Add anomaly detection options to security monitoring rules

content/en/api/v2/csm-threats/request.CreateCSMThreatsAgentRule_1295653933.json

@@ -18,7 +18,9 @@
           }
         },
         {
-          "hash": {}
+          "hash": {
+            "field": "exec.file"
+          }
         }
       ]
     },

content/en/api/v2/csm-threats/request.CreateCSMThreatsAgentRule_1363354233.json

@@ -12,7 +12,7 @@
         {
           "set": {
             "name": "test_set",
-            "expression": "open.file.path",
+            "expression": "exec.file.path",
             "default_value": "/dev/null",
             "scope": "process"
           }

content/en/api/v2/security-monitoring/request.CreateSecurityMonitoringRule_2323193894.json

@@ -0,0 +1,42 @@
+{
+  "name": "Example-Security-Monitoring",
+  "type": "log_detection",
+  "isEnabled": true,
+  "queries": [
+    {
+      "aggregation": "count",
+      "dataSource": "logs",
+      "distinctFields": [],
+      "groupByFields": [
+        "@usr.email",
+        "@network.client.ip"
+      ],
+      "hasOptionalGroupByFields": false,
+      "name": "",
+      "query": "service:app status:error"
+    }
+  ],
+  "cases": [
+    {
+      "name": "",
+      "status": "info",
+      "notifications": [],
+      "condition": "a > 0.995"
+    }
+  ],
+  "message": "An anomaly detection rule",
+  "options": {
+    "detectionMethod": "anomaly_detection",
+    "evaluationWindow": 900,
+    "keepAlive": 3600,
+    "maxSignalDuration": 86400,
+    "anomalyDetectionOptions": {
+      "bucketDuration": 300,
+      "learningDuration": 24,
+      "detectionTolerance": 3,
+      "learningPeriodBaseline": 10
+    }
+  },
+  "tags": [],
+  "filters": []
+}

data/api/v2/CodeExamples.json

@@ -1485,6 +1485,11 @@
       "suffix": "",
       "description": "Create a detection rule returns \"OK\" response"
     },
+    {
+      "group": "security_monitoring",
+      "suffix": "_2323193894",
+      "description": "Create a detection rule with detection method 'anomaly_detection' returns \"OK\" response"
+    },
     {
       "group": "security_monitoring",
       "suffix": "_2899714190",

data/api/v2/full_spec.yaml

@@ -10236,6 +10236,10 @@ components:
           description: Whether the policy is pinned
           example: false
           type: boolean
+        policyType:
+          description: The type of the policy
+          example: policy
+          type: string
         policyVersion:
           description: The version of the policy
           example: '1'
@@ -10414,11 +10418,11 @@ components:
     CloudWorkloadSecurityAgentPolicyVersion:
       description: The versions of the policy
       properties:
-        Date:
+        date:
           description: The date and time the version was created
           nullable: true
           type: string
-        Name:
+        name:
           description: The version of the policy
           example: 1.47.0-rc2
           type: string
@@ -10445,8 +10449,11 @@ components:
           $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleActionSet'
       type: object
     CloudWorkloadSecurityAgentRuleActionHash:
-      additionalProperties: {}
-      description: An empty object indicating the hash action
+      description: Hash file specified by the field attribute
+      properties:
+        field:
+          description: The field of the hash action
+          type: string
       type: object
     CloudWorkloadSecurityAgentRuleActionMetadata:
       description: The metadata action applied on the scope matching the rule
@@ -10494,9 +10501,14 @@ components:
           format: int64
           type: integer
         value:
-          description: The value of the set action
-          type: string
+          $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleActionSetValue'
       type: object
+    CloudWorkloadSecurityAgentRuleActionSetValue:
+      description: The value of the set action
+      oneOf:
+      - type: string
+      - type: integer
+      - type: boolean
     CloudWorkloadSecurityAgentRuleActions:
       description: The array of actions the rule can perform if triggered
       items:
@@ -47542,6 +47554,86 @@ components:
           description: The name of the reference table.
           type: string
       type: object
+    SecurityMonitoringRuleAnomalyDetectionOptions:
+      additionalProperties: {}
+      description: Options on anomaly detection method.
+      properties:
+        bucketDuration:
+          $ref: '#/components/schemas/SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration'
+        detectionTolerance:
+          $ref: '#/components/schemas/SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance'
+        learningDuration:
+          $ref: '#/components/schemas/SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration'
+        learningPeriodBaseline:
+          description: An optional override baseline to apply while the rule is in
+            the learning period. Must be greater than or equal to 0.
+          format: int64
+          minimum: 0
+          type: integer
+      type: object
+    SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration:
+      description: 'Duration in seconds of the time buckets used to aggregate events
+        matched by the rule.
+
+        Must be greater than or equal to 300.'
+      enum:
+      - 300
+      - 600
+      - 900
+      - 1800
+      - 3600
+      - 10800
+      example: 300
+      format: int32
+      type: integer
+      x-enum-varnames:
+      - FIVE_MINUTES
+      - TEN_MINUTES
+      - FIFTEEN_MINUTES
+      - THIRTY_MINUTES
+      - ONE_HOUR
+      - THREE_HOURS
+    SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance:
+      description: 'An optional parameter that sets how permissive anomaly detection
+        is.
+
+        Higher values require higher deviations before triggering a signal.'
+      enum:
+      - 1
+      - 2
+      - 3
+      - 4
+      - 5
+      example: 5
+      format: int32
+      type: integer
+      x-enum-varnames:
+      - ONE
+      - TWO
+      - THREE
+      - FOUR
+      - FIVE
+    SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration:
+      description: Learning duration in hours. Anomaly detection waits for at least
+        this amount of historical data before it starts evaluating.
+      enum:
+      - 1
+      - 6
+      - 12
+      - 24
+      - 48
+      - 168
+      - 336
+      format: int32
+      type: integer
+      x-enum-varnames:
+      - ONE_HOUR
+      - SIX_HOURS
+      - TWELVE_HOURS
+      - ONE_DAY
+      - TWO_DAYS
+      - ONE_WEEK
+      - TWO_WEEKS
     SecurityMonitoringRuleCase:
       description: Case when signal is generated.
       properties:
@@ -47907,6 +47999,8 @@ components:
     SecurityMonitoringRuleOptions:
       description: Options.
       properties:
+        anomalyDetectionOptions:
+          $ref: '#/components/schemas/SecurityMonitoringRuleAnomalyDetectionOptions'
         complianceRuleOptions:
           $ref: '#/components/schemas/CloudConfigurationComplianceRuleOptions'
         decreaseCriticalityBasedOnEnv:
@@ -55346,6 +55440,8 @@ components:
     ThreatHuntingJobOptions:
       description: Job options.
       properties:
+        anomalyDetectionOptions:
+          $ref: '#/components/schemas/SecurityMonitoringRuleAnomalyDetectionOptions'
         detectionMethod:
           $ref: '#/components/schemas/SecurityMonitoringRuleDetectionMethod'
         evaluationWindow: