Cloud SIEM - Add instantaneousBaseline feature parameter. (#1063)

api-clients-generation-pipeline[bot] · ci.datadog-api-spec · web-flow · commit 3a4e8ab6f95f · 2025-12-17T09:47:45.000Z
Co-authored-by: ci.datadog-api-spec &lt;packages@datadoghq.com&gt;
diff --git a/.generator/schemas/v2/openapi.yaml b/.generator/schemas/v2/openapi.yaml
@@ -47596,6 +47596,8 @@ components:
       properties:
         forgetAfter:
           $ref: '#/components/schemas/SecurityMonitoringRuleNewValueOptionsForgetAfter'
+        instantaneousBaseline:
+          $ref: '#/components/schemas/SecurityMonitoringRuleNewValueOptionsInstantaneousBaseline'
         learningDuration:
           $ref: '#/components/schemas/SecurityMonitoringRuleNewValueOptionsLearningDuration'
         learningMethod:
@@ -47621,6 +47623,13 @@ components:
       - TWO_WEEKS
       - THREE_WEEKS
       - FOUR_WEEKS
+    SecurityMonitoringRuleNewValueOptionsInstantaneousBaseline:
+      description: When set to true, Datadog uses previous values that fall within
+        the defined learning window to construct the baseline, enabling the system
+        to establish an accurate baseline more rapidly rather than relying solely
+        on gradual learning over time.
+      example: false
+      type: boolean
     SecurityMonitoringRuleNewValueOptionsLearningDuration:
       default: 0
       description: 'The duration in days during which values are learned, and after
diff --git a/examples/v2_security-monitoring_ValidateSecurityMonitoringRule_2609327779.rs b/examples/v2_security-monitoring_ValidateSecurityMonitoringRule_2609327779.rs
@@ -0,0 +1,78 @@
+// Validate a detection rule with detection method 'new_value' with enabled
+// feature 'instantaneousBaseline' returns "OK" response
+use datadog_api_client::datadog;
+use datadog_api_client::datadogV2::api_security_monitoring::SecurityMonitoringAPI;
+use datadog_api_client::datadogV2::model::SecurityMonitoringRuleCaseCreate;
+use datadog_api_client::datadogV2::model::SecurityMonitoringRuleDetectionMethod;
+use datadog_api_client::datadogV2::model::SecurityMonitoringRuleEvaluationWindow;
+use datadog_api_client::datadogV2::model::SecurityMonitoringRuleKeepAlive;
+use datadog_api_client::datadogV2::model::SecurityMonitoringRuleMaxSignalDuration;
+use datadog_api_client::datadogV2::model::SecurityMonitoringRuleNewValueOptions;
+use datadog_api_client::datadogV2::model::SecurityMonitoringRuleNewValueOptionsForgetAfter;
+use datadog_api_client::datadogV2::model::SecurityMonitoringRuleNewValueOptionsLearningDuration;
+use datadog_api_client::datadogV2::model::SecurityMonitoringRuleNewValueOptionsLearningMethod;
+use datadog_api_client::datadogV2::model::SecurityMonitoringRuleNewValueOptionsLearningThreshold;
+use datadog_api_client::datadogV2::model::SecurityMonitoringRuleOptions;
+use datadog_api_client::datadogV2::model::SecurityMonitoringRuleQueryAggregation;
+use datadog_api_client::datadogV2::model::SecurityMonitoringRuleSeverity;
+use datadog_api_client::datadogV2::model::SecurityMonitoringRuleTypeCreate;
+use datadog_api_client::datadogV2::model::SecurityMonitoringRuleValidatePayload;
+use datadog_api_client::datadogV2::model::SecurityMonitoringStandardDataSource;
+use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRulePayload;
+use datadog_api_client::datadogV2::model::SecurityMonitoringStandardRuleQuery;
+
+#[tokio::main]
+async fn main() {
+    let body =
+        SecurityMonitoringRuleValidatePayload::SecurityMonitoringStandardRulePayload(
+            Box::new(
+                SecurityMonitoringStandardRulePayload::new(
+                    vec![
+                        SecurityMonitoringRuleCaseCreate::new(SecurityMonitoringRuleSeverity::INFO)
+                            .name("".to_string())
+                            .notifications(vec![])
+                    ],
+                    true,
+                    "My security monitoring rule".to_string(),
+                    "My security monitoring rule".to_string(),
+                    SecurityMonitoringRuleOptions::new()
+                        .detection_method(SecurityMonitoringRuleDetectionMethod::NEW_VALUE)
+                        .evaluation_window(SecurityMonitoringRuleEvaluationWindow::ZERO_MINUTES)
+                        .keep_alive(SecurityMonitoringRuleKeepAlive::FIVE_MINUTES)
+                        .max_signal_duration(SecurityMonitoringRuleMaxSignalDuration::TEN_MINUTES)
+                        .new_value_options(
+                            SecurityMonitoringRuleNewValueOptions::new()
+                                .forget_after(SecurityMonitoringRuleNewValueOptionsForgetAfter::ONE_WEEK)
+                                .instantaneous_baseline(true)
+                                .learning_duration(SecurityMonitoringRuleNewValueOptionsLearningDuration::ONE_DAY)
+                                .learning_method(SecurityMonitoringRuleNewValueOptionsLearningMethod::DURATION)
+                                .learning_threshold(
+                                    SecurityMonitoringRuleNewValueOptionsLearningThreshold::ZERO_OCCURRENCES,
+                                ),
+                        ),
+                    vec![
+                        SecurityMonitoringStandardRuleQuery::new()
+                            .aggregation(SecurityMonitoringRuleQueryAggregation::NEW_VALUE)
+                            .data_source(SecurityMonitoringStandardDataSource::LOGS)
+                            .distinct_fields(vec![])
+                            .group_by_fields(vec!["@userIdentity.assumed_role".to_string()])
+                            .metric("name".to_string())
+                            .metrics(vec!["name".to_string()])
+                            .name("".to_string())
+                            .query("source:source_here".to_string())
+                    ],
+                )
+                    .has_extended_title(true)
+                    .tags(vec!["env:prod".to_string(), "team:security".to_string()])
+                    .type_(SecurityMonitoringRuleTypeCreate::LOG_DETECTION),
+            ),
+        );
+    let configuration = datadog::Configuration::new();
+    let api = SecurityMonitoringAPI::with_config(configuration);
+    let resp = api.validate_security_monitoring_rule(body).await;
+    if let Ok(value) = resp {
+        println!("{:#?}", value);
+    } else {
+        println!("{:#?}", resp.unwrap_err());
+    }
+}
diff --git a/src/datadogV2/model/model_security_monitoring_rule_new_value_options.rs b/src/datadogV2/model/model_security_monitoring_rule_new_value_options.rs
@@ -15,6 +15,9 @@ pub struct SecurityMonitoringRuleNewValueOptions {
     #[serde(rename = "forgetAfter")]
     pub forget_after:
         Option<crate::datadogV2::model::SecurityMonitoringRuleNewValueOptionsForgetAfter>,
+    /// When set to true, Datadog uses previous values that fall within the defined learning window to construct the baseline, enabling the system to establish an accurate baseline more rapidly rather than relying solely on gradual learning over time.
+    #[serde(rename = "instantaneousBaseline")]
+    pub instantaneous_baseline: Option<bool>,
     /// The duration in days during which values are learned, and after which signals will be generated for values that
     /// weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned.
     #[serde(rename = "learningDuration")]
@@ -39,6 +42,7 @@ impl SecurityMonitoringRuleNewValueOptions {
     pub fn new() -> SecurityMonitoringRuleNewValueOptions {
         SecurityMonitoringRuleNewValueOptions {
             forget_after: None,
+            instantaneous_baseline: None,
             learning_duration: None,
             learning_method: None,
             learning_threshold: None,
@@ -55,6 +59,11 @@ impl SecurityMonitoringRuleNewValueOptions {
         self
     }
 
+    pub fn instantaneous_baseline(mut self, value: bool) -> Self {
+        self.instantaneous_baseline = Some(value);
+        self
+    }
+
     pub fn learning_duration(
         mut self,
         value: crate::datadogV2::model::SecurityMonitoringRuleNewValueOptionsLearningDuration,
@@ -114,6 +123,7 @@ impl<'de> Deserialize<'de> for SecurityMonitoringRuleNewValueOptions {
                 let mut forget_after: Option<
                     crate::datadogV2::model::SecurityMonitoringRuleNewValueOptionsForgetAfter,
                 > = None;
+                let mut instantaneous_baseline: Option<bool> = None;
                 let mut learning_duration: Option<
                     crate::datadogV2::model::SecurityMonitoringRuleNewValueOptionsLearningDuration,
                 > = None;
@@ -146,6 +156,13 @@ impl<'de> Deserialize<'de> for SecurityMonitoringRuleNewValueOptions {
                                 }
                             }
                         }
+                        "instantaneousBaseline" => {
+                            if v.is_null() {
+                                continue;
+                            }
+                            instantaneous_baseline =
+                                Some(serde_json::from_value(v).map_err(M::Error::custom)?);
+                        }
                         "learningDuration" => {
                             if v.is_null() {
                                 continue;
@@ -201,6 +218,7 @@ impl<'de> Deserialize<'de> for SecurityMonitoringRuleNewValueOptions {
 
                 let content = SecurityMonitoringRuleNewValueOptions {
                     forget_after,
+                    instantaneous_baseline,
                     learning_duration,
                     learning_method,
                     learning_threshold,
diff --git a/tests/scenarios/cassettes/v2/security_monitoring/Validate-a-detection-rule-with-detection-method-new-value-with-enabled-feature-instantaneousBaseline-returns-OK-response.frozen b/tests/scenarios/cassettes/v2/security_monitoring/Validate-a-detection-rule-with-detection-method-new-value-with-enabled-feature-instantaneousBaseline-returns-OK-response.frozen
@@ -0,0 +1 @@
+2025-12-10T08:37:17.537Z
diff --git a/tests/scenarios/cassettes/v2/security_monitoring/Validate-a-detection-rule-with-detection-method-new-value-with-enabled-feature-instantaneousBaseline-returns-OK-response.json b/tests/scenarios/cassettes/v2/security_monitoring/Validate-a-detection-rule-with-detection-method-new-value-with-enabled-feature-instantaneousBaseline-returns-OK-response.json
@@ -0,0 +1,35 @@
+{
+  "http_interactions": [
+    {
+      "request": {
+        "body": {
+          "string": "{\"cases\":[{\"name\":\"\",\"notifications\":[],\"status\":\"info\"}],\"hasExtendedTitle\":true,\"isEnabled\":true,\"message\":\"My security monitoring rule\",\"name\":\"My security monitoring rule\",\"options\":{\"detectionMethod\":\"new_value\",\"evaluationWindow\":0,\"keepAlive\":300,\"maxSignalDuration\":600,\"newValueOptions\":{\"forgetAfter\":7,\"instantaneousBaseline\":true,\"learningDuration\":1,\"learningMethod\":\"duration\",\"learningThreshold\":0}},\"queries\":[{\"aggregation\":\"new_value\",\"dataSource\":\"logs\",\"distinctFields\":[],\"groupByFields\":[\"@userIdentity.assumed_role\"],\"metric\":\"name\",\"metrics\":[\"name\"],\"name\":\"\",\"query\":\"source:source_here\"}],\"tags\":[\"env:prod\",\"team:security\"],\"type\":\"log_detection\"}",
+          "encoding": null
+        },
+        "headers": {
+          "Accept": [
+            "*/*"
+          ],
+          "Content-Type": [
+            "application/json"
+          ]
+        },
+        "method": "post",
+        "uri": "https://api.datadoghq.com/api/v2/security_monitoring/rules/validation"
+      },
+      "response": {
+        "body": {
+          "string": "",
+          "encoding": null
+        },
+        "headers": {},
+        "status": {
+          "code": 204,
+          "message": "No Content"
+        }
+      },
+      "recorded_at": "Wed, 10 Dec 2025 08:37:17 GMT"
+    }
+  ],
+  "recorded_with": "VCR 6.0.0"
+}
diff --git a/tests/scenarios/features/v2/security_monitoring.feature b/tests/scenarios/features/v2/security_monitoring.feature
@@ -1764,6 +1764,13 @@ Feature: Security Monitoring
     When the request is sent
     Then the response status is 204 OK
 
+  @team:DataDog/k9-cloud-security-platform
+  Scenario: Validate a detection rule with detection method 'new_value' with enabled feature 'instantaneousBaseline' returns "OK" response
+    Given new "ValidateSecurityMonitoringRule" request
+    And body with value {"cases":[{"name":"","status":"info","notifications":[]}],"hasExtendedTitle":true,"isEnabled":true,"message":"My security monitoring rule","name":"My security monitoring rule","options":{"evaluationWindow":0,"keepAlive":300,"maxSignalDuration":600,"detectionMethod":"new_value","newValueOptions":{"forgetAfter":7,"instantaneousBaseline":true,"learningDuration":1,"learningThreshold":0,"learningMethod":"duration"}},"queries":[{"query":"source:source_here","groupByFields":["@userIdentity.assumed_role"],"distinctFields":[],"metric":"name","metrics":["name"],"aggregation":"new_value","name":"","dataSource":"logs"}],"tags":["env:prod","team:security"],"type":"log_detection"}
+    When the request is sent
+    Then the response status is 204 OK
+
   @team:DataDog/k9-cloud-security-platform
   Scenario: Validate a detection rule with detection method 'sequence_detection' returns "OK" response
     Given new "ValidateSecurityMonitoringRule" request
