Add baselineUserLocationsDuration to Impossible Travel rule options (#3555)

api-clients-generation-pipeline[bot] · ci.datadog-api-spec · web-flow · commit 4d784322e436 · 2026-05-21T09:30:40.000Z
Co-authored-by: ci.datadog-api-spec &lt;packages@datadoghq.com&gt;
diff --git a/.generator/schemas/v2/openapi.yaml b/.generator/schemas/v2/openapi.yaml
@@ -70685,11 +70685,20 @@ components:
       properties:
         baselineUserLocations:
           $ref: "#/components/schemas/SecurityMonitoringRuleImpossibleTravelOptionsBaselineUserLocations"
+        baselineUserLocationsDuration:
+          $ref: "#/components/schemas/SecurityMonitoringRuleImpossibleTravelOptionsBaselineUserLocationsDuration"
       type: object
     SecurityMonitoringRuleImpossibleTravelOptionsBaselineUserLocations:
       description: "If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular\naccess locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access."
       example: true
       type: boolean
+    SecurityMonitoringRuleImpossibleTravelOptionsBaselineUserLocationsDuration:
+      description: The duration in days during which Datadog learns the user's regular access locations. After this period, signals are generated for accesses from unknown locations.
+      format: int32
+      maximum: 30
+      minimum: 1
+      nullable: true
+      type: integer
     SecurityMonitoringRuleInstantaneousBaseline:
       description: When set to true, Datadog uses previous values that fall within the defined learning window to construct the baseline, enabling the system to establish an accurate baseline more rapidly rather than relying solely on gradual learning over time.
       example: false
@@ -143305,6 +143314,7 @@ paths:
                     hardcodedEvaluatorType: log4shell
                     impossibleTravelOptions:
                       baselineUserLocations: true
+                      baselineUserLocationsDuration: 7
                     newValueOptions:
                       instantaneousBaseline: false
                       learningMethod: duration
@@ -144061,6 +144071,7 @@ paths:
                     hardcodedEvaluatorType: log4shell
                     impossibleTravelOptions:
                       baselineUserLocations: true
+                      baselineUserLocationsDuration: 7
                     keepAlive: 3600
                     maxSignalDuration: 86400
                     newValueOptions:
@@ -144162,6 +144173,7 @@ paths:
                       hardcodedEvaluatorType: log4shell
                       impossibleTravelOptions:
                         baselineUserLocations: true
+                        baselineUserLocationsDuration: 7
                       keepAlive: 0
                       maxSignalDuration: 0
                       newValueOptions:
@@ -144275,6 +144287,7 @@ paths:
                     hardcodedEvaluatorType: log4shell
                     impossibleTravelOptions:
                       baselineUserLocations: true
+                      baselineUserLocationsDuration: 7
                     keepAlive: 1800
                     maxSignalDuration: 1800
                     newValueOptions:
diff --git a/examples/v2/security-monitoring/CreateSecurityMonitoringRule_3243059428.py b/examples/v2/security-monitoring/CreateSecurityMonitoringRule_3243059428.py
@@ -0,0 +1,73 @@
+"""
+Create a detection rule with type 'impossible_travel' and baselineUserLocationsDuration returns "OK" response
+"""
+
+from datadog_api_client import ApiClient, Configuration
+from datadog_api_client.v2.api.security_monitoring_api import SecurityMonitoringApi
+from datadog_api_client.v2.model.security_monitoring_rule_case_create import SecurityMonitoringRuleCaseCreate
+from datadog_api_client.v2.model.security_monitoring_rule_detection_method import SecurityMonitoringRuleDetectionMethod
+from datadog_api_client.v2.model.security_monitoring_rule_evaluation_window import (
+    SecurityMonitoringRuleEvaluationWindow,
+)
+from datadog_api_client.v2.model.security_monitoring_rule_impossible_travel_options import (
+    SecurityMonitoringRuleImpossibleTravelOptions,
+)
+from datadog_api_client.v2.model.security_monitoring_rule_keep_alive import SecurityMonitoringRuleKeepAlive
+from datadog_api_client.v2.model.security_monitoring_rule_max_signal_duration import (
+    SecurityMonitoringRuleMaxSignalDuration,
+)
+from datadog_api_client.v2.model.security_monitoring_rule_options import SecurityMonitoringRuleOptions
+from datadog_api_client.v2.model.security_monitoring_rule_query_aggregation import (
+    SecurityMonitoringRuleQueryAggregation,
+)
+from datadog_api_client.v2.model.security_monitoring_rule_severity import SecurityMonitoringRuleSeverity
+from datadog_api_client.v2.model.security_monitoring_rule_type_create import SecurityMonitoringRuleTypeCreate
+from datadog_api_client.v2.model.security_monitoring_standard_rule_create_payload import (
+    SecurityMonitoringStandardRuleCreatePayload,
+)
+from datadog_api_client.v2.model.security_monitoring_standard_rule_query import SecurityMonitoringStandardRuleQuery
+
+body = SecurityMonitoringStandardRuleCreatePayload(
+    queries=[
+        SecurityMonitoringStandardRuleQuery(
+            aggregation=SecurityMonitoringRuleQueryAggregation.GEO_DATA,
+            group_by_fields=[
+                "@usr.id",
+            ],
+            distinct_fields=[],
+            metric="@network.client.geoip",
+            query="*",
+        ),
+    ],
+    cases=[
+        SecurityMonitoringRuleCaseCreate(
+            name="",
+            status=SecurityMonitoringRuleSeverity.INFO,
+            notifications=[],
+        ),
+    ],
+    has_extended_title=True,
+    message="test",
+    is_enabled=True,
+    options=SecurityMonitoringRuleOptions(
+        max_signal_duration=SecurityMonitoringRuleMaxSignalDuration.ONE_DAY,
+        evaluation_window=SecurityMonitoringRuleEvaluationWindow.FIFTEEN_MINUTES,
+        keep_alive=SecurityMonitoringRuleKeepAlive.ONE_HOUR,
+        detection_method=SecurityMonitoringRuleDetectionMethod.IMPOSSIBLE_TRAVEL,
+        impossible_travel_options=SecurityMonitoringRuleImpossibleTravelOptions(
+            baseline_user_locations=True,
+            baseline_user_locations_duration=7,
+        ),
+    ),
+    name="Example-Security-Monitoring",
+    type=SecurityMonitoringRuleTypeCreate.LOG_DETECTION,
+    tags=[],
+    filters=[],
+)
+
+configuration = Configuration()
+with ApiClient(configuration) as api_client:
+    api_instance = SecurityMonitoringApi(api_client)
+    response = api_instance.create_security_monitoring_rule(body=body)
+
+    print(response)
diff --git a/src/datadog_api_client/v2/model/security_monitoring_rule_impossible_travel_options.py b/src/datadog_api_client/v2/model/security_monitoring_rule_impossible_travel_options.py
@@ -8,30 +8,50 @@
 from datadog_api_client.model_utils import (
     ModelNormal,
     cached_property,
+    none_type,
     unset,
     UnsetType,
 )
 
 
 class SecurityMonitoringRuleImpossibleTravelOptions(ModelNormal):
+    validations = {
+        "baseline_user_locations_duration": {
+            "inclusive_maximum": 30,
+            "inclusive_minimum": 1,
+        },
+    }
+
     @cached_property
     def openapi_types(_):
         return {
             "baseline_user_locations": (bool,),
+            "baseline_user_locations_duration": (int,),
         }
 
     attribute_map = {
         "baseline_user_locations": "baselineUserLocations",
+        "baseline_user_locations_duration": "baselineUserLocationsDuration",
     }
 
-    def __init__(self_, baseline_user_locations: Union[bool, UnsetType] = unset, **kwargs):
+    def __init__(
+        self_,
+        baseline_user_locations: Union[bool, UnsetType] = unset,
+        baseline_user_locations_duration: Union[int, none_type, UnsetType] = unset,
+        **kwargs,
+    ):
         """
         Options on impossible travel detection method.
 
         :param baseline_user_locations: If true, signals are suppressed for the first 24 hours. In that time, Datadog learns the user's regular
             access locations. This can be helpful to reduce noise and infer VPN usage or credentialed API access.
         :type baseline_user_locations: bool, optional
+
+        :param baseline_user_locations_duration: The duration in days during which Datadog learns the user's regular access locations. After this period, signals are generated for accesses from unknown locations.
+        :type baseline_user_locations_duration: int, none_type, optional
         """
         if baseline_user_locations is not unset:
             kwargs["baseline_user_locations"] = baseline_user_locations
+        if baseline_user_locations_duration is not unset:
+            kwargs["baseline_user_locations_duration"] = baseline_user_locations_duration
         super().__init__(kwargs)
diff --git a/tests/v2/cassettes/test_scenarios/test_create_a_detection_rule_with_type_impossible_travel_and_baselineuserlocationsduration_returns_ok_response.frozen b/tests/v2/cassettes/test_scenarios/test_create_a_detection_rule_with_type_impossible_travel_and_baselineuserlocationsduration_returns_ok_response.frozen
@@ -0,0 +1 @@
+2026-05-20T15:12:27.397Z
diff --git a/tests/v2/cassettes/test_scenarios/test_create_a_detection_rule_with_type_impossible_travel_and_baselineuserlocationsduration_returns_ok_response.yaml b/tests/v2/cassettes/test_scenarios/test_create_a_detection_rule_with_type_impossible_travel_and_baselineuserlocationsduration_returns_ok_response.yaml
@@ -0,0 +1,35 @@
+interactions:
+- request:
+    body: '{"cases":[{"name":"","notifications":[],"status":"info"}],"filters":[],"hasExtendedTitle":true,"isEnabled":true,"message":"test","name":"Test-Create_a_detection_rule_with_type_impossible_travel_and_baselineUserLocationsDuration_returns_OK_res-1779289947","options":{"detectionMethod":"impossible_travel","evaluationWindow":900,"impossibleTravelOptions":{"baselineUserLocations":true,"baselineUserLocationsDuration":7},"keepAlive":3600,"maxSignalDuration":86400},"queries":[{"aggregation":"geo_data","distinctFields":[],"groupByFields":["@usr.id"],"metric":"@network.client.geoip","query":"*"}],"tags":[],"type":"log_detection"}'
+    headers:
+      accept:
+      - application/json
+      content-type:
+      - application/json
+    method: POST
+    uri: https://api.datadoghq.com/api/v2/security_monitoring/rules
+  response:
+    body:
+      string: '{"name":"Test-Create_a_detection_rule_with_type_impossible_travel_and_baselineUserLocationsDuration_returns_OK_res-1779289947","createdAt":1779289949181,"isDefault":false,"isPartner":false,"isEnabled":true,"isBeta":false,"isDeleted":false,"isDeprecated":false,"queries":[{"query":"*","groupByFields":["@usr.id"],"hasOptionalGroupByFields":false,"distinctFields":[],"metric":"@network.client.geoip","metrics":["@network.client.geoip"],"aggregation":"geo_data","name":"","dataSource":"logs"}],"options":{"evaluationWindow":900,"detectionMethod":"impossible_travel","maxSignalDuration":86400,"keepAlive":3600,"impossibleTravelOptions":{"baselineUserLocations":true,"baselineUserLocationsDuration":7,"detectIpTransition":false}},"cases":[{"name":"","status":"info","notifications":[]}],"message":"test","tags":[],"hasExtendedTitle":true,"type":"log_detection","filters":[],"version":1,"id":"v2k-viu-svz","blocking":false,"metadata":{"entities":null,"sources":null},"creationAuthorId":2320499,"creator":{"handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","name":"CI
+        Account"},"updater":{"handle":"","name":""}}'
+    headers:
+      content-type:
+      - application/json
+    status:
+      code: 200
+      message: OK
+- request:
+    body: null
+    headers:
+      accept:
+      - '*/*'
+    method: DELETE
+    uri: https://api.datadoghq.com/api/v2/security_monitoring/rules/v2k-viu-svz
+  response:
+    body:
+      string: ''
+    headers: {}
+    status:
+      code: 204
+      message: No Content
+version: 1
diff --git a/tests/v2/features/security_monitoring.feature b/tests/v2/features/security_monitoring.feature
@@ -559,6 +559,19 @@ Feature: Security Monitoring
     And the response "type" is equal to "application_security"
     And the response "message" is equal to "Test rule"
 
+  @skip-validation @team:DataDog/k9-cloud-siem
+  Scenario: Create a detection rule with type 'impossible_travel' and baselineUserLocationsDuration returns "OK" response
+    Given new "CreateSecurityMonitoringRule" request
+    And body with value {"queries":[{"aggregation":"geo_data","groupByFields":["@usr.id"],"distinctFields":[],"metric":"@network.client.geoip","query":"*"}],"cases":[{"name":"","status":"info","notifications":[]}],"hasExtendedTitle":true,"message":"test","isEnabled":true,"options":{"maxSignalDuration":86400,"evaluationWindow":900,"keepAlive":3600,"detectionMethod":"impossible_travel","impossibleTravelOptions":{"baselineUserLocations":true,"baselineUserLocationsDuration":7}},"name":"{{ unique }}","type":"log_detection","tags":[],"filters":[]}
+    When the request is sent
+    Then the response status is 200 OK
+    And the response "name" is equal to "{{ unique }}"
+    And the response "type" is equal to "log_detection"
+    And the response "message" is equal to "test"
+    And the response "options.detectionMethod" is equal to "impossible_travel"
+    And the response "options.impossibleTravelOptions.baselineUserLocations" is equal to true
+    And the response "options.impossibleTravelOptions.baselineUserLocationsDuration" is equal to 7
+
   @skip-validation @team:DataDog/k9-cloud-siem
   Scenario: Create a detection rule with type 'impossible_travel' returns "OK" response
     Given new "CreateSecurityMonitoringRule" request
