_write_response_data import IoCTriageWriteResponseData from datadog_api_client.v2.model.issue import Issue from datadog_api_client.v2.model.issue_assignee_relationship import IssueAssigneeRelationship from datadog_api_client.v2.model.issue_attributes import IssueAttributes @@ -11556,6 +11563,13 @@ "IoCScoreEffect", "IoCSignalSeverityCount", "IoCSource", + "IoCTriageEvent", + "IoCTriageWriteRequest", + "IoCTriageWriteRequestAttributes", + "IoCTriageWriteRequestData", + "IoCTriageWriteResponse", + "IoCTriageWriteResponseAttributes", + "IoCTriageWriteResponseData", "Issue", "IssueAssigneeRelationship", "IssueAttributes", diff --git a/tests/v2/cassettes/test_scenarios/test_create_or_update_an_indicator_triage_state_returns_bad_request_response.frozen b/tests/v2/cassettes/test_scenarios/test_create_or_update_an_indicator_triage_state_returns_bad_request_response.frozen new file mode 100644 index 0000000000..d6a26ed39d --- /dev/null +++ b/tests/v2/cassettes/test_scenarios/test_create_or_update_an_indicator_triage_state_returns_bad_request_response.frozen @@ -0,0 +1 @@ +2026-06-05T12:20:47.940Z \ No newline at end of file 
diff --git a/tests/v2/cassettes/test_scenarios/test_create_or_update_an_indicator_triage_state_returns_bad_request_response.yaml b/tests/v2/cassettes/test_scenarios/test_create_or_update_an_indicator_triage_state_returns_bad_request_response.yaml new file mode 100644 index 0000000000..6926fb6cda --- /dev/null +++ b/tests/v2/cassettes/test_scenarios/test_create_or_update_an_indicator_triage_state_returns_bad_request_response.yaml @@ -0,0 +1,20 @@ +interactions: +- request: + body: '{"data":{"attributes":{"indicator":"192.0.2.1","triage_state":"invalid_state"},"type":"ioc_triage_state"}}' + headers: + accept: + - application/json + content-type: + - application/json + method: POST + uri: https://api.datadoghq.com/api/v2/security/siem/ioc-explorer/triage + response: + body: + string: '{"errors":[{"title":"Generic Error","detail":"invalid triage_state"}]}' + headers: + content-type: + - application/vnd.api+json + status: + code: 400 + message: Bad Request +version: 1 diff --git a/tests/v2/cassettes/test_scenarios/test_create_or_update_an_indicator_triage_state_returns_created_response.frozen b/tests/v2/cassettes/test_scenarios/test_create_or_update_an_indicator_triage_state_returns_created_response.frozen new file mode 100644 index 0000000000..0ac630dda1 --- /dev/null +++ b/tests/v2/cassettes/test_scenarios/test_create_or_update_an_indicator_triage_state_returns_created_response.frozen @@ -0,0 +1 @@ +2026-06-05T12:22:26.137Z \ No newline at end of file diff --git a/tests/v2/cassettes/test_scenarios/test_create_or_update_an_indicator_triage_state_returns_created_response.yaml b/tests/v2/cassettes/test_scenarios/test_create_or_update_an_indicator_triage_state_returns_created_response.yaml new file mode 100644 index 0000000000..1fa5b65e90 --- /dev/null +++ b/tests/v2/cassettes/test_scenarios/test_create_or_update_an_indicator_triage_state_returns_created_response.yaml 
@@ -0,0 +1,20 @@ +interactions: +- request: + body: '{"data":{"attributes":{"indicator":"192.0.2.1","triage_state":"reviewed"},"type":"ioc_triage_state"}}' + headers: + accept: + - application/json + content-type: + - application/json + method: POST + uri: https://api.datadoghq.com/api/v2/security/siem/ioc-explorer/triage + response: + body: + string: '{"data":{"id":"2e6eff68-4ffa-4cab-b9bb-d9ce1ef3b42a","type":"ioc_triage_state","attributes":{"created_at":"2026-06-05T12:22:26.488248Z","indicator":"192.0.2.1","triage_state":"reviewed","triaged_at":"2026-06-05T12:22:26.488248Z","triaged_by":"dc6535c4-0b70-47aa-9c6a-9b0fc0be3f19"}}}' + headers: + content-type: + - application/vnd.api+json + status: + code: 201 + message: Created +version: 1 diff --git a/tests/v2/cassettes/test_scenarios/test_get_an_indicator_of_compromise_returns_ok_response.frozen b/tests/v2/cassettes/test_scenarios/test_get_an_indicator_of_compromise_returns_ok_response.frozen index fc8ed109ad..3dc6b0aa0a 100644 --- a/tests/v2/cassettes/test_scenarios/test_get_an_indicator_of_compromise_returns_ok_response.frozen +++ b/tests/v2/cassettes/test_scenarios/test_get_an_indicator_of_compromise_returns_ok_response.frozen @@ -1 +1 @@ -2026-04-14T18:22:29.733Z \ No newline at end of file +2026-06-05T12:58:33.985Z \ No newline at end of file diff --git a/tests/v2/cassettes/test_scenarios/test_get_an_indicator_of_compromise_returns_ok_response.yaml b/tests/v2/cassettes/test_scenarios/test_get_an_indicator_of_compromise_returns_ok_response.yaml index 67802c5892..e198205210 100644 --- a/tests/v2/cassettes/test_scenarios/test_get_an_indicator_of_compromise_returns_ok_response.yaml +++ b/tests/v2/cassettes/test_scenarios/test_get_an_indicator_of_compromise_returns_ok_response.yaml 
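Review bot: The `triaged_by` value in the recorded 201 body, `dc6535c4-0b70-47aa-9c6a-9b0fc0be3f19`, is an un-scrubbed user UUID from the recording org, whereas the re-recorded get and list cassettes in this same change replace it with `00000000-0000-0000-0000-000000000000`. Cassettes ship in a public repository, so scrub it the same way (and, for consistency, the record `id`) before merging; the scenario only asserts the 201 status, so nothing depends on the exact values. A fixed placeholder also keeps the fixture stable if the recording user changes.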
@@ -5,13 +5,11 @@ interactions: accept: - application/json method: GET - uri: https://api.datadoghq.com/api/v2/security/siem/ioc-explorer/indicator?indicator=masscan%2F1.3%20%28https%3A%2F%2Fgithub.com%2Frobertdavidgraham%2Fmasscan%29 + uri: https://api.datadoghq.com/api/v2/security/siem/ioc-explorer/indicator?indicator=192.0.2.1&include_triage_history=true response: body: - string: '{"data":{"id":"65a31893-cc59-4125-9424-44f7ba083e53","type":"get_indicator_response","attributes":{"data":{"id":"masscan/1.3 - (https://github.com/robertdavidgraham/masscan)","indicator":"masscan/1.3 (https://github.com/robertdavidgraham/masscan)","indicator_type":"User - Agent","score":4,"as_type":"hosting","malicious_sources":null,"suspicious_sources":[{"name":"Datadog - Threat Research"}],"benign_sources":null,"categories":["scanner"],"tags":[],"signal_matches":0,"log_matches":45,"first_seen":"2025-01-08T23:24:45Z","last_seen":"2026-04-10T14:36:20Z","signal_tier":0,"max_trust_score":"RAISE_SCORE","m_sources":"NO_EFFECT","m_persistence":"RAISE_SCORE","m_signal":"NO_EFFECT","m_as_type":"NO_EFFECT","log_sources":[],"services":[],"signal_severity":[],"users":{},"critical_assets":[],"hosts":[],"as_number":"","as_organization":"","as_cidr_block":""}}}}' + string: '{"data":{"id":"b38eb8e1-61c8-470f-be58-f41531a7c134","type":"get_indicator_response","attributes":{"data":{"id":"192.0.2.1","indicator":"192.0.2.1","indicator_type":"IP + 
Address","score":4,"as_type":"hosting","malicious_sources":null,"suspicious_sources":[{"name":"SOURCE1"}],"benign_sources":null,"categories":["hosting_proxy"],"tags":[],"signal_matches":1,"log_matches":7,"signal_tier":0,"max_trust_score":"RAISE_SCORE","m_sources":"NO_EFFECT","m_persistence":"NO_EFFECT","m_signal":"NO_EFFECT","m_as_type":"NO_EFFECT","triage_state":"reviewed","triaged_at":"2026-06-03T18:55:42.108938Z","triaged_by":"00000000-0000-0000-0000-000000000000","log_sources":[],"services":[],"signal_severity":[{"severity":"info","count":1}],"users":{},"critical_assets":[],"hosts":[],"additional_data":{},"triage_history":[{"triaged_at":"2026-06-03T18:55:42.108938Z","triaged_by":"00000000-0000-0000-0000-000000000000","triage_state":"reviewed"},{"triaged_at":"2026-06-03T13:32:14.735424Z","triaged_by":"00000000-0000-0000-0000-000000000000","triage_state":"reviewed"}]}}}}' headers: content-type: - application/vnd.api+json diff --git a/tests/v2/cassettes/test_scenarios/test_list_indicators_of_compromise_returns_ok_response.frozen b/tests/v2/cassettes/test_scenarios/test_list_indicators_of_compromise_returns_ok_response.frozen index 5814ac627e..b1bf7726a1 100644 --- a/tests/v2/cassettes/test_scenarios/test_list_indicators_of_compromise_returns_ok_response.frozen +++ b/tests/v2/cassettes/test_scenarios/test_list_indicators_of_compromise_returns_ok_response.frozen @@ -1 +1 @@ -2026-04-14T18:22:48.392Z \ No newline at end of file +2026-06-05T12:32:21.136Z \ No newline at end of file diff --git a/tests/v2/cassettes/test_scenarios/test_list_indicators_of_compromise_returns_ok_response.yaml b/tests/v2/cassettes/test_scenarios/test_list_indicators_of_compromise_returns_ok_response.yaml index 4f6ed05ab2..6639fae697 100644 --- a/tests/v2/cassettes/test_scenarios/test_list_indicators_of_compromise_returns_ok_response.yaml +++ b/tests/v2/cassettes/test_scenarios/test_list_indicators_of_compromise_returns_ok_response.yaml 
@@ -8,9 +8,8 @@ interactions: uri: https://api.datadoghq.com/api/v2/security/siem/ioc-explorer?limit=1 response: body: - string: '{"data":{"id":"a4e3b616-e180-4b47-a379-43da9c5b300e","type":"ioc_explorer_response","attributes":{"data":[{"id":"43.228.157.121","indicator":"43.228.157.121","indicator_type":"IP - Address","score":8,"as_type":"hosting","malicious_sources":[{"name":"threatfox"}],"suspicious_sources":[{"name":"tor"},{"name":"SPUR"}],"benign_sources":null,"categories":["malware","tor","hosting_proxy"],"tags":[],"signal_matches":0,"log_matches":14,"signal_tier":0,"max_trust_score":"RAISE_SCORE","m_sources":"RAISE_SCORE","m_persistence":"NO_EFFECT","m_signal":"NO_EFFECT","m_as_type":"NO_EFFECT","as_geo":{"city":"Frankfurt - am Main","country_code":"DE","country_name":"Germany"}}],"metadata":{"count":25091},"paging":{"offset":1}}}}' + string: '{"data":{"id":"22b62903-4053-42ed-9448-c750da2ecd81","type":"ioc_explorer_response","attributes":{"data":[{"id":"192.0.2.1","indicator":"192.0.2.1","indicator_type":"IP + Address","score":4,"as_type":"hosting","malicious_sources":null,"suspicious_sources":[{"name":"SOURCE1"}],"benign_sources":null,"categories":["hosting_proxy"],"tags":[],"signal_matches":1,"log_matches":7,"signal_tier":0,"max_trust_score":"RAISE_SCORE","m_sources":"NO_EFFECT","m_persistence":"NO_EFFECT","m_signal":"NO_EFFECT","m_as_type":"NO_EFFECT","triage_state":"reviewed","triaged_at":"2026-06-03T18:55:42.108938Z","triaged_by":"00000000-0000-0000-0000-000000000000"}],"metadata":{"count":585},"paging":{"offset":1}}}}' headers: content-type: - application/vnd.api+json diff --git a/tests/v2/features/security_monitoring.feature b/tests/v2/features/security_monitoring.feature index bae8918780..7e4a21f8c6 100644 --- a/tests/v2/features/security_monitoring.feature +++ b/tests/v2/features/security_monitoring.feature 
@@ -954,6 +954,22 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 404 Not Found
 
+ @replay-only @skip-terraform-config @team:DataDog/k9-cloud-siem
+ Scenario: Create or update an indicator triage state returns "Bad Request" response
+ Given operation "CreateIoCTriageState" enabled
+ And new "CreateIoCTriageState" request
+ And body with value {"data": {"attributes": {"indicator": "192.0.2.1", "triage_state": "invalid_state"}, "type": "ioc_triage_state"}}
+ When the request is sent
+ Then the response status is 400 Bad Request
+
+ @replay-only @skip-terraform-config @team:DataDog/k9-cloud-siem
+ Scenario: Create or update an indicator triage state returns "Created" response
+ Given operation "CreateIoCTriageState" enabled
+ And new "CreateIoCTriageState" request
+ And body with value {"data": {"attributes": {"indicator": "192.0.2.1", "triage_state": "reviewed"}, "type": "ioc_triage_state"}}
+ When the request is sent
+ Then the response status is 201 Created
+
 @generated @skip @team:DataDog/k9-cloud-siem
 Scenario: Deactivate content pack returns "Accepted" response
 Given operation "DeactivateContentPack" enabled
@@ -1730,7 +1746,8 @@ Feature: Security Monitoring
 Scenario: Get an indicator of compromise returns "OK" response
 Given operation "GetIndicatorOfCompromise" enabled
 And new "GetIndicatorOfCompromise" request
- And request contains "indicator" parameter with value "masscan/1.3 (https://github.com/robertdavidgraham/masscan)"
+ And request contains "indicator" parameter with value "192.0.2.1"
+ And request contains "include_triage_history" parameter with value true
 When the request is sent
 Then the response status is 200 OK
 
diff --git a/tests/v2/features/undo.json b/tests/v2/features/undo.json
index 9101d0155c..e5e1b9ed26 100644
--- a/tests/v2/features/undo.json
+++ b/tests/v2/features/undo.json
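Review bot: The "Created" scenario asserts only the 201 status, so a server that accepted the body but stored a different state or indicator would still pass; pin the echoed attributes with something like `And the response "data.attributes.triage_state" is equal to "reviewed"` and `And the response "data.attributes.indicator" is equal to "192.0.2.1"`, assuming the suite's usual response-path assertion step. The "Bad Request" scenario is worth keeping as the only check on the state vocabulary, because the generated models type `triage_state` as a plain string. Both scenarios are `@replay-only`, so the recorded cassettes elsewhere in this diff are the real contract under test and should be scrubbed accordingly.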
@@ -6706,6 +6706,12 @@
 "type": "safe"
 }
 },
+ "CreateIoCTriageState": {
+ "tag": "Security Monitoring",
+ "undo": {
+ "type": "safe"
+ }
+ },
 "GetSignalNotificationRules": {
 "tag": "Security Monitoring",
 "undo": {
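Review bot: `CreateIoCTriageState` is registered with `"type": "safe"` although it creates or updates persistent triage state, the same undo kind as the neighbouring entries; if `safe` means no cleanup runs, re-recording the "Created" scenario live leaves `192.0.2.1` marked `reviewed` in the recording org, which the `@replay-only` tag currently hides. If the API offers no delete for triage records, consider an undo that re-posts `not_reviewed` for the same indicator, or a note in the feature file explaining why none is possible, since this JSON file cannot carry a comment.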