DataDog · api-clients-generation-pipeline · Jun 8, 2026
@@ -44181,6 +44181,16 @@ components:
           items:
             type: string
           type: array
+        triage_state:
+          description: "Current triage state of the indicator: not_reviewed or reviewed."
+          type: string
+        triaged_at:
+          description: Timestamp when the indicator was last triaged.
+          format: date-time
+          type: string
+        triaged_by:
+          description: UUID of the user who last triaged the indicator.
+          type: string
       type: object
     IoCIndicatorDetailed:
       description: An indicator of compromise with extended context from your environment.
@@ -44299,6 +44309,21 @@ components:
           items:
             type: string
           type: array
+        triage_history:
+          description: Full triage history timeline. Returned only when `include_triage_history` is true.
+          items:
+            $ref: "#/components/schemas/IoCTriageEvent"
+          type: array
+        triage_state:
+          description: "Current triage state of the indicator: not_reviewed or reviewed."
+          type: string
+        triaged_at:
+          description: Timestamp when the indicator was last triaged.
+          format: date-time
+          type: string
+        triaged_by:
+          description: UUID of the user who last triaged the indicator.
+          type: string
         users:
           additionalProperties:
             description: List of user identifiers in this category.
@@ -44337,6 +44362,97 @@ components:
           description: Name of the threat intelligence source.
           type: string
       type: object
+    IoCTriageEvent:
+      description: A single entry in an indicator's triage history timeline.
+      properties:
+        triage_state:
+          description: "Triage state set by this action: not_reviewed or reviewed."
+          type: string
+        triaged_at:
+          description: Timestamp when this triage action occurred.
+          format: date-time
+          type: string
+        triaged_by:
+          description: UUID of the user who performed this triage action.
+          type: string
+      type: object
+    IoCTriageWriteRequest:
+      description: Request body for creating or updating an indicator triage state.
+      properties:
+        data:
+          $ref: "#/components/schemas/IoCTriageWriteRequestData"
+      required:
+        - data
+      type: object
+    IoCTriageWriteRequestAttributes:
+      description: Attributes for setting an indicator's triage state.
+      properties:
+        indicator:
+          description: The indicator value to triage (for example, an IP address or domain).
+          example: "192.0.2.1"
+          type: string
+        triage_state:
+          description: "The triage state to set: not_reviewed or reviewed."
+          example: reviewed
+          type: string
+      required:
+        - indicator
+        - triage_state
+      type: object
+    IoCTriageWriteRequestData:
+      description: Data object for the triage write request.
+      properties:
+        attributes:
+          $ref: "#/components/schemas/IoCTriageWriteRequestAttributes"
+        type:
+          default: ioc_triage_state
+          description: Triage state resource type.
+          example: ioc_triage_state
+          type: string
+      required:
+        - type
+        - attributes
+      type: object
+    IoCTriageWriteResponse:
+      description: Response for the create indicator triage state endpoint.
+      properties:
+        data:
+          $ref: "#/components/schemas/IoCTriageWriteResponseData"
+      type: object
+    IoCTriageWriteResponseAttributes:
+      description: Attributes of a created or updated triage state.
+      properties:
+        created_at:
+          description: Timestamp when the triage record was created.
+          format: date-time
+          type: string
+        indicator:
+          description: The indicator value that was triaged.
+          type: string
+        triage_state:
+          description: "The triage state that was set: not_reviewed or reviewed."
+          type: string
+        triaged_at:
+          description: Timestamp when the triage state was set.
+          format: date-time
+          type: string
+        triaged_by:
+          description: UUID of the user who set the triage state.
+          type: string
+      type: object
+    IoCTriageWriteResponseData:
+      description: Data object of the triage write response.
+      properties:
+        attributes:
+          $ref: "#/components/schemas/IoCTriageWriteResponseAttributes"
+        id:
+          description: Unique identifier for the triage state record.
+          type: string
+        type:
+          default: ioc_triage_state
+          description: Triage state resource type.
+          type: string
+      type: object
     Issue:
       description: The issue matching the request.
       properties:
@@ -159560,6 +159676,25 @@ paths:
           schema:
             default: desc
             type: string
+        - description: When true, return only OCSF field-based matches. When false, return regex/message-based matches.
+          in: query
+          name: ocsf
+          required: false
+          schema:
+            default: true
+            type: boolean
+        - description: Filter indicators whose triage state was updated by a specific user UUID.
+          in: query
+          name: worked_by
+          required: false
+          schema:
+            type: string
+        - description: "Filter by triage state: not_reviewed or reviewed."
+          in: query
+          name: triage_state
+          required: false
+          schema:
+            type: string
       responses:
         "200":
           content:
@@ -159611,6 +159746,38 @@ paths:
           required: true
           schema:
             type: string
+        - description: When true, return only OCSF field-based matches. When false, return regex/message-based matches.
+          in: query
+          name: ocsf
+          required: false
+          schema:
+            default: true
+            type: boolean
+        - description: Include full triage history for the indicator.
+          in: query
+          name: include_triage_history
+          required: false
+          schema:
+            default: false
+            type: boolean
+        - description: Maximum number of triage history events returned. Only applied when `include_triage_history` is true.
+          in: query
+          name: triage_history_limit
+          required: false
+          schema:
+            default: 50
+            format: int32
+            maximum: 1000
+            minimum: 1
+            type: integer
+        - description: Pagination offset into the triage history. Only applied when `include_triage_history` is true.
+          in: query
+          name: triage_history_offset
+          required: false
+          schema:
+            default: 0
+            format: int32
+            type: integer
       responses:
         "200":
           content:
@@ -159648,6 +159815,62 @@ paths:
       x-unstable: |-
         **Note**: This endpoint is in beta and may be subject to changes.
         Please check the documentation regularly for updates.
+  /api/v2/security/siem/ioc-explorer/triage:
+    post:
+      description: |-
+        Set the triage state of an indicator of compromise (IoC). This creates or
+        updates the triage state for the indicator in your organization.
+      operationId: CreateIoCTriageState
+      requestBody:
+        content:
+          "application/json":
+            examples:
+              default:
+                value:
+                  data:
+                    attributes:
+                      indicator: "192.0.2.1"
+                      triage_state: reviewed
+                    type: ioc_triage_state
+            schema:
+              $ref: "#/components/schemas/IoCTriageWriteRequest"
+        description: The triage state to set for the indicator.
+        required: true
+      responses:
+        "201":
+          content:
+            "application/json":
+              examples:
+                default:
+                  value:
+                    data:
+                      attributes:
+                        created_at: "2026-06-04T12:00:00Z"
+                        indicator: "192.0.2.1"
+                        triage_state: reviewed
+                        triaged_at: "2026-06-04T12:00:00Z"
+                        triaged_by: 11111111-2222-3333-4444-555555555555
+                      id: abc-123
+                      type: ioc_triage_state
+              schema:
+                $ref: "#/components/schemas/IoCTriageWriteResponse"
+          description: Created
+        "400":
+          $ref: "#/components/responses/BadRequestResponse"
+        "403":
+          $ref: "#/components/responses/NotAuthorizedResponse"
+        "429":
+          $ref: "#/components/responses/TooManyRequestsResponse"
+      security:
+        - apiKeyAuth: []
+          appKeyAuth: []
+        - AuthZ:
+            - security_monitoring_signals_write
+      summary: Create or update an indicator triage state
+      tags: ["Security Monitoring"]
+      x-unstable: |-
+        **Note**: This endpoint is in beta and may be subject to changes.
+        Please check the documentation regularly for updates.
   /api/v2/security/signals/notification_rules:
     get:
       description: Returns the list of notification rules for security signals.

@@ -0,0 +1,23 @@
+// Create or update an indicator triage state returns "Created" response
+use datadog_api_client::datadog;
+use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
+use datadog_api_client::datadogV2::model::IoCTriageWriteRequest;
+use datadog_api_client::datadogV2::model::IoCTriageWriteRequestAttributes;
+use datadog_api_client::datadogV2::model::IoCTriageWriteRequestData;
+
+#[tokio::main]
+async fn main() {
+    let body = IoCTriageWriteRequest::new(IoCTriageWriteRequestData::new(
+        IoCTriageWriteRequestAttributes::new("192.0.2.1".to_string(), "reviewed".to_string()),
+        "ioc_triage_state".to_string(),
+    ));
+    let mut configuration = datadog::Configuration::new();
+    configuration.set_unstable_operation_enabled("v2.CreateIoCTriageState", true);
+    let api = SecurityMonitoringAPI::with_config(configuration);
+    let resp = api.create_io_c_triage_state(body).await;
+    if let Ok(value) = resp {
+        println!("{:#?}", value);
+    } else {
+        println!("{:#?}", resp.unwrap_err());
+    }
+}
@@ -1,5 +1,6 @@
 // Get an indicator of compromise returns "OK" response
 use datadog_api_client::datadog;
+use datadog_api_client::datadogV2::api_security_monitoring::GetIndicatorOfCompromiseOptionalParams;
 use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
 
 #[tokio::main]
@@ -9,7 +10,8 @@ async fn main() {
     let api = SecurityMonitoringAPI::with_config(configuration);
     let resp = api
         .get_indicator_of_compromise(
-            "masscan/1.3 (https://github.com/robertdavidgraham/masscan)".to_string(),
+            "192.0.2.1".to_string(),
+            GetIndicatorOfCompromiseOptionalParams::default().include_triage_history(true),
         )
         .await;
     if let Ok(value) = resp {

@@ -296,6 +296,7 @@ impl Default for Configuration {
                 "v2.convert_security_monitoring_terraform_resource".to_owned(),
                 false,
             ),
+            ("v2.create_io_c_triage_state".to_owned(), false),
             (
                 "v2.create_sample_log_generation_subscription".to_owned(),
                 false,
-Original file line number
+Diff line change
@@ Expand Up / @@ -296,6 +296,7 @@ impl Default for Configuration { @@
                     "v2.convert_security_monitoring_terraform_resource".to_owned(),
                     false,
                 ),
+                ("v2.create_io_c_triage_state".to_owned(), false),
                 (
                     "v2.create_sample_log_generation_subscription".to_owned(),
                     false,
@@ Expand Down @@