Add anomaly detection options to security monitoring rules (#3135)

api-clients-generation-pipeline[bot] · ci.datadog-api-spec · web-flow · commit 4dc50fe836e8 · 2025-12-17T19:48:06.000Z
Co-authored-by: ci.datadog-api-spec &lt;packages@datadoghq.com&gt;
diff --git a/.generator/schemas/v2/openapi.yaml b/.generator/schemas/v2/openapi.yaml
@@ -47320,6 +47320,86 @@ components:
           description: The name of the reference table.
           type: string
       type: object
+    SecurityMonitoringRuleAnomalyDetectionOptions:
+      additionalProperties: {}
+      description: Options on anomaly detection method.
+      properties:
+        bucketDuration:
+          $ref: '#/components/schemas/SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration'
+        detectionTolerance:
+          $ref: '#/components/schemas/SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance'
+        learningDuration:
+          $ref: '#/components/schemas/SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration'
+        learningPeriodBaseline:
+          description: An optional override baseline to apply while the rule is in
+            the learning period. Must be greater than or equal to 0.
+          format: int64
+          minimum: 0
+          type: integer
+      type: object
+    SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration:
+      description: 'Duration in seconds of the time buckets used to aggregate events
+        matched by the rule.
+
+        Must be greater than or equal to 300.'
+      enum:
+      - 300
+      - 600
+      - 900
+      - 1800
+      - 3600
+      - 10800
+      example: 300
+      format: int32
+      type: integer
+      x-enum-varnames:
+      - FIVE_MINUTES
+      - TEN_MINUTES
+      - FIFTEEN_MINUTES
+      - THIRTY_MINUTES
+      - ONE_HOUR
+      - THREE_HOURS
+    SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance:
+      description: 'An optional parameter that sets how permissive anomaly detection
+        is.
+
+        Higher values require higher deviations before triggering a signal.'
+      enum:
+      - 1
+      - 2
+      - 3
+      - 4
+      - 5
+      example: 5
+      format: int32
+      type: integer
+      x-enum-varnames:
+      - ONE
+      - TWO
+      - THREE
+      - FOUR
+      - FIVE
+    SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration:
+      description: Learning duration in hours. Anomaly detection waits for at least
+        this amount of historical data before it starts evaluating.
+      enum:
+      - 1
+      - 6
+      - 12
+      - 24
+      - 48
+      - 168
+      - 336
+      format: int32
+      type: integer
+      x-enum-varnames:
+      - ONE_HOUR
+      - SIX_HOURS
+      - TWELVE_HOURS
+      - ONE_DAY
+      - TWO_DAYS
+      - ONE_WEEK
+      - TWO_WEEKS
     SecurityMonitoringRuleCase:
       description: Case when signal is generated.
       properties:
@@ -47685,6 +47765,8 @@ components:
     SecurityMonitoringRuleOptions:
       description: Options.
       properties:
+        anomalyDetectionOptions:
+          $ref: '#/components/schemas/SecurityMonitoringRuleAnomalyDetectionOptions'
         complianceRuleOptions:
           $ref: '#/components/schemas/CloudConfigurationComplianceRuleOptions'
         decreaseCriticalityBasedOnEnv:
@@ -55124,6 +55206,8 @@ components:
     ThreatHuntingJobOptions:
       description: Job options.
       properties:
+        anomalyDetectionOptions:
+          $ref: '#/components/schemas/SecurityMonitoringRuleAnomalyDetectionOptions'
         detectionMethod:
           $ref: '#/components/schemas/SecurityMonitoringRuleDetectionMethod'
         evaluationWindow:
diff --git a/cassettes/v2/Security-Monitoring_1187227211/Create-a-detection-rule-with-detection-method-anomaly_detection-returns-OK-response_2285159328/frozen.json b/cassettes/v2/Security-Monitoring_1187227211/Create-a-detection-rule-with-detection-method-anomaly_detection-returns-OK-response_2285159328/frozen.json
@@ -0,0 +1 @@
+"2025-12-16T15:19:00.493Z"
diff --git a/cassettes/v2/Security-Monitoring_1187227211/Create-a-detection-rule-with-detection-method-anomaly_detection-returns-OK-response_2285159328/recording.har b/cassettes/v2/Security-Monitoring_1187227211/Create-a-detection-rule-with-detection-method-anomaly_detection-returns-OK-response_2285159328/recording.har
@@ -0,0 +1,104 @@
+{
+  "log": {
+    "_recordingName": "Security Monitoring/Create a detection rule with detection method 'anomaly_detection' returns \"OK\" response",
+    "creator": {
+      "comment": "persister:fs",
+      "name": "Polly.JS",
+      "version": "6.0.5"
+    },
+    "entries": [
+      {
+        "_id": "ceeb4640e238fd2dfaea833262b811c7",
+        "_order": 0,
+        "cache": {},
+        "request": {
+          "bodySize": 736,
+          "cookies": [],
+          "headers": [
+            {
+              "_fromType": "array",
+              "name": "accept",
+              "value": "application/json"
+            },
+            {
+              "_fromType": "array",
+              "name": "content-type",
+              "value": "application/json"
+            }
+          ],
+          "headersSize": 586,
+          "httpVersion": "HTTP/1.1",
+          "method": "POST",
+          "postData": {
+            "mimeType": "application/json",
+            "params": [],
+            "text": "{\"cases\":[{\"condition\":\"a > 0.995\",\"name\":\"\",\"notifications\":[],\"status\":\"info\"}],\"filters\":[],\"isEnabled\":true,\"message\":\"An anomaly detection rule\",\"name\":\"Test-Create_a_detection_rule_with_detection_method_anomaly_detection_returns_OK_response-1765898340\",\"options\":{\"anomalyDetectionOptions\":{\"bucketDuration\":300,\"detectionTolerance\":3,\"learningDuration\":24,\"learningPeriodBaseline\":10},\"detectionMethod\":\"anomaly_detection\",\"evaluationWindow\":900,\"keepAlive\":3600,\"maxSignalDuration\":86400},\"queries\":[{\"aggregation\":\"count\",\"dataSource\":\"logs\",\"distinctFields\":[],\"groupByFields\":[\"@usr.email\",\"@network.client.ip\"],\"hasOptionalGroupByFields\":false,\"name\":\"\",\"query\":\"service:app status:error\"}],\"tags\":[],\"type\":\"log_detection\"}"
+          },
+          "queryString": [],
+          "url": "https://api.datadoghq.com/api/v2/security_monitoring/rules"
+        },
+        "response": {
+          "bodySize": 1163,
+          "content": {
+            "mimeType": "application/json",
+            "size": 1163,
+            "text": "{\"name\":\"Test-Create_a_detection_rule_with_detection_method_anomaly_detection_returns_OK_response-1765898340\",\"createdAt\":1765898340611,\"isDefault\":false,\"isPartner\":false,\"isEnabled\":true,\"isBeta\":false,\"isDeleted\":false,\"isDeprecated\":false,\"queries\":[{\"query\":\"service:app status:error\",\"groupByFields\":[\"@usr.email\",\"@network.client.ip\"],\"hasOptionalGroupByFields\":false,\"distinctFields\":[],\"aggregation\":\"count\",\"name\":\"\",\"dataSource\":\"logs\"}],\"options\":{\"evaluationWindow\":1800,\"detectionMethod\":\"anomaly_detection\",\"maxSignalDuration\":86400,\"keepAlive\":3600,\"anomalyDetectionOptions\":{\"bucketDuration\":300,\"learningDuration\":24,\"detectionTolerance\":3,\"instantaneousBaseline\":false,\"instantaneousBaselineTimeoutMinutes\":30,\"learningPeriodBaseline\":10}},\"cases\":[{\"name\":\"\",\"status\":\"info\",\"notifications\":[],\"condition\":\"a \\u003e 0.995\"}],\"message\":\"An anomaly detection rule\",\"tags\":[],\"hasExtendedTitle\":false,\"type\":\"log_detection\",\"filters\":[],\"version\":1,\"id\":\"0vk-kph-3ri\",\"blocking\":false,\"metadata\":{\"entities\":null,\"sources\":null},\"creationAuthorId\":1445416,\"creator\":{\"handle\":\"frog@datadoghq.com\",\"name\":\"frog\"},\"updater\":{\"handle\":\"\",\"name\":\"\"}}"
+          },
+          "cookies": [],
+          "headers": [
+            {
+              "name": "content-type",
+              "value": "application/json"
+            }
+          ],
+          "headersSize": 656,
+          "httpVersion": "HTTP/1.1",
+          "redirectURL": "",
+          "status": 200,
+          "statusText": "OK"
+        },
+        "startedDateTime": "2025-12-16T15:19:00.497Z",
+        "time": 129
+      },
+      {
+        "_id": "903a73a28dbeebf5cd6c473010faf924",
+        "_order": 0,
+        "cache": {},
+        "request": {
+          "bodySize": 0,
+          "cookies": [],
+          "headers": [
+            {
+              "_fromType": "array",
+              "name": "accept",
+              "value": "*/*"
+            }
+          ],
+          "headersSize": 534,
+          "httpVersion": "HTTP/1.1",
+          "method": "DELETE",
+          "queryString": [],
+          "url": "https://api.datadoghq.com/api/v2/security_monitoring/rules/0vk-kph-3ri"
+        },
+        "response": {
+          "bodySize": 0,
+          "content": {
+            "mimeType": "text/plain",
+            "size": 0
+          },
+          "cookies": [],
+          "headers": [],
+          "headersSize": 602,
+          "httpVersion": "HTTP/1.1",
+          "redirectURL": "",
+          "status": 204,
+          "statusText": "No Content"
+        },
+        "startedDateTime": "2025-12-16T15:19:00.633Z",
+        "time": 119
+      }
+    ],
+    "pages": [],
+    "version": "1.2"
+  }
+}
diff --git a/features/v2/security_monitoring.feature b/features/v2/security_monitoring.feature
@@ -333,6 +333,20 @@ Feature: Security Monitoring
     And the response "message" is equal to "Test rule"
     And the response "referenceTables" is equal to [{"tableName": "synthetics_test_reference_table_dont_delete", "columnName": "value", "logFieldPath":"testtag", "checkPresence":true, "ruleQueryName":"a"}]
 
+  @team:DataDog/k9-cloud-security-platform
+  Scenario: Create a detection rule with detection method 'anomaly_detection' returns "OK" response
+    Given new "CreateSecurityMonitoringRule" request
+    And body with value {"name":"{{ unique }}","type":"log_detection","isEnabled":true,"queries":[{"aggregation":"count","dataSource":"logs","distinctFields":[],"groupByFields":["@usr.email","@network.client.ip"],"hasOptionalGroupByFields":false,"name":"","query":"service:app status:error"}],"cases":[{"name":"","status":"info","notifications":[],"condition":"a > 0.995"}],"message":"An anomaly detection rule","options":{"detectionMethod":"anomaly_detection","evaluationWindow":900,"keepAlive":3600,"maxSignalDuration":86400,"anomalyDetectionOptions":{"bucketDuration":300,"learningDuration":24,"detectionTolerance":3,"learningPeriodBaseline":10}},"tags":[],"filters":[]}
+    When the request is sent
+    Then the response status is 200 OK
+    And the response "name" is equal to "{{ unique }}"
+    And the response "type" is equal to "log_detection"
+    And the response "options.detectionMethod" is equal to "anomaly_detection"
+    And the response "options.anomalyDetectionOptions.bucketDuration" is equal to 300
+    And the response "options.anomalyDetectionOptions.learningDuration" is equal to 24
+    And the response "options.anomalyDetectionOptions.learningPeriodBaseline" is equal to 10
+    And the response "options.anomalyDetectionOptions.detectionTolerance" is equal to 3
+
   @team:DataDog/k9-cloud-security-platform
   Scenario: Create a detection rule with detection method 'sequence_detection' returns "OK" response
     Given new "CreateSecurityMonitoringRule" request
diff --git a/services/security_monitoring/src/v2/index.ts b/services/security_monitoring/src/v2/index.ts
@@ -283,6 +283,10 @@ export { SecurityMonitoringFilter } from "./models/SecurityMonitoringFilter";
 export { SecurityMonitoringFilterAction } from "./models/SecurityMonitoringFilterAction";
 export { SecurityMonitoringListRulesResponse } from "./models/SecurityMonitoringListRulesResponse";
 export { SecurityMonitoringReferenceTable } from "./models/SecurityMonitoringReferenceTable";
+export { SecurityMonitoringRuleAnomalyDetectionOptions } from "./models/SecurityMonitoringRuleAnomalyDetectionOptions";
+export { SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration } from "./models/SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration";
+export { SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance } from "./models/SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance";
+export { SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration } from "./models/SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration";
 export { SecurityMonitoringRuleCase } from "./models/SecurityMonitoringRuleCase";
 export { SecurityMonitoringRuleCaseAction } from "./models/SecurityMonitoringRuleCaseAction";
 export { SecurityMonitoringRuleCaseActionOptions } from "./models/SecurityMonitoringRuleCaseActionOptions";
diff --git a/services/security_monitoring/src/v2/models/SecurityMonitoringRuleAnomalyDetectionOptions.ts b/services/security_monitoring/src/v2/models/SecurityMonitoringRuleAnomalyDetectionOptions.ts
@@ -0,0 +1,78 @@
+import { AttributeTypeMap } from "@datadog/datadog-api-client";
+
+import { SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration } from "./SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration";
+import { SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance } from "./SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance";
+import { SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration } from "./SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration";
+
+/**
+ * Options on anomaly detection method.
+ */
+export class SecurityMonitoringRuleAnomalyDetectionOptions {
+  /**
+   * Duration in seconds of the time buckets used to aggregate events matched by the rule.
+   * Must be greater than or equal to 300.
+   */
+  "bucketDuration"?: SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration;
+  /**
+   * An optional parameter that sets how permissive anomaly detection is.
+   * Higher values require higher deviations before triggering a signal.
+   */
+  "detectionTolerance"?: SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance;
+  /**
+   * Learning duration in hours. Anomaly detection waits for at least this amount of historical data before it starts evaluating.
+   */
+  "learningDuration"?: SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration;
+  /**
+   * An optional override baseline to apply while the rule is in the learning period. Must be greater than or equal to 0.
+   */
+  "learningPeriodBaseline"?: number;
+  /**
+   * A container for additional, undeclared properties.
+   * This is a holder for any undeclared properties as specified with
+   * the 'additionalProperties' keyword in the OAS document.
+   */
+  "additionalProperties"?: { [key: string]: any };
+  /**
+   * @ignore
+   */
+  "_unparsed"?: boolean;
+
+  /**
+   * @ignore
+   */
+  static readonly attributeTypeMap: AttributeTypeMap = {
+    bucketDuration: {
+      baseName: "bucketDuration",
+      type: "SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration",
+      format: "int32",
+    },
+    detectionTolerance: {
+      baseName: "detectionTolerance",
+      type: "SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance",
+      format: "int32",
+    },
+    learningDuration: {
+      baseName: "learningDuration",
+      type: "SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration",
+      format: "int32",
+    },
+    learningPeriodBaseline: {
+      baseName: "learningPeriodBaseline",
+      type: "number",
+      format: "int64",
+    },
+    additionalProperties: {
+      baseName: "additionalProperties",
+      type: "{ [key: string]: any; }",
+    },
+  };
+
+  /**
+   * @ignore
+   */
+  static getAttributeTypeMap(): AttributeTypeMap {
+    return SecurityMonitoringRuleAnomalyDetectionOptions.attributeTypeMap;
+  }
+
+  public constructor() {}
+}
diff --git a/services/security_monitoring/src/v2/models/SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration.ts b/services/security_monitoring/src/v2/models/SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration.ts
@@ -0,0 +1,20 @@
+import { UnparsedObject } from "@datadog/datadog-api-client";
+
+/**
+ * Duration in seconds of the time buckets used to aggregate events matched by the rule.
+ * Must be greater than or equal to 300.
+ */
+export type SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration =
+  | typeof FIVE_MINUTES
+  | typeof TEN_MINUTES
+  | typeof FIFTEEN_MINUTES
+  | typeof THIRTY_MINUTES
+  | typeof ONE_HOUR
+  | typeof THREE_HOURS
+  | UnparsedObject;
+export const FIVE_MINUTES = 300;
+export const TEN_MINUTES = 600;
+export const FIFTEEN_MINUTES = 900;
+export const THIRTY_MINUTES = 1800;
+export const ONE_HOUR = 3600;
+export const THREE_HOURS = 10800;
diff --git a/services/security_monitoring/src/v2/models/SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance.ts b/services/security_monitoring/src/v2/models/SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance.ts
@@ -0,0 +1,18 @@
+import { UnparsedObject } from "@datadog/datadog-api-client";
+
+/**
+ * An optional parameter that sets how permissive anomaly detection is.
+ * Higher values require higher deviations before triggering a signal.
+ */
+export type SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance =
+  | typeof ONE
+  | typeof TWO
+  | typeof THREE
+  | typeof FOUR
+  | typeof FIVE
+  | UnparsedObject;
+export const ONE = 1;
+export const TWO = 2;
+export const THREE = 3;
+export const FOUR = 4;
+export const FIVE = 5;
diff --git a/services/security_monitoring/src/v2/models/SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration.ts b/services/security_monitoring/src/v2/models/SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration.ts
@@ -0,0 +1,21 @@
+import { UnparsedObject } from "@datadog/datadog-api-client";
+
+/**
+ * Learning duration in hours. Anomaly detection waits for at least this amount of historical data before it starts evaluating.
+ */
+export type SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration =
+  | typeof ONE_HOUR
+  | typeof SIX_HOURS
+  | typeof TWELVE_HOURS
+  | typeof ONE_DAY
+  | typeof TWO_DAYS
+  | typeof ONE_WEEK
+  | typeof TWO_WEEKS
+  | UnparsedObject;
+export const ONE_HOUR = 1;
+export const SIX_HOURS = 6;
+export const TWELVE_HOURS = 12;
+export const ONE_DAY = 24;
+export const TWO_DAYS = 48;
+export const ONE_WEEK = 168;
+export const TWO_WEEKS = 336;
diff --git a/services/security_monitoring/src/v2/models/SecurityMonitoringRuleOptions.ts b/services/security_monitoring/src/v2/models/SecurityMonitoringRuleOptions.ts
diff --git a/services/security_monitoring/src/v2/models/ThreatHuntingJobOptions.ts b/services/security_monitoring/src/v2/models/ThreatHuntingJobOptions.ts
diff --git a/services/security_monitoring/src/v2/models/TypingInfo.ts b/services/security_monitoring/src/v2/models/TypingInfo.ts
