diff --git a/.generator/schemas/v2/openapi.yaml b/.generator/schemas/v2/openapi.yaml index 03f9a175301..83eb2881717 100644 --- a/.generator/schemas/v2/openapi.yaml +++ b/.generator/schemas/v2/openapi.yaml @@ -40874,6 +40874,8 @@ components: type: integer type: $ref: '#/components/schemas/ObservabilityPipelineBufferOptionsMemoryType' + when_full: + $ref: '#/components/schemas/ObservabilityPipelineBufferOptionsWhenFull' type: object ObservabilityPipelineMemoryBufferSizeOptions: description: Options for configuring a memory buffer by queue length. @@ -40885,6 +40887,8 @@ components: type: integer type: $ref: '#/components/schemas/ObservabilityPipelineBufferOptionsMemoryType' + when_full: + $ref: '#/components/schemas/ObservabilityPipelineBufferOptionsWhenFull' type: object ObservabilityPipelineMetadataEntry: description: A custom metadata entry. @@ -53476,6 +53480,8 @@ components: $ref: '#/components/schemas/SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration' detectionTolerance: $ref: '#/components/schemas/SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance' + instantaneousBaseline: + $ref: '#/components/schemas/SecurityMonitoringRuleInstantaneousBaseline' learningDuration: $ref: '#/components/schemas/SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration' learningPeriodBaseline: @@ -53813,6 +53819,13 @@ components: or credentialed API access.' example: true type: boolean + SecurityMonitoringRuleInstantaneousBaseline: + description: When set to true, Datadog uses previous values that fall within + the defined learning window to construct the baseline, enabling the system + to establish an accurate baseline more rapidly rather than relying solely + on gradual learning over time. + example: false + type: boolean SecurityMonitoringRuleKeepAlive: description: 'Once a signal is generated, the signal will remain "open" if a case is matched at least once within 
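Review bot: `when_full` is added to `ObservabilityPipelineMemoryBufferOptions` (and, in the next hunk, to `ObservabilityPipelineMemoryBufferSizeOptions`) as a bare `$ref` with no default and no property-level wording, so a reader of the spec cannot tell what the server does when the field is omitted. The generated Ruby comment for the same field describes the two behaviours as block-and-stop-accepting versus drop-new-events; for a pipeline carrying security telemetry the drop case is silent data loss, so the default is the one fact operators need and it is stated nowhere in this diff. State it on the referenced `ObservabilityPipelineBufferOptionsWhenFull` schema (outside this diff), for example `description: Behavior when the buffer is full. When omitted the server applies <server default - confirm with the pipelines team>.`, since sibling keywords next to `$ref` are ignored by many OpenAPI 3.0 tools.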
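Review bot: The response recorded for the new scenario (the cassette added later in this commit) returns `anomalyDetectionOptions.instantaneousBaselineTimeoutMinutes` (30) next to `instantaneousBaseline`, but the `SecurityMonitoringRuleAnomalyDetectionOptions` hunk declares only `instantaneousBaseline`, so that value reaches SDK users only through `additional_properties`. If the timeout is part of the public contract, declare it here as an integer property `instantaneousBaselineTimeoutMinutes` with a description of what the timeout bounds, and have the scenario assert it; if it is server-internal, a one-line note in the scenario saying the extra field is expected would stop the next reader from re-reporting the mismatch. Whether the field is read-only or settable on create cannot be told from the diff.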
@@ -53886,7 +53899,7 @@ components: forgetAfter: $ref: '#/components/schemas/SecurityMonitoringRuleNewValueOptionsForgetAfter' instantaneousBaseline: - $ref: '#/components/schemas/SecurityMonitoringRuleNewValueOptionsInstantaneousBaseline' + $ref: '#/components/schemas/SecurityMonitoringRuleInstantaneousBaseline' learningDuration: $ref: '#/components/schemas/SecurityMonitoringRuleNewValueOptionsLearningDuration' learningMethod: @@ -53912,13 +53925,6 @@ components: - TWO_WEEKS - THREE_WEEKS - FOUR_WEEKS - SecurityMonitoringRuleNewValueOptionsInstantaneousBaseline: - description: When set to true, Datadog uses previous values that fall within - the defined learning window to construct the baseline, enabling the system - to establish an accurate baseline more rapidly rather than relying solely - on gradual learning over time. - example: false - type: boolean SecurityMonitoringRuleNewValueOptionsLearningDuration: default: 0 description: 'The duration in days during which values are learned, and after diff --git a/cassettes/features/v2/security_monitoring/Create-a-detection-rule-with-detection-method-anomaly-detection-with-enabled-feature-instantaneousBaseline-returns-OK-response.frozen b/cassettes/features/v2/security_monitoring/Create-a-detection-rule-with-detection-method-anomaly-detection-with-enabled-feature-instantaneousBaseline-returns-OK-response.frozen new file mode 100644 index 00000000000..79c8c047451 --- /dev/null +++ b/cassettes/features/v2/security_monitoring/Create-a-detection-rule-with-detection-method-anomaly-detection-with-enabled-feature-instantaneousBaseline-returns-OK-response.frozen @@ -0,0 +1 @@ +2026-02-10T14:48:33.727Z \ No newline at end of file 
diff --git a/cassettes/features/v2/security_monitoring/Create-a-detection-rule-with-detection-method-anomaly-detection-with-enabled-feature-instantaneousBaseline-returns-OK-response.yml b/cassettes/features/v2/security_monitoring/Create-a-detection-rule-with-detection-method-anomaly-detection-with-enabled-feature-instantaneousBaseline-returns-OK-response.yml
new file mode 100644
index 00000000000..cd31585332d
--- /dev/null
+++ b/cassettes/features/v2/security_monitoring/Create-a-detection-rule-with-detection-method-anomaly-detection-with-enabled-feature-instantaneousBaseline-returns-OK-response.yml
@@ -0,0 +1,44 @@ +http_interactions: +- recorded_at: Tue, 10 Feb 2026 14:48:33 GMT + request: + body: + encoding: UTF-8 + string: '{"cases":[{"condition":"a > 0.995","name":"","notifications":[],"status":"info"}],"filters":[],"isEnabled":true,"message":"An + anomaly detection rule","name":"Test-Create_a_detection_rule_with_detection_method_anomaly_detection_with_enabled_feature_instantaneousBa-1770734913","options":{"anomalyDetectionOptions":{"bucketDuration":300,"detectionTolerance":3,"instantaneousBaseline":true,"learningDuration":24},"detectionMethod":"anomaly_detection","evaluationWindow":900,"keepAlive":3600,"maxSignalDuration":86400},"queries":[{"aggregation":"count","dataSource":"logs","distinctFields":[],"groupByFields":["@usr.email","@network.client.ip"],"hasOptionalGroupByFields":false,"name":"","query":"service:app + status:error"}],"tags":[],"type":"log_detection"}' + headers: + Accept: + - application/json + Content-Type: + - application/json + method: POST + uri: https://api.datadoghq.com/api/v2/security_monitoring/rules + response: + body: + encoding: UTF-8 + string: '{"name":"Test-Create_a_detection_rule_with_detection_method_anomaly_detection_with_enabled_feature_instantaneousBa-1770734913","createdAt":1770734914087,"isDefault":false,"isPartner":false,"isEnabled":true,"isBeta":false,"isDeleted":false,"isDeprecated":false,"queries":[{"query":"service:app + status:error","groupByFields":["@usr.email","@network.client.ip"],"hasOptionalGroupByFields":false,"distinctFields":[],"aggregation":"count","name":"","dataSource":"logs"}],"options":{"evaluationWindow":1800,"detectionMethod":"anomaly_detection","maxSignalDuration":86400,"keepAlive":3600,"anomalyDetectionOptions":{"bucketDuration":300,"learningDuration":24,"detectionTolerance":3,"instantaneousBaseline":true,"instantaneousBaselineTimeoutMinutes":30}},"cases":[{"name":"","status":"info","notifications":[],"condition":"a + \u003e 0.995"}],"message":"An anomaly detection 
rule","tags":[],"hasExtendedTitle":false,"type":"log_detection","filters":[],"version":1,"id":"mtt-vs9-dyl","blocking":false,"metadata":{"entities":null,"sources":null},"creationAuthorId":1445416,"creator":{"handle":"frog@datadoghq.com","name":"frog"},"updater":{"handle":"","name":""}}' + headers: + Content-Type: + - application/json + status: + code: 200 + message: OK +- recorded_at: Tue, 10 Feb 2026 14:48:33 GMT + request: + body: null + headers: + Accept: + - '*/*' + method: DELETE + uri: https://api.datadoghq.com/api/v2/security_monitoring/rules/mtt-vs9-dyl + response: + body: + encoding: UTF-8 + string: '' + headers: {} + status: + code: 204 + message: No Content +recorded_with: VCR 6.0.0 diff --git a/examples/v2/security-monitoring/CreateSecurityMonitoringRule_3355193622.rb b/examples/v2/security-monitoring/CreateSecurityMonitoringRule_3355193622.rb new file mode 100644 index 00000000000..fd382ef1405 --- /dev/null +++ b/examples/v2/security-monitoring/CreateSecurityMonitoringRule_3355193622.rb 
@@ -0,0 +1,49 @@ +# Create a detection rule with detection method 'anomaly_detection' with enabled feature 'instantaneousBaseline' returns +# "OK" response + +require "datadog_api_client" +api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new + +body = DatadogAPIClient::V2::SecurityMonitoringStandardRuleCreatePayload.new({ + name: "Example-Security-Monitoring", + type: DatadogAPIClient::V2::SecurityMonitoringRuleTypeCreate::LOG_DETECTION, + is_enabled: true, + queries: [ + DatadogAPIClient::V2::SecurityMonitoringStandardRuleQuery.new({ + aggregation: DatadogAPIClient::V2::SecurityMonitoringRuleQueryAggregation::COUNT, + data_source: DatadogAPIClient::V2::SecurityMonitoringStandardDataSource::LOGS, + distinct_fields: [], + group_by_fields: [ + "@usr.email", + "@network.client.ip", + ], + has_optional_group_by_fields: false, + name: "", + query: "service:app status:error", + }), + ], + cases: [ + DatadogAPIClient::V2::SecurityMonitoringRuleCaseCreate.new({ + name: "", + status: DatadogAPIClient::V2::SecurityMonitoringRuleSeverity::INFO, + notifications: [], + condition: "a > 0.995", + }), + ], + message: "An anomaly detection rule", + options: DatadogAPIClient::V2::SecurityMonitoringRuleOptions.new({ + detection_method: DatadogAPIClient::V2::SecurityMonitoringRuleDetectionMethod::ANOMALY_DETECTION, + evaluation_window: DatadogAPIClient::V2::SecurityMonitoringRuleEvaluationWindow::FIFTEEN_MINUTES, + keep_alive: DatadogAPIClient::V2::SecurityMonitoringRuleKeepAlive::ONE_HOUR, + max_signal_duration: DatadogAPIClient::V2::SecurityMonitoringRuleMaxSignalDuration::ONE_DAY, + anomaly_detection_options: DatadogAPIClient::V2::SecurityMonitoringRuleAnomalyDetectionOptions.new({ + bucket_duration: DatadogAPIClient::V2::SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration::FIVE_MINUTES, + learning_duration: DatadogAPIClient::V2::SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration::ONE_DAY, + detection_tolerance: 
DatadogAPIClient::V2::SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance::THREE, + instantaneous_baseline: true, + }), + }), + tags: [], + filters: [], +}) +p api_instance.create_security_monitoring_rule(body) diff --git a/examples/v2/security-monitoring/ValidateSecurityMonitoringRule_2609327779.rb b/examples/v2/security-monitoring/ValidateSecurityMonitoringRule_2609327779.rb index 9e06438b222..7cc1f8e84fb 100644 --- a/examples/v2/security-monitoring/ValidateSecurityMonitoringRule_2609327779.rb +++ b/examples/v2/security-monitoring/ValidateSecurityMonitoringRule_2609327779.rb @@ -1,5 +1,5 @@ # Validate a detection rule with detection method 'new_value' with enabled feature 'instantaneousBaseline' returns "OK" -response +# response require "datadog_api_client" api_instance = DatadogAPIClient::V2::SecurityMonitoringAPI.new diff --git a/features/v2/security_monitoring.feature b/features/v2/security_monitoring.feature index df5e32bcc4d..5695a7ea4a5 100644 --- a/features/v2/security_monitoring.feature +++ b/features/v2/security_monitoring.feature 
@@ -456,6 +456,17 @@ Feature: Security Monitoring And the response "options.anomalyDetectionOptions.learningPeriodBaseline" is equal to 10 And the response "options.anomalyDetectionOptions.detectionTolerance" is equal to 3 + @team:DataDog/k9-cloud-security-platform + Scenario: Create a detection rule with detection method 'anomaly_detection' with enabled feature 'instantaneousBaseline' returns "OK" response + Given new "CreateSecurityMonitoringRule" request + And body with value {"name":"{{ unique }}","type":"log_detection","isEnabled":true,"queries":[{"aggregation":"count","dataSource":"logs","distinctFields":[],"groupByFields":["@usr.email","@network.client.ip"],"hasOptionalGroupByFields":false,"name":"","query":"service:app status:error"}],"cases":[{"name":"","status":"info","notifications":[],"condition":"a > 0.995"}],"message":"An anomaly detection rule","options":{"detectionMethod":"anomaly_detection","evaluationWindow":900,"keepAlive":3600,"maxSignalDuration":86400,"anomalyDetectionOptions":{"bucketDuration":300,"learningDuration":24,"detectionTolerance":3,"instantaneousBaseline":true}},"tags":[],"filters":[]} + When the request is sent + Then the response status is 200 OK + And the response "name" is equal to "{{ unique }}" + And the response "type" is equal to "log_detection" + And the response "options.detectionMethod" is equal to "anomaly_detection" + And the response "options.anomalyDetectionOptions.instantaneousBaseline" is equal to true + @team:DataDog/k9-cloud-security-platform Scenario: Create a detection rule with detection method 'sequence_detection' returns "OK" response Given new "CreateSecurityMonitoringRule" request diff --git a/lib/datadog_api_client/v2/models/observability_pipeline_memory_buffer_options.rb b/lib/datadog_api_client/v2/models/observability_pipeline_memory_buffer_options.rb index eb67ff1e90d..76360b8bc15 100644 --- a/lib/datadog_api_client/v2/models/observability_pipeline_memory_buffer_options.rb 
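Review bot: The new scenario asserts `options.anomalyDetectionOptions.instantaneousBaseline` but says nothing about `options.evaluationWindow`, and the cassette recorded for it shows the API answering with `evaluationWindow` 1800 for the requested 900 - presumably the server raises it for anomaly detection, but nothing in the diff says so. Either pin the observed behaviour with `And the response "options.evaluationWindow" is equal to 1800` or send 1800 in the request so the fixture and the request agree; as written, a change in that rewrite would pass unnoticed. The same recorded response carries `instantaneousBaselineTimeoutMinutes`, which the scenario could also assert to document the server-set value.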
+++ b/lib/datadog_api_client/v2/models/observability_pipeline_memory_buffer_options.rb @@ -27,6 +27,9 @@ class ObservabilityPipelineMemoryBufferOptions # The type of the buffer that will be configured, a memory buffer. attr_accessor :type + # Behavior when the buffer is full (block and stop accepting new events, or drop new events) + attr_accessor :when_full + attr_accessor :additional_properties # Attribute mapping from ruby-style variable name to JSON key. @@ -34,7 +37,8 @@ class ObservabilityPipelineMemoryBufferOptions def self.attribute_map { :'max_size' => :'max_size', - :'type' => :'type' + :'type' => :'type', + :'when_full' => :'when_full' } end @@ -43,7 +47,8 @@ def self.attribute_map def self.openapi_types { :'max_size' => :'Integer', - :'type' => :'ObservabilityPipelineBufferOptionsMemoryType' + :'type' => :'ObservabilityPipelineBufferOptionsMemoryType', + :'when_full' => :'ObservabilityPipelineBufferOptionsWhenFull' } end @@ -72,6 +77,10 @@ def initialize(attributes = {}) if attributes.key?(:'type') self.type = attributes[:'type'] end + + if attributes.key?(:'when_full') + self.when_full = attributes[:'when_full'] + end end # Returns the object in the form of hash, with additionalProperties support. @@ -102,6 +111,7 @@ def ==(o) self.class == o.class && max_size == o.max_size && type == o.type && + when_full == o.when_full && additional_properties == o.additional_properties end @@ -109,7 +119,7 @@ def ==(o) # @return [Integer] Hash code # @!visibility private def hash - [max_size, type, additional_properties].hash + [max_size, type, when_full, additional_properties].hash end end end diff --git a/lib/datadog_api_client/v2/models/observability_pipeline_memory_buffer_size_options.rb b/lib/datadog_api_client/v2/models/observability_pipeline_memory_buffer_size_options.rb index 04f5e0b68aa..f6d2b81f9e2 100644 --- a/lib/datadog_api_client/v2/models/observability_pipeline_memory_buffer_size_options.rb 
+++ b/lib/datadog_api_client/v2/models/observability_pipeline_memory_buffer_size_options.rb @@ -27,6 +27,9 @@ class ObservabilityPipelineMemoryBufferSizeOptions # The type of the buffer that will be configured, a memory buffer. attr_accessor :type + # Behavior when the buffer is full (block and stop accepting new events, or drop new events) + attr_accessor :when_full + attr_accessor :additional_properties # Attribute mapping from ruby-style variable name to JSON key. @@ -34,7 +37,8 @@ class ObservabilityPipelineMemoryBufferSizeOptions def self.attribute_map { :'max_events' => :'max_events', - :'type' => :'type' + :'type' => :'type', + :'when_full' => :'when_full' } end @@ -43,7 +47,8 @@ def self.attribute_map def self.openapi_types { :'max_events' => :'Integer', - :'type' => :'ObservabilityPipelineBufferOptionsMemoryType' + :'type' => :'ObservabilityPipelineBufferOptionsMemoryType', + :'when_full' => :'ObservabilityPipelineBufferOptionsWhenFull' } end @@ -72,6 +77,10 @@ def initialize(attributes = {}) if attributes.key?(:'type') self.type = attributes[:'type'] end + + if attributes.key?(:'when_full') + self.when_full = attributes[:'when_full'] + end end # Returns the object in the form of hash, with additionalProperties support. @@ -102,6 +111,7 @@ def ==(o) self.class == o.class && max_events == o.max_events && type == o.type && + when_full == o.when_full && additional_properties == o.additional_properties end @@ -109,7 +119,7 @@ def ==(o) # @return [Integer] Hash code # @!visibility private def hash - [max_events, type, additional_properties].hash + [max_events, type, when_full, additional_properties].hash end end end diff --git a/lib/datadog_api_client/v2/models/security_monitoring_rule_anomaly_detection_options.rb b/lib/datadog_api_client/v2/models/security_monitoring_rule_anomaly_detection_options.rb index 705b2be019f..3de7ddc3e74 100644 --- a/lib/datadog_api_client/v2/models/security_monitoring_rule_anomaly_detection_options.rb 
+++ b/lib/datadog_api_client/v2/models/security_monitoring_rule_anomaly_detection_options.rb @@ -29,6 +29,9 @@ class SecurityMonitoringRuleAnomalyDetectionOptions # Higher values require higher deviations before triggering a signal. attr_accessor :detection_tolerance + # When set to true, Datadog uses previous values that fall within the defined learning window to construct the baseline, enabling the system to establish an accurate baseline more rapidly rather than relying solely on gradual learning over time. + attr_accessor :instantaneous_baseline + # Learning duration in hours. Anomaly detection waits for at least this amount of historical data before it starts evaluating. attr_accessor :learning_duration @@ -43,6 +46,7 @@ def self.attribute_map { :'bucket_duration' => :'bucketDuration', :'detection_tolerance' => :'detectionTolerance', + :'instantaneous_baseline' => :'instantaneousBaseline', :'learning_duration' => :'learningDuration', :'learning_period_baseline' => :'learningPeriodBaseline' } @@ -54,6 +58,7 @@ def self.openapi_types { :'bucket_duration' => :'SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration', :'detection_tolerance' => :'SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance', + :'instantaneous_baseline' => :'Boolean', :'learning_duration' => :'SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration', :'learning_period_baseline' => :'Integer' } @@ -85,6 +90,10 @@ def initialize(attributes = {}) self.detection_tolerance = attributes[:'detection_tolerance'] end + if attributes.key?(:'instantaneous_baseline') + self.instantaneous_baseline = attributes[:'instantaneous_baseline'] + end + if attributes.key?(:'learning_duration') self.learning_duration = attributes[:'learning_duration'] end 
@@ -140,6 +149,7 @@ def ==(o) self.class == o.class && bucket_duration == o.bucket_duration && detection_tolerance == o.detection_tolerance && + instantaneous_baseline == o.instantaneous_baseline && learning_duration == o.learning_duration && learning_period_baseline == o.learning_period_baseline && additional_properties == o.additional_properties @@ -149,7 +159,7 @@ def ==(o) # @return [Integer] Hash code # @!visibility private def hash - [bucket_duration, detection_tolerance, learning_duration, learning_period_baseline, additional_properties].hash + [bucket_duration, detection_tolerance, instantaneous_baseline, learning_duration, learning_period_baseline, additional_properties].hash end end end