diff --git a/.generated-info b/.generated-info
index 6aeaeb58e5e8..6da924e78fa6 100644
--- a/.generated-info
+++ b/.generated-info
@@ -1,4 +1,4 @@
 {
- "spec_repo_commit": "2ffdc3f",
- "generated": "2025-07-16 19:14:13.100"
+ "spec_repo_commit": "31a6042",
+ "generated": "2025-07-17 09:23:14.468"
 }
diff --git a/.generator/schemas/v2/openapi.yaml b/.generator/schemas/v2/openapi.yaml
index 2ee20dab08f3..238cfbd19da5 100644
--- a/.generator/schemas/v2/openapi.yaml
+++ b/.generator/schemas/v2/openapi.yaml
@@ -33903,9 +33903,22 @@ components:
 format: int64
 minimum: 0
 type: integer
+ flaggedIPType:
+ $ref: '#/components/schemas/SecurityMonitoringRuleCaseActionOptionsFlaggedIPType'
 userBehaviorName:
 $ref: '#/components/schemas/SecurityMonitoringRuleCaseActionOptionsUserBehaviorName'
 type: object
+ SecurityMonitoringRuleCaseActionOptionsFlaggedIPType:
+ description: Used with the case action of type 'flag_ip'. The value specified
+ in this field is applied as a flag to the IPs addresses.
+ enum:
+ - SUSPICIOUS
+ - FLAGGED
+ example: FLAGGED
+ type: string
+ x-enum-varnames:
+ - SUSPICIOUS
+ - FLAGGED
 SecurityMonitoringRuleCaseActionOptionsUserBehaviorName:
 description: Used with the case action of type 'user_behavior'. The value specified
 in this field is applied as a risk tag to all users affected by the rule.
@@ -33916,11 +33929,13 @@ components:
 - block_ip
 - block_user
 - user_behavior
+ - flag_ip
 type: string
 x-enum-varnames:
 - BLOCK_IP
 - BLOCK_USER
 - USER_BEHAVIOR
+ - FLAG_IP
 SecurityMonitoringRuleCaseCreate:
 description: Case when signal is generated.
 properties:
diff --git a/examples/v2/security-monitoring/CreateSecurityMonitoringRule_1965169892.rb b/examples/v2/security-monitoring/CreateSecurityMonitoringRule_1965169892.rb
index 93047938b2bc..042b2d32f753 100644
--- a/examples/v2/security-monitoring/CreateSecurityMonitoringRule_1965169892.rb
+++ b/examples/v2/security-monitoring/CreateSecurityMonitoringRule_1965169892.rb
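Review bot: The new `SecurityMonitoringRuleCaseActionOptionsFlaggedIPType` description in the first openapi.yaml hunk does not say what distinguishes `SUSPICIOUS` from `FLAGGED`, and `flaggedIPType` is added as an optional property beside `duration` and `userBehaviorName`, so the schema as shown accepts a `flag_ip` action with no flag type and a `block_ip` action that carries one. Unless the server enforces the pairing (not visible here), a rule could be saved whose response action does less than its author intended, so the description should state what each value means, whether the field is required when `type` is `flag_ip`, and what happens when it is omitted. The second line of the description should also read `in this field is applied as a flag to the IP addresses.` rather than "the IPs addresses". The same text is copied into the Ruby model comments in the later hunks, so it is best corrected in the spec.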
@@ -37,6 +37,12 @@
 user_behavior_name: "behavior",
 }),
 }),
+ DatadogAPIClient::V2::SecurityMonitoringRuleCaseAction.new({
+ type: DatadogAPIClient::V2::SecurityMonitoringRuleCaseActionType::FLAG_IP,
+ options: DatadogAPIClient::V2::SecurityMonitoringRuleCaseActionOptions.new({
+ flagged_ip_type: DatadogAPIClient::V2::SecurityMonitoringRuleCaseActionOptionsFlaggedIPType::FLAGGED,
+ }),
+ }),
 ],
 }),
 ],
diff --git a/features/v2/security_monitoring.feature b/features/v2/security_monitoring.feature
index 1ec6ed14e58c..beffeae8be75 100644
--- a/features/v2/security_monitoring.feature
+++ b/features/v2/security_monitoring.feature
@@ -225,7 +225,7 @@ Feature: Security Monitoring
 @skip-validation @team:DataDog/k9-cloud-security-platform
 Scenario: Create a detection rule with type 'application_security 'returns "OK" response
 Given new "CreateSecurityMonitoringRule" request
- And body with value {"type":"application_security","name":"{{unique}}_appsec_rule","queries":[{"query":"@appsec.security_activity:business_logic.users.login.failure","aggregation":"count","groupByFields":["service","@http.client_ip"],"distinctFields":[]}],"filters":[],"cases":[{"name":"","status":"info","notifications":[],"condition":"a > 100000","actions":[{"type":"block_ip","options":{"duration":900}}, {"type":"user_behavior","options":{"userBehaviorName":"behavior"}}]}],"options":{"keepAlive":3600,"maxSignalDuration":86400,"evaluationWindow":900,"detectionMethod":"threshold"},"isEnabled":true,"message":"Test rule","tags":[],"groupSignalsBy":["service"]}
+ And body with value {"type":"application_security","name":"{{unique}}_appsec_rule","queries":[{"query":"@appsec.security_activity:business_logic.users.login.failure","aggregation":"count","groupByFields":["service","@http.client_ip"],"distinctFields":[]}],"filters":[],"cases":[{"name":"","status":"info","notifications":[],"condition":"a > 100000","actions":[{"type":"block_ip","options":{"duration":900}}, {"type":"user_behavior","options":{"userBehaviorName":"behavior"}},{"type":"flag_ip","options":{"flaggedIPType":"FLAGGED"}}]}],"options":{"keepAlive":3600,"maxSignalDuration":86400,"evaluationWindow":900,"detectionMethod":"threshold"},"isEnabled":true,"message":"Test rule","tags":[],"groupSignalsBy":["service"]}
 When the request is sent
 Then the response status is 200 OK
 And the response "name" is equal to "{{ unique }}_appsec_rule"
diff --git a/lib/datadog_api_client/inflector.rb b/lib/datadog_api_client/inflector.rb
index a94cb5e2b044..0d7b4d6adae4 100644
--- a/lib/datadog_api_client/inflector.rb
+++ b/lib/datadog_api_client/inflector.rb
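Review bot: The request body now sends a `flag_ip` action, but the assertions visible in this hunk check only the status code and the `name` field, so the scenario would still pass if the `flag_ip` action or its `flaggedIPType` were dropped from the created rule. A step on the returned case actions, for example `And the response "cases[0].actions[2].type" is equal to "flag_ip"`, would pin the new behaviour; the path syntax should be checked against the existing step definitions. Only `FLAGGED` is exercised, so `SUSPICIOUS` has no coverage in this change. The scenario's remaining steps lie outside the hunk and may already assert more.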
@@ -3031,6 +3031,7 @@ def overrides "v2.security_monitoring_rule_case" => "SecurityMonitoringRuleCase", "v2.security_monitoring_rule_case_action" => "SecurityMonitoringRuleCaseAction", "v2.security_monitoring_rule_case_action_options" => "SecurityMonitoringRuleCaseActionOptions", + "v2.security_monitoring_rule_case_action_options_flagged_ip_type" => "SecurityMonitoringRuleCaseActionOptionsFlaggedIPType", "v2.security_monitoring_rule_case_action_type" => "SecurityMonitoringRuleCaseActionType", "v2.security_monitoring_rule_case_create" => "SecurityMonitoringRuleCaseCreate", "v2.security_monitoring_rule_convert_payload" => "SecurityMonitoringRuleConvertPayload", diff --git a/lib/datadog_api_client/v2/models/security_monitoring_rule_case_action_options.rb b/lib/datadog_api_client/v2/models/security_monitoring_rule_case_action_options.rb index 848bf9466286..114222593c0d 100644 --- a/lib/datadog_api_client/v2/models/security_monitoring_rule_case_action_options.rb +++ b/lib/datadog_api_client/v2/models/security_monitoring_rule_case_action_options.rb @@ -24,6 +24,9 @@ class SecurityMonitoringRuleCaseActionOptions # Duration of the action in seconds. 0 indicates no expiration. attr_reader :duration + # Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IPs addresses. + attr_accessor :flagged_ip_type + # Used with the case action of type 'user_behavior'. The value specified in this field is applied as a risk tag to all users affected by the rule. attr_accessor :user_behavior_name @@ -34,6 +37,7 @@ class SecurityMonitoringRuleCaseActionOptions def self.attribute_map { :'duration' => :'duration', + :'flagged_ip_type' => :'flaggedIPType', :'user_behavior_name' => :'userBehaviorName' } end @@ -43,6 +47,7 @@ def self.attribute_map def self.openapi_types { :'duration' => :'Integer', + :'flagged_ip_type' => :'SecurityMonitoringRuleCaseActionOptionsFlaggedIPType', :'user_behavior_name' => :'String' } end 
@@ -69,6 +74,10 @@ def initialize(attributes = {}) self.duration = attributes[:'duration'] end + if attributes.key?(:'flagged_ip_type') + self.flagged_ip_type = attributes[:'flagged_ip_type'] + end + if attributes.key?(:'user_behavior_name') self.user_behavior_name = attributes[:'user_behavior_name'] end @@ -119,6 +128,7 @@ def ==(o) return true if self.equal?(o) self.class == o.class && duration == o.duration && + flagged_ip_type == o.flagged_ip_type && user_behavior_name == o.user_behavior_name && additional_properties == o.additional_properties end @@ -127,7 +137,7 @@ def ==(o) # @return [Integer] Hash code # @!visibility private def hash - [duration, user_behavior_name, additional_properties].hash + [duration, flagged_ip_type, user_behavior_name, additional_properties].hash end end end diff --git a/lib/datadog_api_client/v2/models/security_monitoring_rule_case_action_options_flagged_ip_type.rb b/lib/datadog_api_client/v2/models/security_monitoring_rule_case_action_options_flagged_ip_type.rb new file mode 100644 index 000000000000..6b403133ccaf --- /dev/null +++ b/lib/datadog_api_client/v2/models/security_monitoring_rule_case_action_options_flagged_ip_type.rb 
@@ -0,0 +1,27 @@ +=begin +#Datadog API V2 Collection + +#Collection of all Datadog Public endpoints. + +The version of the OpenAPI document: 1.0 +Contact: support@datadoghq.com +Generated by: https://github.com/DataDog/datadog-api-client-ruby/tree/master/.generator + + Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. + This product includes software developed at Datadog (https://www.datadoghq.com/). + Copyright 2020-Present Datadog, Inc. + +=end + +require 'date' +require 'time' + +module DatadogAPIClient::V2 + # Used with the case action of type 'flag_ip'. The value specified in this field is applied as a flag to the IPs addresses. + class SecurityMonitoringRuleCaseActionOptionsFlaggedIPType + include BaseEnumModel + + SUSPICIOUS = "SUSPICIOUS".freeze + FLAGGED = "FLAGGED".freeze + end +end diff --git a/lib/datadog_api_client/v2/models/security_monitoring_rule_case_action_type.rb b/lib/datadog_api_client/v2/models/security_monitoring_rule_case_action_type.rb index 5bf450359fc1..b29dbe01fcc5 100644 --- a/lib/datadog_api_client/v2/models/security_monitoring_rule_case_action_type.rb +++ b/lib/datadog_api_client/v2/models/security_monitoring_rule_case_action_type.rb @@ -24,5 +24,6 @@ class SecurityMonitoringRuleCaseActionType BLOCK_IP = "block_ip".freeze BLOCK_USER = "block_user".freeze USER_BEHAVIOR = "user_behavior".freeze + FLAG_IP = "flag_ip".freeze end end