
Commit 8e568fd

api-clients-generation-pipeline[bot]ci.datadog-api-spec
andauthored
Cloud SIEM - Add instantaneousBaseline to anomaly detection options (#3457)
Co-authored-by: ci.datadog-api-spec <packages@datadoghq.com>
1 parent 1494209 commit 8e568fd


7 files changed

+156
-8
lines changed


.generator/schemas/v2/openapi.yaml

Lines changed: 14 additions & 8 deletions
@@ -40874,6 +40874,8 @@ components:
4087440874
type: integer
4087540875
type:
4087640876
$ref: '#/components/schemas/ObservabilityPipelineBufferOptionsMemoryType'
40877+
when_full:
40878+
$ref: '#/components/schemas/ObservabilityPipelineBufferOptionsWhenFull'
4087740879
type: object
4087840880
ObservabilityPipelineMemoryBufferSizeOptions:
4087940881
description: Options for configuring a memory buffer by queue length.
@@ -40885,6 +40887,8 @@ components:
4088540887
type: integer
4088640888
type:
4088740889
$ref: '#/components/schemas/ObservabilityPipelineBufferOptionsMemoryType'
40890+
when_full:
40891+
$ref: '#/components/schemas/ObservabilityPipelineBufferOptionsWhenFull'
4088840892
type: object
4088940893
ObservabilityPipelineMetadataEntry:
4089040894
description: A custom metadata entry.
@@ -53476,6 +53480,8 @@ components:
5347653480
$ref: '#/components/schemas/SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration'
5347753481
detectionTolerance:
5347853482
$ref: '#/components/schemas/SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance'
53483+
instantaneousBaseline:
53484+
$ref: '#/components/schemas/SecurityMonitoringRuleInstantaneousBaseline'
5347953485
learningDuration:
5348053486
$ref: '#/components/schemas/SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration'
5348153487
learningPeriodBaseline:
@@ -53813,6 +53819,13 @@ components:
5381353819
or credentialed API access.'
5381453820
example: true
5381553821
type: boolean
53822+
SecurityMonitoringRuleInstantaneousBaseline:
53823+
description: When set to true, Datadog uses previous values that fall within
53824+
the defined learning window to construct the baseline, enabling the system
53825+
to establish an accurate baseline more rapidly rather than relying solely
53826+
on gradual learning over time.
53827+
example: false
53828+
type: boolean
5381653829
SecurityMonitoringRuleKeepAlive:
5381753830
description: 'Once a signal is generated, the signal will remain "open" if a
5381853831
case is matched at least once within
@@ -53886,7 +53899,7 @@ components:
5388653899
forgetAfter:
5388753900
$ref: '#/components/schemas/SecurityMonitoringRuleNewValueOptionsForgetAfter'
5388853901
instantaneousBaseline:
53889-
$ref: '#/components/schemas/SecurityMonitoringRuleNewValueOptionsInstantaneousBaseline'
53902+
$ref: '#/components/schemas/SecurityMonitoringRuleInstantaneousBaseline'
5389053903
learningDuration:
5389153904
$ref: '#/components/schemas/SecurityMonitoringRuleNewValueOptionsLearningDuration'
5389253905
learningMethod:
@@ -53912,13 +53925,6 @@ components:
5391253925
- TWO_WEEKS
5391353926
- THREE_WEEKS
5391453927
- FOUR_WEEKS
53915-
SecurityMonitoringRuleNewValueOptionsInstantaneousBaseline:
53916-
description: When set to true, Datadog uses previous values that fall within
53917-
the defined learning window to construct the baseline, enabling the system
53918-
to establish an accurate baseline more rapidly rather than relying solely
53919-
on gradual learning over time.
53920-
example: false
53921-
type: boolean
5392253928
SecurityMonitoringRuleNewValueOptionsLearningDuration:
5392353929
default: 0
5392453930
description: 'The duration in days during which values are learned, and after
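Review bot: The new `SecurityMonitoringRuleInstantaneousBaseline` description (the schema added in the fourth hunk) tells the reader the baseline is seeded from values already inside the learning window, but not the consequence a SIEM operator needs: anything already happening in that window — presumably including an attack already under way — is absorbed as normal and will not raise a signal, so I would append `Values already present in the learning window, including any ongoing anomalous activity, become part of the baseline.` Separately, the response recorded for this option in the cassette above returns `instantaneousBaselineTimeoutMinutes: 30` next to `instantaneousBaseline`, which no hunk declares, so generated clients will only see it as an undeclared property; if it is a real server-side setting it belongs in `SecurityMonitoringRuleAnomalyDetectionOptions`. Dropping `SecurityMonitoringRuleNewValueOptionsInstantaneousBaseline` in favour of the shared schema is a schema-name change; as a bare boolean it likely never produced a named model in this repo, but any consumer keyed on that name would break, which deserves a changelog line. The enclosing `components.schemas` map starts and ends outside these hunks.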
Original file line numberDiff line numberDiff line change
@@ -0,0 +1 @@
1+
"2026-02-10T14:48:33.727Z"
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,104 @@
1+
{
2+
"log": {
3+
"_recordingName": "Security Monitoring/Create a detection rule with detection method 'anomaly_detection' with enabled feature 'instantaneousBaseline' returns \"OK\" response",
4+
"creator": {
5+
"comment": "persister:fs",
6+
"name": "Polly.JS",
7+
"version": "6.0.5"
8+
},
9+
"entries": [
10+
{
11+
"_id": "0481e6824f9915d0d8b3bf9ea1f6d724",
12+
"_order": 0,
13+
"cache": {},
14+
"request": {
15+
"bodySize": 754,
16+
"cookies": [],
17+
"headers": [
18+
{
19+
"_fromType": "array",
20+
"name": "accept",
21+
"value": "application/json"
22+
},
23+
{
24+
"_fromType": "array",
25+
"name": "content-type",
26+
"value": "application/json"
27+
}
28+
],
29+
"headersSize": 588,
30+
"httpVersion": "HTTP/1.1",
31+
"method": "POST",
32+
"postData": {
33+
"mimeType": "application/json",
34+
"params": [],
35+
"text": "{\"cases\":[{\"condition\":\"a > 0.995\",\"name\":\"\",\"notifications\":[],\"status\":\"info\"}],\"filters\":[],\"isEnabled\":true,\"message\":\"An anomaly detection rule\",\"name\":\"Test-Create_a_detection_rule_with_detection_method_anomaly_detection_with_enabled_feature_instantaneousBa-1770734913\",\"options\":{\"anomalyDetectionOptions\":{\"bucketDuration\":300,\"detectionTolerance\":3,\"instantaneousBaseline\":true,\"learningDuration\":24},\"detectionMethod\":\"anomaly_detection\",\"evaluationWindow\":900,\"keepAlive\":3600,\"maxSignalDuration\":86400},\"queries\":[{\"aggregation\":\"count\",\"dataSource\":\"logs\",\"distinctFields\":[],\"groupByFields\":[\"@usr.email\",\"@network.client.ip\"],\"hasOptionalGroupByFields\":false,\"name\":\"\",\"query\":\"service:app status:error\"}],\"tags\":[],\"type\":\"log_detection\"}"
36+
},
37+
"queryString": [],
38+
"url": "https://api.datadoghq.com/api/v2/security_monitoring/rules"
39+
},
40+
"response": {
41+
"bodySize": 1151,
42+
"content": {
43+
"mimeType": "application/json",
44+
"size": 1151,
45+
"text": "{\"name\":\"Test-Create_a_detection_rule_with_detection_method_anomaly_detection_with_enabled_feature_instantaneousBa-1770734913\",\"createdAt\":1770734914087,\"isDefault\":false,\"isPartner\":false,\"isEnabled\":true,\"isBeta\":false,\"isDeleted\":false,\"isDeprecated\":false,\"queries\":[{\"query\":\"service:app status:error\",\"groupByFields\":[\"@usr.email\",\"@network.client.ip\"],\"hasOptionalGroupByFields\":false,\"distinctFields\":[],\"aggregation\":\"count\",\"name\":\"\",\"dataSource\":\"logs\"}],\"options\":{\"evaluationWindow\":1800,\"detectionMethod\":\"anomaly_detection\",\"maxSignalDuration\":86400,\"keepAlive\":3600,\"anomalyDetectionOptions\":{\"bucketDuration\":300,\"learningDuration\":24,\"detectionTolerance\":3,\"instantaneousBaseline\":true,\"instantaneousBaselineTimeoutMinutes\":30}},\"cases\":[{\"name\":\"\",\"status\":\"info\",\"notifications\":[],\"condition\":\"a \\u003e 0.995\"}],\"message\":\"An anomaly detection rule\",\"tags\":[],\"hasExtendedTitle\":false,\"type\":\"log_detection\",\"filters\":[],\"version\":1,\"id\":\"mtt-vs9-dyl\",\"blocking\":false,\"metadata\":{\"entities\":null,\"sources\":null},\"creationAuthorId\":1445416,\"creator\":{\"handle\":\"frog@datadoghq.com\",\"name\":\"frog\"},\"updater\":{\"handle\":\"\",\"name\":\"\"}}"
46+
},
47+
"cookies": [],
48+
"headers": [
49+
{
50+
"name": "content-type",
51+
"value": "application/json"
52+
}
53+
],
54+
"headersSize": 655,
55+
"httpVersion": "HTTP/1.1",
56+
"redirectURL": "",
57+
"status": 200,
58+
"statusText": "OK"
59+
},
60+
"startedDateTime": "2026-02-10T14:48:33.729Z",
61+
"time": 419
62+
},
63+
{
64+
"_id": "558eee7fd626bf2770eec8e5ee4a3d7a",
65+
"_order": 0,
66+
"cache": {},
67+
"request": {
68+
"bodySize": 0,
69+
"cookies": [],
70+
"headers": [
71+
{
72+
"_fromType": "array",
73+
"name": "accept",
74+
"value": "*/*"
75+
}
76+
],
77+
"headersSize": 536,
78+
"httpVersion": "HTTP/1.1",
79+
"method": "DELETE",
80+
"queryString": [],
81+
"url": "https://api.datadoghq.com/api/v2/security_monitoring/rules/mtt-vs9-dyl"
82+
},
83+
"response": {
84+
"bodySize": 0,
85+
"content": {
86+
"mimeType": "text/plain",
87+
"size": 0
88+
},
89+
"cookies": [],
90+
"headers": [],
91+
"headersSize": 601,
92+
"httpVersion": "HTTP/1.1",
93+
"redirectURL": "",
94+
"status": 204,
95+
"statusText": "No Content"
96+
},
97+
"startedDateTime": "2026-02-10T14:48:34.155Z",
98+
"time": 449
99+
}
100+
],
101+
"pages": [],
102+
"version": "1.2"
103+
}
104+
}

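--- a/features/v2/security_monitoring.feature
+++ b/features/v2/security_monitoring.feature
@@ -456,6 +456,17 @@ Feature: Security Monitoring
     And the response "options.anomalyDetectionOptions.learningPeriodBaseline" is equal to 10
     And the response "options.anomalyDetectionOptions.detectionTolerance" is equal to 3
 
+  @team:DataDog/k9-cloud-security-platform
+  Scenario: Create a detection rule with detection method 'anomaly_detection' with enabled feature 'instantaneousBaseline' returns "OK" response
+    Given new "CreateSecurityMonitoringRule" request
+    And body with value {"name":"{{ unique }}","type":"log_detection","isEnabled":true,"queries":[{"aggregation":"count","dataSource":"logs","distinctFields":[],"groupByFields":["@usr.email","@network.client.ip"],"hasOptionalGroupByFields":false,"name":"","query":"service:app status:error"}],"cases":[{"name":"","status":"info","notifications":[],"condition":"a > 0.995"}],"message":"An anomaly detection rule","options":{"detectionMethod":"anomaly_detection","evaluationWindow":900,"keepAlive":3600,"maxSignalDuration":86400,"anomalyDetectionOptions":{"bucketDuration":300,"learningDuration":24,"detectionTolerance":3,"instantaneousBaseline":true}},"tags":[],"filters":[]}
+    When the request is sent
+    Then the response status is 200 OK
+    And the response "name" is equal to "{{ unique }}"
+    And the response "type" is equal to "log_detection"
+    And the response "options.detectionMethod" is equal to "anomaly_detection"
+    And the response "options.anomalyDetectionOptions.instantaneousBaseline" is equal to true
+
   @team:DataDog/k9-cloud-security-platform
   Scenario: Create a detection rule with detection method 'sequence_detection' returns "OK" response
     Given new "CreateSecurityMonitoringRule" request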
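Review bot: The new scenario's assertions stop at echoing `instantaneousBaseline`, yet the cassette recorded for it shows the server answering with `evaluationWindow: 1800` for a request that sent 900, and adding `instantaneousBaselineTimeoutMinutes: 30` that the request never set. If both are intended server-side normalisation when the instantaneous baseline is enabled, the scenario should pin them so a silent change is caught, e.g. `And the response "options.evaluationWindow" is equal to 1800` and `And the response "options.anomalyDetectionOptions.instantaneousBaselineTimeoutMinutes" is equal to 30`; if they are not intended, the recording is preserving a server bug as the reference. Either way the discrepancy should be understood before this cassette is relied on.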

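--- a/services/observability_pipelines/src/v2/models/ObservabilityPipelineMemoryBufferOptions.ts
+++ b/services/observability_pipelines/src/v2/models/ObservabilityPipelineMemoryBufferOptions.ts
@@ -1,6 +1,7 @@
 import { AttributeTypeMap } from "@datadog/datadog-api-client";
 
 import { ObservabilityPipelineBufferOptionsMemoryType } from "./ObservabilityPipelineBufferOptionsMemoryType";
+import { ObservabilityPipelineBufferOptionsWhenFull } from "./ObservabilityPipelineBufferOptionsWhenFull";
 
 /**
  * Options for configuring a memory buffer by byte size.
@@ -14,6 +15,10 @@ export class ObservabilityPipelineMemoryBufferOptions {
    * The type of the buffer that will be configured, a memory buffer.
    */
   "type"?: ObservabilityPipelineBufferOptionsMemoryType;
+  /**
+   * Behavior when the buffer is full (block and stop accepting new events, or drop new events)
+   */
+  "whenFull"?: ObservabilityPipelineBufferOptionsWhenFull;
   /**
    * A container for additional, undeclared properties.
    * This is a holder for any undeclared properties as specified with
@@ -38,6 +43,10 @@ export class ObservabilityPipelineMemoryBufferOptions {
       baseName: "type",
       type: "ObservabilityPipelineBufferOptionsMemoryType",
     },
+    whenFull: {
+      baseName: "when_full",
+      type: "ObservabilityPipelineBufferOptionsWhenFull",
+    },
     additionalProperties: {
       baseName: "additionalProperties",
       type: "{ [key: string]: any; }",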
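Review bot: The TSDoc on the new `whenFull` field names the two behaviours but not what the service does when the field is omitted, and for a buffer carrying security telemetry `drop` means events vanish with nothing on the consumer side to show for it. I would extend the comment to `Behavior when the buffer is full (block and stop accepting new events, or drop new events). Dropping discards events with no record of the loss; the service-side default when unset is not documented here — confirm before relying on it.` The comment is also missing its terminating period, unlike the sibling `type` comment directly above it. The class body and its `attributeTypeMap` continue outside these hunks.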

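--- a/services/observability_pipelines/src/v2/models/ObservabilityPipelineMemoryBufferSizeOptions.ts
+++ b/services/observability_pipelines/src/v2/models/ObservabilityPipelineMemoryBufferSizeOptions.ts
@@ -1,6 +1,7 @@
 import { AttributeTypeMap } from "@datadog/datadog-api-client";
 
 import { ObservabilityPipelineBufferOptionsMemoryType } from "./ObservabilityPipelineBufferOptionsMemoryType";
+import { ObservabilityPipelineBufferOptionsWhenFull } from "./ObservabilityPipelineBufferOptionsWhenFull";
 
 /**
  * Options for configuring a memory buffer by queue length.
@@ -14,6 +15,10 @@ export class ObservabilityPipelineMemoryBufferSizeOptions {
    * The type of the buffer that will be configured, a memory buffer.
    */
   "type"?: ObservabilityPipelineBufferOptionsMemoryType;
+  /**
+   * Behavior when the buffer is full (block and stop accepting new events, or drop new events)
+   */
+  "whenFull"?: ObservabilityPipelineBufferOptionsWhenFull;
   /**
    * A container for additional, undeclared properties.
    * This is a holder for any undeclared properties as specified with
@@ -38,6 +43,10 @@ export class ObservabilityPipelineMemoryBufferSizeOptions {
       baseName: "type",
       type: "ObservabilityPipelineBufferOptionsMemoryType",
     },
+    whenFull: {
+      baseName: "when_full",
+      type: "ObservabilityPipelineBufferOptionsWhenFull",
+    },
     additionalProperties: {
       baseName: "additionalProperties",
       type: "{ [key: string]: any; }",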
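Review bot: The `whenFull` TSDoc on the queue-length buffer leaves the omitted-field behaviour unstated and does not warn that `drop` silently loses events, which for a security log pipeline is a detection gap rather than a tuning detail. I would append `Dropping discards events with no record of the loss; confirm the service-side default when unset.` and end the first sentence with a period to match the `type` comment above it. The class continues outside these hunks.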

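--- a/services/security_monitoring/src/v2/models/SecurityMonitoringRuleAnomalyDetectionOptions.ts
+++ b/services/security_monitoring/src/v2/models/SecurityMonitoringRuleAnomalyDetectionOptions.ts
@@ -18,6 +18,10 @@ export class SecurityMonitoringRuleAnomalyDetectionOptions {
    * Higher values require higher deviations before triggering a signal.
    */
   "detectionTolerance"?: SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance;
+  /**
+   * When set to true, Datadog uses previous values that fall within the defined learning window to construct the baseline, enabling the system to establish an accurate baseline more rapidly rather than relying solely on gradual learning over time.
+   */
+  "instantaneousBaseline"?: boolean;
   /**
    * Learning duration in hours. Anomaly detection waits for at least this amount of historical data before it starts evaluating.
    */
@@ -51,6 +55,10 @@ export class SecurityMonitoringRuleAnomalyDetectionOptions {
       type: "SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance",
       format: "int32",
     },
+    instantaneousBaseline: {
+      baseName: "instantaneousBaseline",
+      type: "boolean",
+    },
     learningDuration: {
       baseName: "learningDuration",
       type: "SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration",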
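Review bot: The TSDoc for the new `instantaneousBaseline` field repeats the spec text but omits the operational trade-off: seeding the baseline from values already in the learning window presumably means anomalous activity already under way is treated as normal, so a rule enabled mid-incident will not fire on it; I would add `Values already present in the learning window, including ongoing anomalous activity, become part of the baseline.` The response recorded for this option in the cassette also carries `instantaneousBaselineTimeoutMinutes`, which the `attributeTypeMap` hunk does not map, so it will only surface through whatever undeclared-properties holder this class has rather than as a typed field. The class body continues outside both hunks.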
