Cloud SIEM - Add instantaneousBaseline to anomaly detection options

.generator/schemas/v2/openapi.yaml

@@ -40869,8 +40869,6 @@ components:
           type: integer
         type:
           $ref: '#/components/schemas/ObservabilityPipelineBufferOptionsMemoryType'
-        when_full:
-          $ref: '#/components/schemas/ObservabilityPipelineBufferOptionsWhenFull'
       type: object
     ObservabilityPipelineMemoryBufferSizeOptions:
       description: Options for configuring a memory buffer by queue length.
@@ -40882,8 +40880,6 @@ components:
           type: integer
         type:
           $ref: '#/components/schemas/ObservabilityPipelineBufferOptionsMemoryType'
-        when_full:
-          $ref: '#/components/schemas/ObservabilityPipelineBufferOptionsWhenFull'
       type: object
     ObservabilityPipelineMetadataEntry:
       description: A custom metadata entry.
@@ -53475,6 +53471,8 @@ components:
           $ref: '#/components/schemas/SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration'
         detectionTolerance:
           $ref: '#/components/schemas/SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance'
+        instantaneousBaseline:
+          $ref: '#/components/schemas/SecurityMonitoringRuleInstantaneousBaseline'
         learningDuration:
           $ref: '#/components/schemas/SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration'
         learningPeriodBaseline:
@@ -53812,6 +53810,13 @@ components:
         or credentialed API access.'
       example: true
       type: boolean
+    SecurityMonitoringRuleInstantaneousBaseline:
+      description: When set to true, Datadog uses previous values that fall within
+        the defined learning window to construct the baseline, enabling the system
+        to establish an accurate baseline more rapidly rather than relying solely
+        on gradual learning over time.
+      example: false
+      type: boolean
     SecurityMonitoringRuleKeepAlive:
       description: 'Once a signal is generated, the signal will remain "open" if a
         case is matched at least once within
@@ -53885,7 +53890,7 @@ components:
         forgetAfter:
           $ref: '#/components/schemas/SecurityMonitoringRuleNewValueOptionsForgetAfter'
         instantaneousBaseline:
-          $ref: '#/components/schemas/SecurityMonitoringRuleNewValueOptionsInstantaneousBaseline'
+          $ref: '#/components/schemas/SecurityMonitoringRuleInstantaneousBaseline'
         learningDuration:
           $ref: '#/components/schemas/SecurityMonitoringRuleNewValueOptionsLearningDuration'
         learningMethod:
@@ -53911,13 +53916,6 @@ components:
       - TWO_WEEKS
       - THREE_WEEKS
       - FOUR_WEEKS
-    SecurityMonitoringRuleNewValueOptionsInstantaneousBaseline:
-      description: When set to true, Datadog uses previous values that fall within
-        the defined learning window to construct the baseline, enabling the system
-        to establish an accurate baseline more rapidly rather than relying solely
-        on gradual learning over time.
-      example: false
-      type: boolean
     SecurityMonitoringRuleNewValueOptionsLearningDuration:
       default: 0
       description: 'The duration in days during which values are learned, and after

examples/v2/security-monitoring/CreateSecurityMonitoringRule_3355193622.java

@@ -0,0 +1,87 @@
+// Create a detection rule with detection method 'anomaly_detection' with enabled feature
+// 'instantaneousBaseline' returns
+// "OK" response
+
+import com.datadog.api.client.ApiClient;
+import com.datadog.api.client.ApiException;
+import com.datadog.api.client.v2.api.SecurityMonitoringApi;
+import com.datadog.api.client.v2.model.SecurityMonitoringRuleAnomalyDetectionOptions;
+import com.datadog.api.client.v2.model.SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration;
+import com.datadog.api.client.v2.model.SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance;
+import com.datadog.api.client.v2.model.SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration;
+import com.datadog.api.client.v2.model.SecurityMonitoringRuleCaseCreate;
+import com.datadog.api.client.v2.model.SecurityMonitoringRuleCreatePayload;
+import com.datadog.api.client.v2.model.SecurityMonitoringRuleDetectionMethod;
+import com.datadog.api.client.v2.model.SecurityMonitoringRuleEvaluationWindow;
+import com.datadog.api.client.v2.model.SecurityMonitoringRuleKeepAlive;
+import com.datadog.api.client.v2.model.SecurityMonitoringRuleMaxSignalDuration;
+import com.datadog.api.client.v2.model.SecurityMonitoringRuleOptions;
+import com.datadog.api.client.v2.model.SecurityMonitoringRuleQueryAggregation;
+import com.datadog.api.client.v2.model.SecurityMonitoringRuleResponse;
+import com.datadog.api.client.v2.model.SecurityMonitoringRuleSeverity;
+import com.datadog.api.client.v2.model.SecurityMonitoringRuleTypeCreate;
+import com.datadog.api.client.v2.model.SecurityMonitoringStandardDataSource;
+import com.datadog.api.client.v2.model.SecurityMonitoringStandardRuleCreatePayload;
+import com.datadog.api.client.v2.model.SecurityMonitoringStandardRuleQuery;
+import java.util.Arrays;
+import java.util.Collections;
+
+public class Example {
+  public static void main(String[] args) {
+    ApiClient defaultClient = ApiClient.getDefaultApiClient();
+    SecurityMonitoringApi apiInstance = new SecurityMonitoringApi(defaultClient);
+
+    SecurityMonitoringRuleCreatePayload body =
+        new SecurityMonitoringRuleCreatePayload(
+            new SecurityMonitoringStandardRuleCreatePayload()
+                .name("Example-Security-Monitoring")
+                .type(SecurityMonitoringRuleTypeCreate.LOG_DETECTION)
+                .isEnabled(true)
+                .queries(
+                    Collections.singletonList(
+                        new SecurityMonitoringStandardRuleQuery()
+                            .aggregation(SecurityMonitoringRuleQueryAggregation.COUNT)
+                            .dataSource(SecurityMonitoringStandardDataSource.LOGS)
+                            .groupByFields(Arrays.asList("@usr.email", "@network.client.ip"))
+                            .hasOptionalGroupByFields(false)
+                            .name("")
+                            .query("service:app status:error")))
+                .cases(
+                    Collections.singletonList(
+                        new SecurityMonitoringRuleCaseCreate()
+                            .name("")
+                            .status(SecurityMonitoringRuleSeverity.INFO)
+                            .condition("a > 0.995")))
+                .message("An anomaly detection rule")
+                .options(
+                    new SecurityMonitoringRuleOptions()
+                        .detectionMethod(SecurityMonitoringRuleDetectionMethod.ANOMALY_DETECTION)
+                        .evaluationWindow(SecurityMonitoringRuleEvaluationWindow.FIFTEEN_MINUTES)
+                        .keepAlive(SecurityMonitoringRuleKeepAlive.ONE_HOUR)
+                        .maxSignalDuration(SecurityMonitoringRuleMaxSignalDuration.ONE_DAY)
+                        .anomalyDetectionOptions(
+                            new SecurityMonitoringRuleAnomalyDetectionOptions()
+                                .bucketDuration(
+                                    SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration
+                                        .FIVE_MINUTES)
+                                .learningDuration(
+                                    SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration
+                                        .ONE_DAY)
+                                .detectionTolerance(
+                                    SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance
+                                        .THREE)
+                                .instantaneousBaseline(true))));
+
+    try {
+      SecurityMonitoringRuleResponse result = apiInstance.createSecurityMonitoringRule(body);
+      System.out.println(result);
+    } catch (ApiException e) {
+      System.err.println(
+          "Exception when calling SecurityMonitoringApi#createSecurityMonitoringRule");
+      System.err.println("Status code: " + e.getCode());
+      System.err.println("Reason: " + e.getResponseBody());
+      System.err.println("Response headers: " + e.getResponseHeaders());
+      e.printStackTrace();
+    }
+  }
+}

src/main/java/com/datadog/api/client/v2/model/ObservabilityPipelineMemoryBufferOptions.java

@@ -19,8 +19,7 @@
 /** Options for configuring a memory buffer by byte size. */
 @JsonPropertyOrder({
   ObservabilityPipelineMemoryBufferOptions.JSON_PROPERTY_MAX_SIZE,
-  ObservabilityPipelineMemoryBufferOptions.JSON_PROPERTY_TYPE,
-  ObservabilityPipelineMemoryBufferOptions.JSON_PROPERTY_WHEN_FULL
+  ObservabilityPipelineMemoryBufferOptions.JSON_PROPERTY_TYPE
 })
 @jakarta.annotation.Generated(
     value = "https://github.com/DataDog/datadog-api-client-java/blob/master/.generator")
@@ -33,10 +32,6 @@ public class ObservabilityPipelineMemoryBufferOptions {
   private ObservabilityPipelineBufferOptionsMemoryType type =
       ObservabilityPipelineBufferOptionsMemoryType.MEMORY;
 
-  public static final String JSON_PROPERTY_WHEN_FULL = "when_full";
-  private ObservabilityPipelineBufferOptionsWhenFull whenFull =
-      ObservabilityPipelineBufferOptionsWhenFull.BLOCK;
-
   public ObservabilityPipelineMemoryBufferOptions maxSize(Long maxSize) {
     this.maxSize = maxSize;
     return this;
@@ -84,32 +79,6 @@ public void setType(ObservabilityPipelineBufferOptionsMemoryType type) {
     this.type = type;
   }
 
-  public ObservabilityPipelineMemoryBufferOptions whenFull(
-      ObservabilityPipelineBufferOptionsWhenFull whenFull) {
-    this.whenFull = whenFull;
-    this.unparsed |= !whenFull.isValid();
-    return this;
-  }
-
-  /**
-   * Behavior when the buffer is full (block and stop accepting new events, or drop new events)
-   *
-   * @return whenFull
-   */
-  @jakarta.annotation.Nullable
-  @JsonProperty(JSON_PROPERTY_WHEN_FULL)
-  @JsonInclude(value = JsonInclude.Include.USE_DEFAULTS)
-  public ObservabilityPipelineBufferOptionsWhenFull getWhenFull() {
-    return whenFull;
-  }
-
-  public void setWhenFull(ObservabilityPipelineBufferOptionsWhenFull whenFull) {
-    if (!whenFull.isValid()) {
-      this.unparsed = true;
-    }
-    this.whenFull = whenFull;
-  }
-
   /**
    * A container for additional, undeclared properties. This is a holder for any undeclared
    * properties as specified with the 'additionalProperties' keyword in the OAS document.
@@ -169,15 +138,14 @@ public boolean equals(Object o) {
         (ObservabilityPipelineMemoryBufferOptions) o;
     return Objects.equals(this.maxSize, observabilityPipelineMemoryBufferOptions.maxSize)
         && Objects.equals(this.type, observabilityPipelineMemoryBufferOptions.type)
-        && Objects.equals(this.whenFull, observabilityPipelineMemoryBufferOptions.whenFull)
         && Objects.equals(
             this.additionalProperties,
             observabilityPipelineMemoryBufferOptions.additionalProperties);
   }
 
   @Override
   public int hashCode() {
-    return Objects.hash(maxSize, type, whenFull, additionalProperties);
+    return Objects.hash(maxSize, type, additionalProperties);
   }
 
   @Override
@@ -186,7 +154,6 @@ public String toString() {
     sb.append("class ObservabilityPipelineMemoryBufferOptions {\n");
     sb.append("    maxSize: ").append(toIndentedString(maxSize)).append("\n");
     sb.append("    type: ").append(toIndentedString(type)).append("\n");
-    sb.append("    whenFull: ").append(toIndentedString(whenFull)).append("\n");
     sb.append("    additionalProperties: ")
         .append(toIndentedString(additionalProperties))
         .append("\n");

src/main/java/com/datadog/api/client/v2/model/ObservabilityPipelineMemoryBufferSizeOptions.java

@@ -19,8 +19,7 @@
 /** Options for configuring a memory buffer by queue length. */
 @JsonPropertyOrder({
   ObservabilityPipelineMemoryBufferSizeOptions.JSON_PROPERTY_MAX_EVENTS,
-  ObservabilityPipelineMemoryBufferSizeOptions.JSON_PROPERTY_TYPE,
-  ObservabilityPipelineMemoryBufferSizeOptions.JSON_PROPERTY_WHEN_FULL
+  ObservabilityPipelineMemoryBufferSizeOptions.JSON_PROPERTY_TYPE
 })
 @jakarta.annotation.Generated(
     value = "https://github.com/DataDog/datadog-api-client-java/blob/master/.generator")
@@ -33,10 +32,6 @@ public class ObservabilityPipelineMemoryBufferSizeOptions {
   private ObservabilityPipelineBufferOptionsMemoryType type =
       ObservabilityPipelineBufferOptionsMemoryType.MEMORY;
 
-  public static final String JSON_PROPERTY_WHEN_FULL = "when_full";
-  private ObservabilityPipelineBufferOptionsWhenFull whenFull =
-      ObservabilityPipelineBufferOptionsWhenFull.BLOCK;
-
   public ObservabilityPipelineMemoryBufferSizeOptions maxEvents(Long maxEvents) {
     this.maxEvents = maxEvents;
     return this;
@@ -84,32 +79,6 @@ public void setType(ObservabilityPipelineBufferOptionsMemoryType type) {
     this.type = type;
   }
 
-  public ObservabilityPipelineMemoryBufferSizeOptions whenFull(
-      ObservabilityPipelineBufferOptionsWhenFull whenFull) {
-    this.whenFull = whenFull;
-    this.unparsed |= !whenFull.isValid();
-    return this;
-  }
-
-  /**
-   * Behavior when the buffer is full (block and stop accepting new events, or drop new events)
-   *
-   * @return whenFull
-   */
-  @jakarta.annotation.Nullable
-  @JsonProperty(JSON_PROPERTY_WHEN_FULL)
-  @JsonInclude(value = JsonInclude.Include.USE_DEFAULTS)
-  public ObservabilityPipelineBufferOptionsWhenFull getWhenFull() {
-    return whenFull;
-  }
-
-  public void setWhenFull(ObservabilityPipelineBufferOptionsWhenFull whenFull) {
-    if (!whenFull.isValid()) {
-      this.unparsed = true;
-    }
-    this.whenFull = whenFull;
-  }
-
   /**
    * A container for additional, undeclared properties. This is a holder for any undeclared
    * properties as specified with the 'additionalProperties' keyword in the OAS document.
@@ -170,15 +139,14 @@ public boolean equals(Object o) {
         (ObservabilityPipelineMemoryBufferSizeOptions) o;
     return Objects.equals(this.maxEvents, observabilityPipelineMemoryBufferSizeOptions.maxEvents)
         && Objects.equals(this.type, observabilityPipelineMemoryBufferSizeOptions.type)
-        && Objects.equals(this.whenFull, observabilityPipelineMemoryBufferSizeOptions.whenFull)
         && Objects.equals(
             this.additionalProperties,
             observabilityPipelineMemoryBufferSizeOptions.additionalProperties);
   }
 
   @Override
   public int hashCode() {
-    return Objects.hash(maxEvents, type, whenFull, additionalProperties);
+    return Objects.hash(maxEvents, type, additionalProperties);
   }
 
   @Override
@@ -187,7 +155,6 @@ public String toString() {
     sb.append("class ObservabilityPipelineMemoryBufferSizeOptions {\n");
     sb.append("    maxEvents: ").append(toIndentedString(maxEvents)).append("\n");
     sb.append("    type: ").append(toIndentedString(type)).append("\n");
-    sb.append("    whenFull: ").append(toIndentedString(whenFull)).append("\n");
     sb.append("    additionalProperties: ")
         .append(toIndentedString(additionalProperties))
         .append("\n");

src/main/java/com/datadog/api/client/v2/model/SecurityMonitoringRuleAnomalyDetectionOptions.java

@@ -20,6 +20,7 @@
 @JsonPropertyOrder({
   SecurityMonitoringRuleAnomalyDetectionOptions.JSON_PROPERTY_BUCKET_DURATION,
   SecurityMonitoringRuleAnomalyDetectionOptions.JSON_PROPERTY_DETECTION_TOLERANCE,
+  SecurityMonitoringRuleAnomalyDetectionOptions.JSON_PROPERTY_INSTANTANEOUS_BASELINE,
   SecurityMonitoringRuleAnomalyDetectionOptions.JSON_PROPERTY_LEARNING_DURATION,
   SecurityMonitoringRuleAnomalyDetectionOptions.JSON_PROPERTY_LEARNING_PERIOD_BASELINE
 })
@@ -33,6 +34,9 @@ public class SecurityMonitoringRuleAnomalyDetectionOptions {
   public static final String JSON_PROPERTY_DETECTION_TOLERANCE = "detectionTolerance";
   private SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance detectionTolerance;
 
+  public static final String JSON_PROPERTY_INSTANTANEOUS_BASELINE = "instantaneousBaseline";
+  private Boolean instantaneousBaseline;
+
   public static final String JSON_PROPERTY_LEARNING_DURATION = "learningDuration";
   private SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration learningDuration;
 
@@ -95,6 +99,30 @@ public void setDetectionTolerance(
     this.detectionTolerance = detectionTolerance;
   }
 
+  public SecurityMonitoringRuleAnomalyDetectionOptions instantaneousBaseline(
+      Boolean instantaneousBaseline) {
+    this.instantaneousBaseline = instantaneousBaseline;
+    return this;
+  }
+
+  /**
+   * When set to true, Datadog uses previous values that fall within the defined learning window to
+   * construct the baseline, enabling the system to establish an accurate baseline more rapidly
+   * rather than relying solely on gradual learning over time.
+   *
+   * @return instantaneousBaseline
+   */
+  @jakarta.annotation.Nullable
+  @JsonProperty(JSON_PROPERTY_INSTANTANEOUS_BASELINE)
+  @JsonInclude(value = JsonInclude.Include.USE_DEFAULTS)
+  public Boolean getInstantaneousBaseline() {
+    return instantaneousBaseline;
+  }
+
+  public void setInstantaneousBaseline(Boolean instantaneousBaseline) {
+    this.instantaneousBaseline = instantaneousBaseline;
+  }
+
   public SecurityMonitoringRuleAnomalyDetectionOptions learningDuration(
       SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration learningDuration) {
     this.learningDuration = learningDuration;
@@ -209,6 +237,9 @@ public boolean equals(Object o) {
         && Objects.equals(
             this.detectionTolerance,
             securityMonitoringRuleAnomalyDetectionOptions.detectionTolerance)
+        && Objects.equals(
+            this.instantaneousBaseline,
+            securityMonitoringRuleAnomalyDetectionOptions.instantaneousBaseline)
         && Objects.equals(
             this.learningDuration, securityMonitoringRuleAnomalyDetectionOptions.learningDuration)
         && Objects.equals(
@@ -224,6 +255,7 @@ public int hashCode() {
     return Objects.hash(
         bucketDuration,
         detectionTolerance,
+        instantaneousBaseline,
         learningDuration,
         learningPeriodBaseline,
         additionalProperties);
@@ -235,6 +267,9 @@ public String toString() {
     sb.append("class SecurityMonitoringRuleAnomalyDetectionOptions {\n");
     sb.append("    bucketDuration: ").append(toIndentedString(bucketDuration)).append("\n");
     sb.append("    detectionTolerance: ").append(toIndentedString(detectionTolerance)).append("\n");
+    sb.append("    instantaneousBaseline: ")
+        .append(toIndentedString(instantaneousBaseline))
+        .append("\n");
     sb.append("    learningDuration: ").append(toIndentedString(learningDuration)).append("\n");
     sb.append("    learningPeriodBaseline: ")
         .append(toIndentedString(learningPeriodBaseline))

src/test/resources/cassettes/features/v2/Create_a_detection_rule_with_detection_method_anomaly_detection_with_enabled_feature_instantaneousBaseline_returns_OK_response.freeze

@@ -0,0 +1 @@
+2026-02-10T14:48:33.727Z