Cloud SIEM - Add instantaneousBaseline to anomaly detection options

.generator/schemas/v2/openapi.yaml

@@ -40874,6 +40874,8 @@ components:
           type: integer
         type:
           $ref: '#/components/schemas/ObservabilityPipelineBufferOptionsMemoryType'
+        when_full:
+          $ref: '#/components/schemas/ObservabilityPipelineBufferOptionsWhenFull'
       type: object
     ObservabilityPipelineMemoryBufferSizeOptions:
       description: Options for configuring a memory buffer by queue length.
@@ -40885,6 +40887,8 @@ components:
           type: integer
         type:
           $ref: '#/components/schemas/ObservabilityPipelineBufferOptionsMemoryType'
+        when_full:
+          $ref: '#/components/schemas/ObservabilityPipelineBufferOptionsWhenFull'
       type: object
     ObservabilityPipelineMetadataEntry:
       description: A custom metadata entry.
@@ -53476,6 +53480,8 @@ components:
           $ref: '#/components/schemas/SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration'
         detectionTolerance:
           $ref: '#/components/schemas/SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance'
+        instantaneousBaseline:
+          $ref: '#/components/schemas/SecurityMonitoringRuleInstantaneousBaseline'
         learningDuration:
           $ref: '#/components/schemas/SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration'
         learningPeriodBaseline:
@@ -53813,6 +53819,13 @@ components:
         or credentialed API access.'
       example: true
       type: boolean
+    SecurityMonitoringRuleInstantaneousBaseline:
+      description: When set to true, Datadog uses previous values that fall within
+        the defined learning window to construct the baseline, enabling the system
+        to establish an accurate baseline more rapidly rather than relying solely
+        on gradual learning over time.
+      example: false
+      type: boolean
     SecurityMonitoringRuleKeepAlive:
       description: 'Once a signal is generated, the signal will remain "open" if a
         case is matched at least once within
@@ -53886,7 +53899,7 @@ components:
         forgetAfter:
           $ref: '#/components/schemas/SecurityMonitoringRuleNewValueOptionsForgetAfter'
         instantaneousBaseline:
-          $ref: '#/components/schemas/SecurityMonitoringRuleNewValueOptionsInstantaneousBaseline'
+          $ref: '#/components/schemas/SecurityMonitoringRuleInstantaneousBaseline'
         learningDuration:
           $ref: '#/components/schemas/SecurityMonitoringRuleNewValueOptionsLearningDuration'
         learningMethod:
@@ -53912,13 +53925,6 @@ components:
       - TWO_WEEKS
       - THREE_WEEKS
       - FOUR_WEEKS
-    SecurityMonitoringRuleNewValueOptionsInstantaneousBaseline:
-      description: When set to true, Datadog uses previous values that fall within
-        the defined learning window to construct the baseline, enabling the system
-        to establish an accurate baseline more rapidly rather than relying solely
-        on gradual learning over time.
-      example: false
-      type: boolean
     SecurityMonitoringRuleNewValueOptionsLearningDuration:
       default: 0
       description: 'The duration in days during which values are learned, and after

examples/v2/security-monitoring/CreateSecurityMonitoringRule_3355193622.py

@@ -0,0 +1,89 @@
+"""
+Create a detection rule with detection method 'anomaly_detection' with enabled feature 'instantaneousBaseline' returns
+"OK" response
+"""
+
+from datadog_api_client import ApiClient, Configuration
+from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
+from datadog_api_client.v2.model.security_monitoring_rule_anomaly_detection_options import (
+    SecurityMonitoringRuleAnomalyDetectionOptions,
+)
+from datadog_api_client.v2.model.security_monitoring_rule_anomaly_detection_options_bucket_duration import (
+    SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration,
+)
+from datadog_api_client.v2.model.security_monitoring_rule_anomaly_detection_options_detection_tolerance import (
+    SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance,
+)
+from datadog_api_client.v2.model.security_monitoring_rule_anomaly_detection_options_learning_duration import (
+    SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration,
+)
+from datadog_api_client.v2.model.security_monitoring_rule_case_create import SecurityMonitoringRuleCaseCreate
+from datadog_api_client.v2.model.security_monitoring_rule_detection_method import SecurityMonitoringRuleDetectionMethod
+from datadog_api_client.v2.model.security_monitoring_rule_evaluation_window import (
+    SecurityMonitoringRuleEvaluationWindow,
+)
+from datadog_api_client.v2.model.security_monitoring_rule_keep_alive import SecurityMonitoringRuleKeepAlive
+from datadog_api_client.v2.model.security_monitoring_rule_max_signal_duration import (
+    SecurityMonitoringRuleMaxSignalDuration,
+)
+from datadog_api_client.v2.model.security_monitoring_rule_options import SecurityMonitoringRuleOptions
+from datadog_api_client.v2.model.security_monitoring_rule_query_aggregation import (
+    SecurityMonitoringRuleQueryAggregation,
+)
+from datadog_api_client.v2.model.security_monitoring_rule_severity import SecurityMonitoringRuleSeverity
+from datadog_api_client.v2.model.security_monitoring_rule_type_create import SecurityMonitoringRuleTypeCreate
+from datadog_api_client.v2.model.security_monitoring_standard_data_source import SecurityMonitoringStandardDataSource
+from datadog_api_client.v2.model.security_monitoring_standard_rule_create_payload import (
+    SecurityMonitoringStandardRuleCreatePayload,
+)
+from datadog_api_client.v2.model.security_monitoring_standard_rule_query import SecurityMonitoringStandardRuleQuery
+
+body = SecurityMonitoringStandardRuleCreatePayload(
+    name="Example-Security-Monitoring",
+    type=SecurityMonitoringRuleTypeCreate.LOG_DETECTION,
+    is_enabled=True,
+    queries=[
+        SecurityMonitoringStandardRuleQuery(
+            aggregation=SecurityMonitoringRuleQueryAggregation.COUNT,
+            data_source=SecurityMonitoringStandardDataSource.LOGS,
+            distinct_fields=[],
+            group_by_fields=[
+                "@usr.email",
+                "@network.client.ip",
+            ],
+            has_optional_group_by_fields=False,
+            name="",
+            query="service:app status:error",
+        ),
+    ],
+    cases=[
+        SecurityMonitoringRuleCaseCreate(
+            name="",
+            status=SecurityMonitoringRuleSeverity.INFO,
+            notifications=[],
+            condition="a > 0.995",
+        ),
+    ],
+    message="An anomaly detection rule",
+    options=SecurityMonitoringRuleOptions(
+        detection_method=SecurityMonitoringRuleDetectionMethod.ANOMALY_DETECTION,
+        evaluation_window=SecurityMonitoringRuleEvaluationWindow.FIFTEEN_MINUTES,
+        keep_alive=SecurityMonitoringRuleKeepAlive.ONE_HOUR,
+        max_signal_duration=SecurityMonitoringRuleMaxSignalDuration.ONE_DAY,
+        anomaly_detection_options=SecurityMonitoringRuleAnomalyDetectionOptions(
+            bucket_duration=SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration.FIVE_MINUTES,
+            learning_duration=SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration.ONE_DAY,
+            detection_tolerance=SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance.THREE,
+            instantaneous_baseline=True,
+        ),
+    ),
+    tags=[],
+    filters=[],
+)
+
+configuration = Configuration()
+with ApiClient(configuration) as api_client:
+    api_instance = SecurityMonitoringApi(api_client)
+    response = api_instance.create_security_monitoring_rule(body=body)
+
+    print(response)

src/datadog_api_client/v2/model/observability_pipeline_memory_buffer_options.py

@@ -17,6 +17,9 @@
     from datadog_api_client.v2.model.observability_pipeline_buffer_options_memory_type import (
         ObservabilityPipelineBufferOptionsMemoryType,
     )
+    from datadog_api_client.v2.model.observability_pipeline_buffer_options_when_full import (
+        ObservabilityPipelineBufferOptionsWhenFull,
+    )
 
 
 class ObservabilityPipelineMemoryBufferOptions(ModelNormal):
@@ -25,21 +28,27 @@ def openapi_types(_):
         from datadog_api_client.v2.model.observability_pipeline_buffer_options_memory_type import (
             ObservabilityPipelineBufferOptionsMemoryType,
         )
+        from datadog_api_client.v2.model.observability_pipeline_buffer_options_when_full import (
+            ObservabilityPipelineBufferOptionsWhenFull,
+        )
 
         return {
             "max_size": (int,),
             "type": (ObservabilityPipelineBufferOptionsMemoryType,),
+            "when_full": (ObservabilityPipelineBufferOptionsWhenFull,),
         }
 
     attribute_map = {
         "max_size": "max_size",
         "type": "type",
+        "when_full": "when_full",
     }
 
     def __init__(
         self_,
         max_size: Union[int, UnsetType] = unset,
         type: Union[ObservabilityPipelineBufferOptionsMemoryType, UnsetType] = unset,
+        when_full: Union[ObservabilityPipelineBufferOptionsWhenFull, UnsetType] = unset,
         **kwargs,
     ):
         """
@@ -50,9 +59,14 @@ def __init__(
 
         :param type: The type of the buffer that will be configured, a memory buffer.
         :type type: ObservabilityPipelineBufferOptionsMemoryType, optional
+
+        :param when_full: Behavior when the buffer is full (block and stop accepting new events, or drop new events)
+        :type when_full: ObservabilityPipelineBufferOptionsWhenFull, optional
         """
         if max_size is not unset:
             kwargs["max_size"] = max_size
         if type is not unset:
             kwargs["type"] = type
+        if when_full is not unset:
+            kwargs["when_full"] = when_full
         super().__init__(kwargs)

src/datadog_api_client/v2/model/observability_pipeline_memory_buffer_size_options.py

@@ -17,6 +17,9 @@
     from datadog_api_client.v2.model.observability_pipeline_buffer_options_memory_type import (
         ObservabilityPipelineBufferOptionsMemoryType,
     )
+    from datadog_api_client.v2.model.observability_pipeline_buffer_options_when_full import (
+        ObservabilityPipelineBufferOptionsWhenFull,
+    )
 
 
 class ObservabilityPipelineMemoryBufferSizeOptions(ModelNormal):
@@ -25,21 +28,27 @@ def openapi_types(_):
         from datadog_api_client.v2.model.observability_pipeline_buffer_options_memory_type import (
             ObservabilityPipelineBufferOptionsMemoryType,
         )
+        from datadog_api_client.v2.model.observability_pipeline_buffer_options_when_full import (
+            ObservabilityPipelineBufferOptionsWhenFull,
+        )
 
         return {
             "max_events": (int,),
             "type": (ObservabilityPipelineBufferOptionsMemoryType,),
+            "when_full": (ObservabilityPipelineBufferOptionsWhenFull,),
         }
 
     attribute_map = {
         "max_events": "max_events",
         "type": "type",
+        "when_full": "when_full",
     }
 
     def __init__(
         self_,
         max_events: Union[int, UnsetType] = unset,
         type: Union[ObservabilityPipelineBufferOptionsMemoryType, UnsetType] = unset,
+        when_full: Union[ObservabilityPipelineBufferOptionsWhenFull, UnsetType] = unset,
         **kwargs,
     ):
         """
@@ -50,9 +59,14 @@ def __init__(
 
         :param type: The type of the buffer that will be configured, a memory buffer.
         :type type: ObservabilityPipelineBufferOptionsMemoryType, optional
+
+        :param when_full: Behavior when the buffer is full (block and stop accepting new events, or drop new events)
+        :type when_full: ObservabilityPipelineBufferOptionsWhenFull, optional
         """
         if max_events is not unset:
             kwargs["max_events"] = max_events
         if type is not unset:
             kwargs["type"] = type
+        if when_full is not unset:
+            kwargs["when_full"] = when_full
         super().__init__(kwargs)

src/datadog_api_client/v2/model/security_monitoring_rule_anomaly_detection_options.py

@@ -47,13 +47,15 @@ def openapi_types(_):
         return {
             "bucket_duration": (SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration,),
             "detection_tolerance": (SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance,),
+            "instantaneous_baseline": (bool,),
             "learning_duration": (SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration,),
             "learning_period_baseline": (int,),
         }
 
     attribute_map = {
         "bucket_duration": "bucketDuration",
         "detection_tolerance": "detectionTolerance",
+        "instantaneous_baseline": "instantaneousBaseline",
         "learning_duration": "learningDuration",
         "learning_period_baseline": "learningPeriodBaseline",
     }
@@ -62,6 +64,7 @@ def __init__(
         self_,
         bucket_duration: Union[SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration, UnsetType] = unset,
         detection_tolerance: Union[SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance, UnsetType] = unset,
+        instantaneous_baseline: Union[bool, UnsetType] = unset,
         learning_duration: Union[SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration, UnsetType] = unset,
         learning_period_baseline: Union[int, UnsetType] = unset,
         **kwargs,
@@ -77,6 +80,9 @@ def __init__(
             Higher values require higher deviations before triggering a signal.
         :type detection_tolerance: SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance, optional
 
+        :param instantaneous_baseline: When set to true, Datadog uses previous values that fall within the defined learning window to construct the baseline, enabling the system to establish an accurate baseline more rapidly rather than relying solely on gradual learning over time.
+        :type instantaneous_baseline: bool, optional
+
         :param learning_duration: Learning duration in hours. Anomaly detection waits for at least this amount of historical data before it starts evaluating.
         :type learning_duration: SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration, optional
 
@@ -87,6 +93,8 @@ def __init__(
             kwargs["bucket_duration"] = bucket_duration
         if detection_tolerance is not unset:
             kwargs["detection_tolerance"] = detection_tolerance
+        if instantaneous_baseline is not unset:
+            kwargs["instantaneous_baseline"] = instantaneous_baseline
         if learning_duration is not unset:
             kwargs["learning_duration"] = learning_duration
         if learning_period_baseline is not unset:

tests/v2/cassettes/test_scenarios/test_create_a_detection_rule_with_detection_method_anomaly_detection_with_enabled_feature_instantaneousbaseline_returns_ok_response.frozen

@@ -0,0 +1 @@
+2026-02-10T14:48:33.727Z

tests/v2/cassettes/test_scenarios/test_create_a_detection_rule_with_detection_method_anomaly_detection_with_enabled_feature_instantaneousbaseline_returns_ok_response.yaml

@@ -0,0 +1,38 @@
+interactions:
+- request:
+    body: '{"cases":[{"condition":"a > 0.995","name":"","notifications":[],"status":"info"}],"filters":[],"isEnabled":true,"message":"An
+      anomaly detection rule","name":"Test-Create_a_detection_rule_with_detection_method_anomaly_detection_with_enabled_feature_instantaneousBa-1770734913","options":{"anomalyDetectionOptions":{"bucketDuration":300,"detectionTolerance":3,"instantaneousBaseline":true,"learningDuration":24},"detectionMethod":"anomaly_detection","evaluationWindow":900,"keepAlive":3600,"maxSignalDuration":86400},"queries":[{"aggregation":"count","dataSource":"logs","distinctFields":[],"groupByFields":["@usr.email","@network.client.ip"],"hasOptionalGroupByFields":false,"name":"","query":"service:app
+      status:error"}],"tags":[],"type":"log_detection"}'
+    headers:
+      accept:
+      - application/json
+      content-type:
+      - application/json
+    method: POST
+    uri: https://api.datadoghq.com/api/v2/security_monitoring/rules
+  response:
+    body:
+      string: '{"name":"Test-Create_a_detection_rule_with_detection_method_anomaly_detection_with_enabled_feature_instantaneousBa-1770734913","createdAt":1770734914087,"isDefault":false,"isPartner":false,"isEnabled":true,"isBeta":false,"isDeleted":false,"isDeprecated":false,"queries":[{"query":"service:app
+        status:error","groupByFields":["@usr.email","@network.client.ip"],"hasOptionalGroupByFields":false,"distinctFields":[],"aggregation":"count","name":"","dataSource":"logs"}],"options":{"evaluationWindow":1800,"detectionMethod":"anomaly_detection","maxSignalDuration":86400,"keepAlive":3600,"anomalyDetectionOptions":{"bucketDuration":300,"learningDuration":24,"detectionTolerance":3,"instantaneousBaseline":true,"instantaneousBaselineTimeoutMinutes":30}},"cases":[{"name":"","status":"info","notifications":[],"condition":"a
+        \u003e 0.995"}],"message":"An anomaly detection rule","tags":[],"hasExtendedTitle":false,"type":"log_detection","filters":[],"version":1,"id":"mtt-vs9-dyl","blocking":false,"metadata":{"entities":null,"sources":null},"creationAuthorId":1445416,"creator":{"handle":"frog@datadoghq.com","name":"frog"},"updater":{"handle":"","name":""}}'
+    headers:
+      content-type:
+      - application/json
+    status:
+      code: 200
+      message: OK
+- request:
+    body: null
+    headers:
+      accept:
+      - '*/*'
+    method: DELETE
+    uri: https://api.datadoghq.com/api/v2/security_monitoring/rules/mtt-vs9-dyl
+  response:
+    body:
+      string: ''
+    headers: {}
+    status:
+      code: 204
+      message: No Content
+version: 1

tests/v2/features/security_monitoring.feature

@@ -456,6 +456,17 @@ Feature: Security Monitoring
     And the response "options.anomalyDetectionOptions.learningPeriodBaseline" is equal to 10
     And the response "options.anomalyDetectionOptions.detectionTolerance" is equal to 3
 
+  @team:DataDog/k9-cloud-security-platform
+  Scenario: Create a detection rule with detection method 'anomaly_detection' with enabled feature 'instantaneousBaseline' returns "OK" response
+    Given new "CreateSecurityMonitoringRule" request
+    And body with value {"name":"{{ unique }}","type":"log_detection","isEnabled":true,"queries":[{"aggregation":"count","dataSource":"logs","distinctFields":[],"groupByFields":["@usr.email","@network.client.ip"],"hasOptionalGroupByFields":false,"name":"","query":"service:app status:error"}],"cases":[{"name":"","status":"info","notifications":[],"condition":"a > 0.995"}],"message":"An anomaly detection rule","options":{"detectionMethod":"anomaly_detection","evaluationWindow":900,"keepAlive":3600,"maxSignalDuration":86400,"anomalyDetectionOptions":{"bucketDuration":300,"learningDuration":24,"detectionTolerance":3,"instantaneousBaseline":true}},"tags":[],"filters":[]}
+    When the request is sent
+    Then the response status is 200 OK
+    And the response "name" is equal to "{{ unique }}"
+    And the response "type" is equal to "log_detection"
+    And the response "options.detectionMethod" is equal to "anomaly_detection"
+    And the response "options.anomalyDetectionOptions.instantaneousBaseline" is equal to true
+
   @team:DataDog/k9-cloud-security-platform
   Scenario: Create a detection rule with detection method 'sequence_detection' returns "OK" response
     Given new "CreateSecurityMonitoringRule" request