Cloud SIEM - Add instantaneousBaseline feature parameter. (#3503)

Co-authored-by: ci.datadog-api-spec <packages@datadoghq.com>

Author: api-clients-generation-pipeline[bot]

.generator/schemas/v2/openapi.yaml

@@ -47596,6 +47596,8 @@ components:
       properties:
         forgetAfter:
           $ref: '#/components/schemas/SecurityMonitoringRuleNewValueOptionsForgetAfter'
+        instantaneousBaseline:
+          $ref: '#/components/schemas/SecurityMonitoringRuleNewValueOptionsInstantaneousBaseline'
         learningDuration:
           $ref: '#/components/schemas/SecurityMonitoringRuleNewValueOptionsLearningDuration'
         learningMethod:
@@ -47621,6 +47623,13 @@ components:
       - TWO_WEEKS
       - THREE_WEEKS
       - FOUR_WEEKS
+    SecurityMonitoringRuleNewValueOptionsInstantaneousBaseline:
+      description: When set to true, Datadog uses previous values that fall within
+        the defined learning window to construct the baseline, enabling the system
+        to establish an accurate baseline more rapidly rather than relying solely
+        on gradual learning over time.
+      example: false
+      type: boolean
     SecurityMonitoringRuleNewValueOptionsLearningDuration:
       default: 0
       description: 'The duration in days during which values are learned, and after

api/datadogV2/model_security_monitoring_rule_new_value_options.go

@@ -12,6 +12,8 @@ import (
 type SecurityMonitoringRuleNewValueOptions struct {
 	// The duration in days after which a learned value is forgotten.
 	ForgetAfter *SecurityMonitoringRuleNewValueOptionsForgetAfter `json:"forgetAfter,omitempty"`
+	// When set to true, Datadog uses previous values that fall within the defined learning window to construct the baseline, enabling the system to establish an accurate baseline more rapidly rather than relying solely on gradual learning over time.
+	InstantaneousBaseline *bool `json:"instantaneousBaseline,omitempty"`
 	// The duration in days during which values are learned, and after which signals will be generated for values that
 	// weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned.
 	LearningDuration *SecurityMonitoringRuleNewValueOptionsLearningDuration `json:"learningDuration,omitempty"`
@@ -81,6 +83,34 @@ func (o *SecurityMonitoringRuleNewValueOptions) SetForgetAfter(v SecurityMonitor
 	o.ForgetAfter = &v
 }
 
+// GetInstantaneousBaseline returns the InstantaneousBaseline field value if set, zero value otherwise.
+func (o *SecurityMonitoringRuleNewValueOptions) GetInstantaneousBaseline() bool {
+	if o == nil || o.InstantaneousBaseline == nil {
+		var ret bool
+		return ret
+	}
+	return *o.InstantaneousBaseline
+}
+
+// GetInstantaneousBaselineOk returns a tuple with the InstantaneousBaseline field value if set, nil otherwise
+// and a boolean to check if the value has been set.
+func (o *SecurityMonitoringRuleNewValueOptions) GetInstantaneousBaselineOk() (*bool, bool) {
+	if o == nil || o.InstantaneousBaseline == nil {
+		return nil, false
+	}
+	return o.InstantaneousBaseline, true
+}
+
+// HasInstantaneousBaseline returns a boolean if a field has been set.
+func (o *SecurityMonitoringRuleNewValueOptions) HasInstantaneousBaseline() bool {
+	return o != nil && o.InstantaneousBaseline != nil
+}
+
+// SetInstantaneousBaseline gets a reference to the given bool and assigns it to the InstantaneousBaseline field.
+func (o *SecurityMonitoringRuleNewValueOptions) SetInstantaneousBaseline(v bool) {
+	o.InstantaneousBaseline = &v
+}
+
 // GetLearningDuration returns the LearningDuration field value if set, zero value otherwise.
 func (o *SecurityMonitoringRuleNewValueOptions) GetLearningDuration() SecurityMonitoringRuleNewValueOptionsLearningDuration {
 	if o == nil || o.LearningDuration == nil {
@@ -174,6 +204,9 @@ func (o SecurityMonitoringRuleNewValueOptions) MarshalJSON() ([]byte, error) {
 	if o.ForgetAfter != nil {
 		toSerialize["forgetAfter"] = o.ForgetAfter
 	}
+	if o.InstantaneousBaseline != nil {
+		toSerialize["instantaneousBaseline"] = o.InstantaneousBaseline
+	}
 	if o.LearningDuration != nil {
 		toSerialize["learningDuration"] = o.LearningDuration
 	}
@@ -193,17 +226,18 @@ func (o SecurityMonitoringRuleNewValueOptions) MarshalJSON() ([]byte, error) {
 // UnmarshalJSON deserializes the given payload.
 func (o *SecurityMonitoringRuleNewValueOptions) UnmarshalJSON(bytes []byte) (err error) {
 	all := struct {
-		ForgetAfter       *SecurityMonitoringRuleNewValueOptionsForgetAfter       `json:"forgetAfter,omitempty"`
-		LearningDuration  *SecurityMonitoringRuleNewValueOptionsLearningDuration  `json:"learningDuration,omitempty"`
-		LearningMethod    *SecurityMonitoringRuleNewValueOptionsLearningMethod    `json:"learningMethod,omitempty"`
-		LearningThreshold *SecurityMonitoringRuleNewValueOptionsLearningThreshold `json:"learningThreshold,omitempty"`
+		ForgetAfter           *SecurityMonitoringRuleNewValueOptionsForgetAfter       `json:"forgetAfter,omitempty"`
+		InstantaneousBaseline *bool                                                   `json:"instantaneousBaseline,omitempty"`
+		LearningDuration      *SecurityMonitoringRuleNewValueOptionsLearningDuration  `json:"learningDuration,omitempty"`
+		LearningMethod        *SecurityMonitoringRuleNewValueOptionsLearningMethod    `json:"learningMethod,omitempty"`
+		LearningThreshold     *SecurityMonitoringRuleNewValueOptionsLearningThreshold `json:"learningThreshold,omitempty"`
 	}{}
 	if err = datadog.Unmarshal(bytes, &all); err != nil {
 		return datadog.Unmarshal(bytes, &o.UnparsedObject)
 	}
 	additionalProperties := make(map[string]interface{})
 	if err = datadog.Unmarshal(bytes, &additionalProperties); err == nil {
-		datadog.DeleteKeys(additionalProperties, &[]string{"forgetAfter", "learningDuration", "learningMethod", "learningThreshold"})
+		datadog.DeleteKeys(additionalProperties, &[]string{"forgetAfter", "instantaneousBaseline", "learningDuration", "learningMethod", "learningThreshold"})
 	} else {
 		return err
 	}
@@ -214,6 +248,7 @@ func (o *SecurityMonitoringRuleNewValueOptions) UnmarshalJSON(bytes []byte) (err
 	} else {
 		o.ForgetAfter = all.ForgetAfter
 	}
+	o.InstantaneousBaseline = all.InstantaneousBaseline
 	if all.LearningDuration != nil && !all.LearningDuration.IsValid() {
 		hasInvalidField = true
 	} else {

examples/v2/security-monitoring/ValidateSecurityMonitoringRule_2609327779.go

@@ -0,0 +1,74 @@
+// Validate a detection rule with detection method 'new_value' with enabled feature 'instantaneousBaseline' returns "OK"
+// response
+
+package main
+
+import (
+	"context"
+	"fmt"
+	"os"
+
+	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
+	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
+)
+
+func main() {
+	body := datadogV2.SecurityMonitoringRuleValidatePayload{
+		SecurityMonitoringStandardRulePayload: &datadogV2.SecurityMonitoringStandardRulePayload{
+			Cases: []datadogV2.SecurityMonitoringRuleCaseCreate{
+				{
+					Name:          datadog.PtrString(""),
+					Status:        datadogV2.SECURITYMONITORINGRULESEVERITY_INFO,
+					Notifications: []string{},
+				},
+			},
+			HasExtendedTitle: datadog.PtrBool(true),
+			IsEnabled:        true,
+			Message:          "My security monitoring rule",
+			Name:             "My security monitoring rule",
+			Options: datadogV2.SecurityMonitoringRuleOptions{
+				EvaluationWindow:  datadogV2.SECURITYMONITORINGRULEEVALUATIONWINDOW_ZERO_MINUTES.Ptr(),
+				KeepAlive:         datadogV2.SECURITYMONITORINGRULEKEEPALIVE_FIVE_MINUTES.Ptr(),
+				MaxSignalDuration: datadogV2.SECURITYMONITORINGRULEMAXSIGNALDURATION_TEN_MINUTES.Ptr(),
+				DetectionMethod:   datadogV2.SECURITYMONITORINGRULEDETECTIONMETHOD_NEW_VALUE.Ptr(),
+				NewValueOptions: &datadogV2.SecurityMonitoringRuleNewValueOptions{
+					ForgetAfter:           datadogV2.SECURITYMONITORINGRULENEWVALUEOPTIONSFORGETAFTER_ONE_WEEK.Ptr(),
+					InstantaneousBaseline: datadog.PtrBool(true),
+					LearningDuration:      datadogV2.SECURITYMONITORINGRULENEWVALUEOPTIONSLEARNINGDURATION_ONE_DAY.Ptr(),
+					LearningThreshold:     datadogV2.SECURITYMONITORINGRULENEWVALUEOPTIONSLEARNINGTHRESHOLD_ZERO_OCCURRENCES.Ptr(),
+					LearningMethod:        datadogV2.SECURITYMONITORINGRULENEWVALUEOPTIONSLEARNINGMETHOD_DURATION.Ptr(),
+				},
+			},
+			Queries: []datadogV2.SecurityMonitoringStandardRuleQuery{
+				{
+					Query: datadog.PtrString("source:source_here"),
+					GroupByFields: []string{
+						"@userIdentity.assumed_role",
+					},
+					DistinctFields: []string{},
+					Metric:         datadog.PtrString("name"),
+					Metrics: []string{
+						"name",
+					},
+					Aggregation: datadogV2.SECURITYMONITORINGRULEQUERYAGGREGATION_NEW_VALUE.Ptr(),
+					Name:        datadog.PtrString(""),
+					DataSource:  datadogV2.SECURITYMONITORINGSTANDARDDATASOURCE_LOGS.Ptr(),
+				},
+			},
+			Tags: []string{
+				"env:prod",
+				"team:security",
+			},
+			Type: datadogV2.SECURITYMONITORINGRULETYPECREATE_LOG_DETECTION.Ptr(),
+		}}
+	ctx := datadog.NewDefaultContext(context.Background())
+	configuration := datadog.NewConfiguration()
+	apiClient := datadog.NewAPIClient(configuration)
+	api := datadogV2.NewSecurityMonitoringApi(apiClient)
+	r, err := api.ValidateSecurityMonitoringRule(ctx, body)
+
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "Error when calling `SecurityMonitoringApi.ValidateSecurityMonitoringRule`: %v\n", err)
+		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
+	}
+}

tests/scenarios/cassettes/TestScenarios/v2/Feature_Security_Monitoring/Scenario_Validate_a_detection_rule_with_detection_method_new_value_with_enabled_feature_instantaneousBaseline_returns_OK_response.freeze

@@ -0,0 +1 @@
+2025-12-10T08:37:17.537Z

tests/scenarios/cassettes/TestScenarios/v2/Feature_Security_Monitoring/Scenario_Validate_a_detection_rule_with_detection_method_new_value_with_enabled_feature_instantaneousBaseline_returns_OK_response.yaml

@@ -0,0 +1,20 @@
+interactions:
+- request:
+    body: |
+      {"cases":[{"name":"","notifications":[],"status":"info"}],"hasExtendedTitle":true,"isEnabled":true,"message":"My security monitoring rule","name":"My security monitoring rule","options":{"detectionMethod":"new_value","evaluationWindow":0,"keepAlive":300,"maxSignalDuration":600,"newValueOptions":{"forgetAfter":7,"instantaneousBaseline":true,"learningDuration":1,"learningMethod":"duration","learningThreshold":0}},"queries":[{"aggregation":"new_value","dataSource":"logs","distinctFields":[],"groupByFields":["@userIdentity.assumed_role"],"metric":"name","metrics":["name"],"name":"","query":"source:source_here"}],"tags":["env:prod","team:security"],"type":"log_detection"}
+    form: {}
+    headers:
+      Accept:
+      - '*/*'
+      Content-Type:
+      - application/json
+    id: 0
+    method: POST
+    url: https://api.datadoghq.com/api/v2/security_monitoring/rules/validation
+  response:
+    body: ''
+    code: 204
+    duration: 0ms
+    headers: {}
+    status: 204 No Content
+version: 2

tests/scenarios/features/v2/security_monitoring.feature

@@ -1764,6 +1764,13 @@ Feature: Security Monitoring
     When the request is sent
     Then the response status is 204 OK
 
+  @team:DataDog/k9-cloud-security-platform
+  Scenario: Validate a detection rule with detection method 'new_value' with enabled feature 'instantaneousBaseline' returns "OK" response
+    Given new "ValidateSecurityMonitoringRule" request
+    And body with value {"cases":[{"name":"","status":"info","notifications":[]}],"hasExtendedTitle":true,"isEnabled":true,"message":"My security monitoring rule","name":"My security monitoring rule","options":{"evaluationWindow":0,"keepAlive":300,"maxSignalDuration":600,"detectionMethod":"new_value","newValueOptions":{"forgetAfter":7,"instantaneousBaseline":true,"learningDuration":1,"learningThreshold":0,"learningMethod":"duration"}},"queries":[{"query":"source:source_here","groupByFields":["@userIdentity.assumed_role"],"distinctFields":[],"metric":"name","metrics":["name"],"aggregation":"new_value","name":"","dataSource":"logs"}],"tags":["env:prod","team:security"],"type":"log_detection"}
+    When the request is sent
+    Then the response status is 204 OK
+
   @team:DataDog/k9-cloud-security-platform
   Scenario: Validate a detection rule with detection method 'sequence_detection' returns "OK" response
     Given new "ValidateSecurityMonitoringRule" request