Cloud SIEM - Add instantaneousBaseline feature parameter. (DataDog#2814)

Co-authored-by: ci.datadog-api-spec <packages@datadoghq.com>

Author: api-clients-generation-pipeline[bot]

.generator/schemas/v2/openapi.yaml

@@ -47596,6 +47596,8 @@ components:
       properties:
         forgetAfter:
           $ref: '#/components/schemas/SecurityMonitoringRuleNewValueOptionsForgetAfter'
+        instantaneousBaseline:
+          $ref: '#/components/schemas/SecurityMonitoringRuleNewValueOptionsInstantaneousBaseline'
         learningDuration:
           $ref: '#/components/schemas/SecurityMonitoringRuleNewValueOptionsLearningDuration'
         learningMethod:
@@ -47621,6 +47623,13 @@ components:
       - TWO_WEEKS
       - THREE_WEEKS
       - FOUR_WEEKS
+    SecurityMonitoringRuleNewValueOptionsInstantaneousBaseline:
+      description: When set to true, Datadog uses previous values that fall within
+        the defined learning window to construct the baseline, enabling the system
+        to establish an accurate baseline more rapidly rather than relying solely
+        on gradual learning over time.
+      example: false
+      type: boolean
     SecurityMonitoringRuleNewValueOptionsLearningDuration:
       default: 0
       description: 'The duration in days during which values are learned, and after

cassettes/features/v2/security_monitoring/Validate-a-detection-rule-with-detection-method-new-value-with-enabled-feature-instantaneousBaseline-returns-OK-response.frozen

@@ -0,0 +1 @@
+2025-12-10T08:37:17.537Z

cassettes/features/v2/security_monitoring/Validate-a-detection-rule-with-detection-method-new-value-with-enabled-feature-instantaneousBaseline-returns-OK-response.yml

@@ -0,0 +1,54 @@
+# Validate a detection rule with detection method 'new_value' with enabled feature 'instantaneousBaseline' returns "OK"
+response
+
+require "datadog_api_client"
+api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
+
+body = DatadogAPIClient::V2::SecurityMonitoringStandardRulePayload.new({
+  cases: [
+    DatadogAPIClient::V2::SecurityMonitoringRuleCaseCreate.new({
+      name: "",
+      status: DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::INFO,
+      notifications: [],
+    }),
+  ],
+  has_extended_title: true,
+  is_enabled: true,
+  message: "My security monitoring rule",
+  name: "My security monitoring rule",
+  options: DatadogAPIClient::V2::SecurityMonitoringRuleOptions.new({
+    evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::ZERO_MINUTES,
+    keep_alive: DatadogAPIClient::V2::SecurityMonitoringRuleKeepAlive::FIVE_MINUTES,
+    max_signal_duration: DatadogAPIClient::V2::SecurityMonitoringRuleMaxSignalDuration::TEN_MINUTES,
+    detection_method: DatadogAPIClient::V2::SecurityMonitoringRuleDetectionMethod::NEW_VALUE,
+    new_value_options: DatadogAPIClient::V2::SecurityMonitoringRuleNewValueOptions.new({
+      forget_after: DatadogAPIClient::V2::SecurityMonitoringRuleNewValueOptionsForgetAfter::ONE_WEEK,
+      instantaneous_baseline: true,
+      learning_duration: DatadogAPIClient::V2::SecurityMonitoringRuleNewValueOptionsLearningDuration::ONE_DAY,
+      learning_threshold: DatadogAPIClient::V2::SecurityMonitoringRuleNewValueOptionsLearningThreshold::ZERO_OCCURRENCES,
+      learning_method: DatadogAPIClient::V2::SecurityMonitoringRuleNewValueOptionsLearningMethod::DURATION,
+    }),
+  }),
+  queries: [
+    DatadogAPIClient::V2::SecurityMonitoringStandardRuleQuery.new({
+      query: "source:source_here",
+      group_by_fields: [
+        "@userIdentity.assumed_role",
+      ],
+      distinct_fields: [],
+      metric: "name",
+      metrics: [
+        "name",
+      ],
+      aggregation: DatadogAPIClient::V2::SecurityMonitoringRuleQueryAggregation::NEW_VALUE,
+      name: "",
+      data_source: DatadogAPIClient::V2::SecurityMonitoringStandardDataSource::LOGS,
+    }),
+  ],
+  tags: [
+    "env:prod",
+    "team:security",
+  ],
+  type: DatadogAPIClient::V2::SecurityMonitoringRuleTypeCreate::LOG_DETECTION,
+})
+api_instance.validate_security_monitoring_rule(body)

examples/v2/security-monitoring/ValidateSecurityMonitoringRule_2609327779.rb

@@ -1764,6 +1764,13 @@ Feature: Security Monitoring
     When the request is sent
     Then the response status is 204 OK
 
+  @team:DataDog/k9-cloud-security-platform
+  Scenario: Validate a detection rule with detection method 'new_value' with enabled feature 'instantaneousBaseline' returns "OK" response
+    Given new "ValidateSecurityMonitoringRule" request
+    And body with value {"cases":[{"name":"","status":"info","notifications":[]}],"hasExtendedTitle":true,"isEnabled":true,"message":"My security monitoring rule","name":"My security monitoring rule","options":{"evaluationWindow":0,"keepAlive":300,"maxSignalDuration":600,"detectionMethod":"new_value","newValueOptions":{"forgetAfter":7,"instantaneousBaseline":true,"learningDuration":1,"learningThreshold":0,"learningMethod":"duration"}},"queries":[{"query":"source:source_here","groupByFields":["@userIdentity.assumed_role"],"distinctFields":[],"metric":"name","metrics":["name"],"aggregation":"new_value","name":"","dataSource":"logs"}],"tags":["env:prod","team:security"],"type":"log_detection"}
+    When the request is sent
+    Then the response status is 204 OK
+
   @team:DataDog/k9-cloud-security-platform
   Scenario: Validate a detection rule with detection method 'sequence_detection' returns "OK" response
     Given new "ValidateSecurityMonitoringRule" request

features/v2/security_monitoring.feature

@@ -24,6 +24,9 @@ class SecurityMonitoringRuleNewValueOptions
     # The duration in days after which a learned value is forgotten.
     attr_accessor :forget_after
 
+    # When set to true, Datadog uses previous values that fall within the defined learning window to construct the baseline, enabling the system to establish an accurate baseline more rapidly rather than relying solely on gradual learning over time.
+    attr_accessor :instantaneous_baseline
+
     # The duration in days during which values are learned, and after which signals will be generated for values that
     # weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned.
     attr_accessor :learning_duration
@@ -41,6 +44,7 @@ class SecurityMonitoringRuleNewValueOptions
     def self.attribute_map
       {
         :'forget_after' => :'forgetAfter',
+        :'instantaneous_baseline' => :'instantaneousBaseline',
         :'learning_duration' => :'learningDuration',
         :'learning_method' => :'learningMethod',
         :'learning_threshold' => :'learningThreshold'
@@ -52,6 +56,7 @@ def self.attribute_map
     def self.openapi_types
       {
         :'forget_after' => :'SecurityMonitoringRuleNewValueOptionsForgetAfter',
+        :'instantaneous_baseline' => :'Boolean',
         :'learning_duration' => :'SecurityMonitoringRuleNewValueOptionsLearningDuration',
         :'learning_method' => :'SecurityMonitoringRuleNewValueOptionsLearningMethod',
         :'learning_threshold' => :'SecurityMonitoringRuleNewValueOptionsLearningThreshold'
@@ -80,6 +85,10 @@ def initialize(attributes = {})
         self.forget_after = attributes[:'forget_after']
       end
 
+      if attributes.key?(:'instantaneous_baseline')
+        self.instantaneous_baseline = attributes[:'instantaneous_baseline']
+      end
+
       if attributes.key?(:'learning_duration')
         self.learning_duration = attributes[:'learning_duration']
       end
@@ -120,6 +129,7 @@ def ==(o)
       return true if self.equal?(o)
       self.class == o.class &&
           forget_after == o.forget_after &&
+          instantaneous_baseline == o.instantaneous_baseline &&
           learning_duration == o.learning_duration &&
           learning_method == o.learning_method &&
           learning_threshold == o.learning_threshold &&
@@ -130,7 +140,7 @@ def ==(o)
     # @return [Integer] Hash code
     # @!visibility private
     def hash
-      [forget_after, learning_duration, learning_method, learning_threshold, additional_properties].hash
+      [forget_after, instantaneous_baseline, learning_duration, learning_method, learning_threshold, additional_properties].hash
     end
   end
 end