Cloud SIEM - Add instantaneousBaseline to anomaly detection options (#3457)

Co-authored-by: ci.datadog-api-spec <packages@datadoghq.com>

Author: api-clients-generation-pipeline[bot]

.generator/schemas/v2/openapi.yaml

@@ -40874,6 +40874,8 @@ components:
           type: integer
         type:
           $ref: '#/components/schemas/ObservabilityPipelineBufferOptionsMemoryType'
+        when_full:
+          $ref: '#/components/schemas/ObservabilityPipelineBufferOptionsWhenFull'
       type: object
     ObservabilityPipelineMemoryBufferSizeOptions:
       description: Options for configuring a memory buffer by queue length.
@@ -40885,6 +40887,8 @@ components:
           type: integer
         type:
           $ref: '#/components/schemas/ObservabilityPipelineBufferOptionsMemoryType'
+        when_full:
+          $ref: '#/components/schemas/ObservabilityPipelineBufferOptionsWhenFull'
       type: object
     ObservabilityPipelineMetadataEntry:
       description: A custom metadata entry.
@@ -53476,6 +53480,8 @@ components:
           $ref: '#/components/schemas/SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration'
         detectionTolerance:
           $ref: '#/components/schemas/SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance'
+        instantaneousBaseline:
+          $ref: '#/components/schemas/SecurityMonitoringRuleInstantaneousBaseline'
         learningDuration:
           $ref: '#/components/schemas/SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration'
         learningPeriodBaseline:
@@ -53813,6 +53819,13 @@ components:
         or credentialed API access.'
       example: true
       type: boolean
+    SecurityMonitoringRuleInstantaneousBaseline:
+      description: When set to true, Datadog uses previous values that fall within
+        the defined learning window to construct the baseline, enabling the system
+        to establish an accurate baseline more rapidly rather than relying solely
+        on gradual learning over time.
+      example: false
+      type: boolean
     SecurityMonitoringRuleKeepAlive:
       description: 'Once a signal is generated, the signal will remain "open" if a
         case is matched at least once within
@@ -53886,7 +53899,7 @@ components:
         forgetAfter:
           $ref: '#/components/schemas/SecurityMonitoringRuleNewValueOptionsForgetAfter'
         instantaneousBaseline:
-          $ref: '#/components/schemas/SecurityMonitoringRuleNewValueOptionsInstantaneousBaseline'
+          $ref: '#/components/schemas/SecurityMonitoringRuleInstantaneousBaseline'
         learningDuration:
           $ref: '#/components/schemas/SecurityMonitoringRuleNewValueOptionsLearningDuration'
         learningMethod:
@@ -53912,13 +53925,6 @@ components:
       - TWO_WEEKS
       - THREE_WEEKS
       - FOUR_WEEKS
-    SecurityMonitoringRuleNewValueOptionsInstantaneousBaseline:
-      description: When set to true, Datadog uses previous values that fall within
-        the defined learning window to construct the baseline, enabling the system
-        to establish an accurate baseline more rapidly rather than relying solely
-        on gradual learning over time.
-      example: false
-      type: boolean
     SecurityMonitoringRuleNewValueOptionsLearningDuration:
       default: 0
       description: 'The duration in days during which values are learned, and after

cassettes/v2/Security-Monitoring_1187227211/Create-a-detection-rule-with-detection-method-anomaly_detection-with-enabled-feature-inst_2022405684/frozen.json

@@ -0,0 +1 @@
+"2026-02-10T14:48:33.727Z"

cassettes/v2/Security-Monitoring_1187227211/Create-a-detection-rule-with-detection-method-anomaly_detection-with-enabled-feature-inst_2022405684/recording.har

@@ -0,0 +1,104 @@
+{
+  "log": {
+    "_recordingName": "Security Monitoring/Create a detection rule with detection method 'anomaly_detection' with enabled feature 'instantaneousBaseline' returns \"OK\" response",
+    "creator": {
+      "comment": "persister:fs",
+      "name": "Polly.JS",
+      "version": "6.0.5"
+    },
+    "entries": [
+      {
+        "_id": "0481e6824f9915d0d8b3bf9ea1f6d724",
+        "_order": 0,
+        "cache": {},
+        "request": {
+          "bodySize": 754,
+          "cookies": [],
+          "headers": [
+            {
+              "_fromType": "array",
+              "name": "accept",
+              "value": "application/json"
+            },
+            {
+              "_fromType": "array",
+              "name": "content-type",
+              "value": "application/json"
+            }
+          ],
+          "headersSize": 588,
+          "httpVersion": "HTTP/1.1",
+          "method": "POST",
+          "postData": {
+            "mimeType": "application/json",
+            "params": [],
+            "text": "{\"cases\":[{\"condition\":\"a > 0.995\",\"name\":\"\",\"notifications\":[],\"status\":\"info\"}],\"filters\":[],\"isEnabled\":true,\"message\":\"An anomaly detection rule\",\"name\":\"Test-Create_a_detection_rule_with_detection_method_anomaly_detection_with_enabled_feature_instantaneousBa-1770734913\",\"options\":{\"anomalyDetectionOptions\":{\"bucketDuration\":300,\"detectionTolerance\":3,\"instantaneousBaseline\":true,\"learningDuration\":24},\"detectionMethod\":\"anomaly_detection\",\"evaluationWindow\":900,\"keepAlive\":3600,\"maxSignalDuration\":86400},\"queries\":[{\"aggregation\":\"count\",\"dataSource\":\"logs\",\"distinctFields\":[],\"groupByFields\":[\"@usr.email\",\"@network.client.ip\"],\"hasOptionalGroupByFields\":false,\"name\":\"\",\"query\":\"service:app status:error\"}],\"tags\":[],\"type\":\"log_detection\"}"
+          },
+          "queryString": [],
+          "url": "https://api.datadoghq.com/api/v2/security_monitoring/rules"
+        },
+        "response": {
+          "bodySize": 1151,
+          "content": {
+            "mimeType": "application/json",
+            "size": 1151,
+            "text": "{\"name\":\"Test-Create_a_detection_rule_with_detection_method_anomaly_detection_with_enabled_feature_instantaneousBa-1770734913\",\"createdAt\":1770734914087,\"isDefault\":false,\"isPartner\":false,\"isEnabled\":true,\"isBeta\":false,\"isDeleted\":false,\"isDeprecated\":false,\"queries\":[{\"query\":\"service:app status:error\",\"groupByFields\":[\"@usr.email\",\"@network.client.ip\"],\"hasOptionalGroupByFields\":false,\"distinctFields\":[],\"aggregation\":\"count\",\"name\":\"\",\"dataSource\":\"logs\"}],\"options\":{\"evaluationWindow\":1800,\"detectionMethod\":\"anomaly_detection\",\"maxSignalDuration\":86400,\"keepAlive\":3600,\"anomalyDetectionOptions\":{\"bucketDuration\":300,\"learningDuration\":24,\"detectionTolerance\":3,\"instantaneousBaseline\":true,\"instantaneousBaselineTimeoutMinutes\":30}},\"cases\":[{\"name\":\"\",\"status\":\"info\",\"notifications\":[],\"condition\":\"a \\u003e 0.995\"}],\"message\":\"An anomaly detection rule\",\"tags\":[],\"hasExtendedTitle\":false,\"type\":\"log_detection\",\"filters\":[],\"version\":1,\"id\":\"mtt-vs9-dyl\",\"blocking\":false,\"metadata\":{\"entities\":null,\"sources\":null},\"creationAuthorId\":1445416,\"creator\":{\"handle\":\"frog@datadoghq.com\",\"name\":\"frog\"},\"updater\":{\"handle\":\"\",\"name\":\"\"}}"
+          },
+          "cookies": [],
+          "headers": [
+            {
+              "name": "content-type",
+              "value": "application/json"
+            }
+          ],
+          "headersSize": 655,
+          "httpVersion": "HTTP/1.1",
+          "redirectURL": "",
+          "status": 200,
+          "statusText": "OK"
+        },
+        "startedDateTime": "2026-02-10T14:48:33.729Z",
+        "time": 419
+      },
+      {
+        "_id": "558eee7fd626bf2770eec8e5ee4a3d7a",
+        "_order": 0,
+        "cache": {},
+        "request": {
+          "bodySize": 0,
+          "cookies": [],
+          "headers": [
+            {
+              "_fromType": "array",
+              "name": "accept",
+              "value": "*/*"
+            }
+          ],
+          "headersSize": 536,
+          "httpVersion": "HTTP/1.1",
+          "method": "DELETE",
+          "queryString": [],
+          "url": "https://api.datadoghq.com/api/v2/security_monitoring/rules/mtt-vs9-dyl"
+        },
+        "response": {
+          "bodySize": 0,
+          "content": {
+            "mimeType": "text/plain",
+            "size": 0
+          },
+          "cookies": [],
+          "headers": [],
+          "headersSize": 601,
+          "httpVersion": "HTTP/1.1",
+          "redirectURL": "",
+          "status": 204,
+          "statusText": "No Content"
+        },
+        "startedDateTime": "2026-02-10T14:48:34.155Z",
+        "time": 449
+      }
+    ],
+    "pages": [],
+    "version": "1.2"
+  }
+}

features/v2/security_monitoring.feature

@@ -456,6 +456,17 @@ Feature: Security Monitoring
     And the response "options.anomalyDetectionOptions.learningPeriodBaseline" is equal to 10
     And the response "options.anomalyDetectionOptions.detectionTolerance" is equal to 3
 
+  @team:DataDog/k9-cloud-security-platform
+  Scenario: Create a detection rule with detection method 'anomaly_detection' with enabled feature 'instantaneousBaseline' returns "OK" response
+    Given new "CreateSecurityMonitoringRule" request
+    And body with value {"name":"{{ unique }}","type":"log_detection","isEnabled":true,"queries":[{"aggregation":"count","dataSource":"logs","distinctFields":[],"groupByFields":["@usr.email","@network.client.ip"],"hasOptionalGroupByFields":false,"name":"","query":"service:app status:error"}],"cases":[{"name":"","status":"info","notifications":[],"condition":"a > 0.995"}],"message":"An anomaly detection rule","options":{"detectionMethod":"anomaly_detection","evaluationWindow":900,"keepAlive":3600,"maxSignalDuration":86400,"anomalyDetectionOptions":{"bucketDuration":300,"learningDuration":24,"detectionTolerance":3,"instantaneousBaseline":true}},"tags":[],"filters":[]}
+    When the request is sent
+    Then the response status is 200 OK
+    And the response "name" is equal to "{{ unique }}"
+    And the response "type" is equal to "log_detection"
+    And the response "options.detectionMethod" is equal to "anomaly_detection"
+    And the response "options.anomalyDetectionOptions.instantaneousBaseline" is equal to true
+
   @team:DataDog/k9-cloud-security-platform
   Scenario: Create a detection rule with detection method 'sequence_detection' returns "OK" response
     Given new "CreateSecurityMonitoringRule" request

services/observability_pipelines/src/v2/models/ObservabilityPipelineMemoryBufferOptions.ts

@@ -1,6 +1,7 @@
 import { AttributeTypeMap } from "@datadog/datadog-api-client";
 
 import { ObservabilityPipelineBufferOptionsMemoryType } from "./ObservabilityPipelineBufferOptionsMemoryType";
+import { ObservabilityPipelineBufferOptionsWhenFull } from "./ObservabilityPipelineBufferOptionsWhenFull";
 
 /**
  * Options for configuring a memory buffer by byte size.
@@ -14,6 +15,10 @@ export class ObservabilityPipelineMemoryBufferOptions {
    * The type of the buffer that will be configured, a memory buffer.
    */
   "type"?: ObservabilityPipelineBufferOptionsMemoryType;
+  /**
+   * Behavior when the buffer is full (block and stop accepting new events, or drop new events)
+   */
+  "whenFull"?: ObservabilityPipelineBufferOptionsWhenFull;
   /**
    * A container for additional, undeclared properties.
    * This is a holder for any undeclared properties as specified with
@@ -38,6 +43,10 @@ export class ObservabilityPipelineMemoryBufferOptions {
       baseName: "type",
       type: "ObservabilityPipelineBufferOptionsMemoryType",
     },
+    whenFull: {
+      baseName: "when_full",
+      type: "ObservabilityPipelineBufferOptionsWhenFull",
+    },
     additionalProperties: {
       baseName: "additionalProperties",
       type: "{ [key: string]: any; }",

services/observability_pipelines/src/v2/models/ObservabilityPipelineMemoryBufferSizeOptions.ts

@@ -1,6 +1,7 @@
 import { AttributeTypeMap } from "@datadog/datadog-api-client";
 
 import { ObservabilityPipelineBufferOptionsMemoryType } from "./ObservabilityPipelineBufferOptionsMemoryType";
+import { ObservabilityPipelineBufferOptionsWhenFull } from "./ObservabilityPipelineBufferOptionsWhenFull";
 
 /**
  * Options for configuring a memory buffer by queue length.
@@ -14,6 +15,10 @@ export class ObservabilityPipelineMemoryBufferSizeOptions {
    * The type of the buffer that will be configured, a memory buffer.
    */
   "type"?: ObservabilityPipelineBufferOptionsMemoryType;
+  /**
+   * Behavior when the buffer is full (block and stop accepting new events, or drop new events)
+   */
+  "whenFull"?: ObservabilityPipelineBufferOptionsWhenFull;
   /**
    * A container for additional, undeclared properties.
    * This is a holder for any undeclared properties as specified with
@@ -38,6 +43,10 @@ export class ObservabilityPipelineMemoryBufferSizeOptions {
       baseName: "type",
       type: "ObservabilityPipelineBufferOptionsMemoryType",
     },
+    whenFull: {
+      baseName: "when_full",
+      type: "ObservabilityPipelineBufferOptionsWhenFull",
+    },
     additionalProperties: {
       baseName: "additionalProperties",
       type: "{ [key: string]: any; }",

services/security_monitoring/src/v2/models/SecurityMonitoringRuleAnomalyDetectionOptions.ts

@@ -18,6 +18,10 @@ export class SecurityMonitoringRuleAnomalyDetectionOptions {
    * Higher values require higher deviations before triggering a signal.
    */
   "detectionTolerance"?: SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance;
+  /**
+   * When set to true, Datadog uses previous values that fall within the defined learning window to construct the baseline, enabling the system to establish an accurate baseline more rapidly rather than relying solely on gradual learning over time.
+   */
+  "instantaneousBaseline"?: boolean;
   /**
    * Learning duration in hours. Anomaly detection waits for at least this amount of historical data before it starts evaluating.
    */
@@ -51,6 +55,10 @@ export class SecurityMonitoringRuleAnomalyDetectionOptions {
       type: "SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance",
       format: "int32",
     },
+    instantaneousBaseline: {
+      baseName: "instantaneousBaseline",
+      type: "boolean",
+    },
     learningDuration: {
       baseName: "learningDuration",
       type: "SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration",