From 6077707ac57b18309200606d4ff4695a60a27218 Mon Sep 17 00:00:00 2001
From: "api-clients-generation-pipeline[bot]" <54105614+api-clients-generation-pipeline[bot]@users.noreply.github.com>
Date: Wed, 17 Dec 2025 09:48:22 +0000
Subject: [PATCH] Cloud SIEM - Add instantaneousBaseline feature parameter. (#2814)

Co-authored-by: ci.datadog-api-spec
---
 .generator/schemas/v2/openapi.yaml | 9 ++++
 ...taneousBaseline-returns-OK-response.frozen | 1 +
 ...tantaneousBaseline-returns-OK-response.yml | 23 ++++++++
 ...lidateSecurityMonitoringRule_2609327779.rb | 54 +++++++++++++++++++
 features/v2/security_monitoring.feature | 7 +++
 ...urity_monitoring_rule_new_value_options.rb | 12 ++++-
 6 files changed, 105 insertions(+), 1 deletion(-)
 create mode 100644 cassettes/features/v2/security_monitoring/Validate-a-detection-rule-with-detection-method-new-value-with-enabled-feature-instantaneousBaseline-returns-OK-response.frozen
 create mode 100644 cassettes/features/v2/security_monitoring/Validate-a-detection-rule-with-detection-method-new-value-with-enabled-feature-instantaneousBaseline-returns-OK-response.yml
 create mode 100644 examples/v2/security-monitoring/ValidateSecurityMonitoringRule_2609327779.rb

diff --git a/.generator/schemas/v2/openapi.yaml b/.generator/schemas/v2/openapi.yaml
index 42168cb0f307..aed4024cec70 100644
--- a/.generator/schemas/v2/openapi.yaml
+++ b/.generator/schemas/v2/openapi.yaml
@@ -47596,6 +47596,8 @@ components:
 properties:
 forgetAfter:
 $ref: '#/components/schemas/SecurityMonitoringRuleNewValueOptionsForgetAfter'
+ instantaneousBaseline:
+ $ref: '#/components/schemas/SecurityMonitoringRuleNewValueOptionsInstantaneousBaseline'
 learningDuration:
 $ref: '#/components/schemas/SecurityMonitoringRuleNewValueOptionsLearningDuration'
 learningMethod:
@@ -47621,6 +47623,13 @@ components:
 - TWO_WEEKS
 - THREE_WEEKS
 - FOUR_WEEKS
+ SecurityMonitoringRuleNewValueOptionsInstantaneousBaseline:
+ description: When set to true, Datadog uses previous values that fall within
+ the defined learning window to construct the baseline, enabling the system
+ to establish an accurate baseline more rapidly rather than relying solely
+ on gradual learning over time.
+ example: false
+ type: boolean
 SecurityMonitoringRuleNewValueOptionsLearningDuration:
 default: 0
 description: 'The duration in days during which values are learned, and after
diff --git a/cassettes/features/v2/security_monitoring/Validate-a-detection-rule-with-detection-method-new-value-with-enabled-feature-instantaneousBaseline-returns-OK-response.frozen b/cassettes/features/v2/security_monitoring/Validate-a-detection-rule-with-detection-method-new-value-with-enabled-feature-instantaneousBaseline-returns-OK-response.frozen
new file mode 100644
index 000000000000..22633ada0a5f
--- /dev/null
+++ b/cassettes/features/v2/security_monitoring/Validate-a-detection-rule-with-detection-method-new-value-with-enabled-feature-instantaneousBaseline-returns-OK-response.frozen
@@ -0,0 +1 @@
+2025-12-10T08:37:17.537Z
\ No newline at end of file
diff --git a/cassettes/features/v2/security_monitoring/Validate-a-detection-rule-with-detection-method-new-value-with-enabled-feature-instantaneousBaseline-returns-OK-response.yml b/cassettes/features/v2/security_monitoring/Validate-a-detection-rule-with-detection-method-new-value-with-enabled-feature-instantaneousBaseline-returns-OK-response.yml
new file mode 100644
index 000000000000..ab41fc876723
--- /dev/null
+++ b/cassettes/features/v2/security_monitoring/Validate-a-detection-rule-with-detection-method-new-value-with-enabled-feature-instantaneousBaseline-returns-OK-response.yml
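Review bot: The new `SecurityMonitoringRuleNewValueOptionsInstantaneousBaseline` schema declares `example: false` but no `default`, whereas the neighbouring `SecurityMonitoringRuleNewValueOptionsLearningDuration` carries `default: 0`, so a caller reading the generated clients cannot tell whether omitting the field keeps the gradual-learning behaviour or opts into the seeded baseline. If the API treats an absent field as false, add `default: false` under the schema; if the server default is something else, state it in the description instead. The description should also say which window "the defined learning window" refers to — presumably the one set by `learningDuration`/`learningThreshold` in the same options object — and make explicit that values already observed in that window (including activity an adversary may already have generated) are accepted as known and will not raise a signal, which is the caveat a rule author needs before enabling it.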
@@ -0,0 +1,23 @@
+http_interactions:
+- recorded_at: Wed, 10 Dec 2025 08:37:17 GMT
+ request:
+ body:
+ encoding: UTF-8
+ string: '{"cases":[{"name":"","notifications":[],"status":"info"}],"hasExtendedTitle":true,"isEnabled":true,"message":"My
+ security monitoring rule","name":"My security monitoring rule","options":{"detectionMethod":"new_value","evaluationWindow":0,"keepAlive":300,"maxSignalDuration":600,"newValueOptions":{"forgetAfter":7,"instantaneousBaseline":true,"learningDuration":1,"learningMethod":"duration","learningThreshold":0}},"queries":[{"aggregation":"new_value","dataSource":"logs","distinctFields":[],"groupByFields":["@userIdentity.assumed_role"],"metric":"name","metrics":["name"],"name":"","query":"source:source_here"}],"tags":["env:prod","team:security"],"type":"log_detection"}'
+ headers:
+ Accept:
+ - '*/*'
+ Content-Type:
+ - application/json
+ method: POST
+ uri: https://api.datadoghq.com/api/v2/security_monitoring/rules/validation
+ response:
+ body:
+ encoding: UTF-8
+ string: ''
+ headers: {}
+ status:
+ code: 204
+ message: No Content
+recorded_with: VCR 6.0.0
diff --git a/examples/v2/security-monitoring/ValidateSecurityMonitoringRule_2609327779.rb b/examples/v2/security-monitoring/ValidateSecurityMonitoringRule_2609327779.rb
new file mode 100644
index 000000000000..9e06438b2224
--- /dev/null
+++ b/examples/v2/security-monitoring/ValidateSecurityMonitoringRule_2609327779.rb
@@ -0,0 +1,54 @@
+# Validate a detection rule with detection method 'new_value' with enabled feature 'instantaneousBaseline' returns "OK"
+response
+
+require "datadog_api_client"
+api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new
+
+body = DatadogAPIClient::V2::SecurityMonitoringStandardRulePayload.new({
+ cases: [
+ DatadogAPIClient::V2::SecurityMonitoringRuleCaseCreate.new({
+ name: "",
+ status: DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::INFO,
+ notifications: [],
+ }),
+ ],
+ has_extended_title: true,
+ is_enabled: true,
+ message: "My security monitoring rule",
+ name: "My security monitoring rule",
+ options: DatadogAPIClient::V2::SecurityMonitoringRuleOptions.new({
+ evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::ZERO_MINUTES,
+ keep_alive: DatadogAPIClient::V2::SecurityMonitoringRuleKeepAlive::FIVE_MINUTES,
+ max_signal_duration: DatadogAPIClient::V2::SecurityMonitoringRuleMaxSignalDuration::TEN_MINUTES,
+ detection_method: DatadogAPIClient::V2::SecurityMonitoringRuleDetectionMethod::NEW_VALUE,
+ new_value_options: DatadogAPIClient::V2::SecurityMonitoringRuleNewValueOptions.new({
+ forget_after: DatadogAPIClient::V2::SecurityMonitoringRuleNewValueOptionsForgetAfter::ONE_WEEK,
+ instantaneous_baseline: true,
+ learning_duration: DatadogAPIClient::V2::SecurityMonitoringRuleNewValueOptionsLearningDuration::ONE_DAY,
+ learning_threshold: DatadogAPIClient::V2::SecurityMonitoringRuleNewValueOptionsLearningThreshold::ZERO_OCCURRENCES,
+ learning_method: DatadogAPIClient::V2::SecurityMonitoringRuleNewValueOptionsLearningMethod::DURATION,
+ }),
+ }),
+ queries: [
+ DatadogAPIClient::V2::SecurityMonitoringStandardRuleQuery.new({
+ query: "source:source_here",
+ group_by_fields: [
+ "@userIdentity.assumed_role",
+ ],
+ distinct_fields: [],
+ metric: "name",
+ metrics: [
+ "name",
+ ],
+ aggregation: DatadogAPIClient::V2::SecurityMonitoringRuleQueryAggregation::NEW_VALUE,
+ name: "",
+ data_source: DatadogAPIClient::V2::SecurityMonitoringStandardDataSource::LOGS,
+ }),
+ ],
+ tags: [
+ "env:prod",
+ "team:security",
+ ],
+ type: DatadogAPIClient::V2::SecurityMonitoringRuleTypeCreate::LOG_DETECTION,
+})
+api_instance.validate_security_monitoring_rule(body)
diff --git a/features/v2/security_monitoring.feature b/features/v2/security_monitoring.feature
index 9fe6168328fc..e86aed12b315 100644
--- a/features/v2/security_monitoring.feature
+++ b/features/v2/security_monitoring.feature
@@ -1764,6 +1764,13 @@ Feature: Security Monitoring
 When the request is sent
 Then the response status is 204 OK
+ @team:DataDog/k9-cloud-security-platform
+ Scenario: Validate a detection rule with detection method 'new_value' with enabled feature 'instantaneousBaseline' returns "OK" response
+ Given new "ValidateSecurityMonitoringRule" request
+ And body with value {"cases":[{"name":"","status":"info","notifications":[]}],"hasExtendedTitle":true,"isEnabled":true,"message":"My security monitoring rule","name":"My security monitoring rule","options":{"evaluationWindow":0,"keepAlive":300,"maxSignalDuration":600,"detectionMethod":"new_value","newValueOptions":{"forgetAfter":7,"instantaneousBaseline":true,"learningDuration":1,"learningThreshold":0,"learningMethod":"duration"}},"queries":[{"query":"source:source_here","groupByFields":["@userIdentity.assumed_role"],"distinctFields":[],"metric":"name","metrics":["name"],"aggregation":"new_value","name":"","dataSource":"logs"}],"tags":["env:prod","team:security"],"type":"log_detection"}
+ When the request is sent
+ Then the response status is 204 OK
+
 @team:DataDog/k9-cloud-security-platform
 Scenario: Validate a detection rule with detection method 'sequence_detection' returns "OK" response
 Given new "ValidateSecurityMonitoringRule" request
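Review bot: The second added line of the new example reads as a bare `response` token rather than as the tail of the header comment — the comment line ends at `returns "OK"` and the continuation carries no `#` — and the 54-line count in the diffstat is consistent with the title having been wrapped onto two lines. If the file really reads that way, running it raises `NameError` on `response` before `SecurityMonitoringAPI.new` is reached, so the example never exercises `instantaneous_baseline` at all. Keep the title on one comment line, `# Validate a detection rule with detection method 'new_value' with enabled feature 'instantaneousBaseline' returns "OK" response`, or prefix the continuation with `# `; this looks like a wrapping issue in the example template rather than a hand-written slip, since the feature scenario on this page carries the same title unbroken, so the fix presumably belongs in the generator.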
diff --git a/lib/datadog_api_client/v2/models/security_monitoring_rule_new_value_options.rb b/lib/datadog_api_client/v2/models/security_monitoring_rule_new_value_options.rb
index c492dcb63777..77e2f4d09add 100644
--- a/lib/datadog_api_client/v2/models/security_monitoring_rule_new_value_options.rb
+++ b/lib/datadog_api_client/v2/models/security_monitoring_rule_new_value_options.rb
@@ -24,6 +24,9 @@ class SecurityMonitoringRuleNewValueOptions
 # The duration in days after which a learned value is forgotten.
 attr_accessor :forget_after
+ # When set to true, Datadog uses previous values that fall within the defined learning window to construct the baseline, enabling the system to establish an accurate baseline more rapidly rather than relying solely on gradual learning over time.
+ attr_accessor :instantaneous_baseline
+
 # The duration in days during which values are learned, and after which signals will be generated for values that
 # weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned.
 attr_accessor :learning_duration
@@ -41,6 +44,7 @@ class SecurityMonitoringRuleNewValueOptions
 def self.attribute_map
 {
 :'forget_after' => :'forgetAfter',
+ :'instantaneous_baseline' => :'instantaneousBaseline',
 :'learning_duration' => :'learningDuration',
 :'learning_method' => :'learningMethod',
 :'learning_threshold' => :'learningThreshold'
@@ -52,6 +56,7 @@ def self.attribute_map
 def self.openapi_types
 {
 :'forget_after' => :'SecurityMonitoringRuleNewValueOptionsForgetAfter',
+ :'instantaneous_baseline' => :'Boolean',
 :'learning_duration' => :'SecurityMonitoringRuleNewValueOptionsLearningDuration',
 :'learning_method' => :'SecurityMonitoringRuleNewValueOptionsLearningMethod',
 :'learning_threshold' => :'SecurityMonitoringRuleNewValueOptionsLearningThreshold'
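Review bot: The comment on `attr_accessor :instantaneous_baseline` repeats the spec text but leaves out the operational trade-off a rule author needs before turning this on: seeding the baseline from values already seen in the learning window means anything present in that window — including activity an adversary has already generated on, say, `@userIdentity.assumed_role` — is treated as learned and will not produce a signal, so the flag is only safe on history believed to be clean. Suggest appending `# Note: values already observed in the learning window are accepted as known and never alert, so enable this only when that history is trusted.` and, since the spec declares no default, `# Left unset, the attribute is nil and the server-side default applies (not stated in the API spec).` The "defined learning window" presumably is the one set by `learning_duration`/`learning_threshold` on this same object; if that is right, naming them in the comment would save the reader a trip to the docs. The class header and the rest of `SecurityMonitoringRuleNewValueOptions` are outside this hunk.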
@@ -80,6 +85,10 @@ def initialize(attributes = {})
 self.forget_after = attributes[:'forget_after']
 end
+ if attributes.key?(:'instantaneous_baseline')
+ self.instantaneous_baseline = attributes[:'instantaneous_baseline']
+ end
+
 if attributes.key?(:'learning_duration')
 self.learning_duration = attributes[:'learning_duration']
 end
@@ -120,6 +129,7 @@ def ==(o)
 return true if self.equal?(o)
 self.class == o.class &&
 forget_after == o.forget_after &&
+ instantaneous_baseline == o.instantaneous_baseline &&
 learning_duration == o.learning_duration &&
 learning_method == o.learning_method &&
 learning_threshold == o.learning_threshold &&
@@ -130,7 +140,7 @@ def ==(o)
 # @return [Integer] Hash code
 # @!visibility private
 def hash
- [forget_after, learning_duration, learning_method, learning_threshold, additional_properties].hash
+ [forget_after, instantaneous_baseline, learning_duration, learning_method, learning_threshold, additional_properties].hash
 end
 end
 end