Cloud SIEM - Add instantaneousBaseline feature parameter. (#3081)

api-clients-generation-pipeline[bot] · ci.datadog-api-spec · web-flow · commit 0f443658a593 · 2025-12-17T09:47:59.000Z
Co-authored-by: ci.datadog-api-spec &lt;packages@datadoghq.com&gt;
diff --git a/.generator/schemas/v2/openapi.yaml b/.generator/schemas/v2/openapi.yaml
@@ -47596,6 +47596,8 @@ components:
       properties:
         forgetAfter:
           $ref: '#/components/schemas/SecurityMonitoringRuleNewValueOptionsForgetAfter'
+        instantaneousBaseline:
+          $ref: '#/components/schemas/SecurityMonitoringRuleNewValueOptionsInstantaneousBaseline'
         learningDuration:
           $ref: '#/components/schemas/SecurityMonitoringRuleNewValueOptionsLearningDuration'
         learningMethod:
@@ -47621,6 +47623,13 @@ components:
       - TWO_WEEKS
       - THREE_WEEKS
       - FOUR_WEEKS
+    SecurityMonitoringRuleNewValueOptionsInstantaneousBaseline:
+      description: When set to true, Datadog uses previous values that fall within
+        the defined learning window to construct the baseline, enabling the system
+        to establish an accurate baseline more rapidly rather than relying solely
+        on gradual learning over time.
+      example: false
+      type: boolean
     SecurityMonitoringRuleNewValueOptionsLearningDuration:
       default: 0
       description: 'The duration in days during which values are learned, and after
diff --git a/cassettes/v2/Security-Monitoring_1187227211/Validate-a-detection-rule-with-detection-method-new_value-with-enabled-feature-instantaneo_524919511/frozen.json b/cassettes/v2/Security-Monitoring_1187227211/Validate-a-detection-rule-with-detection-method-new_value-with-enabled-feature-instantaneo_524919511/frozen.json
@@ -0,0 +1 @@
+"2025-12-10T08:37:17.537Z"
diff --git a/cassettes/v2/Security-Monitoring_1187227211/Validate-a-detection-rule-with-detection-method-new_value-with-enabled-feature-instantaneo_524919511/recording.har b/cassettes/v2/Security-Monitoring_1187227211/Validate-a-detection-rule-with-detection-method-new_value-with-enabled-feature-instantaneo_524919511/recording.har
@@ -0,0 +1,61 @@
+{
+  "log": {
+    "_recordingName": "Security Monitoring/Validate a detection rule with detection method 'new_value' with enabled feature 'instantaneousBaseline' returns \"OK\" response",
+    "creator": {
+      "comment": "persister:fs",
+      "name": "Polly.JS",
+      "version": "6.0.5"
+    },
+    "entries": [
+      {
+        "_id": "cbc721010d20de2d84fcd5191be021fe",
+        "_order": 0,
+        "cache": {},
+        "request": {
+          "bodySize": 675,
+          "cookies": [],
+          "headers": [
+            {
+              "_fromType": "array",
+              "name": "accept",
+              "value": "*/*"
+            },
+            {
+              "_fromType": "array",
+              "name": "content-type",
+              "value": "application/json"
+            }
+          ],
+          "headersSize": 588,
+          "httpVersion": "HTTP/1.1",
+          "method": "POST",
+          "postData": {
+            "mimeType": "application/json",
+            "params": [],
+            "text": "{\"cases\":[{\"name\":\"\",\"notifications\":[],\"status\":\"info\"}],\"hasExtendedTitle\":true,\"isEnabled\":true,\"message\":\"My security monitoring rule\",\"name\":\"My security monitoring rule\",\"options\":{\"detectionMethod\":\"new_value\",\"evaluationWindow\":0,\"keepAlive\":300,\"maxSignalDuration\":600,\"newValueOptions\":{\"forgetAfter\":7,\"instantaneousBaseline\":true,\"learningDuration\":1,\"learningMethod\":\"duration\",\"learningThreshold\":0}},\"queries\":[{\"aggregation\":\"new_value\",\"dataSource\":\"logs\",\"distinctFields\":[],\"groupByFields\":[\"@userIdentity.assumed_role\"],\"metric\":\"name\",\"metrics\":[\"name\"],\"name\":\"\",\"query\":\"source:source_here\"}],\"tags\":[\"env:prod\",\"team:security\"],\"type\":\"log_detection\"}"
+          },
+          "queryString": [],
+          "url": "https://api.datadoghq.com/api/v2/security_monitoring/rules/validation"
+        },
+        "response": {
+          "bodySize": 0,
+          "content": {
+            "mimeType": "text/plain",
+            "size": 0
+          },
+          "cookies": [],
+          "headers": [],
+          "headersSize": 601,
+          "httpVersion": "HTTP/1.1",
+          "redirectURL": "",
+          "status": 204,
+          "statusText": "No Content"
+        },
+        "startedDateTime": "2025-12-10T08:37:18.179Z",
+        "time": 297
+      }
+    ],
+    "pages": [],
+    "version": "1.2"
+  }
+}
diff --git a/features/v2/security_monitoring.feature b/features/v2/security_monitoring.feature
@@ -1764,6 +1764,13 @@ Feature: Security Monitoring
     When the request is sent
     Then the response status is 204 OK
 
+  @team:DataDog/k9-cloud-security-platform
+  Scenario: Validate a detection rule with detection method 'new_value' with enabled feature 'instantaneousBaseline' returns "OK" response
+    Given new "ValidateSecurityMonitoringRule" request
+    And body with value {"cases":[{"name":"","status":"info","notifications":[]}],"hasExtendedTitle":true,"isEnabled":true,"message":"My security monitoring rule","name":"My security monitoring rule","options":{"evaluationWindow":0,"keepAlive":300,"maxSignalDuration":600,"detectionMethod":"new_value","newValueOptions":{"forgetAfter":7,"instantaneousBaseline":true,"learningDuration":1,"learningThreshold":0,"learningMethod":"duration"}},"queries":[{"query":"source:source_here","groupByFields":["@userIdentity.assumed_role"],"distinctFields":[],"metric":"name","metrics":["name"],"aggregation":"new_value","name":"","dataSource":"logs"}],"tags":["env:prod","team:security"],"type":"log_detection"}
+    When the request is sent
+    Then the response status is 204 OK
+
   @team:DataDog/k9-cloud-security-platform
   Scenario: Validate a detection rule with detection method 'sequence_detection' returns "OK" response
     Given new "ValidateSecurityMonitoringRule" request
diff --git a/services/security_monitoring/src/v2/models/SecurityMonitoringRuleNewValueOptions.ts b/services/security_monitoring/src/v2/models/SecurityMonitoringRuleNewValueOptions.ts
@@ -13,6 +13,10 @@ export class SecurityMonitoringRuleNewValueOptions {
    * The duration in days after which a learned value is forgotten.
    */
   "forgetAfter"?: SecurityMonitoringRuleNewValueOptionsForgetAfter;
+  /**
+   * When set to true, Datadog uses previous values that fall within the defined learning window to construct the baseline, enabling the system to establish an accurate baseline more rapidly rather than relying solely on gradual learning over time.
+   */
+  "instantaneousBaseline"?: boolean;
   /**
    * The duration in days during which values are learned, and after which signals will be generated for values that
    * weren't learned. If set to 0, a signal will be generated for all new values after the first value is learned.
@@ -46,6 +50,10 @@ export class SecurityMonitoringRuleNewValueOptions {
       type: "SecurityMonitoringRuleNewValueOptionsForgetAfter",
       format: "int32",
     },
+    instantaneousBaseline: {
+      baseName: "instantaneousBaseline",
+      type: "boolean",
+    },
     learningDuration: {
       baseName: "learningDuration",
       type: "SecurityMonitoringRuleNewValueOptionsLearningDuration",
