Add anomaly detection options to security monitoring rules (DataDog#3531)

Co-authored-by: ci.datadog-api-spec <packages@datadoghq.com>

Author: api-clients-generation-pipeline[bot]

.generator/schemas/v2/openapi.yaml

@@ -47320,6 +47320,86 @@ components:
           description: The name of the reference table.
           type: string
       type: object
+    SecurityMonitoringRuleAnomalyDetectionOptions:
+      additionalProperties: {}
+      description: Options on anomaly detection method.
+      properties:
+        bucketDuration:
+          $ref: '#/components/schemas/SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration'
+        detectionTolerance:
+          $ref: '#/components/schemas/SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance'
+        learningDuration:
+          $ref: '#/components/schemas/SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration'
+        learningPeriodBaseline:
+          description: An optional override baseline to apply while the rule is in
+            the learning period. Must be greater than or equal to 0.
+          format: int64
+          minimum: 0
+          type: integer
+      type: object
+    SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration:
+      description: 'Duration in seconds of the time buckets used to aggregate events
+        matched by the rule.
+
+        Must be greater than or equal to 300.'
+      enum:
+      - 300
+      - 600
+      - 900
+      - 1800
+      - 3600
+      - 10800
+      example: 300
+      format: int32
+      type: integer
+      x-enum-varnames:
+      - FIVE_MINUTES
+      - TEN_MINUTES
+      - FIFTEEN_MINUTES
+      - THIRTY_MINUTES
+      - ONE_HOUR
+      - THREE_HOURS
+    SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance:
+      description: 'An optional parameter that sets how permissive anomaly detection
+        is.
+
+        Higher values require higher deviations before triggering a signal.'
+      enum:
+      - 1
+      - 2
+      - 3
+      - 4
+      - 5
+      example: 5
+      format: int32
+      type: integer
+      x-enum-varnames:
+      - ONE
+      - TWO
+      - THREE
+      - FOUR
+      - FIVE
+    SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration:
+      description: Learning duration in hours. Anomaly detection waits for at least
+        this amount of historical data before it starts evaluating.
+      enum:
+      - 1
+      - 6
+      - 12
+      - 24
+      - 48
+      - 168
+      - 336
+      format: int32
+      type: integer
+      x-enum-varnames:
+      - ONE_HOUR
+      - SIX_HOURS
+      - TWELVE_HOURS
+      - ONE_DAY
+      - TWO_DAYS
+      - ONE_WEEK
+      - TWO_WEEKS
     SecurityMonitoringRuleCase:
       description: Case when signal is generated.
       properties:
@@ -47685,6 +47765,8 @@ components:
     SecurityMonitoringRuleOptions:
       description: Options.
       properties:
+        anomalyDetectionOptions:
+          $ref: '#/components/schemas/SecurityMonitoringRuleAnomalyDetectionOptions'
         complianceRuleOptions:
           $ref: '#/components/schemas/CloudConfigurationComplianceRuleOptions'
         decreaseCriticalityBasedOnEnv:
@@ -55124,6 +55206,8 @@ components:
     ThreatHuntingJobOptions:
       description: Job options.
       properties:
+        anomalyDetectionOptions:
+          $ref: '#/components/schemas/SecurityMonitoringRuleAnomalyDetectionOptions'
         detectionMethod:
           $ref: '#/components/schemas/SecurityMonitoringRuleDetectionMethod'
         evaluationWindow:

api/datadogV2/model_security_monitoring_rule_anomaly_detection_options.go

@@ -0,0 +1,227 @@
+// Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2019-Present Datadog, Inc.
+
+package datadogV2
+
+import (
+	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
+)
+
+// SecurityMonitoringRuleAnomalyDetectionOptions Options on anomaly detection method.
+type SecurityMonitoringRuleAnomalyDetectionOptions struct {
+	// Duration in seconds of the time buckets used to aggregate events matched by the rule.
+	// Must be greater than or equal to 300.
+	BucketDuration *SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration `json:"bucketDuration,omitempty"`
+	// An optional parameter that sets how permissive anomaly detection is.
+	// Higher values require higher deviations before triggering a signal.
+	DetectionTolerance *SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance `json:"detectionTolerance,omitempty"`
+	// Learning duration in hours. Anomaly detection waits for at least this amount of historical data before it starts evaluating.
+	LearningDuration *SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration `json:"learningDuration,omitempty"`
+	// An optional override baseline to apply while the rule is in the learning period. Must be greater than or equal to 0.
+	LearningPeriodBaseline *int64 `json:"learningPeriodBaseline,omitempty"`
+	// UnparsedObject contains the raw value of the object if there was an error when deserializing into the struct
+	UnparsedObject       map[string]interface{} `json:"-"`
+	AdditionalProperties map[string]interface{} `json:"-"`
+}
+
+// NewSecurityMonitoringRuleAnomalyDetectionOptions instantiates a new SecurityMonitoringRuleAnomalyDetectionOptions object.
+// This constructor will assign default values to properties that have it defined,
+// and makes sure properties required by API are set, but the set of arguments
+// will change when the set of required properties is changed.
+func NewSecurityMonitoringRuleAnomalyDetectionOptions() *SecurityMonitoringRuleAnomalyDetectionOptions {
+	this := SecurityMonitoringRuleAnomalyDetectionOptions{}
+	return &this
+}
+
+// NewSecurityMonitoringRuleAnomalyDetectionOptionsWithDefaults instantiates a new SecurityMonitoringRuleAnomalyDetectionOptions object.
+// This constructor will only assign default values to properties that have it defined,
+// but it doesn't guarantee that properties required by API are set.
+func NewSecurityMonitoringRuleAnomalyDetectionOptionsWithDefaults() *SecurityMonitoringRuleAnomalyDetectionOptions {
+	this := SecurityMonitoringRuleAnomalyDetectionOptions{}
+	return &this
+}
+
+// GetBucketDuration returns the BucketDuration field value if set, zero value otherwise.
+func (o *SecurityMonitoringRuleAnomalyDetectionOptions) GetBucketDuration() SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration {
+	if o == nil || o.BucketDuration == nil {
+		var ret SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration
+		return ret
+	}
+	return *o.BucketDuration
+}
+
+// GetBucketDurationOk returns a tuple with the BucketDuration field value if set, nil otherwise
+// and a boolean to check if the value has been set.
+func (o *SecurityMonitoringRuleAnomalyDetectionOptions) GetBucketDurationOk() (*SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration, bool) {
+	if o == nil || o.BucketDuration == nil {
+		return nil, false
+	}
+	return o.BucketDuration, true
+}
+
+// HasBucketDuration returns a boolean if a field has been set.
+func (o *SecurityMonitoringRuleAnomalyDetectionOptions) HasBucketDuration() bool {
+	return o != nil && o.BucketDuration != nil
+}
+
+// SetBucketDuration gets a reference to the given SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration and assigns it to the BucketDuration field.
+func (o *SecurityMonitoringRuleAnomalyDetectionOptions) SetBucketDuration(v SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration) {
+	o.BucketDuration = &v
+}
+
+// GetDetectionTolerance returns the DetectionTolerance field value if set, zero value otherwise.
+func (o *SecurityMonitoringRuleAnomalyDetectionOptions) GetDetectionTolerance() SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance {
+	if o == nil || o.DetectionTolerance == nil {
+		var ret SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance
+		return ret
+	}
+	return *o.DetectionTolerance
+}
+
+// GetDetectionToleranceOk returns a tuple with the DetectionTolerance field value if set, nil otherwise
+// and a boolean to check if the value has been set.
+func (o *SecurityMonitoringRuleAnomalyDetectionOptions) GetDetectionToleranceOk() (*SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance, bool) {
+	if o == nil || o.DetectionTolerance == nil {
+		return nil, false
+	}
+	return o.DetectionTolerance, true
+}
+
+// HasDetectionTolerance returns a boolean if a field has been set.
+func (o *SecurityMonitoringRuleAnomalyDetectionOptions) HasDetectionTolerance() bool {
+	return o != nil && o.DetectionTolerance != nil
+}
+
+// SetDetectionTolerance gets a reference to the given SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance and assigns it to the DetectionTolerance field.
+func (o *SecurityMonitoringRuleAnomalyDetectionOptions) SetDetectionTolerance(v SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance) {
+	o.DetectionTolerance = &v
+}
+
+// GetLearningDuration returns the LearningDuration field value if set, zero value otherwise.
+func (o *SecurityMonitoringRuleAnomalyDetectionOptions) GetLearningDuration() SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration {
+	if o == nil || o.LearningDuration == nil {
+		var ret SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration
+		return ret
+	}
+	return *o.LearningDuration
+}
+
+// GetLearningDurationOk returns a tuple with the LearningDuration field value if set, nil otherwise
+// and a boolean to check if the value has been set.
+func (o *SecurityMonitoringRuleAnomalyDetectionOptions) GetLearningDurationOk() (*SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration, bool) {
+	if o == nil || o.LearningDuration == nil {
+		return nil, false
+	}
+	return o.LearningDuration, true
+}
+
+// HasLearningDuration returns a boolean if a field has been set.
+func (o *SecurityMonitoringRuleAnomalyDetectionOptions) HasLearningDuration() bool {
+	return o != nil && o.LearningDuration != nil
+}
+
+// SetLearningDuration gets a reference to the given SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration and assigns it to the LearningDuration field.
+func (o *SecurityMonitoringRuleAnomalyDetectionOptions) SetLearningDuration(v SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration) {
+	o.LearningDuration = &v
+}
+
+// GetLearningPeriodBaseline returns the LearningPeriodBaseline field value if set, zero value otherwise.
+func (o *SecurityMonitoringRuleAnomalyDetectionOptions) GetLearningPeriodBaseline() int64 {
+	if o == nil || o.LearningPeriodBaseline == nil {
+		var ret int64
+		return ret
+	}
+	return *o.LearningPeriodBaseline
+}
+
+// GetLearningPeriodBaselineOk returns a tuple with the LearningPeriodBaseline field value if set, nil otherwise
+// and a boolean to check if the value has been set.
+func (o *SecurityMonitoringRuleAnomalyDetectionOptions) GetLearningPeriodBaselineOk() (*int64, bool) {
+	if o == nil || o.LearningPeriodBaseline == nil {
+		return nil, false
+	}
+	return o.LearningPeriodBaseline, true
+}
+
+// HasLearningPeriodBaseline returns a boolean if a field has been set.
+func (o *SecurityMonitoringRuleAnomalyDetectionOptions) HasLearningPeriodBaseline() bool {
+	return o != nil && o.LearningPeriodBaseline != nil
+}
+
+// SetLearningPeriodBaseline gets a reference to the given int64 and assigns it to the LearningPeriodBaseline field.
+func (o *SecurityMonitoringRuleAnomalyDetectionOptions) SetLearningPeriodBaseline(v int64) {
+	o.LearningPeriodBaseline = &v
+}
+
+// MarshalJSON serializes the struct using spec logic.
+func (o SecurityMonitoringRuleAnomalyDetectionOptions) MarshalJSON() ([]byte, error) {
+	toSerialize := map[string]interface{}{}
+	if o.UnparsedObject != nil {
+		return datadog.Marshal(o.UnparsedObject)
+	}
+	if o.BucketDuration != nil {
+		toSerialize["bucketDuration"] = o.BucketDuration
+	}
+	if o.DetectionTolerance != nil {
+		toSerialize["detectionTolerance"] = o.DetectionTolerance
+	}
+	if o.LearningDuration != nil {
+		toSerialize["learningDuration"] = o.LearningDuration
+	}
+	if o.LearningPeriodBaseline != nil {
+		toSerialize["learningPeriodBaseline"] = o.LearningPeriodBaseline
+	}
+
+	for key, value := range o.AdditionalProperties {
+		toSerialize[key] = value
+	}
+	return datadog.Marshal(toSerialize)
+}
+
+// UnmarshalJSON deserializes the given payload.
+func (o *SecurityMonitoringRuleAnomalyDetectionOptions) UnmarshalJSON(bytes []byte) (err error) {
+	all := struct {
+		BucketDuration         *SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration     `json:"bucketDuration,omitempty"`
+		DetectionTolerance     *SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance `json:"detectionTolerance,omitempty"`
+		LearningDuration       *SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration   `json:"learningDuration,omitempty"`
+		LearningPeriodBaseline *int64                                                           `json:"learningPeriodBaseline,omitempty"`
+	}{}
+	if err = datadog.Unmarshal(bytes, &all); err != nil {
+		return datadog.Unmarshal(bytes, &o.UnparsedObject)
+	}
+	additionalProperties := make(map[string]interface{})
+	if err = datadog.Unmarshal(bytes, &additionalProperties); err == nil {
+		datadog.DeleteKeys(additionalProperties, &[]string{"bucketDuration", "detectionTolerance", "learningDuration", "learningPeriodBaseline"})
+	} else {
+		return err
+	}
+
+	hasInvalidField := false
+	if all.BucketDuration != nil && !all.BucketDuration.IsValid() {
+		hasInvalidField = true
+	} else {
+		o.BucketDuration = all.BucketDuration
+	}
+	if all.DetectionTolerance != nil && !all.DetectionTolerance.IsValid() {
+		hasInvalidField = true
+	} else {
+		o.DetectionTolerance = all.DetectionTolerance
+	}
+	if all.LearningDuration != nil && !all.LearningDuration.IsValid() {
+		hasInvalidField = true
+	} else {
+		o.LearningDuration = all.LearningDuration
+	}
+	o.LearningPeriodBaseline = all.LearningPeriodBaseline
+
+	if len(additionalProperties) > 0 {
+		o.AdditionalProperties = additionalProperties
+	}
+
+	if hasInvalidField {
+		return datadog.Unmarshal(bytes, &o.UnparsedObject)
+	}
+
+	return nil
+}