DataDog · api-clients-generation-pipeline · May 26, 2026
@@ -18908,9 +18908,6 @@ components:
     ConvertJobResultsToSignalsAttributes:
       description: Attributes for converting historical job results to signals.
       properties:
-        id:
-          description: Request ID.
-          type: string
         jobResultIds:
           description: Job result IDs.
           example:
@@ -37540,10 +37537,34 @@ components:
     HistoricalJobQuery:
       description: Query for selecting logs analyzed by the historical job.
       properties:
+        additionalFilters:
+          description: Additional filters appended to the query at evaluation time.
+          type: string
         aggregation:
           $ref: "#/components/schemas/SecurityMonitoringRuleQueryAggregation"
+        correlatedByFields:
+          description: Fields used to correlate results across queries in sequence detection rules.
+          items:
+            description: Field.
+            type: string
+          type: array
+        correlatedQueryIndex:
+          description: Zero-based index of the query to correlate with in sequence detection rules. Up to 10 queries are supported, so valid values are 0 to 9.
+          format: int64
+          maximum: 9
+          minimum: 0
+          type: integer
+        customQueryExtension:
+          description: Custom query extension used to refine the base query.
+          type: string
         dataSource:
           $ref: "#/components/schemas/SecurityMonitoringStandardDataSource"
+        datasetIds:
+          description: IDs of reference datasets used by this query.
+          items:
+            description: Dataset ID.
+            type: string
+          type: array
         distinctFields:
           description: Field for which the cardinality is measured. Sent as an array.
           items:
@@ -37561,6 +37582,15 @@ components:
           description: When false, events without a group-by value are ignored by the query. When true, events with missing group-by fields are processed with `N/A`, replacing the missing values.
           example: false
           type: boolean
+        index:
+          description: Index used to load the data for this query.
+          type: string
+        indexes:
+          description: Indexes used to load the data for this query. Mutually exclusive with `index`.
+          items:
+            description: Index name.
+            type: string
+          type: array
         metrics:
           description: Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.
           items:
@@ -37574,6 +37604,9 @@ components:
           description: Query to run on logs.
           example: a > 3
           type: string
+        queryLanguage:
+          description: Language used to parse the query string.
+          type: string
       type: object
     HistoricalJobResponse:
       description: Historical job response.
@@ -37607,6 +37640,10 @@ components:
         modifiedAt:
           description: Last modification time of the job.
           type: string
+        progressRate:
+          description: Job execution progress as a value between 0 and 1. Omitted for finished jobs.
+          format: double
+          type: number
         signalOutput:
           description: Whether the job outputs signals.
           type: boolean
@@ -43137,9 +43174,10 @@ components:
             $ref: "#/components/schemas/CalculatedField"
           type: array
         cases:
-          description: Cases used for generating job results.
+          description: Cases used for generating job results. Up to 10 cases are allowed.
           items:
             $ref: "#/components/schemas/SecurityMonitoringRuleCaseCreate"
+          maxItems: 10
           type: array
         from:
           description: Starting time of data analyzed by the job.
@@ -43169,9 +43207,10 @@ components:
         options:
           $ref: "#/components/schemas/HistoricalJobOptions"
         queries:
-          description: Queries for selecting logs analyzed by the job.
+          description: Queries for selecting logs analyzed by the job. Up to 10 queries are allowed.
           items:
             $ref: "#/components/schemas/HistoricalJobQuery"
+          maxItems: 10
           type: array
         referenceTables:
           description: Reference tables used in the queries.
@@ -43185,10 +43224,11 @@ components:
             type: string
           type: array
         thirdPartyCases:
-          description: Cases for generating results from third-party detection method. Only available for third-party detection method.
+          description: Cases for generating results from third-party detection method. Only available for third-party detection method. Up to 10 cases are allowed.
           example: []
           items:
             $ref: "#/components/schemas/SecurityMonitoringThirdPartyRuleCaseCreate"
+          maxItems: 10
           type: array
         to:
           description: Ending time of data analyzed by the job.
@@ -43210,6 +43250,12 @@ components:
     JobDefinitionFromRule:
       description: Definition of a historical job based on a security monitoring rule.
       properties:
+        caseIndex:
+          description: Zero-based index of the rule case to use as the job's signal condition. When omitted, all cases are evaluated. Up to 10 cases are supported, so valid values are 0 to 9.
+          format: int32
+          maximum: 9
+          minimum: 0
+          type: integer
         from:
           description: Starting time of data analyzed by the job.
           example: 1729843470000
@@ -70274,11 +70320,11 @@ components:
       properties:
         fromRule:
           $ref: "#/components/schemas/JobDefinitionFromRule"
-        id:
-          description: Request ID.
-          type: string
         jobDefinition:
           $ref: "#/components/schemas/JobDefinition"
+        signalOutput:
+          description: Whether the job outputs signals when results are converted.
+          type: boolean
       type: object
     RunHistoricalJobRequestData:
       description: Data for running a historical job request.
@@ -154835,7 +154881,7 @@ paths:
         **Note**: This endpoint is in beta and may be subject to changes.
         Please check the documentation regularly for updates.
   /api/v2/siem-historical-detections/histsignals/search:
-    get:
+    post:
       description: Search hist signals.
       operationId: SearchSecurityMonitoringHistsignals
       requestBody:
@@ -154887,6 +154933,7 @@ paths:
             - security_monitoring_signals_read
       summary: Search hist signals
       tags: ["Security Monitoring"]
+      x-codegen-request-body-name: body
       "x-permission":
         operator: OR
         permissions:

@@ -3448,7 +3448,7 @@ def __init__(self, api_client=None):
                 "auth": ["apiKeyAuth", "appKeyAuth", "AuthZ"],
                 "endpoint_path": "/api/v2/siem-historical-detections/histsignals/search",
                 "operation_id": "search_security_monitoring_histsignals",
-                "http_method": "GET",
+                "http_method": "POST",
                 "version": "v2",
             },
             params_map={

@@ -3,13 +3,11 @@
 # Copyright 2019-Present Datadog, Inc.
 from __future__ import annotations
 
-from typing import List, Union, TYPE_CHECKING
+from typing import List, TYPE_CHECKING
 
 from datadog_api_client.model_utils import (
     ModelNormal,
     cached_property,
-    unset,
-    UnsetType,
 )
 
 
@@ -23,15 +21,13 @@ def openapi_types(_):
         from datadog_api_client.v2.model.security_monitoring_rule_severity import SecurityMonitoringRuleSeverity
 
         return {
-            "id": (str,),
             "job_result_ids": ([str],),
             "notifications": ([str],),
             "signal_message": (str,),
             "signal_severity": (SecurityMonitoringRuleSeverity,),
         }
 
     attribute_map = {
-        "id": "id",
         "job_result_ids": "jobResultIds",
         "notifications": "notifications",
         "signal_message": "signalMessage",
@@ -44,15 +40,11 @@ def __init__(
         notifications: List[str],
         signal_message: str,
         signal_severity: SecurityMonitoringRuleSeverity,
-        id: Union[str, UnsetType] = unset,
         **kwargs,
     ):
         """
         Attributes for converting historical job results to signals.
 
-        :param id: Request ID.
-        :type id: str, optional
-
         :param job_result_ids: Job result IDs.
         :type job_result_ids: [str]
 
@@ -65,8 +57,6 @@ def __init__(
         :param signal_severity: Severity of the Security Signal.
         :type signal_severity: SecurityMonitoringRuleSeverity
         """
-        if id is not unset:
-            kwargs["id"] = id
         super().__init__(kwargs)
 
         self_.job_result_ids = job_result_ids

@@ -23,6 +23,13 @@
 
 
 class HistoricalJobQuery(ModelNormal):
+    validations = {
+        "correlated_query_index": {
+            "inclusive_maximum": 9,
+            "inclusive_minimum": 0,
+        },
+    }
+
     @cached_property
     def openapi_types(_):
         from datadog_api_client.v2.model.security_monitoring_rule_query_aggregation import (
@@ -33,48 +40,87 @@ def openapi_types(_):
         )
 
         return {
+            "additional_filters": (str,),
             "aggregation": (SecurityMonitoringRuleQueryAggregation,),
+            "correlated_by_fields": ([str],),
+            "correlated_query_index": (int,),
+            "custom_query_extension": (str,),
             "data_source": (SecurityMonitoringStandardDataSource,),
+            "dataset_ids": ([str],),
             "distinct_fields": ([str],),
             "group_by_fields": ([str],),
             "has_optional_group_by_fields": (bool,),
+            "index": (str,),
+            "indexes": ([str],),
             "metrics": ([str],),
             "name": (str,),
             "query": (str,),
+            "query_language": (str,),
         }
 
     attribute_map = {
+        "additional_filters": "additionalFilters",
         "aggregation": "aggregation",
+        "correlated_by_fields": "correlatedByFields",
+        "correlated_query_index": "correlatedQueryIndex",
+        "custom_query_extension": "customQueryExtension",
         "data_source": "dataSource",
+        "dataset_ids": "datasetIds",
         "distinct_fields": "distinctFields",
         "group_by_fields": "groupByFields",
         "has_optional_group_by_fields": "hasOptionalGroupByFields",
+        "index": "index",
+        "indexes": "indexes",
         "metrics": "metrics",
         "name": "name",
         "query": "query",
+        "query_language": "queryLanguage",
     }
 
     def __init__(
         self_,
+        additional_filters: Union[str, UnsetType] = unset,
         aggregation: Union[SecurityMonitoringRuleQueryAggregation, UnsetType] = unset,
+        correlated_by_fields: Union[List[str], UnsetType] = unset,
+        correlated_query_index: Union[int, UnsetType] = unset,
+        custom_query_extension: Union[str, UnsetType] = unset,
         data_source: Union[SecurityMonitoringStandardDataSource, UnsetType] = unset,
+        dataset_ids: Union[List[str], UnsetType] = unset,
         distinct_fields: Union[List[str], UnsetType] = unset,
         group_by_fields: Union[List[str], UnsetType] = unset,
         has_optional_group_by_fields: Union[bool, UnsetType] = unset,
+        index: Union[str, UnsetType] = unset,
+        indexes: Union[List[str], UnsetType] = unset,
         metrics: Union[List[str], UnsetType] = unset,
         name: Union[str, UnsetType] = unset,
         query: Union[str, UnsetType] = unset,
+        query_language: Union[str, UnsetType] = unset,
         **kwargs,
     ):
         """
         Query for selecting logs analyzed by the historical job.
 
+        :param additional_filters: Additional filters appended to the query at evaluation time.
+        :type additional_filters: str, optional
+
         :param aggregation: The aggregation type.
         :type aggregation: SecurityMonitoringRuleQueryAggregation, optional
 
+        :param correlated_by_fields: Fields used to correlate results across queries in sequence detection rules.
+        :type correlated_by_fields: [str], optional
+
+        :param correlated_query_index: Zero-based index of the query to correlate with in sequence detection rules. Up to 10 queries are supported, so valid values are 0 to 9.
+        :type correlated_query_index: int, optional
+
+        :param custom_query_extension: Custom query extension used to refine the base query.
+        :type custom_query_extension: str, optional
+
         :param data_source: Source of events, either logs, audit trail, security signals, or Datadog events. ``app_sec_spans`` is deprecated in favor of ``spans``.
         :type data_source: SecurityMonitoringStandardDataSource, optional
 
+        :param dataset_ids: IDs of reference datasets used by this query.
+        :type dataset_ids: [str], optional
+
         :param distinct_fields: Field for which the cardinality is measured. Sent as an array.
         :type distinct_fields: [str], optional
 
@@ -84,6 +130,12 @@ def __init__(
         :param has_optional_group_by_fields: When false, events without a group-by value are ignored by the query. When true, events with missing group-by fields are processed with ``N/A`` , replacing the missing values.
         :type has_optional_group_by_fields: bool, optional
 
+        :param index: Index used to load the data for this query.
+        :type index: str, optional
+
+        :param indexes: Indexes used to load the data for this query. Mutually exclusive with ``index``.
+        :type indexes: [str], optional
+
         :param metrics: Group of target fields to aggregate over when using the sum, max, geo data, or new value aggregations. The sum, max, and geo data aggregations only accept one value in this list, whereas the new value aggregation accepts up to five values.
         :type metrics: [str], optional
 
@@ -92,21 +144,40 @@ def __init__(
 
         :param query: Query to run on logs.
         :type query: str, optional
+
+        :param query_language: Language used to parse the query string.
+        :type query_language: str, optional
         """
+        if additional_filters is not unset:
+            kwargs["additional_filters"] = additional_filters
         if aggregation is not unset:
             kwargs["aggregation"] = aggregation
+        if correlated_by_fields is not unset:
+            kwargs["correlated_by_fields"] = correlated_by_fields
+        if correlated_query_index is not unset:
+            kwargs["correlated_query_index"] = correlated_query_index
+        if custom_query_extension is not unset:
+            kwargs["custom_query_extension"] = custom_query_extension
         if data_source is not unset:
             kwargs["data_source"] = data_source
+        if dataset_ids is not unset:
+            kwargs["dataset_ids"] = dataset_ids
         if distinct_fields is not unset:
             kwargs["distinct_fields"] = distinct_fields
         if group_by_fields is not unset:
             kwargs["group_by_fields"] = group_by_fields
         if has_optional_group_by_fields is not unset:
             kwargs["has_optional_group_by_fields"] = has_optional_group_by_fields
+        if index is not unset:
+            kwargs["index"] = index
+        if indexes is not unset:
+            kwargs["indexes"] = indexes
         if metrics is not unset:
             kwargs["metrics"] = metrics
         if name is not unset:
             kwargs["name"] = name
         if query is not unset:
             kwargs["query"] = query
+        if query_language is not unset:
+            kwargs["query_language"] = query_language
         super().__init__(kwargs)