Provides a Datadog Security Monitoring Rule API resource. This can be used to create and manage Datadog security monitoring rules. To change settings for a default rule, use the datadog_security_default_rule resource instead.
Example usage:

```hcl
resource "datadog_security_monitoring_rule" "myrule" {
  name    = "My rule"
  message = "The rule has triggered."
  enabled = true

  query {
    name            = "errors"
    query           = "status:error"
    aggregation     = "count"
    group_by_fields = ["host"]
  }

  query {
    name            = "warnings"
    query           = "status:warning"
    aggregation     = "count"
    group_by_fields = ["host"]
  }

  case {
    status        = "high"
    condition     = "errors > 3 && warnings > 10"
    notifications = ["@user"]
  }

  options {
    evaluation_window   = 300
    keep_alive          = 600
    max_signal_duration = 900
  }

  tags = ["type:dos"]
}
```
Schema

Required:
- message (String) Message for generated signals.
- name (String) The name of the rule.

Optional:
- case (Block List, Max: 10) Cases for generating signals. (see below for nested schema)
- enabled (Boolean) Whether the rule is enabled. Defaults to true.
- filter (Block List) Additional queries to filter matched events before they are processed. Note: This field is deprecated for log detection, signal correlation, and workload security rules. (see below for nested schema)
- has_extended_title (Boolean) Whether the notifications include the triggering group-by values in their title. Defaults to false.
- options (Block List, Max: 1) Options on rules. (see below for nested schema)
- query (Block List) Queries for selecting logs which are part of the rule. (see below for nested schema)
- signal_query (Block List) Queries for selecting logs which are part of the rule. (see below for nested schema)
- tags (Set of String) Tags for generated signals.
- third_party_case (Block List, Max: 10) Cases for generating signals for third-party rules. Only required and accepted for third-party rules. (see below for nested schema)
- type (String) The rule type. Valid values are application_security, log_detection, workload_security, signal_correlation. Defaults to "log_detection".

Read-Only:
- id (String) The ID of this resource.

Nested schema for case
Required:
- status (String) Severity of the Security Signal. Valid values are info, low, medium, high, critical.

Optional:
- condition (String) A rule case contains logical operations (>, >=, &&, ||) to determine if a signal should be generated based on the event counts in the previously defined queries.
- name (String) Name of the case.
- notifications (List of String) Notification targets for each rule case.

Nested schema for filter

Required:
- action (String) The type of filtering action. Valid values are require, suppress.
- query (String) Query for selecting logs to apply the filtering action.
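As an added example that is not part of the provider documentation or of the Datadog provider's own code, the rule below combines a count query with a cardinality query in one case condition, orders two cases by severity, and uses the options described further down to bound how long a signal stays open. The log attributes (@evt.name, @evt.outcome, @usr.id, @network.client.ip), the scanner address 10.0.0.5 and the @security-team handle are assumptions; substitute the fields of your own log pipeline. Because filter blocks are deprecated for log detection rules, the exclusion of a known internal scanner is written into the query string itself.

```hcl
# Added example, not from the original page. The log attribute names, the
# scanner address and the notification handle are assumptions.
resource "datadog_security_monitoring_rule" "failed_logins_many_users" {
  name    = "Failed logins against many distinct users from one client"
  message = "A single client IP produced many failed logins against many distinct user ids."
  enabled = true
  type    = "log_detection"

  # Query 1: number of failed authentication events per client IP.
  # filter blocks are deprecated for log_detection rules, so the known
  # internal scanner (assumed address) is excluded inside the query instead.
  query {
    name            = "failures"
    query           = "@evt.name:authentication @evt.outcome:failure -@network.client.ip:10.0.0.5"
    aggregation     = "count"
    group_by_fields = ["@network.client.ip"]
  }

  # Query 2: number of distinct user ids targeted by the same client IP.
  # cardinality needs distinct_fields and is measured per group_by value.
  query {
    name            = "targeted_users"
    query           = "@evt.name:authentication @evt.outcome:failure -@network.client.ip:10.0.0.5"
    aggregation     = "cardinality"
    distinct_fields = ["@usr.id"]
    group_by_fields = ["@network.client.ip"]
  }

  # Query names are the variables of the condition expression. Cases are
  # checked top to bottom, so the more specific, higher-severity case is listed first.
  case {
    name          = "many distinct users"
    status        = "high"
    condition     = "failures > 50 && targeted_users > 20"
    notifications = ["@security-team"]
  }

  case {
    name          = "repeated failures"
    status        = "medium"
    condition     = "failures > 50"
    notifications = ["@security-team"]
  }

  options {
    evaluation_window                 = 300  # sliding 5-minute window for the counts
    keep_alive                        = 600  # stays open while a case matches again within 10 minutes
    max_signal_duration               = 3600 # closes one hour after first seen regardless
    decrease_criticality_based_on_env = true # staging/test/dev signals get a lower severity
  }

  # Put the triggering group-by value (the client IP) into the notification title.
  has_extended_title = true
  tags               = ["technique:credential-access"]
}
```

The two thresholds in the conditions are placeholders to tune against your own baseline; the point of the second query is that a high failure count alone is ambiguous (one locked-out user retrying), whereas a high failure count spread across many user ids is not.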
Nested schema for options

Optional:
- decrease_criticality_based_on_env (Boolean) If true, signals in non-production environments have a lower severity than what is defined by the rule case, which can reduce noise. The decrement is applied when the environment tag of the signal starts with staging, test, or dev. Only available when the rule type is log_detection. Defaults to false.
- detection_method (String) The detection method. Valid values are threshold, new_value, anomaly_detection, impossible_travel, hardcoded, third_party. Defaults to "threshold".
- evaluation_window (Number) A time window is specified to match when at least one of the cases matches true. This is a sliding window and evaluates in real time. Valid values are 0, 60, 300, 600, 900, 1800, 3600, 7200.
- impossible_travel_options (Block List, Max: 1) Options for rules using the impossible travel detection method. (see below for nested schema)
- keep_alive (Number) Once a signal is generated, the signal will remain “open” if a case is matched at least once within this keep alive window (in seconds). Valid values are 0, 60, 300, 600, 900, 1800, 3600, 7200, 10800, 21600.
- max_signal_duration (Number) A signal will “close” regardless of the query being matched once the time exceeds the maximum duration (in seconds). This time is calculated from the first seen timestamp. Valid values are 0, 60, 300, 600, 900, 1800, 3600, 7200, 10800, 21600, 43200, 86400.
- new_value_options (Block List, Max: 1) New value rules specific options. (see below for nested schema)
- third_party_rule_options (Block List, Max: 1) Options for rules using the third-party detection method. (see below for nested schema)

Nested schema for options.impossible_travel_options
Optional:
- baseline_user_locations (Boolean) If true, signals are suppressed for the first 24 hours. During that time, Datadog learns the user's regular access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access. Defaults to false.

Nested schema for options.new_value_options

Required:
- forget_after (Number) The duration in days after which a learned value is forgotten. Valid values are 1, 2, 7, 14, 21, 28.

Optional:
- learning_duration (Number) The duration in days during which values are learned, and after which signals will be generated for values that weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned. Valid values are 0, 1, 7. Defaults to 1.
- learning_method (String) The learning method used to determine when signals should be generated for values that weren't learned. Valid values are duration, threshold. Defaults to "duration".
- learning_threshold (Number) A number of occurrences after which signals are generated for values that weren't learned. Valid values are 0, 1. Defaults to 0.

Nested schema for options.third_party_rule_options
Required:
- default_status (String) Severity of the default rule case, when none of the third-party cases match. Valid values are info, low, medium, high, critical.
- root_query (Block List, Min: 1, Max: 10) Queries to be combined with third-party case queries. Each of them can have different group by fields, to aggregate differently based on the type of alert. (see below for nested schema)

Optional:
- default_notifications (List of String) Notification targets for the default rule case, when none of the third-party cases match.
- signal_title_template (String) A template for the signal title; if omitted, the title is generated based on the case name.

Nested schema for options.third_party_rule_options.root_query

Required:
- query (String) Query to filter logs.

Optional:
- group_by_fields (List of String) Fields to group by. If empty, each log triggers a signal.
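The following two rules are an added example, not taken from the page or from the Datadog provider, showing the new_value and impossible_travel detection methods configured through the options blocks described above. The query strings, the @usr.id and @network.client.geoip attributes, the @security-team handle, and the absence of a condition on the case (a learned-value rule has no query counts to compare) are assumptions.

```hcl
# Added example, not from the original page. Query strings, attribute names
# and the notification handle are assumptions.

# new_value: learn which @usr.id values each client IP normally produces for one
# day, then signal when a user id that was not learned appears. Learned values
# are forgotten after 7 days, so a user absent for a week counts as new again.
resource "datadog_security_monitoring_rule" "new_user_from_ip" {
  name    = "New user id seen from a client IP"
  message = "A user id not seen before from this client IP authenticated successfully."
  enabled = true

  query {
    # With the new_value aggregation the learned values come from metrics
    # (up to five fields); a query name is not compatible with this aggregation.
    query           = "@evt.name:authentication @evt.outcome:success"
    aggregation     = "new_value"
    metrics         = ["@usr.id"]
    group_by_fields = ["@network.client.ip"]
  }

  # Assumption: a new-value case carries only a severity and notifications,
  # no condition expression.
  case {
    status        = "medium"
    notifications = ["@security-team"]
  }

  options {
    detection_method    = "new_value"
    keep_alive          = 3600
    max_signal_duration = 86400

    new_value_options {
      forget_after      = 7          # days before a learned value is forgotten
      learning_duration = 1          # learn for one day, then signal on unseen values
      learning_method   = "duration" # the alternative, threshold, uses learning_threshold instead
    }
  }
}

# impossible_travel: compare successive login locations per user. With
# baseline_user_locations = true, signals are suppressed for the first 24 hours
# while the user's regular locations are learned, which removes most VPN noise.
resource "datadog_security_monitoring_rule" "impossible_travel" {
  name    = "Impossible travel for a user"
  message = "The same user authenticated from two locations too far apart for the elapsed time."
  enabled = true

  query {
    query           = "@evt.name:authentication @evt.outcome:success"
    aggregation     = "geo_data"
    metrics         = ["@network.client.geoip"] # geo_data accepts exactly one field
    group_by_fields = ["@usr.id"]
  }

  case {
    status        = "high"
    notifications = ["@security-team"]
  }

  options {
    detection_method    = "impossible_travel"
    keep_alive          = 600
    max_signal_duration = 900

    impossible_travel_options {
      baseline_user_locations = true
    }
  }
}
```

Neither rule sets evaluation_window: the learned-value and travel comparisons are not window counts, so only keep_alive and max_signal_duration govern the signal's lifetime here.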
Nested schema for query

Required:
- query (String) Query to run on logs.

Optional:
- agent_rule (Block List, Deprecated) Deprecated. It won't be applied anymore. agent_rule has been deprecated in favor of the new Agent Rule resource. (see below for nested schema)
- aggregation (String) The aggregation type. For Signal Correlation rules, it must be event_count. Valid values are count, cardinality, sum, max, new_value, geo_data, event_count, none. Defaults to "count".
- distinct_fields (List of String) Field for which the cardinality is measured. Sent as an array.
- group_by_fields (List of String) Fields to group by.
- metric (String, Deprecated) The target field to aggregate over when using the sum, max, or geo_data aggregations. Deprecated. Configure metrics instead. This attribute will be removed in the next major version of the provider.
- metrics (List of String) Group of target fields to aggregate over when using the sum, max, geo_data, or new_value aggregations. The sum, max, and geo_data aggregations only accept one value in this list, whereas the new_value aggregation accepts up to five values.
- name (String) Name of the query. Not compatible with new_value aggregations.

Nested schema for query.agent_rule

Required:
- agent_rule_id (String) Deprecated. It won't be applied anymore.
- expression (String) Deprecated. It won't be applied anymore.

Nested schema for signal_query
Required:
- rule_id (String) Rule ID of the signal to correlate.

Optional:
- aggregation (String) The aggregation type. For Signal Correlation rules, it must be event_count. Valid values are count, cardinality, sum, max, new_value, geo_data, event_count, none. Defaults to "event_count".
- correlated_by_fields (List of String) Fields to correlate by.
- correlated_query_index (String) Index of the rule query used to retrieve the correlated field. An empty string applies correlation on the non-projected per query attributes of the rule. Defaults to "".
- default_rule_id (String) Default Rule ID of the signal to correlate. This value is READ-ONLY.
- name (String) Name of the query. Not compatible with new_value aggregations.
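As an added example (not from the page or from the provider project), the correlation rule below references two log detection rules through their resource ids, so Terraform creates the source rules first and passes their rule ids into signal_query; the signal fires only when both source rules produced a signal for the same host inside the window. The source rules' query strings (source:runtime-security, source:network and the @evt.category values) and the @security-team handle are constructed assumptions.

```hcl
# Added example, not from the original page. The source rule queries and the
# notification handle are assumptions.

# Source rule 1: a low-severity signal on its own, kept on purpose as a building block.
resource "datadog_security_monitoring_rule" "suspicious_process" {
  name    = "Suspicious process on host"
  message = "A process matching the suspicious-process query started on a host."
  enabled = true

  query {
    name            = "procs"
    query           = "source:runtime-security @evt.category:process" # assumed query
    aggregation     = "count"
    group_by_fields = ["host"]
  }

  case {
    status    = "low"
    condition = "procs > 0"
  }

  options {
    evaluation_window   = 300
    keep_alive          = 600
    max_signal_duration = 900
  }
}

# Source rule 2: same shape, different data source.
resource "datadog_security_monitoring_rule" "outbound_connection" {
  name    = "Unexpected outbound connection from host"
  message = "A host opened an outbound connection matching the query."
  enabled = true

  query {
    name            = "conns"
    query           = "source:network @evt.category:outbound" # assumed query
    aggregation     = "count"
    group_by_fields = ["host"]
  }

  case {
    status    = "low"
    condition = "conns > 0"
  }

  options {
    evaluation_window   = 300
    keep_alive          = 600
    max_signal_duration = 900
  }
}

# Correlation rule: signal_query replaces query, aggregation must be event_count,
# and correlated_by_fields names the attribute both source signals must share.
resource "datadog_security_monitoring_rule" "process_then_outbound" {
  name    = "Suspicious process followed by outbound connection on the same host"
  message = "Both the suspicious-process and the outbound-connection rule fired for one host."
  enabled = true
  type    = "signal_correlation"

  signal_query {
    name                 = "proc_signals"
    rule_id              = datadog_security_monitoring_rule.suspicious_process.id
    aggregation          = "event_count"
    correlated_by_fields = ["host"]
  }

  signal_query {
    name                 = "net_signals"
    rule_id              = datadog_security_monitoring_rule.outbound_connection.id
    aggregation          = "event_count"
    correlated_by_fields = ["host"]
  }

  # signal_query names are the variables of the condition, as query names are
  # for a log detection rule.
  case {
    status        = "high"
    condition     = "proc_signals > 0 && net_signals > 0"
    notifications = ["@security-team"]
  }

  options {
    evaluation_window   = 1800 # both source signals must fall inside 30 minutes
    keep_alive          = 3600
    max_signal_duration = 7200
  }
}
```

Referencing the source rules by resource id rather than by a hard-coded rule ID keeps the dependency inside Terraform: deleting or recreating a source rule updates the correlation rule in the same plan instead of leaving it pointing at a stale ID.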
Nested schema for third_party_case

Required:
- status (String) Severity of the Security Signal. Valid values are info, low, medium, high, critical.

Optional:
- name (String) Name of the case.
- notifications (List of String) Notification targets for each rule case.
- query (String) A query to associate a third-party event to this case.

Import

Import is supported using the following syntax:
```shell
# Security monitoring rules can be imported using ID, e.g.
terraform import datadog_security_monitoring_rule.my_rule m0o-hto-lkb
```