Security Monitoring - Validation Endpoint for Suppressions

.generator/schemas/v2/openapi.yaml

@@ -64816,6 +64816,38 @@ paths:
       summary: Get suppressions affecting a specific rule
       tags:
       - Security Monitoring
+  /api/v2/security_monitoring/configuration/suppressions/validation:
+    post:
+      description: Validate a suppression rule.
+      operationId: ValidateSecurityMonitoringSuppression
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/SecurityMonitoringSuppressionUpdateRequest'
+        required: true
+      responses:
+        '204':
+          description: OK
+        '400':
+          $ref: '#/components/responses/BadRequestResponse'
+        '403':
+          $ref: '#/components/responses/NotAuthorizedResponse'
+        '429':
+          $ref: '#/components/responses/TooManyRequestsResponse'
+      security:
+      - apiKeyAuth: []
+        appKeyAuth: []
+      - AuthZ:
+        - security_monitoring_suppressions_write
+      summary: Validate a suppression rule
+      tags:
+      - Security Monitoring
+      x-codegen-request-body-name: body
+      x-permission:
+        operator: OR
+        permissions:
+        - security_monitoring_suppressions_write
   /api/v2/security_monitoring/configuration/suppressions/{suppression_id}:
     delete:
       description: Delete a specific suppression rule.

cassettes/v2/Security-Monitoring_1187227211/Validate-a-suppression-rule-returns-Bad-Request-response_1037777113/frozen.json

@@ -0,0 +1 @@
+"2025-09-01T21:36:42.334Z"

cassettes/v2/Security-Monitoring_1187227211/Validate-a-suppression-rule-returns-Bad-Request-response_1037777113/recording.har

@@ -0,0 +1,67 @@
+{
+  "log": {
+    "_recordingName": "Security Monitoring/Validate a suppression rule returns \"Bad Request\" response",
+    "creator": {
+      "comment": "persister:fs",
+      "name": "Polly.JS",
+      "version": "6.0.5"
+    },
+    "entries": [
+      {
+        "_id": "703e6a45408a1cf4017d6f3d7e7b26c9",
+        "_order": 0,
+        "cache": {},
+        "request": {
+          "bodySize": 94,
+          "cookies": [],
+          "headers": [
+            {
+              "_fromType": "array",
+              "name": "accept",
+              "value": "*/*"
+            },
+            {
+              "_fromType": "array",
+              "name": "content-type",
+              "value": "application/json"
+            }
+          ],
+          "headersSize": 615,
+          "httpVersion": "HTTP/1.1",
+          "method": "POST",
+          "postData": {
+            "mimeType": "application/json",
+            "params": [],
+            "text": "{\"data\":{\"attributes\":{\"data_exclusion_query\":\"not enough attributes\"},\"type\":\"suppressions\"}}"
+          },
+          "queryString": [],
+          "url": "https://api.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/validation"
+        },
+        "response": {
+          "bodySize": 204,
+          "content": {
+            "mimeType": "application/json",
+            "size": 204,
+            "text": "{\"errors\":[\"input_validation_error(Field 'data.attributes.rule_query' is invalid: field 'rule_query' is required)\",\"input_validation_error(Field 'data.attributes.name' is invalid: name cannot be empty)\"]}"
+          },
+          "cookies": [],
+          "headers": [
+            {
+              "name": "content-type",
+              "value": "application/json"
+            }
+          ],
+          "headersSize": 654,
+          "httpVersion": "HTTP/1.1",
+          "redirectURL": "",
+          "status": 400,
+          "statusText": "Bad Request"
+        },
+        "startedDateTime": "2025-09-01T21:36:42.339Z",
+        "time": 423
+      }
+    ],
+    "pages": [],
+    "version": "1.2"
+  }
+}

cassettes/v2/Security-Monitoring_1187227211/Validate-a-suppression-rule-returns-OK-response_4063319893/frozen.json

@@ -0,0 +1 @@
+"2025-09-01T21:36:20.593Z"

cassettes/v2/Security-Monitoring_1187227211/Validate-a-suppression-rule-returns-OK-response_4063319893/recording.har

@@ -0,0 +1,61 @@
+{
+  "log": {
+    "_recordingName": "Security Monitoring/Validate a suppression rule returns \"OK\" response",
+    "creator": {
+      "comment": "persister:fs",
+      "name": "Polly.JS",
+      "version": "6.0.5"
+    },
+    "entries": [
+      {
+        "_id": "7fdeeb56d69b7809c8f48bdeffca83e0",
+        "_order": 0,
+        "cache": {},
+        "request": {
+          "bodySize": 285,
+          "cookies": [],
+          "headers": [
+            {
+              "_fromType": "array",
+              "name": "accept",
+              "value": "*/*"
+            },
+            {
+              "_fromType": "array",
+              "name": "content-type",
+              "value": "application/json"
+            }
+          ],
+          "headersSize": 616,
+          "httpVersion": "HTTP/1.1",
+          "method": "POST",
+          "postData": {
+            "mimeType": "application/json",
+            "params": [],
+            "text": "{\"data\":{\"attributes\":{\"data_exclusion_query\":\"source:cloudtrail account_id:12345\",\"description\":\"This rule suppresses low-severity signals in staging environments.\",\"enabled\":true,\"name\":\"Custom suppression\",\"rule_query\":\"type:log_detection source:cloudtrail\"},\"type\":\"suppressions\"}}"
+          },
+          "queryString": [],
+          "url": "https://api.datadoghq.com/api/v2/security_monitoring/configuration/suppressions/validation"
+        },
+        "response": {
+          "bodySize": 0,
+          "content": {
+            "mimeType": "text/plain",
+            "size": 0
+          },
+          "cookies": [],
+          "headers": [],
+          "headersSize": 601,
+          "httpVersion": "HTTP/1.1",
+          "redirectURL": "",
+          "status": 204,
+          "statusText": "No Content"
+        },
+        "startedDateTime": "2025-09-01T21:36:20.597Z",
+        "time": 501
+      }
+    ],
+    "pages": [],
+    "version": "1.2"
+  }
+}

examples/v2/security-monitoring/ValidateSecurityMonitoringSuppression.ts

@@ -0,0 +1,34 @@
+/**
+ * Validate a suppression rule returns "OK" response
+ */
+
+import { client, v2 } from "@datadog/datadog-api-client";
+
+const configuration = client.createConfiguration();
+const apiInstance = new v2.SecurityMonitoringApi(configuration);
+
+const params: v2.SecurityMonitoringApiValidateSecurityMonitoringSuppressionRequest =
+  {
+    body: {
+      data: {
+        attributes: {
+          dataExclusionQuery: "source:cloudtrail account_id:12345",
+          description:
+            "This rule suppresses low-severity signals in staging environments.",
+          enabled: true,
+          name: "Custom suppression",
+          ruleQuery: "type:log_detection source:cloudtrail",
+        },
+        type: "suppressions",
+      },
+    },
+  };
+
+apiInstance
+  .validateSecurityMonitoringSuppression(params)
+  .then((data: any) => {
+    console.log(
+      "API called successfully. Returned data: " + JSON.stringify(data)
+    );
+  })
+  .catch((error: any) => console.error(error));

features/support/scenarios_model_mapping.ts

@@ -3895,6 +3895,13 @@ export const ScenariosModelMappings: {[key: string]: {[key: string]: any}} = {
             },
         "operationResponseType": "SecurityMonitoringSuppressionsResponse",
     },
+    "v2.ValidateSecurityMonitoringSuppression": {
+        "body": {
+            "type": "SecurityMonitoringSuppressionUpdateRequest",
+            "format": "",
+            },
+        "operationResponseType": "{}",
+    },
     "v2.GetSecurityMonitoringSuppression": {
         "suppressionId": {
             "type": "string",

features/v2/security_monitoring.feature

@@ -1389,3 +1389,17 @@ Feature: Security Monitoring
     And body with value {"cases":[{"name":"","status":"info","notifications":[],"condition":"a > 0"}],"hasExtendedTitle":true,"isEnabled":true,"message":"My security monitoring rule","name":"My security monitoring rule","options":{"evaluationWindow":1800,"keepAlive":1800,"maxSignalDuration":1800,"detectionMethod":"threshold"},"queries":[{"query":"source:source_here","groupByFields":["@userIdentity.assumed_role"],"distinctFields":[],"aggregation":"count","name":""}],"tags":["env:prod","team:security"],"type":"log_detection"}
     When the request is sent
     Then the response status is 204 OK
+
+  @team:DataDog/k9-cloud-security-platform
+  Scenario: Validate a suppression rule returns "Bad Request" response
+    Given new "ValidateSecurityMonitoringSuppression" request
+    And body with value {"data": {"attributes": {"data_exclusion_query": "not enough attributes"}, "type": "suppressions"}}
+    When the request is sent
+    Then the response status is 400 Bad Request
+
+  @team:DataDog/k9-cloud-security-platform
+  Scenario: Validate a suppression rule returns "OK" response
+    Given new "ValidateSecurityMonitoringSuppression" request
+    And body with value {"data": {"attributes": {"data_exclusion_query": "source:cloudtrail account_id:12345", "description": "This rule suppresses low-severity signals in staging environments.", "enabled": true, "name": "Custom suppression", "rule_query": "type:log_detection source:cloudtrail"}, "type": "suppressions"}}
+    When the request is sent
+    Then the response status is 204 OK

features/v2/undo.json

@@ -3024,6 +3024,12 @@
       "type": "safe"
     }
   },
+  "ValidateSecurityMonitoringSuppression": {
+    "tag": "Security Monitoring",
+    "undo": {
+      "type": "idempotent"
+    }
+  },
   "DeleteSecurityMonitoringSuppression": {
     "tag": "Security Monitoring",
     "undo": {