From 8d343ffd6c40db50f66a148723701972bbd5f22f Mon Sep 17 00:00:00 2001 From: "api-clients-generation-pipeline[bot]" <54105614+api-clients-generation-pipeline[bot]@users.noreply.github.com> Date: Wed, 18 Mar 2026 10:26:20 +0000 Subject: [PATCH 1/2] Add audit track to list of available org connections (#3065) Co-authored-by: ci.datadog-api-spec --- .generator/schemas/v2/openapi.yaml | 2 ++ lib/datadog_api_client/v2/models/org_connection_type_enum.rb | 1 + 2 files changed, 3 insertions(+) diff --git a/.generator/schemas/v2/openapi.yaml b/.generator/schemas/v2/openapi.yaml index 6ae3aae26d9b..3aecf1fb968a 100644 --- a/.generator/schemas/v2/openapi.yaml +++ b/.generator/schemas/v2/openapi.yaml @@ -48162,11 +48162,13 @@ components: enum: - logs - metrics + - audit example: logs type: string x-enum-varnames: - LOGS - METRICS + - AUDIT OrgConnectionUpdate: description: Org connection update data. properties: diff --git a/lib/datadog_api_client/v2/models/org_connection_type_enum.rb b/lib/datadog_api_client/v2/models/org_connection_type_enum.rb index f0aced09c324..e76699c6a488 100644 --- a/lib/datadog_api_client/v2/models/org_connection_type_enum.rb +++ b/lib/datadog_api_client/v2/models/org_connection_type_enum.rb @@ -23,5 +23,6 @@ class OrgConnectionTypeEnum LOGS = "logs".freeze METRICS = "metrics".freeze + AUDIT = "audit".freeze end end From 34f658fd80eaa59d8cdc26c1c6fc980848085805 Mon Sep 17 00:00:00 2001 
From: "api-clients-generation-pipeline[bot]" <54105614+api-clients-generation-pipeline[bot]@users.noreply.github.com> Date: Wed, 18 Mar 2026 10:53:26 +0000 Subject: [PATCH 2/2] Add OpenAPI documentation for keep_unmatched field in ocsf mapper processor (#3122) Co-authored-by: ci.datadog-api-spec --- .generator/schemas/v2/openapi.yaml | 5 ++ ...-keep-unmatched-returns-OK-response.frozen | 1 + ...per-keep-unmatched-returns-OK-response.yml | 28 ++++++++++ .../ValidatePipeline_3067748504.rb | 56 +++++++++++++++++++ features/v2/observability_pipelines.feature | 8 +++ ...vability_pipeline_ocsf_mapper_processor.rb | 12 +++- 6 files changed, 109 insertions(+), 1 deletion(-) create mode 100644 cassettes/features/v2/observability_pipelines/Validate-an-observability-pipeline-with-OCSF-mapper-keep-unmatched-returns-OK-response.frozen create mode 100644 cassettes/features/v2/observability_pipelines/Validate-an-observability-pipeline-with-OCSF-mapper-keep-unmatched-returns-OK-response.yml create mode 100644 examples/v2/observability-pipelines/ValidatePipeline_3067748504.rb diff --git a/.generator/schemas/v2/openapi.yaml b/.generator/schemas/v2/openapi.yaml index 3aecf1fb968a..7ae721a4124b 100644 --- a/.generator/schemas/v2/openapi.yaml +++ b/.generator/schemas/v2/openapi.yaml @@ -44855,6 +44855,11 @@ components: targets. example: service:my-service type: string + keep_unmatched: + description: Whether to keep an event that does not match any of the mapping + filters. + example: false + type: boolean mappings: description: A list of mapping rules to convert events to the OCSF format. items: diff --git a/cassettes/features/v2/observability_pipelines/Validate-an-observability-pipeline-with-OCSF-mapper-keep-unmatched-returns-OK-response.frozen b/cassettes/features/v2/observability_pipelines/Validate-an-observability-pipeline-with-OCSF-mapper-keep-unmatched-returns-OK-response.frozen new file mode 100644 index 000000000000..4cc5bbd3eda5 --- /dev/null 
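Review bot: The new `keep_unmatched` description in the `openapi.yaml` hunk does not say what happens when the field is omitted; the schema carries `example: false` but no `default`. For an OCSF mapper feeding security tooling this matters, because presumably unmatched events are discarded unless the flag is set, and that silent log loss is something a pipeline author needs to read in the field documentation; conversely, with `true`, events that were never normalized to OCSF reach the destination. I would extend the description to something like `Whether to keep an event that does not match any of the mapping filters. When omitted or false, such events are dropped.` (wording to be confirmed against the backend behaviour) and add `default: false` if that is the server-side default. The same sentence is copied verbatim into the attribute comment above `attr_accessor :keep_unmatched` in `observability_pipeline_ocsf_mapper_processor.rb`, so correcting the spec also corrects the generated model documentation.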
+++ b/cassettes/features/v2/observability_pipelines/Validate-an-observability-pipeline-with-OCSF-mapper-keep-unmatched-returns-OK-response.frozen @@ -0,0 +1 @@ +2026-03-16T13:02:49.264Z \ No newline at end of file diff --git a/cassettes/features/v2/observability_pipelines/Validate-an-observability-pipeline-with-OCSF-mapper-keep-unmatched-returns-OK-response.yml b/cassettes/features/v2/observability_pipelines/Validate-an-observability-pipeline-with-OCSF-mapper-keep-unmatched-returns-OK-response.yml new file mode 100644 index 000000000000..f5a0fe640239 --- /dev/null +++ b/cassettes/features/v2/observability_pipelines/Validate-an-observability-pipeline-with-OCSF-mapper-keep-unmatched-returns-OK-response.yml @@ -0,0 +1,28 @@ +http_interactions: +- recorded_at: Mon, 16 Mar 2026 13:02:49 GMT + request: + body: + encoding: UTF-8 + string: '{"data":{"attributes":{"config":{"destinations":[{"id":"datadog-logs-destination","inputs":["my-processor-group"],"type":"datadog_logs"}],"processor_groups":[{"enabled":true,"id":"my-processor-group","include":"service:my-service","inputs":["datadog-agent-source"],"processors":[{"enabled":true,"id":"ocsf-mapper-processor","include":"service:my-service","keep_unmatched":true,"mappings":[{"include":"source:cloudtrail","mapping":"CloudTrail + Account Change"}],"type":"ocsf_mapper"}]}],"sources":[{"id":"datadog-agent-source","type":"datadog_agent"}]},"name":"OCSF + Mapper Keep Unmatched Pipeline"},"type":"pipelines"}}' + headers: + Accept: + - application/json + Content-Type: + - application/json + method: POST + uri: https://api.datadoghq.com/api/v2/obs-pipelines/pipelines/validate + response: + body: + encoding: UTF-8 + string: '{"errors":[]} + + ' + headers: + Content-Type: + - application/vnd.api+json + status: + code: 200 + message: OK +recorded_with: VCR 6.0.0 
diff --git a/examples/v2/observability-pipelines/ValidatePipeline_3067748504.rb b/examples/v2/observability-pipelines/ValidatePipeline_3067748504.rb new file mode 100644 index 000000000000..ef24116eb20f --- /dev/null +++ b/examples/v2/observability-pipelines/ValidatePipeline_3067748504.rb 
@@ -0,0 +1,56 @@ +# Validate an observability pipeline with OCSF mapper keep_unmatched returns "OK" response + +require "datadog_api_client" +api_instance = DatadogAPIClient::V2::ObservabilityPipelinesAPI.new + +body = DatadogAPIClient::V2::ObservabilityPipelineSpec.new({ + data: DatadogAPIClient::V2::ObservabilityPipelineSpecData.new({ + attributes: DatadogAPIClient::V2::ObservabilityPipelineDataAttributes.new({ + config: DatadogAPIClient::V2::ObservabilityPipelineConfig.new({ + destinations: [ + DatadogAPIClient::V2::ObservabilityPipelineDatadogLogsDestination.new({ + id: "datadog-logs-destination", + inputs: [ + "my-processor-group", + ], + type: DatadogAPIClient::V2::ObservabilityPipelineDatadogLogsDestinationType::DATADOG_LOGS, + }), + ], + processor_groups: [ + DatadogAPIClient::V2::ObservabilityPipelineConfigProcessorGroup.new({ + enabled: true, + id: "my-processor-group", + include: "service:my-service", + inputs: [ + "datadog-agent-source", + ], + processors: [ + DatadogAPIClient::V2::ObservabilityPipelineOcsfMapperProcessor.new({ + enabled: true, + id: "ocsf-mapper-processor", + include: "service:my-service", + type: DatadogAPIClient::V2::ObservabilityPipelineOcsfMapperProcessorType::OCSF_MAPPER, + keep_unmatched: true, + mappings: [ + DatadogAPIClient::V2::ObservabilityPipelineOcsfMapperProcessorMapping.new({ + include: "source:cloudtrail", + mapping: DatadogAPIClient::V2::ObservabilityPipelineOcsfMappingLibrary::CLOUDTRAIL_ACCOUNT_CHANGE, + }), + ], + }), + ], + }), + ], + sources: [ + DatadogAPIClient::V2::ObservabilityPipelineDatadogAgentSource.new({ + id: "datadog-agent-source", + type: DatadogAPIClient::V2::ObservabilityPipelineDatadogAgentSourceType::DATADOG_AGENT, + }), + ], + }), + name: "OCSF Mapper Keep Unmatched Pipeline", + }), + type: "pipelines", + }), +}) +p api_instance.validate_pipeline(body) diff --git a/features/v2/observability_pipelines.feature b/features/v2/observability_pipelines.feature index e272303955a0..7e8ceefc82e4 100644 
--- a/features/v2/observability_pipelines.feature +++ b/features/v2/observability_pipelines.feature @@ -191,6 +191,14 @@ Feature: Observability Pipelines When the request is sent Then the response status is 400 Bad Request + @team:DataDog/observability-pipelines + Scenario: Validate an observability pipeline with OCSF mapper keep_unmatched returns "OK" response + Given new "ValidatePipeline" request + And body with value {"data": {"attributes": {"config": {"destinations": [{"id": "datadog-logs-destination", "inputs": ["my-processor-group"], "type": "datadog_logs"}], "processor_groups": [{"enabled": true, "id": "my-processor-group", "include": "service:my-service", "inputs": ["datadog-agent-source"], "processors": [{"enabled": true, "id": "ocsf-mapper-processor", "include": "service:my-service", "type": "ocsf_mapper", "keep_unmatched": true, "mappings": [{"include": "source:cloudtrail", "mapping": "CloudTrail Account Change"}]}]}], "sources": [{"id": "datadog-agent-source", "type": "datadog_agent"}]}, "name": "OCSF Mapper Keep Unmatched Pipeline"}, "type": "pipelines"}} + When the request is sent + Then the response status is 200 OK + And the response "errors" has length 0 + @team:DataDog/observability-pipelines Scenario: Validate an observability pipeline with OCSF mapper library mapping returns "OK" response Given new "ValidatePipeline" request diff --git a/lib/datadog_api_client/v2/models/observability_pipeline_ocsf_mapper_processor.rb b/lib/datadog_api_client/v2/models/observability_pipeline_ocsf_mapper_processor.rb index ec44d070a772..c950b74913da 100644 --- a/lib/datadog_api_client/v2/models/observability_pipeline_ocsf_mapper_processor.rb +++ b/lib/datadog_api_client/v2/models/observability_pipeline_ocsf_mapper_processor.rb 
@@ -35,6 +35,9 @@ class ObservabilityPipelineOcsfMapperProcessor # A Datadog search query used to determine which logs this processor targets. attr_reader :include + # Whether to keep an event that does not match any of the mapping filters. + attr_accessor :keep_unmatched + # A list of mapping rules to convert events to the OCSF format. attr_reader :mappings @@ -51,6 +54,7 @@ def self.attribute_map :'enabled' => :'enabled', :'id' => :'id', :'include' => :'include', + :'keep_unmatched' => :'keep_unmatched', :'mappings' => :'mappings', :'type' => :'type' } @@ -64,6 +68,7 @@ def self.openapi_types :'enabled' => :'Boolean', :'id' => :'String', :'include' => :'String', + :'keep_unmatched' => :'Boolean', :'mappings' => :'Array', :'type' => :'ObservabilityPipelineOcsfMapperProcessorType' } @@ -103,6 +108,10 @@ def initialize(attributes = {}) self.include = attributes[:'include'] end + if attributes.key?(:'keep_unmatched') + self.keep_unmatched = attributes[:'keep_unmatched'] + end + if attributes.key?(:'mappings') if (value = attributes[:'mappings']).is_a?(Array) self.mappings = value @@ -206,6 +215,7 @@ def ==(o) enabled == o.enabled && id == o.id && include == o.include && + keep_unmatched == o.keep_unmatched && mappings == o.mappings && type == o.type && additional_properties == o.additional_properties @@ -215,7 +225,7 @@ def ==(o) # @return [Integer] Hash code # @!visibility private def hash - [display_name, enabled, id, include, mappings, type, additional_properties].hash + [display_name, enabled, id, include, keep_unmatched, mappings, type, additional_properties].hash end end end