diff --git a/.generator/schemas/v2/openapi.yaml b/.generator/schemas/v2/openapi.yaml index 03f9a17530..83eb288171 100644 --- a/.generator/schemas/v2/openapi.yaml +++ b/.generator/schemas/v2/openapi.yaml @@ -40874,6 +40874,8 @@ components: type: integer type: $ref: '#/components/schemas/ObservabilityPipelineBufferOptionsMemoryType' + when_full: + $ref: '#/components/schemas/ObservabilityPipelineBufferOptionsWhenFull' type: object ObservabilityPipelineMemoryBufferSizeOptions: description: Options for configuring a memory buffer by queue length. @@ -40885,6 +40887,8 @@ components: type: integer type: $ref: '#/components/schemas/ObservabilityPipelineBufferOptionsMemoryType' + when_full: + $ref: '#/components/schemas/ObservabilityPipelineBufferOptionsWhenFull' type: object ObservabilityPipelineMetadataEntry: description: A custom metadata entry. @@ -53476,6 +53480,8 @@ components: $ref: '#/components/schemas/SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration' detectionTolerance: $ref: '#/components/schemas/SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance' + instantaneousBaseline: + $ref: '#/components/schemas/SecurityMonitoringRuleInstantaneousBaseline' learningDuration: $ref: '#/components/schemas/SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration' learningPeriodBaseline: @@ -53813,6 +53819,13 @@ components: or credentialed API access.' example: true type: boolean + SecurityMonitoringRuleInstantaneousBaseline: + description: When set to true, Datadog uses previous values that fall within + the defined learning window to construct the baseline, enabling the system + to establish an accurate baseline more rapidly rather than relying solely + on gradual learning over time. + example: false + type: boolean SecurityMonitoringRuleKeepAlive: description: 'Once a signal is generated, the signal will remain "open" if a case is matched at least once within @@ -53886,7 +53899,7 @@ components: forgetAfter: $ref: '#/components/schemas/SecurityMonitoringRuleNewValueOptionsForgetAfter' instantaneousBaseline: - $ref: '#/components/schemas/SecurityMonitoringRuleNewValueOptionsInstantaneousBaseline' + $ref: '#/components/schemas/SecurityMonitoringRuleInstantaneousBaseline' learningDuration: $ref: '#/components/schemas/SecurityMonitoringRuleNewValueOptionsLearningDuration' learningMethod: @@ -53912,13 +53925,6 @@ components: - TWO_WEEKS - THREE_WEEKS - FOUR_WEEKS - SecurityMonitoringRuleNewValueOptionsInstantaneousBaseline: - description: When set to true, Datadog uses previous values that fall within - the defined learning window to construct the baseline, enabling the system - to establish an accurate baseline more rapidly rather than relying solely - on gradual learning over time. - example: false - type: boolean SecurityMonitoringRuleNewValueOptionsLearningDuration: default: 0 description: 'The duration in days during which values are learned, and after diff --git a/examples/v2/security-monitoring/CreateSecurityMonitoringRule_3355193622.py b/examples/v2/security-monitoring/CreateSecurityMonitoringRule_3355193622.py new file mode 100644 index 0000000000..2d07377654 --- /dev/null +++ b/examples/v2/security-monitoring/CreateSecurityMonitoringRule_3355193622.py @@ -0,0 +1,89 @@ +""" +Create a detection rule with detection method 'anomaly_detection' with enabled feature 'instantaneousBaseline' returns +"OK" response +""" + +from datadog_api_client import ApiClient, Configuration +from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi +from datadog_api_client.v2.model.security_monitoring_rule_anomaly_detection_options import ( + SecurityMonitoringRuleAnomalyDetectionOptions, +) +from datadog_api_client.v2.model.security_monitoring_rule_anomaly_detection_options_bucket_duration import ( + SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration, +) +from datadog_api_client.v2.model.security_monitoring_rule_anomaly_detection_options_detection_tolerance import ( + SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance, +) +from datadog_api_client.v2.model.security_monitoring_rule_anomaly_detection_options_learning_duration import ( + SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration, +) +from datadog_api_client.v2.model.security_monitoring_rule_case_create import SecurityMonitoringRuleCaseCreate +from datadog_api_client.v2.model.security_monitoring_rule_detection_method import SecurityMonitoringRuleDetectionMethod +from datadog_api_client.v2.model.security_monitoring_rule_evaluation_window import ( + SecurityMonitoringRuleEvaluationWindow, +) +from datadog_api_client.v2.model.security_monitoring_rule_keep_alive import SecurityMonitoringRuleKeepAlive +from datadog_api_client.v2.model.security_monitoring_rule_max_signal_duration import ( + SecurityMonitoringRuleMaxSignalDuration, +) +from datadog_api_client.v2.model.security_monitoring_rule_options import SecurityMonitoringRuleOptions +from datadog_api_client.v2.model.security_monitoring_rule_query_aggregation import ( + SecurityMonitoringRuleQueryAggregation, +) +from datadog_api_client.v2.model.security_monitoring_rule_severity import SecurityMonitoringRuleSeverity +from datadog_api_client.v2.model.security_monitoring_rule_type_create import SecurityMonitoringRuleTypeCreate +from datadog_api_client.v2.model.security_monitoring_standard_data_source import SecurityMonitoringStandardDataSource +from datadog_api_client.v2.model.security_monitoring_standard_rule_create_payload import ( + SecurityMonitoringStandardRuleCreatePayload, +) +from datadog_api_client.v2.model.security_monitoring_standard_rule_query import SecurityMonitoringStandardRuleQuery + +body = SecurityMonitoringStandardRuleCreatePayload( + name="Example-Security-Monitoring", + type=SecurityMonitoringRuleTypeCreate.LOG_DETECTION, + is_enabled=True, + queries=[ + SecurityMonitoringStandardRuleQuery( + aggregation=SecurityMonitoringRuleQueryAggregation.COUNT, + data_source=SecurityMonitoringStandardDataSource.LOGS, + distinct_fields=[], + group_by_fields=[ + "@usr.email", + "@network.client.ip", + ], + has_optional_group_by_fields=False, + name="", + query="service:app status:error", + ), + ], + cases=[ + SecurityMonitoringRuleCaseCreate( + name="", + status=SecurityMonitoringRuleSeverity.INFO, + notifications=[], + condition="a > 0.995", + ), + ], + message="An anomaly detection rule", + options=SecurityMonitoringRuleOptions( + detection_method=SecurityMonitoringRuleDetectionMethod.ANOMALY_DETECTION, + evaluation_window=SecurityMonitoringRuleEvaluationWindow.FIFTEEN_MINUTES, + keep_alive=SecurityMonitoringRuleKeepAlive.ONE_HOUR, + max_signal_duration=SecurityMonitoringRuleMaxSignalDuration.ONE_DAY, + anomaly_detection_options=SecurityMonitoringRuleAnomalyDetectionOptions( + bucket_duration=SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration.FIVE_MINUTES, + learning_duration=SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration.ONE_DAY, + detection_tolerance=SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance.THREE, + instantaneous_baseline=True, + ), + ), + tags=[], + filters=[], +) + +configuration = Configuration() +with ApiClient(configuration) as api_client: + api_instance = SecurityMonitoringApi(api_client) + response = api_instance.create_security_monitoring_rule(body=body) + + print(response) diff --git a/src/datadog_api_client/v2/model/observability_pipeline_memory_buffer_options.py b/src/datadog_api_client/v2/model/observability_pipeline_memory_buffer_options.py index 8f72c02416..2093ffaf2a 100644 --- a/src/datadog_api_client/v2/model/observability_pipeline_memory_buffer_options.py +++ b/src/datadog_api_client/v2/model/observability_pipeline_memory_buffer_options.py @@ -17,6 +17,9 @@ from datadog_api_client.v2.model.observability_pipeline_buffer_options_memory_type import ( ObservabilityPipelineBufferOptionsMemoryType, ) + from datadog_api_client.v2.model.observability_pipeline_buffer_options_when_full import ( + ObservabilityPipelineBufferOptionsWhenFull, + ) class ObservabilityPipelineMemoryBufferOptions(ModelNormal): @@ -25,21 +28,27 @@ def openapi_types(_): from datadog_api_client.v2.model.observability_pipeline_buffer_options_memory_type import ( ObservabilityPipelineBufferOptionsMemoryType, ) + from datadog_api_client.v2.model.observability_pipeline_buffer_options_when_full import ( + ObservabilityPipelineBufferOptionsWhenFull, + ) return { "max_size": (int,), "type": (ObservabilityPipelineBufferOptionsMemoryType,), + "when_full": (ObservabilityPipelineBufferOptionsWhenFull,), } attribute_map = { "max_size": "max_size", "type": "type", + "when_full": "when_full", } def __init__( self_, max_size: Union[int, UnsetType] = unset, type: Union[ObservabilityPipelineBufferOptionsMemoryType, UnsetType] = unset, + when_full: Union[ObservabilityPipelineBufferOptionsWhenFull, UnsetType] = unset, **kwargs, ): """ @@ -50,9 +59,14 @@ def __init__( :param type: The type of the buffer that will be configured, a memory buffer. :type type: ObservabilityPipelineBufferOptionsMemoryType, optional + + :param when_full: Behavior when the buffer is full (block and stop accepting new events, or drop new events) + :type when_full: ObservabilityPipelineBufferOptionsWhenFull, optional """ if max_size is not unset: kwargs["max_size"] = max_size if type is not unset: kwargs["type"] = type + if when_full is not unset: + kwargs["when_full"] = when_full super().__init__(kwargs) diff --git a/src/datadog_api_client/v2/model/observability_pipeline_memory_buffer_size_options.py b/src/datadog_api_client/v2/model/observability_pipeline_memory_buffer_size_options.py index 3218ba0b19..9caa534a88 100644 --- a/src/datadog_api_client/v2/model/observability_pipeline_memory_buffer_size_options.py +++ b/src/datadog_api_client/v2/model/observability_pipeline_memory_buffer_size_options.py @@ -17,6 +17,9 @@ from datadog_api_client.v2.model.observability_pipeline_buffer_options_memory_type import ( ObservabilityPipelineBufferOptionsMemoryType, ) + from datadog_api_client.v2.model.observability_pipeline_buffer_options_when_full import ( + ObservabilityPipelineBufferOptionsWhenFull, + ) class ObservabilityPipelineMemoryBufferSizeOptions(ModelNormal): @@ -25,21 +28,27 @@ def openapi_types(_): from datadog_api_client.v2.model.observability_pipeline_buffer_options_memory_type import ( ObservabilityPipelineBufferOptionsMemoryType, ) + from datadog_api_client.v2.model.observability_pipeline_buffer_options_when_full import ( + ObservabilityPipelineBufferOptionsWhenFull, + ) return { "max_events": (int,), "type": (ObservabilityPipelineBufferOptionsMemoryType,), + "when_full": (ObservabilityPipelineBufferOptionsWhenFull,), } attribute_map = { "max_events": "max_events", "type": "type", + "when_full": "when_full", } def __init__( self_, max_events: Union[int, UnsetType] = unset, type: Union[ObservabilityPipelineBufferOptionsMemoryType, UnsetType] = unset, + when_full: Union[ObservabilityPipelineBufferOptionsWhenFull, UnsetType] = unset, **kwargs, ): """ @@ -50,9 +59,14 @@ def __init__( :param type: The type of the buffer that will be configured, a memory buffer. :type type: ObservabilityPipelineBufferOptionsMemoryType, optional + + :param when_full: Behavior when the buffer is full (block and stop accepting new events, or drop new events) + :type when_full: ObservabilityPipelineBufferOptionsWhenFull, optional """ if max_events is not unset: kwargs["max_events"] = max_events if type is not unset: kwargs["type"] = type + if when_full is not unset: + kwargs["when_full"] = when_full super().__init__(kwargs) diff --git a/src/datadog_api_client/v2/model/security_monitoring_rule_anomaly_detection_options.py b/src/datadog_api_client/v2/model/security_monitoring_rule_anomaly_detection_options.py index e7f172a6e0..d578f5ea38 100644 --- a/src/datadog_api_client/v2/model/security_monitoring_rule_anomaly_detection_options.py +++ b/src/datadog_api_client/v2/model/security_monitoring_rule_anomaly_detection_options.py @@ -47,6 +47,7 @@ def openapi_types(_): return { "bucket_duration": (SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration,), "detection_tolerance": (SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance,), + "instantaneous_baseline": (bool,), "learning_duration": (SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration,), "learning_period_baseline": (int,), } @@ -54,6 +55,7 @@ def openapi_types(_): attribute_map = { "bucket_duration": "bucketDuration", "detection_tolerance": "detectionTolerance", + "instantaneous_baseline": "instantaneousBaseline", "learning_duration": "learningDuration", "learning_period_baseline": "learningPeriodBaseline", } @@ -62,6 +64,7 @@ def __init__( self_, bucket_duration: Union[SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration, UnsetType] = unset, detection_tolerance: Union[SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance, UnsetType] = unset, + instantaneous_baseline: Union[bool, UnsetType] = unset, learning_duration: Union[SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration, UnsetType] = unset, learning_period_baseline: Union[int, UnsetType] = unset, **kwargs, @@ -77,6 +80,9 @@ def __init__( Higher values require higher deviations before triggering a signal. :type detection_tolerance: SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance, optional + :param instantaneous_baseline: When set to true, Datadog uses previous values that fall within the defined learning window to construct the baseline, enabling the system to establish an accurate baseline more rapidly rather than relying solely on gradual learning over time. + :type instantaneous_baseline: bool, optional + :param learning_duration: Learning duration in hours. Anomaly detection waits for at least this amount of historical data before it starts evaluating. :type learning_duration: SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration, optional @@ -87,6 +93,8 @@ def __init__( kwargs["bucket_duration"] = bucket_duration if detection_tolerance is not unset: kwargs["detection_tolerance"] = detection_tolerance + if instantaneous_baseline is not unset: + kwargs["instantaneous_baseline"] = instantaneous_baseline if learning_duration is not unset: kwargs["learning_duration"] = learning_duration if learning_period_baseline is not unset: diff --git a/tests/v2/cassettes/test_scenarios/test_create_a_detection_rule_with_detection_method_anomaly_detection_with_enabled_feature_instantaneousbaseline_returns_ok_response.frozen b/tests/v2/cassettes/test_scenarios/test_create_a_detection_rule_with_detection_method_anomaly_detection_with_enabled_feature_instantaneousbaseline_returns_ok_response.frozen new file mode 100644 index 0000000000..79c8c04745 --- /dev/null +++ b/tests/v2/cassettes/test_scenarios/test_create_a_detection_rule_with_detection_method_anomaly_detection_with_enabled_feature_instantaneousbaseline_returns_ok_response.frozen @@ -0,0 +1 @@ +2026-02-10T14:48:33.727Z \ No newline at end of file diff --git a/tests/v2/cassettes/test_scenarios/test_create_a_detection_rule_with_detection_method_anomaly_detection_with_enabled_feature_instantaneousbaseline_returns_ok_response.yaml b/tests/v2/cassettes/test_scenarios/test_create_a_detection_rule_with_detection_method_anomaly_detection_with_enabled_feature_instantaneousbaseline_returns_ok_response.yaml new file mode 100644 index 0000000000..6942eba671 --- /dev/null +++ b/tests/v2/cassettes/test_scenarios/test_create_a_detection_rule_with_detection_method_anomaly_detection_with_enabled_feature_instantaneousbaseline_returns_ok_response.yaml @@ -0,0 +1,38 @@ +interactions: +- request: + body: '{"cases":[{"condition":"a > 0.995","name":"","notifications":[],"status":"info"}],"filters":[],"isEnabled":true,"message":"An + anomaly detection rule","name":"Test-Create_a_detection_rule_with_detection_method_anomaly_detection_with_enabled_feature_instantaneousBa-1770734913","options":{"anomalyDetectionOptions":{"bucketDuration":300,"detectionTolerance":3,"instantaneousBaseline":true,"learningDuration":24},"detectionMethod":"anomaly_detection","evaluationWindow":900,"keepAlive":3600,"maxSignalDuration":86400},"queries":[{"aggregation":"count","dataSource":"logs","distinctFields":[],"groupByFields":["@usr.email","@network.client.ip"],"hasOptionalGroupByFields":false,"name":"","query":"service:app + status:error"}],"tags":[],"type":"log_detection"}' + headers: + accept: + - application/json + content-type: + - application/json + method: POST + uri: https://api.datadoghq.com/api/v2/security_monitoring/rules + response: + body: + string: '{"name":"Test-Create_a_detection_rule_with_detection_method_anomaly_detection_with_enabled_feature_instantaneousBa-1770734913","createdAt":1770734914087,"isDefault":false,"isPartner":false,"isEnabled":true,"isBeta":false,"isDeleted":false,"isDeprecated":false,"queries":[{"query":"service:app + status:error","groupByFields":["@usr.email","@network.client.ip"],"hasOptionalGroupByFields":false,"distinctFields":[],"aggregation":"count","name":"","dataSource":"logs"}],"options":{"evaluationWindow":1800,"detectionMethod":"anomaly_detection","maxSignalDuration":86400,"keepAlive":3600,"anomalyDetectionOptions":{"bucketDuration":300,"learningDuration":24,"detectionTolerance":3,"instantaneousBaseline":true,"instantaneousBaselineTimeoutMinutes":30}},"cases":[{"name":"","status":"info","notifications":[],"condition":"a + \u003e 0.995"}],"message":"An anomaly detection rule","tags":[],"hasExtendedTitle":false,"type":"log_detection","filters":[],"version":1,"id":"mtt-vs9-dyl","blocking":false,"metadata":{"entities":null,"sources":null},"creationAuthorId":1445416,"creator":{"handle":"frog@datadoghq.com","name":"frog"},"updater":{"handle":"","name":""}}' + headers: + content-type: + - application/json + status: + code: 200 + message: OK +- request: + body: null + headers: + accept: + - '*/*' + method: DELETE + uri: https://api.datadoghq.com/api/v2/security_monitoring/rules/mtt-vs9-dyl + response: + body: + string: '' + headers: {} + status: + code: 204 + message: No Content +version: 1 diff --git a/tests/v2/features/security_monitoring.feature b/tests/v2/features/security_monitoring.feature index df5e32bcc4..5695a7ea4a 100644 --- a/tests/v2/features/security_monitoring.feature +++ b/tests/v2/features/security_monitoring.feature @@ -456,6 +456,17 @@ Feature: Security Monitoring And the response "options.anomalyDetectionOptions.learningPeriodBaseline" is equal to 10 And the response "options.anomalyDetectionOptions.detectionTolerance" is equal to 3 + @team:DataDog/k9-cloud-security-platform + Scenario: Create a detection rule with detection method 'anomaly_detection' with enabled feature 'instantaneousBaseline' returns "OK" response + Given new "CreateSecurityMonitoringRule" request + And body with value {"name":"{{ unique }}","type":"log_detection","isEnabled":true,"queries":[{"aggregation":"count","dataSource":"logs","distinctFields":[],"groupByFields":["@usr.email","@network.client.ip"],"hasOptionalGroupByFields":false,"name":"","query":"service:app status:error"}],"cases":[{"name":"","status":"info","notifications":[],"condition":"a > 0.995"}],"message":"An anomaly detection rule","options":{"detectionMethod":"anomaly_detection","evaluationWindow":900,"keepAlive":3600,"maxSignalDuration":86400,"anomalyDetectionOptions":{"bucketDuration":300,"learningDuration":24,"detectionTolerance":3,"instantaneousBaseline":true}},"tags":[],"filters":[]} + When the request is sent + Then the response status is 200 OK + And the response "name" is equal to "{{ unique }}" + And the response "type" is equal to "log_detection" + And the response "options.detectionMethod" is equal to "anomaly_detection" + And the response "options.anomalyDetectionOptions.instantaneousBaseline" is equal to true + @team:DataDog/k9-cloud-security-platform Scenario: Create a detection rule with detection method 'sequence_detection' returns "OK" response Given new "CreateSecurityMonitoringRule" request