Commit 3e8a019

api-clients-generation-pipeline[bot] and ci.datadog-api-spec authored
Cloud SIEM - Add instantaneousBaseline to anomaly detection options (#3176)
Co-authored-by: ci.datadog-api-spec <packages@datadoghq.com>
1 parent 52bf42c commit 3e8a019

8 files changed: +189 / -8 lines

.generator/schemas/v2/openapi.yaml

Lines changed: 14 additions & 8 deletions
@@ -40874,6 +40874,8 @@ components:
4087440874
type: integer
4087540875
type:
4087640876
$ref: '#/components/schemas/ObservabilityPipelineBufferOptionsMemoryType'
40877+
when_full:
40878+
$ref: '#/components/schemas/ObservabilityPipelineBufferOptionsWhenFull'
4087740879
type: object
4087840880
ObservabilityPipelineMemoryBufferSizeOptions:
4087940881
description: Options for configuring a memory buffer by queue length.
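Review bot: the `when_full` property added to `ObservabilityPipelineMemoryBufferOptions` is outside the scope of the commit title (Cloud SIEM instantaneousBaseline), and its target schema `ObservabilityPipelineBufferOptionsWhenFull` is defined nowhere in this diff; the generated client imports that model from a module that is not among the 8 changed files, so it presumably already exists, but the Observability Pipelines change would be easier to track as its own commit with its own changelog entry. The property is also a bare `$ref` with no `default`, so the spec does not say what happens when `when_full` is omitted. For a buffer carrying security logs, whether the default is to block or to drop new events is the one fact an operator needs before relying on it; put a `default:` on the referenced schema, or state the server default in its description.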
@@ -40885,6 +40887,8 @@ components:
4088540887
type: integer
4088640888
type:
4088740889
$ref: '#/components/schemas/ObservabilityPipelineBufferOptionsMemoryType'
40890+
when_full:
40891+
$ref: '#/components/schemas/ObservabilityPipelineBufferOptionsWhenFull'
4088840892
type: object
4088940893
ObservabilityPipelineMetadataEntry:
4089040894
description: A custom metadata entry.
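Review bot: same addition for `ObservabilityPipelineMemoryBufferSizeOptions`, with the same undocumented default for `when_full`. After this change the two memory buffer schemas differ only in `max_size` versus `max_events`, so `type` and `when_full` are now maintained in two places; a shared base schema, or at least a comment tying the two together, would keep them from drifting in later edits.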
@@ -53476,6 +53480,8 @@ components:
5347653480
$ref: '#/components/schemas/SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration'
5347753481
detectionTolerance:
5347853482
$ref: '#/components/schemas/SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance'
53483+
instantaneousBaseline:
53484+
$ref: '#/components/schemas/SecurityMonitoringRuleInstantaneousBaseline'
5347953485
learningDuration:
5348053486
$ref: '#/components/schemas/SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration'
5348153487
learningPeriodBaseline:
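Review bot: `instantaneousBaseline` is declared here as a plain boolean, but the recorded response later in this commit returns `instantaneousBaselineTimeoutMinutes: 30` next to it, and that field is not added to `SecurityMonitoringRuleAnomalyDetectionOptions` anywhere in the diff. If it is settable it belongs in the same change; if it is read-only it should still be declared (marked `readOnly: true`) so generated clients and the docs do not silently drop a field the server considers part of the option set.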
@@ -53813,6 +53819,13 @@ components:
5381353819
or credentialed API access.'
5381453820
example: true
5381553821
type: boolean
53822+
SecurityMonitoringRuleInstantaneousBaseline:
53823+
description: When set to true, Datadog uses previous values that fall within
53824+
the defined learning window to construct the baseline, enabling the system
53825+
to establish an accurate baseline more rapidly rather than relying solely
53826+
on gradual learning over time.
53827+
example: false
53828+
type: boolean
5381653829
SecurityMonitoringRuleKeepAlive:
5381753830
description: 'Once a signal is generated, the signal will remain "open" if a
5381853831
case is matched at least once within
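Review bot: the new shared `SecurityMonitoringRuleInstantaneousBaseline` schema carries `example: false` but no `default`, unlike `SecurityMonitoringRuleNewValueOptionsLearningDuration` further down in this file (`default: 0`); add `default: false` so that omitting the field in a create or update payload has a documented meaning. The description also uses "learning window" where the sibling options call the same thing `learningDuration`; one term is enough. It would help detection engineers to spell out the trade-off the description implies: seeding the baseline from whatever values already fall inside the learning window means that activity present during that window, including an attacker who is already active, is treated as normal from the start instead of being learned gradually.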
@@ -53886,7 +53899,7 @@ components:
5388653899
forgetAfter:
5388753900
$ref: '#/components/schemas/SecurityMonitoringRuleNewValueOptionsForgetAfter'
5388853901
instantaneousBaseline:
53889-
$ref: '#/components/schemas/SecurityMonitoringRuleNewValueOptionsInstantaneousBaseline'
53902+
$ref: '#/components/schemas/SecurityMonitoringRuleInstantaneousBaseline'
5389053903
learningDuration:
5389153904
$ref: '#/components/schemas/SecurityMonitoringRuleNewValueOptionsLearningDuration'
5389253905
learningMethod:
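Review bot: repointing `SecurityMonitoringRuleNewValueOptions.instantaneousBaseline` at the shared schema is the right deduplication, and because both definitions are inline `boolean` types the generated Python model keeps `(bool,)` for this field, which is why no `security_monitoring_rule_new_value_options.py` change appears in the diff. Confirm the same holds for the other generated clients and for the docs site, which may key reference pages on the schema name.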
@@ -53912,13 +53925,6 @@ components:
5391253925
- TWO_WEEKS
5391353926
- THREE_WEEKS
5391453927
- FOUR_WEEKS
53915-
SecurityMonitoringRuleNewValueOptionsInstantaneousBaseline:
53916-
description: When set to true, Datadog uses previous values that fall within
53917-
the defined learning window to construct the baseline, enabling the system
53918-
to establish an accurate baseline more rapidly rather than relying solely
53919-
on gradual learning over time.
53920-
example: false
53921-
type: boolean
5392253928
SecurityMonitoringRuleNewValueOptionsLearningDuration:
5392353929
default: 0
5392453930
description: 'The duration in days during which values are learned, and after
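Review bot: deleting `SecurityMonitoringRuleNewValueOptionsInstantaneousBaseline` is safe only if nothing else `$ref`s it by name; the one reference visible in this diff is updated in the hunk above, but a grep over the rest of the spec, and over anything downstream that consumes `components/schemas` by name, should be part of this review before the old name disappears.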
Lines changed: 89 additions & 0 deletions
@@ -0,0 +1,89 @@
1+
"""
2+
Create a detection rule with detection method 'anomaly_detection' with enabled feature 'instantaneousBaseline' returns
3+
"OK" response
4+
"""
5+
6+
from datadog_api_client import ApiClient, Configuration
7+
from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
8+
from datadog_api_client.v2.model.security_monitoring_rule_anomaly_detection_options import (
9+
SecurityMonitoringRuleAnomalyDetectionOptions,
10+
)
11+
from datadog_api_client.v2.model.security_monitoring_rule_anomaly_detection_options_bucket_duration import (
12+
SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration,
13+
)
14+
from datadog_api_client.v2.model.security_monitoring_rule_anomaly_detection_options_detection_tolerance import (
15+
SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance,
16+
)
17+
from datadog_api_client.v2.model.security_monitoring_rule_anomaly_detection_options_learning_duration import (
18+
SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration,
19+
)
20+
from datadog_api_client.v2.model.security_monitoring_rule_case_create import SecurityMonitoringRuleCaseCreate
21+
from datadog_api_client.v2.model.security_monitoring_rule_detection_method import SecurityMonitoringRuleDetectionMethod
22+
from datadog_api_client.v2.model.security_monitoring_rule_evaluation_window import (
23+
SecurityMonitoringRuleEvaluationWindow,
24+
)
25+
from datadog_api_client.v2.model.security_monitoring_rule_keep_alive import SecurityMonitoringRuleKeepAlive
26+
from datadog_api_client.v2.model.security_monitoring_rule_max_signal_duration import (
27+
SecurityMonitoringRuleMaxSignalDuration,
28+
)
29+
from datadog_api_client.v2.model.security_monitoring_rule_options import SecurityMonitoringRuleOptions
30+
from datadog_api_client.v2.model.security_monitoring_rule_query_aggregation import (
31+
SecurityMonitoringRuleQueryAggregation,
32+
)
33+
from datadog_api_client.v2.model.security_monitoring_rule_severity import SecurityMonitoringRuleSeverity
34+
from datadog_api_client.v2.model.security_monitoring_rule_type_create import SecurityMonitoringRuleTypeCreate
35+
from datadog_api_client.v2.model.security_monitoring_standard_data_source import SecurityMonitoringStandardDataSource
36+
from datadog_api_client.v2.model.security_monitoring_standard_rule_create_payload import (
37+
SecurityMonitoringStandardRuleCreatePayload,
38+
)
39+
from datadog_api_client.v2.model.security_monitoring_standard_rule_query import SecurityMonitoringStandardRuleQuery
40+
41+
body = SecurityMonitoringStandardRuleCreatePayload(
42+
name="Example-Security-Monitoring",
43+
type=SecurityMonitoringRuleTypeCreate.LOG_DETECTION,
44+
is_enabled=True,
45+
queries=[
46+
SecurityMonitoringStandardRuleQuery(
47+
aggregation=SecurityMonitoringRuleQueryAggregation.COUNT,
48+
data_source=SecurityMonitoringStandardDataSource.LOGS,
49+
distinct_fields=[],
50+
group_by_fields=[
51+
"@usr.email",
52+
"@network.client.ip",
53+
],
54+
has_optional_group_by_fields=False,
55+
name="",
56+
query="service:app status:error",
57+
),
58+
],
59+
cases=[
60+
SecurityMonitoringRuleCaseCreate(
61+
name="",
62+
status=SecurityMonitoringRuleSeverity.INFO,
63+
notifications=[],
64+
condition="a > 0.995",
65+
),
66+
],
67+
message="An anomaly detection rule",
68+
options=SecurityMonitoringRuleOptions(
69+
detection_method=SecurityMonitoringRuleDetectionMethod.ANOMALY_DETECTION,
70+
evaluation_window=SecurityMonitoringRuleEvaluationWindow.FIFTEEN_MINUTES,
71+
keep_alive=SecurityMonitoringRuleKeepAlive.ONE_HOUR,
72+
max_signal_duration=SecurityMonitoringRuleMaxSignalDuration.ONE_DAY,
73+
anomaly_detection_options=SecurityMonitoringRuleAnomalyDetectionOptions(
74+
bucket_duration=SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration.FIVE_MINUTES,
75+
learning_duration=SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration.ONE_DAY,
76+
detection_tolerance=SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance.THREE,
77+
instantaneous_baseline=True,
78+
),
79+
),
80+
tags=[],
81+
filters=[],
82+
)
83+
84+
configuration = Configuration()
85+
with ApiClient(configuration) as api_client:
86+
api_instance = SecurityMonitoringApi(api_client)
87+
response = api_instance.create_security_monitoring_rule(body=body)
88+
89+
print(response)
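Review bot: the example creates a rule that is live from the moment it is created (`is_enabled=True`) using whatever credentials `Configuration()` picks up from the environment, and the only step after creation is `print(response)`; that matches the other generated examples, but a one-line comment that the rule persists until deleted would stop readers from leaving test rules in an account. The docstring should also say what the three anomaly knobs do together: `learning_duration=ONE_DAY` with `instantaneous_baseline=True` seeds the baseline from the most recent day of history rather than waiting a day to learn it, and `detection_tolerance=THREE` and `condition="a > 0.995"` are left unexplained, so this reads as a parameter dump rather than the example people will copy.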

src/datadog_api_client/v2/model/observability_pipeline_memory_buffer_options.py

Lines changed: 14 additions & 0 deletions
@@ -17,6 +17,9 @@
1717
from datadog_api_client.v2.model.observability_pipeline_buffer_options_memory_type import (
1818
ObservabilityPipelineBufferOptionsMemoryType,
1919
)
20+
from datadog_api_client.v2.model.observability_pipeline_buffer_options_when_full import (
21+
ObservabilityPipelineBufferOptionsWhenFull,
22+
)
2023

2124

2225
class ObservabilityPipelineMemoryBufferOptions(ModelNormal):
@@ -25,21 +28,27 @@ def openapi_types(_):
2528
from datadog_api_client.v2.model.observability_pipeline_buffer_options_memory_type import (
2629
ObservabilityPipelineBufferOptionsMemoryType,
2730
)
31+
from datadog_api_client.v2.model.observability_pipeline_buffer_options_when_full import (
32+
ObservabilityPipelineBufferOptionsWhenFull,
33+
)
2834

2935
return {
3036
"max_size": (int,),
3137
"type": (ObservabilityPipelineBufferOptionsMemoryType,),
38+
"when_full": (ObservabilityPipelineBufferOptionsWhenFull,),
3239
}
3340

3441
attribute_map = {
3542
"max_size": "max_size",
3643
"type": "type",
44+
"when_full": "when_full",
3745
}
3846

3947
def __init__(
4048
self_,
4149
max_size: Union[int, UnsetType] = unset,
4250
type: Union[ObservabilityPipelineBufferOptionsMemoryType, UnsetType] = unset,
51+
when_full: Union[ObservabilityPipelineBufferOptionsWhenFull, UnsetType] = unset,
4352
**kwargs,
4453
):
4554
"""
@@ -50,9 +59,14 @@ def __init__(
5059
5160
:param type: The type of the buffer that will be configured, a memory buffer.
5261
:type type: ObservabilityPipelineBufferOptionsMemoryType, optional
62+
63+
:param when_full: Behavior when the buffer is full (block and stop accepting new events, or drop new events)
64+
:type when_full: ObservabilityPipelineBufferOptionsWhenFull, optional
5365
"""
5466
if max_size is not unset:
5567
kwargs["max_size"] = max_size
5668
if type is not unset:
5769
kwargs["type"] = type
70+
if when_full is not unset:
71+
kwargs["when_full"] = when_full
5872
super().__init__(kwargs)
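Review bot: the `when_full` docstring ends without the closing period the `type` entry above it has, and, more importantly, it does not say what the server does when the field is left `unset`, which is the question anyone tuning a log pipeline under backpressure will ask. Suggest ending the line with the default, or with an explicit pointer to `ObservabilityPipelineBufferOptionsWhenFull` if the default is documented there.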

src/datadog_api_client/v2/model/observability_pipeline_memory_buffer_size_options.py

Lines changed: 14 additions & 0 deletions
@@ -17,6 +17,9 @@
1717
from datadog_api_client.v2.model.observability_pipeline_buffer_options_memory_type import (
1818
ObservabilityPipelineBufferOptionsMemoryType,
1919
)
20+
from datadog_api_client.v2.model.observability_pipeline_buffer_options_when_full import (
21+
ObservabilityPipelineBufferOptionsWhenFull,
22+
)
2023

2124

2225
class ObservabilityPipelineMemoryBufferSizeOptions(ModelNormal):
@@ -25,21 +28,27 @@ def openapi_types(_):
2528
from datadog_api_client.v2.model.observability_pipeline_buffer_options_memory_type import (
2629
ObservabilityPipelineBufferOptionsMemoryType,
2730
)
31+
from datadog_api_client.v2.model.observability_pipeline_buffer_options_when_full import (
32+
ObservabilityPipelineBufferOptionsWhenFull,
33+
)
2834

2935
return {
3036
"max_events": (int,),
3137
"type": (ObservabilityPipelineBufferOptionsMemoryType,),
38+
"when_full": (ObservabilityPipelineBufferOptionsWhenFull,),
3239
}
3340

3441
attribute_map = {
3542
"max_events": "max_events",
3643
"type": "type",
44+
"when_full": "when_full",
3745
}
3846

3947
def __init__(
4048
self_,
4149
max_events: Union[int, UnsetType] = unset,
4250
type: Union[ObservabilityPipelineBufferOptionsMemoryType, UnsetType] = unset,
51+
when_full: Union[ObservabilityPipelineBufferOptionsWhenFull, UnsetType] = unset,
4352
**kwargs,
4453
):
4554
"""
@@ -50,9 +59,14 @@ def __init__(
5059
5160
:param type: The type of the buffer that will be configured, a memory buffer.
5261
:type type: ObservabilityPipelineBufferOptionsMemoryType, optional
62+
63+
:param when_full: Behavior when the buffer is full (block and stop accepting new events, or drop new events)
64+
:type when_full: ObservabilityPipelineBufferOptionsWhenFull, optional
5365
"""
5466
if max_events is not unset:
5567
kwargs["max_events"] = max_events
5668
if type is not unset:
5769
kwargs["type"] = type
70+
if when_full is not unset:
71+
kwargs["when_full"] = when_full
5872
super().__init__(kwargs)
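Review bot: same docstring wording as in `observability_pipeline_memory_buffer_options.py` (missing closing period, no statement of the default when `when_full` is unset); keep the two in sync when fixing one of them.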

src/datadog_api_client/v2/model/security_monitoring_rule_anomaly_detection_options.py

Lines changed: 8 additions & 0 deletions
@@ -47,13 +47,15 @@ def openapi_types(_):
4747
return {
4848
"bucket_duration": (SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration,),
4949
"detection_tolerance": (SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance,),
50+
"instantaneous_baseline": (bool,),
5051
"learning_duration": (SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration,),
5152
"learning_period_baseline": (int,),
5253
}
5354

5455
attribute_map = {
5556
"bucket_duration": "bucketDuration",
5657
"detection_tolerance": "detectionTolerance",
58+
"instantaneous_baseline": "instantaneousBaseline",
5759
"learning_duration": "learningDuration",
5860
"learning_period_baseline": "learningPeriodBaseline",
5961
}
@@ -62,6 +64,7 @@ def __init__(
6264
self_,
6365
bucket_duration: Union[SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration, UnsetType] = unset,
6466
detection_tolerance: Union[SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance, UnsetType] = unset,
67+
instantaneous_baseline: Union[bool, UnsetType] = unset,
6568
learning_duration: Union[SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration, UnsetType] = unset,
6669
learning_period_baseline: Union[int, UnsetType] = unset,
6770
**kwargs,
@@ -77,6 +80,9 @@ def __init__(
7780
Higher values require higher deviations before triggering a signal.
7881
:type detection_tolerance: SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance, optional
7982
83+
:param instantaneous_baseline: When set to true, Datadog uses previous values that fall within the defined learning window to construct the baseline, enabling the system to establish an accurate baseline more rapidly rather than relying solely on gradual learning over time.
84+
:type instantaneous_baseline: bool, optional
85+
8086
:param learning_duration: Learning duration in hours. Anomaly detection waits for at least this amount of historical data before it starts evaluating.
8187
:type learning_duration: SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration, optional
8288
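Review bot: the `instantaneous_baseline` docstring says "defined learning window" while the `learning_duration` entry two lines below calls the same thing "learning duration in hours"; use one term so readers can tell which parameter controls the window. The new entry is also a single very long line where every other parameter here is wrapped, and it says nothing about how the option interacts with `learning_period_baseline`, which sits in the same options set; a sentence on whether both can be set, and which wins, belongs here.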
@@ -87,6 +93,8 @@ def __init__(
8793
kwargs["bucket_duration"] = bucket_duration
8894
if detection_tolerance is not unset:
8995
kwargs["detection_tolerance"] = detection_tolerance
96+
if instantaneous_baseline is not unset:
97+
kwargs["instantaneous_baseline"] = instantaneous_baseline
9098
if learning_duration is not unset:
9199
kwargs["learning_duration"] = learning_duration
92100
if learning_period_baseline is not unset:
@@ -0,0 +1 @@
1+
2026-02-10T14:48:33.727Z
@@ -0,0 +1,38 @@
1+
interactions:
2+
- request:
3+
body: '{"cases":[{"condition":"a > 0.995","name":"","notifications":[],"status":"info"}],"filters":[],"isEnabled":true,"message":"An
4+
anomaly detection rule","name":"Test-Create_a_detection_rule_with_detection_method_anomaly_detection_with_enabled_feature_instantaneousBa-1770734913","options":{"anomalyDetectionOptions":{"bucketDuration":300,"detectionTolerance":3,"instantaneousBaseline":true,"learningDuration":24},"detectionMethod":"anomaly_detection","evaluationWindow":900,"keepAlive":3600,"maxSignalDuration":86400},"queries":[{"aggregation":"count","dataSource":"logs","distinctFields":[],"groupByFields":["@usr.email","@network.client.ip"],"hasOptionalGroupByFields":false,"name":"","query":"service:app
5+
status:error"}],"tags":[],"type":"log_detection"}'
6+
headers:
7+
accept:
8+
- application/json
9+
content-type:
10+
- application/json
11+
method: POST
12+
uri: https://api.datadoghq.com/api/v2/security_monitoring/rules
13+
response:
14+
body:
15+
string: '{"name":"Test-Create_a_detection_rule_with_detection_method_anomaly_detection_with_enabled_feature_instantaneousBa-1770734913","createdAt":1770734914087,"isDefault":false,"isPartner":false,"isEnabled":true,"isBeta":false,"isDeleted":false,"isDeprecated":false,"queries":[{"query":"service:app
16+
status:error","groupByFields":["@usr.email","@network.client.ip"],"hasOptionalGroupByFields":false,"distinctFields":[],"aggregation":"count","name":"","dataSource":"logs"}],"options":{"evaluationWindow":1800,"detectionMethod":"anomaly_detection","maxSignalDuration":86400,"keepAlive":3600,"anomalyDetectionOptions":{"bucketDuration":300,"learningDuration":24,"detectionTolerance":3,"instantaneousBaseline":true,"instantaneousBaselineTimeoutMinutes":30}},"cases":[{"name":"","status":"info","notifications":[],"condition":"a
17+
\u003e 0.995"}],"message":"An anomaly detection rule","tags":[],"hasExtendedTitle":false,"type":"log_detection","filters":[],"version":1,"id":"mtt-vs9-dyl","blocking":false,"metadata":{"entities":null,"sources":null},"creationAuthorId":1445416,"creator":{"handle":"frog@datadoghq.com","name":"frog"},"updater":{"handle":"","name":""}}'
18+
headers:
19+
content-type:
20+
- application/json
21+
status:
22+
code: 200
23+
message: OK
24+
- request:
25+
body: null
26+
headers:
27+
accept:
28+
- '*/*'
29+
method: DELETE
30+
uri: https://api.datadoghq.com/api/v2/security_monitoring/rules/mtt-vs9-dyl
31+
response:
32+
body:
33+
string: ''
34+
headers: {}
35+
status:
36+
code: 204
37+
message: No Content
38+
version: 1
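Review bot: the recorded response does not echo the request: `evaluationWindow` was sent as 900 and comes back as 1800, and the server adds `instantaneousBaselineTimeoutMinutes: 30`, which no schema in this commit declares. The first means the example's `FIFTEEN_MINUTES` is silently rewritten for this rule configuration, so the feature scenario should assert the returned window rather than only `instantaneousBaseline`; the second is an undocumented field that a strict client would reject. The cassette also stores a `creationAuthorId` and a creator handle in the response body; if the recorder already scrubs those, fine, otherwise add them to its filter list.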

tests/v2/features/security_monitoring.feature

Lines changed: 11 additions & 0 deletions
@@ -456,6 +456,17 @@ Feature: Security Monitoring
456456
And the response "options.anomalyDetectionOptions.learningPeriodBaseline" is equal to 10
457457
And the response "options.anomalyDetectionOptions.detectionTolerance" is equal to 3
458458

459+
@team:DataDog/k9-cloud-security-platform
460+
Scenario: Create a detection rule with detection method 'anomaly_detection' with enabled feature 'instantaneousBaseline' returns "OK" response
461+
Given new "CreateSecurityMonitoringRule" request
462+
And body with value {"name":"{{ unique }}","type":"log_detection","isEnabled":true,"queries":[{"aggregation":"count","dataSource":"logs","distinctFields":[],"groupByFields":["@usr.email","@network.client.ip"],"hasOptionalGroupByFields":false,"name":"","query":"service:app status:error"}],"cases":[{"name":"","status":"info","notifications":[],"condition":"a > 0.995"}],"message":"An anomaly detection rule","options":{"detectionMethod":"anomaly_detection","evaluationWindow":900,"keepAlive":3600,"maxSignalDuration":86400,"anomalyDetectionOptions":{"bucketDuration":300,"learningDuration":24,"detectionTolerance":3,"instantaneousBaseline":true}},"tags":[],"filters":[]}
463+
When the request is sent
464+
Then the response status is 200 OK
465+
And the response "name" is equal to "{{ unique }}"
466+
And the response "type" is equal to "log_detection"
467+
And the response "options.detectionMethod" is equal to "anomaly_detection"
468+
And the response "options.anomalyDetectionOptions.instantaneousBaseline" is equal to true
469+
459470
@team:DataDog/k9-cloud-security-platform
460471
Scenario: Create a detection rule with detection method 'sequence_detection' returns "OK" response
461472
Given new "CreateSecurityMonitoringRule" request
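Review bot: the new scenario asserts only that `instantaneousBaseline` round-trips; given that the recorded response returns `evaluationWindow` as 1800 for a request of 900, add assertions on `options.evaluationWindow` and `options.anomalyDetectionOptions.learningDuration` so a future server-side change in how this option rewrites the rule is caught by the test instead of discovered by users.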
