Add anomaly detection options to security monitoring rules (#3136)

Co-authored-by: ci.datadog-api-spec <packages@datadoghq.com>

Author: api-clients-generation-pipeline[bot]

.generator/schemas/v2/openapi.yaml

@@ -47320,6 +47320,86 @@ components:
           description: The name of the reference table.
           type: string
       type: object
+    SecurityMonitoringRuleAnomalyDetectionOptions:
+      additionalProperties: {}
+      description: Options on anomaly detection method.
+      properties:
+        bucketDuration:
+          $ref: '#/components/schemas/SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration'
+        detectionTolerance:
+          $ref: '#/components/schemas/SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance'
+        learningDuration:
+          $ref: '#/components/schemas/SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration'
+        learningPeriodBaseline:
+          description: An optional override baseline to apply while the rule is in
+            the learning period. Must be greater than or equal to 0.
+          format: int64
+          minimum: 0
+          type: integer
+      type: object
+    SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration:
+      description: 'Duration in seconds of the time buckets used to aggregate events
+        matched by the rule.
+
+        Must be greater than or equal to 300.'
+      enum:
+      - 300
+      - 600
+      - 900
+      - 1800
+      - 3600
+      - 10800
+      example: 300
+      format: int32
+      type: integer
+      x-enum-varnames:
+      - FIVE_MINUTES
+      - TEN_MINUTES
+      - FIFTEEN_MINUTES
+      - THIRTY_MINUTES
+      - ONE_HOUR
+      - THREE_HOURS
+    SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance:
+      description: 'An optional parameter that sets how permissive anomaly detection
+        is.
+
+        Higher values require higher deviations before triggering a signal.'
+      enum:
+      - 1
+      - 2
+      - 3
+      - 4
+      - 5
+      example: 5
+      format: int32
+      type: integer
+      x-enum-varnames:
+      - ONE
+      - TWO
+      - THREE
+      - FOUR
+      - FIVE
+    SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration:
+      description: Learning duration in hours. Anomaly detection waits for at least
+        this amount of historical data before it starts evaluating.
+      enum:
+      - 1
+      - 6
+      - 12
+      - 24
+      - 48
+      - 168
+      - 336
+      format: int32
+      type: integer
+      x-enum-varnames:
+      - ONE_HOUR
+      - SIX_HOURS
+      - TWELVE_HOURS
+      - ONE_DAY
+      - TWO_DAYS
+      - ONE_WEEK
+      - TWO_WEEKS
     SecurityMonitoringRuleCase:
       description: Case when signal is generated.
       properties:
@@ -47685,6 +47765,8 @@ components:
     SecurityMonitoringRuleOptions:
       description: Options.
       properties:
+        anomalyDetectionOptions:
+          $ref: '#/components/schemas/SecurityMonitoringRuleAnomalyDetectionOptions'
         complianceRuleOptions:
           $ref: '#/components/schemas/CloudConfigurationComplianceRuleOptions'
         decreaseCriticalityBasedOnEnv:
@@ -55124,6 +55206,8 @@ components:
     ThreatHuntingJobOptions:
       description: Job options.
       properties:
+        anomalyDetectionOptions:
+          $ref: '#/components/schemas/SecurityMonitoringRuleAnomalyDetectionOptions'
         detectionMethod:
           $ref: '#/components/schemas/SecurityMonitoringRuleDetectionMethod'
         evaluationWindow:

cassettes/v2/Security-Monitoring_1187227211/Create-a-detection-rule-with-detection-method-anomaly_detection-returns-OK-response_2285159328/frozen.json

@@ -0,0 +1 @@
+"2025-12-16T15:19:00.493Z"

cassettes/v2/Security-Monitoring_1187227211/Create-a-detection-rule-with-detection-method-anomaly_detection-returns-OK-response_2285159328/recording.har

@@ -0,0 +1,104 @@
+{
+  "log": {
+    "_recordingName": "Security Monitoring/Create a detection rule with detection method 'anomaly_detection' returns \"OK\" response",
+    "creator": {
+      "comment": "persister:fs",
+      "name": "Polly.JS",
+      "version": "6.0.5"
+    },
+    "entries": [
+      {
+        "_id": "ceeb4640e238fd2dfaea833262b811c7",
+        "_order": 0,
+        "cache": {},
+        "request": {
+          "bodySize": 736,
+          "cookies": [],
+          "headers": [
+            {
+              "_fromType": "array",
+              "name": "accept",
+              "value": "application/json"
+            },
+            {
+              "_fromType": "array",
+              "name": "content-type",
+              "value": "application/json"
+            }
+          ],
+          "headersSize": 586,
+          "httpVersion": "HTTP/1.1",
+          "method": "POST",
+          "postData": {
+            "mimeType": "application/json",
+            "params": [],
+            "text": "{\"cases\":[{\"condition\":\"a > 0.995\",\"name\":\"\",\"notifications\":[],\"status\":\"info\"}],\"filters\":[],\"isEnabled\":true,\"message\":\"An anomaly detection rule\",\"name\":\"Test-Create_a_detection_rule_with_detection_method_anomaly_detection_returns_OK_response-1765898340\",\"options\":{\"anomalyDetectionOptions\":{\"bucketDuration\":300,\"detectionTolerance\":3,\"learningDuration\":24,\"learningPeriodBaseline\":10},\"detectionMethod\":\"anomaly_detection\",\"evaluationWindow\":900,\"keepAlive\":3600,\"maxSignalDuration\":86400},\"queries\":[{\"aggregation\":\"count\",\"dataSource\":\"logs\",\"distinctFields\":[],\"groupByFields\":[\"@usr.email\",\"@network.client.ip\"],\"hasOptionalGroupByFields\":false,\"name\":\"\",\"query\":\"service:app status:error\"}],\"tags\":[],\"type\":\"log_detection\"}"
+          },
+          "queryString": [],
+          "url": "https://api.datadoghq.com/api/v2/security_monitoring/rules"
+        },
+        "response": {
+          "bodySize": 1163,
+          "content": {
+            "mimeType": "application/json",
+            "size": 1163,
+            "text": "{\"name\":\"Test-Create_a_detection_rule_with_detection_method_anomaly_detection_returns_OK_response-1765898340\",\"createdAt\":1765898340611,\"isDefault\":false,\"isPartner\":false,\"isEnabled\":true,\"isBeta\":false,\"isDeleted\":false,\"isDeprecated\":false,\"queries\":[{\"query\":\"service:app status:error\",\"groupByFields\":[\"@usr.email\",\"@network.client.ip\"],\"hasOptionalGroupByFields\":false,\"distinctFields\":[],\"aggregation\":\"count\",\"name\":\"\",\"dataSource\":\"logs\"}],\"options\":{\"evaluationWindow\":1800,\"detectionMethod\":\"anomaly_detection\",\"maxSignalDuration\":86400,\"keepAlive\":3600,\"anomalyDetectionOptions\":{\"bucketDuration\":300,\"learningDuration\":24,\"detectionTolerance\":3,\"instantaneousBaseline\":false,\"instantaneousBaselineTimeoutMinutes\":30,\"learningPeriodBaseline\":10}},\"cases\":[{\"name\":\"\",\"status\":\"info\",\"notifications\":[],\"condition\":\"a \\u003e 0.995\"}],\"message\":\"An anomaly detection rule\",\"tags\":[],\"hasExtendedTitle\":false,\"type\":\"log_detection\",\"filters\":[],\"version\":1,\"id\":\"0vk-kph-3ri\",\"blocking\":false,\"metadata\":{\"entities\":null,\"sources\":null},\"creationAuthorId\":1445416,\"creator\":{\"handle\":\"frog@datadoghq.com\",\"name\":\"frog\"},\"updater\":{\"handle\":\"\",\"name\":\"\"}}"
+          },
+          "cookies": [],
+          "headers": [
+            {
+              "name": "content-type",
+              "value": "application/json"
+            }
+          ],
+          "headersSize": 656,
+          "httpVersion": "HTTP/1.1",
+          "redirectURL": "",
+          "status": 200,
+          "statusText": "OK"
+        },
+        "startedDateTime": "2025-12-16T15:19:00.497Z",
+        "time": 129
+      },
+      {
+        "_id": "903a73a28dbeebf5cd6c473010faf924",
+        "_order": 0,
+        "cache": {},
+        "request": {
+          "bodySize": 0,
+          "cookies": [],
+          "headers": [
+            {
+              "_fromType": "array",
+              "name": "accept",
+              "value": "*/*"
+            }
+          ],
+          "headersSize": 534,
+          "httpVersion": "HTTP/1.1",
+          "method": "DELETE",
+          "queryString": [],
+          "url": "https://api.datadoghq.com/api/v2/security_monitoring/rules/0vk-kph-3ri"
+        },
+        "response": {
+          "bodySize": 0,
+          "content": {
+            "mimeType": "text/plain",
+            "size": 0
+          },
+          "cookies": [],
+          "headers": [],
+          "headersSize": 602,
+          "httpVersion": "HTTP/1.1",
+          "redirectURL": "",
+          "status": 204,
+          "statusText": "No Content"
+        },
+        "startedDateTime": "2025-12-16T15:19:00.633Z",
+        "time": 119
+      }
+    ],
+    "pages": [],
+    "version": "1.2"
+  }
+}

examples/v2/security-monitoring/CreateSecurityMonitoringRule_2323193894.ts

@@ -0,0 +1,59 @@
+/**
+ * Create a detection rule with detection method 'anomaly_detection' returns "OK" response
+ */
+
+import { client, v2 } from "@datadog/datadog-api-client";
+
+const configuration = client.createConfiguration();
+const apiInstance = new v2.SecurityMonitoringApi(configuration);
+
+const params: v2.SecurityMonitoringApiCreateSecurityMonitoringRuleRequest = {
+  body: {
+    name: "Example-Security-Monitoring",
+    type: "log_detection",
+    isEnabled: true,
+    queries: [
+      {
+        aggregation: "count",
+        dataSource: "logs",
+        distinctFields: [],
+        groupByFields: ["@usr.email", "@network.client.ip"],
+        hasOptionalGroupByFields: false,
+        name: "",
+        query: "service:app status:error",
+      },
+    ],
+    cases: [
+      {
+        name: "",
+        status: "info",
+        notifications: [],
+        condition: "a > 0.995",
+      },
+    ],
+    message: "An anomaly detection rule",
+    options: {
+      detectionMethod: "anomaly_detection",
+      evaluationWindow: 900,
+      keepAlive: 3600,
+      maxSignalDuration: 86400,
+      anomalyDetectionOptions: {
+        bucketDuration: 300,
+        learningDuration: 24,
+        detectionTolerance: 3,
+        learningPeriodBaseline: 10,
+      },
+    },
+    tags: [],
+    filters: [],
+  },
+};
+
+apiInstance
+  .createSecurityMonitoringRule(params)
+  .then((data: v2.SecurityMonitoringRuleResponse) => {
+    console.log(
+      "API called successfully. Returned data: " + JSON.stringify(data)
+    );
+  })
+  .catch((error: any) => console.error(error));

features/v2/security_monitoring.feature

@@ -333,6 +333,20 @@ Feature: Security Monitoring
     And the response "message" is equal to "Test rule"
     And the response "referenceTables" is equal to [{"tableName": "synthetics_test_reference_table_dont_delete", "columnName": "value", "logFieldPath":"testtag", "checkPresence":true, "ruleQueryName":"a"}]
 
+  @team:DataDog/k9-cloud-security-platform
+  Scenario: Create a detection rule with detection method 'anomaly_detection' returns "OK" response
+    Given new "CreateSecurityMonitoringRule" request
+    And body with value {"name":"{{ unique }}","type":"log_detection","isEnabled":true,"queries":[{"aggregation":"count","dataSource":"logs","distinctFields":[],"groupByFields":["@usr.email","@network.client.ip"],"hasOptionalGroupByFields":false,"name":"","query":"service:app status:error"}],"cases":[{"name":"","status":"info","notifications":[],"condition":"a > 0.995"}],"message":"An anomaly detection rule","options":{"detectionMethod":"anomaly_detection","evaluationWindow":900,"keepAlive":3600,"maxSignalDuration":86400,"anomalyDetectionOptions":{"bucketDuration":300,"learningDuration":24,"detectionTolerance":3,"learningPeriodBaseline":10}},"tags":[],"filters":[]}
+    When the request is sent
+    Then the response status is 200 OK
+    And the response "name" is equal to "{{ unique }}"
+    And the response "type" is equal to "log_detection"
+    And the response "options.detectionMethod" is equal to "anomaly_detection"
+    And the response "options.anomalyDetectionOptions.bucketDuration" is equal to 300
+    And the response "options.anomalyDetectionOptions.learningDuration" is equal to 24
+    And the response "options.anomalyDetectionOptions.learningPeriodBaseline" is equal to 10
+    And the response "options.anomalyDetectionOptions.detectionTolerance" is equal to 3
+
   @team:DataDog/k9-cloud-security-platform
   Scenario: Create a detection rule with detection method 'sequence_detection' returns "OK" response
     Given new "CreateSecurityMonitoringRule" request

packages/datadog-api-client-v2/index.ts

@@ -3956,6 +3956,10 @@ export { SecurityMonitoringFilter } from "./models/SecurityMonitoringFilter";
 export { SecurityMonitoringFilterAction } from "./models/SecurityMonitoringFilterAction";
 export { SecurityMonitoringListRulesResponse } from "./models/SecurityMonitoringListRulesResponse";
 export { SecurityMonitoringReferenceTable } from "./models/SecurityMonitoringReferenceTable";
+export { SecurityMonitoringRuleAnomalyDetectionOptions } from "./models/SecurityMonitoringRuleAnomalyDetectionOptions";
+export { SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration } from "./models/SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration";
+export { SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance } from "./models/SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance";
+export { SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration } from "./models/SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration";
 export { SecurityMonitoringRuleCase } from "./models/SecurityMonitoringRuleCase";
 export { SecurityMonitoringRuleCaseAction } from "./models/SecurityMonitoringRuleCaseAction";
 export { SecurityMonitoringRuleCaseActionOptions } from "./models/SecurityMonitoringRuleCaseActionOptions";

packages/datadog-api-client-v2/models/ObjectSerializer.ts

@@ -2247,6 +2247,7 @@ import { SecurityFiltersResponse } from "./SecurityFiltersResponse";
 import { SecurityMonitoringFilter } from "./SecurityMonitoringFilter";
 import { SecurityMonitoringListRulesResponse } from "./SecurityMonitoringListRulesResponse";
 import { SecurityMonitoringReferenceTable } from "./SecurityMonitoringReferenceTable";
+import { SecurityMonitoringRuleAnomalyDetectionOptions } from "./SecurityMonitoringRuleAnomalyDetectionOptions";
 import { SecurityMonitoringRuleCase } from "./SecurityMonitoringRuleCase";
 import { SecurityMonitoringRuleCaseAction } from "./SecurityMonitoringRuleCaseAction";
 import { SecurityMonitoringRuleCaseActionOptions } from "./SecurityMonitoringRuleCaseActionOptions";
@@ -4048,6 +4049,15 @@ const enumsMap: { [key: string]: any[] } = {
   SecurityFilterFilteredDataType: ["logs"],
   SecurityFilterType: ["security_filters"],
   SecurityMonitoringFilterAction: ["require", "suppress"],
+  SecurityMonitoringRuleAnomalyDetectionOptionsBucketDuration: [
+    300, 600, 900, 1800, 3600, 10800,
+  ],
+  SecurityMonitoringRuleAnomalyDetectionOptionsDetectionTolerance: [
+    1, 2, 3, 4, 5,
+  ],
+  SecurityMonitoringRuleAnomalyDetectionOptionsLearningDuration: [
+    1, 6, 12, 24, 48, 168, 336,
+  ],
   SecurityMonitoringRuleCaseActionOptionsFlaggedIPType: [
     "SUSPICIOUS",
     "FLAGGED",
@@ -7083,6 +7093,8 @@ const typeMap: { [index: string]: any } = {
   SecurityMonitoringFilter: SecurityMonitoringFilter,
   SecurityMonitoringListRulesResponse: SecurityMonitoringListRulesResponse,
   SecurityMonitoringReferenceTable: SecurityMonitoringReferenceTable,
+  SecurityMonitoringRuleAnomalyDetectionOptions:
+    SecurityMonitoringRuleAnomalyDetectionOptions,
   SecurityMonitoringRuleCase: SecurityMonitoringRuleCase,
   SecurityMonitoringRuleCaseAction: SecurityMonitoringRuleCaseAction,
   SecurityMonitoringRuleCaseActionOptions: