Add baselineUserLocationsDuration to Impossible Travel rule options (#4119)

Co-authored-by: ci.datadog-api-spec <packages@datadoghq.com>

Author: api-clients-generation-pipeline[bot]

.generator/schemas/v2/openapi.yaml

@@ -70685,11 +70685,20 @@ components:
       properties:
         baselineUserLocations:
           $ref: "#/components/schemas/SecurityMonitoringRuleImpossibleTravelOptionsBaselineUserLocations"
+        baselineUserLocationsDuration:
+          $ref: "#/components/schemas/SecurityMonitoringRuleImpossibleTravelOptionsBaselineUserLocationsDuration"
       type: object
     SecurityMonitoringRuleImpossibleTravelOptionsBaselineUserLocations:
       description: "If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular\naccess locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access."
       example: true
       type: boolean
+    SecurityMonitoringRuleImpossibleTravelOptionsBaselineUserLocationsDuration:
+      description: The duration in days during which Datadog learns the user's regular access locations. After this period, signals are generated for accesses from unknown locations.
+      format: int32
+      maximum: 30
+      minimum: 1
+      nullable: true
+      type: integer
     SecurityMonitoringRuleInstantaneousBaseline:
       description: When set to true, Datadog uses previous values that fall within the defined learning window to construct the baseline, enabling the system to establish an accurate baseline more rapidly rather than relying solely on gradual learning over time.
       example: false
@@ -143305,6 +143314,7 @@ paths:
                     hardcodedEvaluatorType: log4shell
                     impossibleTravelOptions:
                       baselineUserLocations: true
+                      baselineUserLocationsDuration: 7
                     newValueOptions:
                       instantaneousBaseline: false
                       learningMethod: duration
@@ -144061,6 +144071,7 @@ paths:
                     hardcodedEvaluatorType: log4shell
                     impossibleTravelOptions:
                       baselineUserLocations: true
+                      baselineUserLocationsDuration: 7
                     keepAlive: 3600
                     maxSignalDuration: 86400
                     newValueOptions:
@@ -144162,6 +144173,7 @@ paths:
                       hardcodedEvaluatorType: log4shell
                       impossibleTravelOptions:
                         baselineUserLocations: true
+                        baselineUserLocationsDuration: 7
                       keepAlive: 0
                       maxSignalDuration: 0
                       newValueOptions:
@@ -144275,6 +144287,7 @@ paths:
                     hardcodedEvaluatorType: log4shell
                     impossibleTravelOptions:
                       baselineUserLocations: true
+                      baselineUserLocationsDuration: 7
                     keepAlive: 1800
                     maxSignalDuration: 1800
                     newValueOptions:

api/datadogV2/model_security_monitoring_rule_impossible_travel_options.go

@@ -13,6 +13,8 @@ type SecurityMonitoringRuleImpossibleTravelOptions struct {
 	// If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular
 	// access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
 	BaselineUserLocations *bool `json:"baselineUserLocations,omitempty"`
+	// The duration in days during which Datadog learns the user's regular access locations. After this period, signals are generated for accesses from unknown locations.
+	BaselineUserLocationsDuration datadog.NullableInt32 `json:"baselineUserLocationsDuration,omitempty"`
 	// UnparsedObject contains the raw value of the object if there was an error when deserializing into the struct
 	UnparsedObject       map[string]interface{} `json:"-"`
 	AdditionalProperties map[string]interface{} `json:"-"`
@@ -63,6 +65,45 @@ func (o *SecurityMonitoringRuleImpossibleTravelOptions) SetBaselineUserLocations
 	o.BaselineUserLocations = &v
 }
 
+// GetBaselineUserLocationsDuration returns the BaselineUserLocationsDuration field value if set, zero value otherwise (both if not set or set to explicit null).
+func (o *SecurityMonitoringRuleImpossibleTravelOptions) GetBaselineUserLocationsDuration() int32 {
+	if o == nil || o.BaselineUserLocationsDuration.Get() == nil {
+		var ret int32
+		return ret
+	}
+	return *o.BaselineUserLocationsDuration.Get()
+}
+
+// GetBaselineUserLocationsDurationOk returns a tuple with the BaselineUserLocationsDuration field value if set, nil otherwise
+// and a boolean to check if the value has been set.
+// NOTE: If the value is an explicit nil, `nil, true` will be returned.
+func (o *SecurityMonitoringRuleImpossibleTravelOptions) GetBaselineUserLocationsDurationOk() (*int32, bool) {
+	if o == nil {
+		return nil, false
+	}
+	return o.BaselineUserLocationsDuration.Get(), o.BaselineUserLocationsDuration.IsSet()
+}
+
+// HasBaselineUserLocationsDuration returns a boolean if a field has been set.
+func (o *SecurityMonitoringRuleImpossibleTravelOptions) HasBaselineUserLocationsDuration() bool {
+	return o != nil && o.BaselineUserLocationsDuration.IsSet()
+}
+
+// SetBaselineUserLocationsDuration gets a reference to the given datadog.NullableInt32 and assigns it to the BaselineUserLocationsDuration field.
+func (o *SecurityMonitoringRuleImpossibleTravelOptions) SetBaselineUserLocationsDuration(v int32) {
+	o.BaselineUserLocationsDuration.Set(&v)
+}
+
+// SetBaselineUserLocationsDurationNil sets the value for BaselineUserLocationsDuration to be an explicit nil.
+func (o *SecurityMonitoringRuleImpossibleTravelOptions) SetBaselineUserLocationsDurationNil() {
+	o.BaselineUserLocationsDuration.Set(nil)
+}
+
+// UnsetBaselineUserLocationsDuration ensures that no value is present for BaselineUserLocationsDuration, not even an explicit nil.
+func (o *SecurityMonitoringRuleImpossibleTravelOptions) UnsetBaselineUserLocationsDuration() {
+	o.BaselineUserLocationsDuration.Unset()
+}
+
 // MarshalJSON serializes the struct using spec logic.
 func (o SecurityMonitoringRuleImpossibleTravelOptions) MarshalJSON() ([]byte, error) {
 	toSerialize := map[string]interface{}{}
@@ -72,6 +113,9 @@ func (o SecurityMonitoringRuleImpossibleTravelOptions) MarshalJSON() ([]byte, er
 	if o.BaselineUserLocations != nil {
 		toSerialize["baselineUserLocations"] = o.BaselineUserLocations
 	}
+	if o.BaselineUserLocationsDuration.IsSet() {
+		toSerialize["baselineUserLocationsDuration"] = o.BaselineUserLocationsDuration.Get()
+	}
 
 	for key, value := range o.AdditionalProperties {
 		toSerialize[key] = value
@@ -82,18 +126,20 @@ func (o SecurityMonitoringRuleImpossibleTravelOptions) MarshalJSON() ([]byte, er
 // UnmarshalJSON deserializes the given payload.
 func (o *SecurityMonitoringRuleImpossibleTravelOptions) UnmarshalJSON(bytes []byte) (err error) {
 	all := struct {
-		BaselineUserLocations *bool `json:"baselineUserLocations,omitempty"`
+		BaselineUserLocations         *bool                 `json:"baselineUserLocations,omitempty"`
+		BaselineUserLocationsDuration datadog.NullableInt32 `json:"baselineUserLocationsDuration,omitempty"`
 	}{}
 	if err = datadog.Unmarshal(bytes, &all); err != nil {
 		return datadog.Unmarshal(bytes, &o.UnparsedObject)
 	}
 	additionalProperties := make(map[string]interface{})
 	if err = datadog.Unmarshal(bytes, &additionalProperties); err == nil {
-		datadog.DeleteKeys(additionalProperties, &[]string{"baselineUserLocations"})
+		datadog.DeleteKeys(additionalProperties, &[]string{"baselineUserLocations", "baselineUserLocationsDuration"})
 	} else {
 		return err
 	}
 	o.BaselineUserLocations = all.BaselineUserLocations
+	o.BaselineUserLocationsDuration = all.BaselineUserLocationsDuration
 
 	if len(additionalProperties) > 0 {
 		o.AdditionalProperties = additionalProperties

examples/v2/security-monitoring/CreateSecurityMonitoringRule_3243059428.go

@@ -0,0 +1,67 @@
+// Create a detection rule with type 'impossible_travel' and baselineUserLocationsDuration returns "OK" response
+
+package main
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"os"
+
+	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
+	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
+)
+
+func main() {
+	body := datadogV2.SecurityMonitoringRuleCreatePayload{
+		SecurityMonitoringStandardRuleCreatePayload: &datadogV2.SecurityMonitoringStandardRuleCreatePayload{
+			Queries: []datadogV2.SecurityMonitoringStandardRuleQuery{
+				{
+					Aggregation: datadogV2.SECURITYMONITORINGRULEQUERYAGGREGATION_GEO_DATA.Ptr(),
+					GroupByFields: []string{
+						"@usr.id",
+					},
+					DistinctFields: []string{},
+					Metric:         datadog.PtrString("@network.client.geoip"),
+					Query:          datadog.PtrString("*"),
+				},
+			},
+			Cases: []datadogV2.SecurityMonitoringRuleCaseCreate{
+				{
+					Name:          datadog.PtrString(""),
+					Status:        datadogV2.SECURITYMONITORINGRULESEVERITY_INFO,
+					Notifications: []string{},
+				},
+			},
+			HasExtendedTitle: datadog.PtrBool(true),
+			Message:          "test",
+			IsEnabled:        true,
+			Options: datadogV2.SecurityMonitoringRuleOptions{
+				MaxSignalDuration: datadogV2.SECURITYMONITORINGRULEMAXSIGNALDURATION_ONE_DAY.Ptr(),
+				EvaluationWindow:  datadogV2.SECURITYMONITORINGRULEEVALUATIONWINDOW_FIFTEEN_MINUTES.Ptr(),
+				KeepAlive:         datadogV2.SECURITYMONITORINGRULEKEEPALIVE_ONE_HOUR.Ptr(),
+				DetectionMethod:   datadogV2.SECURITYMONITORINGRULEDETECTIONMETHOD_IMPOSSIBLE_TRAVEL.Ptr(),
+				ImpossibleTravelOptions: &datadogV2.SecurityMonitoringRuleImpossibleTravelOptions{
+					BaselineUserLocations:         datadog.PtrBool(true),
+					BaselineUserLocationsDuration: *datadog.NewNullableInt32(datadog.PtrInt32(7)),
+				},
+			},
+			Name:    "Example-Security-Monitoring",
+			Type:    datadogV2.SECURITYMONITORINGRULETYPECREATE_LOG_DETECTION.Ptr(),
+			Tags:    []string{},
+			Filters: []datadogV2.SecurityMonitoringFilter{},
+		}}
+	ctx := datadog.NewDefaultContext(context.Background())
+	configuration := datadog.NewConfiguration()
+	apiClient := datadog.NewAPIClient(configuration)
+	api := datadogV2.NewSecurityMonitoringApi(apiClient)
+	resp, r, err := api.CreateSecurityMonitoringRule(ctx, body)
+
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.CreateSecurityMonitoringRule`: %v\n", err)
+		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
+	}
+
+	responseContent, _ := json.MarshalIndent(resp, "", "  ")
+	fmt.Fprintf(os.Stdout, "Response from `SecurityMonitoringApi.CreateSecurityMonitoringRule`:\n%s\n", responseContent)
+}

tests/scenarios/cassettes/TestScenarios/v2/Feature_Security_Monitoring/Scenario_Create_a_detection_rule_with_type_impossible_travel_and_baselineUserLocationsDuration_returns_OK_response.freeze

@@ -0,0 +1 @@
+2026-05-20T15:12:27.397Z

tests/scenarios/cassettes/TestScenarios/v2/Feature_Security_Monitoring/Scenario_Create_a_detection_rule_with_type_impossible_travel_and_baselineUserLocationsDuration_returns_OK_response.yaml

@@ -0,0 +1,38 @@
+interactions:
+- request:
+    body: |
+      {"cases":[{"name":"","notifications":[],"status":"info"}],"filters":[],"hasExtendedTitle":true,"isEnabled":true,"message":"test","name":"Test-Create_a_detection_rule_with_type_impossible_travel_and_baselineUserLocationsDuration_returns_OK_res-1779289947","options":{"detectionMethod":"impossible_travel","evaluationWindow":900,"impossibleTravelOptions":{"baselineUserLocations":true,"baselineUserLocationsDuration":7},"keepAlive":3600,"maxSignalDuration":86400},"queries":[{"aggregation":"geo_data","distinctFields":[],"groupByFields":["@usr.id"],"metric":"@network.client.geoip","query":"*"}],"tags":[],"type":"log_detection"}
+    form: {}
+    headers:
+      Accept:
+      - application/json
+      Content-Type:
+      - application/json
+    id: 0
+    method: POST
+    url: https://api.datadoghq.com/api/v2/security_monitoring/rules
+  response:
+    body: '{"name":"Test-Create_a_detection_rule_with_type_impossible_travel_and_baselineUserLocationsDuration_returns_OK_res-1779289947","createdAt":1779289949181,"isDefault":false,"isPartner":false,"isEnabled":true,"isBeta":false,"isDeleted":false,"isDeprecated":false,"queries":[{"query":"*","groupByFields":["@usr.id"],"hasOptionalGroupByFields":false,"distinctFields":[],"metric":"@network.client.geoip","metrics":["@network.client.geoip"],"aggregation":"geo_data","name":"","dataSource":"logs"}],"options":{"evaluationWindow":900,"detectionMethod":"impossible_travel","maxSignalDuration":86400,"keepAlive":3600,"impossibleTravelOptions":{"baselineUserLocations":true,"baselineUserLocationsDuration":7,"detectIpTransition":false}},"cases":[{"name":"","status":"info","notifications":[]}],"message":"test","tags":[],"hasExtendedTitle":true,"type":"log_detection","filters":[],"version":1,"id":"v2k-viu-svz","blocking":false,"metadata":{"entities":null,"sources":null},"creationAuthorId":2320499,"creator":{"handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","name":"CI
+      Account"},"updater":{"handle":"","name":""}}'
+    code: 200
+    duration: 0ms
+    headers:
+      Content-Type:
+      - application/json
+    status: 200 OK
+- request:
+    body: ''
+    form: {}
+    headers:
+      Accept:
+      - '*/*'
+    id: 1
+    method: DELETE
+    url: https://api.datadoghq.com/api/v2/security_monitoring/rules/v2k-viu-svz
+  response:
+    body: ''
+    code: 204
+    duration: 0ms
+    headers: {}
+    status: 204 No Content
+version: 2

tests/scenarios/features/v2/security_monitoring.feature

@@ -559,6 +559,19 @@ Feature: Security Monitoring
     And the response "type" is equal to "application_security"
     And the response "message" is equal to "Test rule"
 
+  @skip-validation @team:DataDog/k9-cloud-siem
+  Scenario: Create a detection rule with type 'impossible_travel' and baselineUserLocationsDuration returns "OK" response
+    Given new "CreateSecurityMonitoringRule" request
+    And body with value {"queries":[{"aggregation":"geo_data","groupByFields":["@usr.id"],"distinctFields":[],"metric":"@network.client.geoip","query":"*"}],"cases":[{"name":"","status":"info","notifications":[]}],"hasExtendedTitle":true,"message":"test","isEnabled":true,"options":{"maxSignalDuration":86400,"evaluationWindow":900,"keepAlive":3600,"detectionMethod":"impossible_travel","impossibleTravelOptions":{"baselineUserLocations":true,"baselineUserLocationsDuration":7}},"name":"{{ unique }}","type":"log_detection","tags":[],"filters":[]}
+    When the request is sent
+    Then the response status is 200 OK
+    And the response "name" is equal to "{{ unique }}"
+    And the response "type" is equal to "log_detection"
+    And the response "message" is equal to "test"
+    And the response "options.detectionMethod" is equal to "impossible_travel"
+    And the response "options.impossibleTravelOptions.baselineUserLocations" is equal to true
+    And the response "options.impossibleTravelOptions.baselineUserLocationsDuration" is equal to 7
+
   @skip-validation @team:DataDog/k9-cloud-siem
   Scenario: Create a detection rule with type 'impossible_travel' returns "OK" response
     Given new "CreateSecurityMonitoringRule" request