diff --git a/.generator/schemas/v2/openapi.yaml b/.generator/schemas/v2/openapi.yaml index 82aecd68139a..3ed5485e6f0b 100644 --- a/.generator/schemas/v2/openapi.yaml +++ b/.generator/schemas/v2/openapi.yaml @@ -9472,6 +9472,10 @@ components: description: The name of the policy example: my_agent_policy type: string + pinned: + description: Whether the policy is pinned + example: false + type: boolean policyVersion: description: The version of the policy example: '1' @@ -9499,6 +9503,8 @@ components: type: integer updater: $ref: '#/components/schemas/CloudWorkloadSecurityAgentPolicyUpdaterAttributes' + versions: + $ref: '#/components/schemas/CloudWorkloadSecurityAgentPolicyVersions' type: object CloudWorkloadSecurityAgentPolicyCreateAttributes: description: Create a new Cloud Workload Security Agent policy @@ -9645,6 +9651,23 @@ components: nullable: true type: string type: object + CloudWorkloadSecurityAgentPolicyVersion: + description: The versions of the policy + properties: + Date: + description: The date and time the version was created + nullable: true + type: string + Name: + description: The version of the policy + example: 1.47.0-rc2 + type: string + type: object + CloudWorkloadSecurityAgentPolicyVersions: + description: The versions of the policy + items: + $ref: '#/components/schemas/CloudWorkloadSecurityAgentPolicyVersion' + type: array CloudWorkloadSecurityAgentRuleAction: description: The action the rule can perform if triggered properties: 
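Review bot: The new `CloudWorkloadSecurityAgentPolicyVersion` schema in the @@ -9645 hunk describes a single version with the plural text `The versions of the policy`, the same description its container `CloudWorkloadSecurityAgentPolicyVersions` carries; `description: A single version of the policy` would tell them apart, and `Name`'s `The version of the policy` could read `The Agent version string, for example 1.47.0-rc2`. Its property names `Date` and `Name` are capitalised while every other property in these hunks is camelCase or snake_case; if that really is the wire format, a comment saying so would stop the next maintainer from "fixing" it, and if not it should be corrected before clients are generated from it. `Date` is a nullable string with no `format`; if the server emits an RFC 3339 timestamp, `format: date-time` lets generated clients parse it, though the format cannot be confirmed from this diff. The `versions` property added in the @@ -9499 hunk is a bare `$ref`, which is valid but leaves no place to say when the list is populated.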
@@ -9682,23 +9705,32 @@ components: description: The set action applied on the scope matching the rule properties: append: - description: Whether the value should be appended to the field + description: Whether the value should be appended to the field. type: boolean + default_value: + description: The default value of the set action + type: string + expression: + description: The expression of the set action. + type: string field: description: The field of the set action type: string + inherited: + description: Whether the value should be inherited. + type: boolean name: description: The name of the set action type: string scope: - description: The scope of the set action + description: The scope of the set action. type: string size: - description: The size of the set action + description: The size of the set action. format: int64 type: integer ttl: - description: The time to live of the set action + description: The time to live of the set action. format: int64 type: integer value: @@ -9779,6 +9811,10 @@ components: items: type: string type: array + silent: + description: Whether the rule is silent. + example: false + type: boolean updateAuthorUuId: description: The ID of the user who updated the rule example: e51c9744-d158-11ec-ad23-da7ad0900002 @@ -9806,8 +9842,11 @@ components: properties: actions: $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleActions' + agent_version: + description: Constrain the rule to specific versions of the Datadog Agent. + type: string blocking: - description: The blocking policies that the rule belongs to + description: The blocking policies that the rule belongs to. items: type: string type: array 
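Review bot: The three properties added to the set-action schema in the @@ -9682 hunk (`default_value`, `expression`, `inherited`) say nothing about how they relate to the existing `value`, and `expression` has no `example`. The cassette added by this commit sends `expression: open.file.path` together with `default_value: /dev/null` and no `value`, which suggests `expression` and `value` are alternatives and `default_value` applies when the expression yields nothing; if that is right, `description: The expression evaluated to compute the value; mutually exclusive with value` and `description: The value used when the expression does not resolve` would make the contract explicit, but please confirm against the backend. `inherited` is described only as `Whether the value should be inherited.`; naming what inherits it (presumably child processes when scope is process) matters because it determines how long a set value persists and therefore which later rules match. The trailing-period style is also mixed inside this one hunk: `append`, `expression`, `inherited`, `scope`, `size` and `ttl` gained a period while `default_value`, `field` and `name` did not.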
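Review bot: `agent_version` in the @@ -9806 hunk is a plain string with no `example` and no statement of the constraint syntax; the cassette in this commit sends `"> 7.60"`, so `example: '> 7.60'` plus a sentence naming the accepted operators would let SDK users set it correctly (the example must be quoted, since a bare `> 7.60` starts a YAML folded scalar). The same property is added in the @@ -9930 hunk without the trailing period, so the two descriptions should match. The rule attributes schema in the @@ -9779 hunk gains `silent` but not `agent_version`, and the recorded create response in the cassette does not echo `agent_version` back, so a client that sets a version constraint has no way to read it back and verify it; if the server does return it the response schema is missing the field, and if it does not, that should be documented. `silent` is added three times (@@ -9779, @@ -9843, @@ -9966) with only `Whether the rule is silent.`; stating the observable effect, for instance whether matching events are still emitted, would be more useful than restating the name.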
@@ -9816,12 +9855,12 @@ components: example: My Agent rule type: string disabled: - description: The disabled policies that the rule belongs to + description: The disabled policies that the rule belongs to. items: type: string type: array enabled: - description: Whether the Agent rule is enabled + description: Whether the Agent rule is enabled. example: true type: boolean expression: @@ -9829,12 +9868,12 @@ components: example: exec.file.name == "sh" type: string filters: - description: The platforms the Agent rule is supported on + description: The platforms the Agent rule is supported on. items: type: string type: array monitoring: - description: The monitoring policies that the rule belongs to + description: The monitoring policies that the rule belongs to. items: type: string type: array @@ -9843,14 +9882,18 @@ components: example: my_agent_rule type: string policy_id: - description: The ID of the policy where the Agent rule is saved + description: The ID of the policy where the Agent rule is saved. example: a8c8e364-6556-434d-b798-a4c23de29c0b type: string product_tags: - description: The list of product tags associated with the rule + description: The list of product tags associated with the rule. items: type: string type: array + silent: + description: Whether the rule is silent. + example: false + type: boolean required: - name - expression @@ -9930,6 +9973,9 @@ components: properties: actions: $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleActions' + agent_version: + description: Constrain the rule to specific versions of the Datadog Agent + type: string blocking: description: The blocking policies that the rule belongs to items: @@ -9966,6 +10012,10 @@ components: items: type: string type: array + silent: + description: Whether the rule is silent. + example: false + type: boolean type: object CloudWorkloadSecurityAgentRuleUpdateData: description: Object for a single Agent rule 
diff --git a/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-agent-rule-returns-Bad-Request-response.frozen b/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-agent-rule-returns-Bad-Request-response.frozen index 4f0c59366fed..3e948e09cbb1 100644 --- a/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-agent-rule-returns-Bad-Request-response.frozen +++ b/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-agent-rule-returns-Bad-Request-response.frozen @@ -1 +1 @@ -2025-05-27T10:24:52.127Z \ No newline at end of file +2025-10-10T15:20:39.566Z \ No newline at end of file diff --git a/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-agent-rule-returns-Bad-Request-response.yml b/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-agent-rule-returns-Bad-Request-response.yml index 30525fe5246a..fb1cea9c31f5 100644 --- a/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-agent-rule-returns-Bad-Request-response.yml +++ b/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-agent-rule-returns-Bad-Request-response.yml @@ -1,9 +1,9 @@ http_interactions: -- recorded_at: Tue, 27 May 2025 10:24:52 GMT +- recorded_at: Fri, 10 Oct 2025 15:20:39 GMT request: body: encoding: UTF-8 - string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testcreateaworkloadprotectionagentrulereturnsbadrequestresponse1748341492"},"type":"policy"}}' + string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testcreateaworkloadprotectionagentrulereturnsbadrequestresponse1760109639"},"type":"policy"}}' headers: Accept: - application/json 
@@ -14,19 +14,19 @@ http_interactions: response: body: encoding: UTF-8 - string: '{"data":{"id":"wqi-kze-rt7","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"testcreateaworkloadprotectionagentrulereturnsbadrequestresponse1748341492","policyVersion":"1","priority":1000000011,"ruleCount":226,"updateDate":1748341492528,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' + string: '{"data":{"id":"sr5-i0h-lty","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":1,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":7,"name":"testcreateaworkloadprotectionagentrulereturnsbadrequestresponse1760109639","pinned":false,"policyVersion":"1","ruleCount":8,"updateDate":1760109639958,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' headers: Content-Type: - application/json status: code: 200 message: OK -- recorded_at: Tue, 27 May 2025 10:24:52 GMT +- recorded_at: Fri, 10 Oct 2025 15:20:39 GMT request: body: encoding: UTF-8 - string: '{"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name","filters":[],"name":"my_agent_rule","policy_id":"wqi-kze-rt7","product_tags":[]},"type":"agent_rule"}}' + string: '{"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name","filters":[],"name":"my_agent_rule","policy_id":"sr5-i0h-lty","product_tags":[]},"type":"agent_rule"}}' headers: Accept: - application/json 
@@ -37,22 +37,22 @@ http_interactions: response: body: encoding: UTF-8 - string: '{"errors":["input_validation_error(Field ''expression'' is invalid: - rule `my_agent_rule` error: rule syntax error: bool expected: 1:1: exec.file.name\n^)"]}' + string: '{"errors":["input_validation_error(Field ''name'' is invalid: the name + ''my_agent_rule'' is already used by a custom rule)"]}' headers: Content-Type: - application/json status: code: 400 message: Bad Request -- recorded_at: Tue, 27 May 2025 10:24:52 GMT +- recorded_at: Fri, 10 Oct 2025 15:20:39 GMT request: body: null headers: Accept: - '*/*' method: DELETE - uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/wqi-kze-rt7 + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/sr5-i0h-lty response: body: encoding: UTF-8 diff --git a/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-agent-rule-returns-OK-response.frozen b/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-agent-rule-returns-OK-response.frozen index 420c5a154653..dded21a6a084 100644 --- a/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-agent-rule-returns-OK-response.frozen +++ b/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-agent-rule-returns-OK-response.frozen @@ -1 +1 @@ -2025-05-27T10:24:54.068Z \ No newline at end of file +2025-10-10T15:20:41.757Z \ No newline at end of file diff --git a/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-agent-rule-returns-OK-response.yml b/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-agent-rule-returns-OK-response.yml index 7815a70f282c..55223f867aa5 100644 --- a/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-agent-rule-returns-OK-response.yml +++ b/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-agent-rule-returns-OK-response.yml 
@@ -1,9 +1,9 @@ http_interactions: -- recorded_at: Tue, 27 May 2025 10:24:54 GMT +- recorded_at: Fri, 10 Oct 2025 15:20:41 GMT request: body: encoding: UTF-8 - string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testcreateaworkloadprotectionagentrulereturnsokresponse1748341494"},"type":"policy"}}' + string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testcreateaworkloadprotectionagentrulereturnsokresponse1760109641"},"type":"policy"}}' headers: Accept: - application/json 
@@ -14,20 +14,20 @@ http_interactions: response: body: encoding: UTF-8 - string: '{"data":{"id":"zkg-owo-mcp","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"testcreateaworkloadprotectionagentrulereturnsokresponse1748341494","policyVersion":"1","priority":1000000011,"ruleCount":226,"updateDate":1748341494354,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' + string: '{"data":{"id":"cwy-qfn-4k8","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":1,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":7,"name":"testcreateaworkloadprotectionagentrulereturnsokresponse1760109641","pinned":false,"policyVersion":"1","ruleCount":8,"updateDate":1760109642133,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' headers: Content-Type: - application/json status: code: 200 message: OK -- recorded_at: Tue, 27 May 2025 10:24:54 GMT +- recorded_at: Fri, 10 Oct 2025 15:20:41 GMT request: body: encoding: UTF-8 - string: '{"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name - == \"sh\"","filters":[],"name":"testcreateaworkloadprotectionagentrulereturnsokresponse1748341494","policy_id":"zkg-owo-mcp","product_tags":[]},"type":"agent_rule"}}' + string: '{"data":{"attributes":{"agent_version":"> 7.60","description":"My Agent + rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":[],"name":"testcreateaworkloadprotectionagentrulereturnsokresponse1760109641","policy_id":"cwy-qfn-4k8","product_tags":[]},"type":"agent_rule"}}' headers: Accept: - application/json 
@@ -38,24 +38,24 @@ http_interactions: response: body: encoding: UTF-8 - string: '{"data":{"id":"ymx-atn-xux","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1748341495064,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + string: '{"data":{"id":"iua-dxr-uvh","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1760109643225,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["zkg-owo-mcp"],"name":"testcreateaworkloadprotectionagentrulereturnsokresponse1748341494","product_tags":[],"updateDate":1748341495064,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' + == \"linux\""],"monitoring":["cwy-qfn-4k8"],"name":"testcreateaworkloadprotectionagentrulereturnsokresponse1760109641","product_tags":[],"updateDate":1760109643225,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' headers: Content-Type: - application/json status: code: 200 message: OK -- recorded_at: Tue, 27 May 2025 10:24:54 GMT +- recorded_at: Fri, 10 Oct 2025 15:20:41 GMT request: body: null headers: Accept: - '*/*' method: DELETE - uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/ymx-atn-xux + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/iua-dxr-uvh response: body: encoding: UTF-8 @@ -66,14 +66,14 @@ http_interactions: status: code: 204 message: No Content -- recorded_at: Tue, 27 May 2025 10:24:54 GMT +- recorded_at: Fri, 10 Oct 2025 15:20:41 GMT request: body: null headers: Accept: - '*/*' method: DELETE - uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/zkg-owo-mcp + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/cwy-qfn-4k8 response: body: encoding: UTF-8 
diff --git a/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-agent-rule-with-set-action-returns-OK-response.frozen b/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-agent-rule-with-set-action-returns-OK-response.frozen index 07075ecafcf7..65beb25fa105 100644 --- a/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-agent-rule-with-set-action-returns-OK-response.frozen +++ b/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-agent-rule-with-set-action-returns-OK-response.frozen @@ -1 +1 @@ -2025-06-13T15:16:58.034Z \ No newline at end of file +2025-10-10T15:20:46.004Z \ No newline at end of file diff --git a/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-agent-rule-with-set-action-returns-OK-response.yml b/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-agent-rule-with-set-action-returns-OK-response.yml index e9553f059ccf..7d23cd825e7a 100644 --- a/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-agent-rule-with-set-action-returns-OK-response.yml +++ b/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-agent-rule-with-set-action-returns-OK-response.yml @@ -1,9 +1,9 @@ http_interactions: -- recorded_at: Fri, 13 Jun 2025 15:16:58 GMT +- recorded_at: Fri, 10 Oct 2025 15:20:46 GMT request: body: encoding: UTF-8 - string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testcreateaworkloadprotectionagentrulewithsetactionreturnsokresponse1749827818"},"type":"policy"}}' + string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testcreateaworkloadprotectionagentrulewithsetactionreturnsokresponse1760109646"},"type":"policy"}}' headers: Accept: - application/json 
@@ -14,21 +14,21 @@ http_interactions: response: body: encoding: UTF-8 - string: '{"data":{"id":"alt-4q4-baa","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"testcreateaworkloadprotectionagentrulewithsetactionreturnsokresponse1749827818","policyVersion":"1","priority":1000000013,"ruleCount":226,"updateDate":1749827818428,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' + string: '{"data":{"id":"c85-dqa-6no","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":1,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":7,"name":"testcreateaworkloadprotectionagentrulewithsetactionreturnsokresponse1760109646","pinned":false,"policyVersion":"1","ruleCount":8,"updateDate":1760109646385,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' headers: Content-Type: - application/json status: code: 200 message: OK -- recorded_at: Fri, 13 Jun 2025 15:16:58 GMT +- recorded_at: Fri, 10 Oct 2025 15:20:46 GMT request: body: encoding: UTF-8 - string: '{"data":{"attributes":{"actions":[{"set":{"name":"test_set","scope":"process","value":"test_value"}},{"hash":{}}],"description":"My + string: '{"data":{"attributes":{"actions":[{"set":{"inherited":true,"name":"test_set","scope":"process","value":"test_value"}},{"hash":{}}],"description":"My Agent rule with set action","enabled":true,"expression":"exec.file.name == - \"sh\"","filters":[],"name":"testcreateaworkloadprotectionagentrulewithsetactionreturnsokresponse1749827818","policy_id":"alt-4q4-baa","product_tags":[]},"type":"agent_rule"}}' + \"sh\"","filters":[],"name":"testcreateaworkloadprotectionagentrulewithsetactionreturnsokresponse1760109646","policy_id":"c85-dqa-6no","product_tags":[]},"type":"agent_rule"}}' headers: Accept: - application/json 
@@ -39,24 +39,24 @@ http_interactions: response: body: encoding: UTF-8 - string: '{"data":{"id":"ps3-64e-shx","type":"agent_rule","attributes":{"actions":[{"set":{"name":"test_set","value":"test_value","scope":"process"},"disabled":false},{"hash":{},"disabled":false}],"category":"Process - Activity","creationDate":1749827819065,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + string: '{"data":{"id":"ak5-bk0-dxq","type":"agent_rule","attributes":{"actions":[{"set":{"name":"test_set","value":"test_value","scope":"process","inherited":true},"disabled":false},{"hash":{},"disabled":false}],"category":"Process + Activity","creationDate":1760109647450,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule with set action","enabled":true,"expression":"exec.file.name == - \"sh\"","filters":["os == \"linux\""],"monitoring":["alt-4q4-baa"],"name":"testcreateaworkloadprotectionagentrulewithsetactionreturnsokresponse1749827818","product_tags":[],"updateDate":1749827819065,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' + \"sh\"","filters":["os == \"linux\""],"monitoring":["c85-dqa-6no"],"name":"testcreateaworkloadprotectionagentrulewithsetactionreturnsokresponse1760109646","product_tags":[],"updateDate":1760109647450,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' headers: Content-Type: - application/json status: code: 200 message: OK -- recorded_at: Fri, 13 Jun 2025 15:16:58 GMT +- recorded_at: Fri, 10 Oct 2025 15:20:46 GMT request: body: null headers: Accept: - '*/*' method: DELETE - uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/ps3-64e-shx + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/ak5-bk0-dxq response: body: encoding: UTF-8 
@@ -67,14 +67,14 @@ http_interactions: status: code: 204 message: No Content -- recorded_at: Fri, 13 Jun 2025 15:16:58 GMT +- recorded_at: Fri, 10 Oct 2025 15:20:46 GMT request: body: null headers: Accept: - '*/*' method: DELETE - uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/alt-4q4-baa + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/c85-dqa-6no response: body: encoding: UTF-8 diff --git a/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-agent-rule-with-set-action-with-expression-returns-OK-response.frozen b/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-agent-rule-with-set-action-with-expression-returns-OK-response.frozen new file mode 100644 index 000000000000..58f99083554f --- /dev/null +++ b/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-agent-rule-with-set-action-with-expression-returns-OK-response.frozen @@ -0,0 +1 @@ +2025-10-10T15:20:50.578Z \ No newline at end of file diff --git a/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-agent-rule-with-set-action-with-expression-returns-OK-response.yml b/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-agent-rule-with-set-action-with-expression-returns-OK-response.yml new file mode 100644 index 000000000000..0ca872a4b02e --- /dev/null +++ b/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-agent-rule-with-set-action-with-expression-returns-OK-response.yml 
@@ -0,0 +1,88 @@ +http_interactions: +- recorded_at: Fri, 10 Oct 2025 15:20:50 GMT + request: + body: + encoding: UTF-8 + string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testcreateaworkloadprotectionagentrulewithsetactionwithexpressionreturnsokresponse1760109650"},"type":"policy"}}' + headers: + Accept: + - application/json + Content-Type: + - application/json + method: POST + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy + response: + body: + encoding: UTF-8 + string: '{"data":{"id":"lrl-nbx-opl","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":1,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":7,"name":"testcreateaworkloadprotectionagentrulewithsetactionwithexpressionreturnsokresponse1760109650","pinned":false,"policyVersion":"1","ruleCount":8,"updateDate":1760109650938,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' + headers: + Content-Type: + - application/json + status: + code: 200 + message: OK +- recorded_at: Fri, 10 Oct 2025 15:20:50 GMT + request: + body: + encoding: UTF-8 + string: '{"data":{"attributes":{"actions":[{"set":{"default_value":"/dev/null","expression":"open.file.path","name":"test_set","scope":"process"}}],"description":"My + Agent rule with set action with expression","enabled":true,"expression":"exec.file.name + == \"sh\"","filters":[],"name":"testcreateaworkloadprotectionagentrulewithsetactionwithexpressionreturnsokresponse1760109650","policy_id":"lrl-nbx-opl","product_tags":[]},"type":"agent_rule"}}' + headers: + Accept: + - application/json + Content-Type: + - application/json + method: POST + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules + response: + body: + encoding: UTF-8 + string: 
'{"data":{"id":"ye3-8k9-6ut","type":"agent_rule","attributes":{"actions":[{"set":{"name":"test_set","default_value":"/dev/null","scope":"process","expression":"open.file.path","inherited":false},"disabled":false}],"category":"Process + Activity","creationDate":1760109651835,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule with set action with expression","enabled":true,"expression":"exec.file.name + == \"sh\"","filters":["os == \"linux\""],"monitoring":["lrl-nbx-opl"],"name":"testcreateaworkloadprotectionagentrulewithsetactionwithexpressionreturnsokresponse1760109650","product_tags":[],"updateDate":1760109651835,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' + headers: + Content-Type: + - application/json + status: + code: 200 + message: OK +- recorded_at: Fri, 10 Oct 2025 15:20:50 GMT + request: + body: null + headers: + Accept: + - '*/*' + method: DELETE + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/ye3-8k9-6ut + response: + body: + encoding: UTF-8 + string: '' + headers: + Content-Type: + - application/json + status: + code: 204 + message: No Content +- recorded_at: Fri, 10 Oct 2025 15:20:50 GMT + request: + body: null + headers: + Accept: + - '*/*' + method: DELETE + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/lrl-nbx-opl + response: + body: + encoding: UTF-8 + string: '' + headers: + Content-Type: + - application/json + status: + code: 204 + message: No Content +recorded_with: VCR 6.0.0 diff --git a/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-policy-returns-Bad-Request-response.frozen b/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-policy-returns-Bad-Request-response.frozen index e998e87f4b10..54a7e9471ae5 100644 --- a/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-policy-returns-Bad-Request-response.frozen 
+++ b/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-policy-returns-Bad-Request-response.frozen @@ -1 +1 @@ -2025-05-27T10:25:00.102Z \ No newline at end of file +2025-10-10T15:20:54.465Z \ No newline at end of file diff --git a/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-policy-returns-Bad-Request-response.yml b/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-policy-returns-Bad-Request-response.yml index 254c24bf1e6e..bd7d9b81b328 100644 --- a/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-policy-returns-Bad-Request-response.yml +++ b/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-policy-returns-Bad-Request-response.yml @@ -1,5 +1,5 @@ http_interactions: -- recorded_at: Tue, 27 May 2025 10:25:00 GMT +- recorded_at: Fri, 10 Oct 2025 15:20:54 GMT request: body: encoding: UTF-8 diff --git a/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-policy-returns-OK-response.frozen b/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-policy-returns-OK-response.frozen index f394d130a705..082197c3c7f2 100644 --- a/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-policy-returns-OK-response.frozen +++ b/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-policy-returns-OK-response.frozen @@ -1 +1 @@ -2025-05-27T10:25:00.463Z \ No newline at end of file +2025-10-10T15:20:54.885Z \ No newline at end of file diff --git a/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-policy-returns-OK-response.yml b/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-policy-returns-OK-response.yml index d067ac566137..fbff7f28ce2b 100644 --- a/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-policy-returns-OK-response.yml +++ b/cassettes/features/v2/csm_threats/Create-a-Workload-Protection-policy-returns-OK-response.yml 
@@ -1,9 +1,9 @@ http_interactions: -- recorded_at: Tue, 27 May 2025 10:25:00 GMT +- recorded_at: Fri, 10 Oct 2025 15:20:54 GMT request: body: encoding: UTF-8 - string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTagsLists":[["env:test"]],"name":"my_agent_policy"},"type":"policy"}}' + string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTagsLists":[["env:test"]],"name":"my_agent_policy_2"},"type":"policy"}}' headers: Accept: - application/json @@ -14,22 +14,22 @@ http_interactions: response: body: encoding: UTF-8 - string: '{"data":{"id":"sw9-gtj-ll2","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":1,"enabled":true,"hostTagsLists":[["env:test"]],"monitoringRulesCount":225,"name":"my_agent_policy","policyVersion":"1","priority":1000000011,"ruleCount":226,"updateDate":1748341500859,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' + string: '{"data":{"id":"fwg-18e-cfb","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":1,"enabled":true,"hostTagsLists":[["env:test"]],"monitoringRulesCount":7,"name":"my_agent_policy_2","pinned":false,"policyVersion":"1","ruleCount":8,"updateDate":1760109655264,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' headers: Content-Type: - application/json status: code: 200 message: OK -- recorded_at: Tue, 27 May 2025 10:25:00 GMT +- recorded_at: Fri, 10 Oct 2025 15:20:54 GMT request: body: null headers: Accept: - '*/*' method: DELETE - uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/sw9-gtj-ll2 + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/fwg-18e-cfb response: body: encoding: UTF-8 
diff --git a/cassettes/features/v2/csm_threats/Delete-a-Workload-Protection-agent-rule-returns-Not-Found-response.frozen b/cassettes/features/v2/csm_threats/Delete-a-Workload-Protection-agent-rule-returns-Not-Found-response.frozen index fc02242c0124..305ade4fefea 100644 --- a/cassettes/features/v2/csm_threats/Delete-a-Workload-Protection-agent-rule-returns-Not-Found-response.frozen +++ b/cassettes/features/v2/csm_threats/Delete-a-Workload-Protection-agent-rule-returns-Not-Found-response.frozen @@ -1 +1 @@ -2025-05-27T10:25:01.784Z \ No newline at end of file +2025-10-10T15:20:56.705Z \ No newline at end of file diff --git a/cassettes/features/v2/csm_threats/Delete-a-Workload-Protection-agent-rule-returns-Not-Found-response.yml b/cassettes/features/v2/csm_threats/Delete-a-Workload-Protection-agent-rule-returns-Not-Found-response.yml index 9f6a16d53a93..e76365f49d10 100644 --- a/cassettes/features/v2/csm_threats/Delete-a-Workload-Protection-agent-rule-returns-Not-Found-response.yml +++ b/cassettes/features/v2/csm_threats/Delete-a-Workload-Protection-agent-rule-returns-Not-Found-response.yml @@ -1,5 +1,5 @@ http_interactions: -- recorded_at: Tue, 27 May 2025 10:25:01 GMT +- recorded_at: Fri, 10 Oct 2025 15:20:56 GMT request: body: null headers: diff --git a/cassettes/features/v2/csm_threats/Delete-a-Workload-Protection-agent-rule-returns-OK-response.frozen b/cassettes/features/v2/csm_threats/Delete-a-Workload-Protection-agent-rule-returns-OK-response.frozen index 965ca7d54074..87d2cb8ed44b 100644 --- a/cassettes/features/v2/csm_threats/Delete-a-Workload-Protection-agent-rule-returns-OK-response.frozen +++ b/cassettes/features/v2/csm_threats/Delete-a-Workload-Protection-agent-rule-returns-OK-response.frozen @@ -1 +1 @@ -2025-06-13T15:16:43.100Z \ No newline at end of file +2025-10-10T15:20:57.428Z \ No newline at end of file 
diff --git a/cassettes/features/v2/csm_threats/Delete-a-Workload-Protection-agent-rule-returns-OK-response.yml b/cassettes/features/v2/csm_threats/Delete-a-Workload-Protection-agent-rule-returns-OK-response.yml index 713947d4f694..a8d6fe464337 100644 --- a/cassettes/features/v2/csm_threats/Delete-a-Workload-Protection-agent-rule-returns-OK-response.yml +++ b/cassettes/features/v2/csm_threats/Delete-a-Workload-Protection-agent-rule-returns-OK-response.yml @@ -1,9 +1,9 @@ http_interactions: -- recorded_at: Fri, 13 Jun 2025 15:16:43 GMT +- recorded_at: Fri, 10 Oct 2025 15:20:57 GMT request: body: encoding: UTF-8 - string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testdeleteaworkloadprotectionagentrulereturnsokresponse1749827803"},"type":"policy"}}' + string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testdeleteaworkloadprotectionagentrulereturnsokresponse1760109657"},"type":"policy"}}' headers: Accept: - application/json 
@@ -14,20 +14,20 @@ http_interactions: response: body: encoding: UTF-8 - string: '{"data":{"id":"tn0-tjy-vwh","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"testdeleteaworkloadprotectionagentrulereturnsokresponse1749827803","policyVersion":"1","priority":1000000013,"ruleCount":226,"updateDate":1749827803539,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' + string: '{"data":{"id":"xm5-r6n-xej","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":1,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":7,"name":"testdeleteaworkloadprotectionagentrulereturnsokresponse1760109657","pinned":false,"policyVersion":"1","ruleCount":8,"updateDate":1760109657799,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' headers: Content-Type: - application/json status: code: 200 message: OK -- recorded_at: Fri, 13 Jun 2025 15:16:43 GMT +- recorded_at: Fri, 10 Oct 2025 15:20:57 GMT request: body: encoding: UTF-8 string: '{"data":{"attributes":{"actions":[{"set":{"name":"test_set","scope":"process","value":"test_value"}},{"hash":{}}],"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","name":"testdeleteaworkloadprotectionagentrulereturnsokresponse1749827803","policy_id":"tn0-tjy-vwh","product_tags":["security:attack","technique:T1059"]},"type":"agent_rule"}}' + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","name":"testdeleteaworkloadprotectionagentrulereturnsokresponse1760109657","policy_id":"xm5-r6n-xej","product_tags":["security:attack","technique:T1059"]},"type":"agent_rule"}}' headers: Accept: - application/json 
@@ -38,24 +38,24 @@ http_interactions: response: body: encoding: UTF-8 - string: '{"data":{"id":"hm0-n7p-hq7","type":"agent_rule","attributes":{"actions":[{"set":{"name":"test_set","value":"test_value","scope":"process"},"disabled":false},{"hash":{},"disabled":false}],"category":"Process - Activity","creationDate":1749827804150,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + string: '{"data":{"id":"tpa-28k-utt","type":"agent_rule","attributes":{"actions":[{"set":{"name":"test_set","value":"test_value","scope":"process","inherited":false},"disabled":false},{"hash":{},"disabled":false}],"category":"Process + Activity","creationDate":1760109658753,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["tn0-tjy-vwh"],"name":"testdeleteaworkloadprotectionagentrulereturnsokresponse1749827803","product_tags":["security:attack","technique:T1059"],"updateDate":1749827804150,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' + == \"linux\""],"monitoring":["xm5-r6n-xej"],"name":"testdeleteaworkloadprotectionagentrulereturnsokresponse1760109657","product_tags":["security:attack","technique:T1059"],"updateDate":1760109658753,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' headers: Content-Type: - application/json status: code: 200 message: OK -- recorded_at: Fri, 13 Jun 2025 15:16:43 GMT +- recorded_at: Fri, 10 Oct 2025 15:20:57 GMT request: body: null headers: Accept: - '*/*' method: DELETE - uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/hm0-n7p-hq7?policy_id=tn0-tjy-vwh + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/tpa-28k-utt?policy_id=xm5-r6n-xej response: body: encoding: UTF-8 
@@ -66,14 +66,14 @@ http_interactions: status: code: 204 message: No Content -- recorded_at: Fri, 13 Jun 2025 15:16:43 GMT +- recorded_at: Fri, 10 Oct 2025 15:20:57 GMT request: body: null headers: Accept: - '*/*' method: DELETE - uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/hm0-n7p-hq7 + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/tpa-28k-utt response: body: encoding: UTF-8 @@ -86,14 +86,14 @@ http_interactions: status: code: 404 message: Not Found -- recorded_at: Fri, 13 Jun 2025 15:16:43 GMT +- recorded_at: Fri, 10 Oct 2025 15:20:57 GMT request: body: null headers: Accept: - '*/*' method: DELETE - uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/tn0-tjy-vwh + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/xm5-r6n-xej response: body: encoding: UTF-8 diff --git a/cassettes/features/v2/csm_threats/Delete-a-Workload-Protection-policy-returns-Not-Found-response.frozen b/cassettes/features/v2/csm_threats/Delete-a-Workload-Protection-policy-returns-Not-Found-response.frozen index 47f79afb0a54..de2709ec9c4f 100644 --- a/cassettes/features/v2/csm_threats/Delete-a-Workload-Protection-policy-returns-Not-Found-response.frozen +++ b/cassettes/features/v2/csm_threats/Delete-a-Workload-Protection-policy-returns-Not-Found-response.frozen @@ -1 +1 @@ -2025-05-27T10:25:05.781Z \ No newline at end of file +2025-10-10T15:21:03.071Z \ No newline at end of file diff --git a/cassettes/features/v2/csm_threats/Delete-a-Workload-Protection-policy-returns-Not-Found-response.yml b/cassettes/features/v2/csm_threats/Delete-a-Workload-Protection-policy-returns-Not-Found-response.yml index fc790ad08adc..99ddbc7d184e 100644 --- a/cassettes/features/v2/csm_threats/Delete-a-Workload-Protection-policy-returns-Not-Found-response.yml +++ b/cassettes/features/v2/csm_threats/Delete-a-Workload-Protection-policy-returns-Not-Found-response.yml 
@@ -1,5 +1,5 @@ http_interactions: -- recorded_at: Tue, 27 May 2025 10:25:05 GMT +- recorded_at: Fri, 10 Oct 2025 15:21:03 GMT request: body: null headers: diff --git a/cassettes/features/v2/csm_threats/Delete-a-Workload-Protection-policy-returns-OK-response.frozen b/cassettes/features/v2/csm_threats/Delete-a-Workload-Protection-policy-returns-OK-response.frozen index 4fc00c20a67e..297fc82a10ff 100644 --- a/cassettes/features/v2/csm_threats/Delete-a-Workload-Protection-policy-returns-OK-response.frozen +++ b/cassettes/features/v2/csm_threats/Delete-a-Workload-Protection-policy-returns-OK-response.frozen @@ -1 +1 @@ -2025-05-27T10:25:06.233Z \ No newline at end of file +2025-10-10T15:21:03.805Z \ No newline at end of file diff --git a/cassettes/features/v2/csm_threats/Delete-a-Workload-Protection-policy-returns-OK-response.yml b/cassettes/features/v2/csm_threats/Delete-a-Workload-Protection-policy-returns-OK-response.yml index 754cd42517d8..e04e84b92489 100644 --- a/cassettes/features/v2/csm_threats/Delete-a-Workload-Protection-policy-returns-OK-response.yml +++ b/cassettes/features/v2/csm_threats/Delete-a-Workload-Protection-policy-returns-OK-response.yml @@ -1,9 +1,9 @@ http_interactions: -- recorded_at: Tue, 27 May 2025 10:25:06 GMT +- recorded_at: Fri, 10 Oct 2025 15:21:03 GMT request: body: encoding: UTF-8 - string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testdeleteaworkloadprotectionpolicyreturnsokresponse1748341506"},"type":"policy"}}' + string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testdeleteaworkloadprotectionpolicyreturnsokresponse1760109663"},"type":"policy"}}' headers: Accept: - application/json 
@@ -14,22 +14,22 @@ http_interactions: response: body: encoding: UTF-8 - string: '{"data":{"id":"1a4-eoy-qob","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"testdeleteaworkloadprotectionpolicyreturnsokresponse1748341506","policyVersion":"1","priority":1000000011,"ruleCount":226,"updateDate":1748341506537,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' + string: '{"data":{"id":"qdn-itt-2ed","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":1,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":7,"name":"testdeleteaworkloadprotectionpolicyreturnsokresponse1760109663","pinned":false,"policyVersion":"1","ruleCount":8,"updateDate":1760109664181,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' headers: Content-Type: - application/json status: code: 200 message: OK -- recorded_at: Tue, 27 May 2025 10:25:06 GMT +- recorded_at: Fri, 10 Oct 2025 15:21:03 GMT request: body: null headers: Accept: - '*/*' method: DELETE - uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/1a4-eoy-qob + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/qdn-itt-2ed response: body: encoding: UTF-8 @@ -40,14 +40,14 @@ http_interactions: status: code: 204 message: No Content -- recorded_at: Tue, 27 May 2025 10:25:06 GMT +- recorded_at: Fri, 10 Oct 2025 15:21:03 GMT request: body: null headers: Accept: - '*/*' method: DELETE - uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/1a4-eoy-qob + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/qdn-itt-2ed response: body: encoding: UTF-8 
diff --git a/cassettes/features/v2/csm_threats/Download-the-Workload-Protection-policy-US1-FED-returns-OK-response.frozen b/cassettes/features/v2/csm_threats/Download-the-Workload-Protection-policy-US1-FED-returns-OK-response.frozen index 29ef0a52fb33..4bafa3fab2b9 100644 --- a/cassettes/features/v2/csm_threats/Download-the-Workload-Protection-policy-US1-FED-returns-OK-response.frozen +++ b/cassettes/features/v2/csm_threats/Download-the-Workload-Protection-policy-US1-FED-returns-OK-response.frozen @@ -1 +1 @@ -2025-05-27T10:25:07.908Z \ No newline at end of file +2025-10-10T15:21:06.447Z \ No newline at end of file diff --git a/cassettes/features/v2/csm_threats/Download-the-Workload-Protection-policy-US1-FED-returns-OK-response.yml b/cassettes/features/v2/csm_threats/Download-the-Workload-Protection-policy-US1-FED-returns-OK-response.yml index 2095177f6006..14df3962f7df 100644 --- a/cassettes/features/v2/csm_threats/Download-the-Workload-Protection-policy-US1-FED-returns-OK-response.yml +++ b/cassettes/features/v2/csm_threats/Download-the-Workload-Protection-policy-US1-FED-returns-OK-response.yml @@ -1,5 +1,5 @@ http_interactions: -- recorded_at: Tue, 27 May 2025 10:25:07 GMT +- recorded_at: Fri, 10 Oct 2025 15:21:06 GMT request: body: null headers: @@ -12,7 +12,7 @@ http_interactions: encoding: UTF-8 string: "# IMPORTANT: Edits to this file will not be reflected in the Datadog\ \ App and will be overwritten with new policy file downloads. Please modify\ - \ rules in the Datadog App for full functionality.\nversion: '1748341508354'\n\ + \ rules in the Datadog App for full functionality.\nversion: '1760109666865'\n\ rules:\n- id: apparmor_modified_tty\n version: a7f3b5c2\n description: An\ \ AppArmor profile was modified in an interactive session\n expression: exec.file.name\ \ in [\"aa-disable\", \"aa-complain\", \"aa-audit\"] && exec.tty_name\n \ 
@@ -22,16 +22,17 @@ http_interactions: \ not in [\"s\", \"l\"]\n agent_version: ''\n filters:\n - os == \"linux\"\ \n- id: auditd_config_modified\n version: c7f52a7a\n description: The auditd\ \ configuration file was modified without using auditctl\n expression: open.file.path\ - \ == \"/etc/audit/auditd.conf\" && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)\n\ - \ > 0 && process.file.name != \"auditctl\"\n agent_version: ''\n filters:\ - \ []\n- id: auditd_rule_file_modified\n version: c533115d\n description:\ - \ The auditd rules file was modified without using auditctl\n expression:\ - \ open.file.path in [\"/etc/audit/rules.d/audit.rules\", \"/etc/audit/audit.rules\"\ - ]\n && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && process.file.name\ - \ !=\n \"auditctl\"\n agent_version: ''\n filters: []\n- id: aws_eks_service_account_token_accessed\n\ - \ version: d6a7a4a0\n description: The AWS EKS service account token was\ - \ accessed\n expression: open.file.path =~ \"/var/run/secrets/eks.amazonaws.com/serviceaccount/**\"\ - \n && open.file.name == \"token\" && process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\"\ + \ == \"/etc/audit/auditd.conf\" && open.flags & (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY)\n\ + \ > 0 && process.file.name != \"auditctl\"\n agent_version: ''\n filters:\n\ + \ - os == \"linux\"\n- id: auditd_rule_file_modified\n version: c533115d\n\ + \ description: The auditd rules file was modified without using auditctl\n\ + \ expression: open.file.path in [\"/etc/audit/rules.d/audit.rules\", \"/etc/audit/audit.rules\"\ + ]\n && open.flags & (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) > 0 && process.file.name\n\ + \ != \"auditctl\"\n agent_version: ''\n filters:\n - os == \"linux\"\ + \n- id: aws_eks_service_account_token_accessed\n version: d6a7a4a0\n description:\ + \ The AWS EKS service account token was accessed\n expression: open.file.path\ + \ =~ \"/var/run/secrets/eks.amazonaws.com/serviceaccount/**\"\n && 
open.file.name\ + \ == \"token\" && process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\"\ ,\n \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\"\ ,\n \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\"\ ,\n \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\"\ 
@@ -60,25 +61,54 @@ http_interactions: \ f41c1e36\n description: A compiler wrote a suspicious file in a container\n\ \ expression: |-\n open.flags & O_CREAT > 0\n && (\n (open.file.path\ \ =~ \"/tmp/**\" && open.file.name in [~\"*.ko\", ~\".*\"])\n || open.file.path\ - \ in [~\"/var/tmp/**\", ~\"/dev/shm/**\", ~\"/root/**\", ~\"*/bin/*\", ~\"\ - /usr/local/lib/**\"]\n )\n && (process.comm in [\"javac\", \"clang\"\ - , \"gcc\",\"bcc\"] || process.ancestors.comm in [\"javac\", \"clang\", \"\ - gcc\",\"bcc\"])\n && process.file.name not in [\"pip\", ~\"python*\"]\n\ - \ && container.id != \"\"\n agent_version: ''\n filters: []\n- id: compiler_in_container\n\ + \ in [~\"/var/tmp/**\", ~\"/root/**\", ~\"*/bin/*\", ~\"/usr/local/lib/**\"\ + ]\n )\n && (process.comm in [\"javac\", \"clang\", \"gcc\", \"bcc\"\ + ] || process.ancestors.comm in [\"javac\", \"clang\", \"gcc\", \"bcc\"] ||\ + \ process.file.name in [\"javac\", \"clang\", \"gcc\", \"bcc\"] || process.ancestors.file.name\ + \ in [\"javac\", \"clang\", \"gcc\", \"bcc\"])\n && process.file.name not\ + \ in [\"pip\", ~\"python*\"]\n && container.id != \"\"\n agent_version:\ + \ ''\n filters:\n - os == \"linux\"\n actions:\n - hash: {}\n- id: compiler_in_container\n\ \ version: 441a7e85\n description: Compiler Executed in Container\n expression:\ \ (exec.file.name in [\"javac\", \"clang\", \"gcc\",\"bcc\"] || (exec.file.name\n\ \ == \"go\" && exec.args in [~\"*build*\", ~\"*run*\"])) && container.id\ \ !=\"\" && process.ancestors.file.path\n != \"/usr/bin/cilium-agent\"\n\ - \ agent_version: ''\n filters: []\n- id: credential_modified_chmod\n version:\ - \ 7e14d921\n description: Sensitive credential files were modified using\ - \ a non-standard tool\n expression: |-\n (\n (chmod.file.path in\ - \ [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not\ - \ in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\"\ - , \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", 
\"/usr/bin/dockerd\"\ - , \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\"\ - , \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\"\ - , \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path\ - \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ + \ agent_version: ''\n filters: []\n- id: container_breakout_enumeration_tool\n\ + \ version: b14ba979\n description: A container performed various enumeration\ + \ activities including checking\n container runtime, process privileges,\ + \ user namespace mappings, Linux Security\n Modules, mount points, and\ + \ network namespaces.\n expression: \"container.id != \\\"\\\" && (\\n open.file.path\ + \ in [~\\\"/run/systemd/container\\\"\\\n ] ||\\n open.file.path in [~\\\ + \"/proc/*/status\\\", ~\\\"/proc/*/task/*/status\\\"] ||\\n\\\n \\ (open.file.path\ + \ in [~\\\"/proc/*/uid_map\\\"] && process.file.name not in [\\\"runc\\\"\\\ + \n ]) ||\\n open.file.path in [~\\\"/proc/*/attr/current\\\"] ||\\n open.file.path\ + \ in\\\n \\ [~\\\"/proc/*/mountinfo\\\"] ||\\n open.file.path in [~\\\"\ + /proc/*/cgroup\\\"] ||\\n\\\n \\ open.file.path in [~\\\"/proc/net/unix\\\ + \"]\\n) &&\\nprocess.file.in_upper_layer\\\n \\ && \\nprocess.file.path\ + \ not in [\\\"/opt/datadog-agent/embedded/bin/agent\\\", \\\"\\\n /opt/datadog-agent/embedded/bin/system-probe\\\ + \", \\\"/opt/datadog-agent/embedded/bin/security-agent\\\"\\\n , \\\"/opt/datadog-agent/embedded/bin/process-agent\\\ + \", \\\"/opt/datadog-agent/embedded/bin/trace-agent\\\"\\\n , \\\"/opt/datadog-agent/bin/agent/agent\\\ + \", \\\"/opt/datadog/apm/inject/auto_inject_runc\\\"\\\n , \\\"/usr/bin/dd-host-install\\\ + \", \\\"/usr/bin/dd-host-container-install\\\", \\\"/usr/bin/dd-container-install\\\ + \"\\\n , \\\"/opt/datadog-agent/bin/datadog-cluster-agent\\\", ~\\\"/opt/datadog-packages/**\\\ + \"\\\n , 
~\\\"/opt/datadog-installer/**\\\"] \"\n agent_version: ''\n\ + \ filters:\n - os == \"linux\"\n- id: core_pattern_write\n version: c6fdee59\n\ + \ description: Detect any attempt to modify /proc/sys/kernel/core_pattern\ + \ from a container,\n which might result to escape to host when a core\ + \ dump is triggered.\n expression: \"open.file.name == \\\"core_pattern\\\ + \" &&\\nopen.file.filesystem == \\\"proc\\\"\\\n \\ &&\\nopen.flags & (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY)\ + \ > 0 && \\ncontainer.id\\\n \\ != \\\"\\\"\"\n agent_version: ''\n filters:\n\ + \ - os == \"linux\"\n actions:\n - set:\n field: container.id\n \ + \ name: core_pattern_write_container_id\n scope: container\n \ + \ ttl: 1800000000000\n- id: credential_modified_chmod\n version: 7e14d921\n\ + \ description: Sensitive credential files were modified using a non-standard\ + \ tool\n expression: |-\n (\n (chmod.file.path in [ \"/etc/shadow\"\ + , \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\"\ + , \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\"\ + , \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\"\ + , \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"\ + /usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\"\ + , \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"\ + /usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ /usr/lib/snapd/snapd\"]\n ) && chmod.file.destination.mode != chmod.file.mode\n\ \ agent_version: ''\n filters: []\n- id: credential_modified_chown\n version:\ 
@@ -91,14 +121,27 @@ http_interactions: , \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\"\ , \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path\ \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ - , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ - /usr/lib/snapd/snapd\"]\n ) && (chown.file.destination.uid != chown.file.uid\ - \ || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n\ - \ filters: []\n- id: credential_modified_link\n version: 7594ec54\n description:\ - \ Sensitive credential files were modified using a non-standard tool\n expression:\ - \ |-\n (\n (link.file.path in [ \"/etc/shadow\", \"/etc/gshadow\"\ - \ ]\n || link.file.destination.path in [ \"/etc/shadow\", \"/etc/gshadow\"\ - \ ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\"\ + , \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && (chown.file.destination.uid\ + \ != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version:\ + \ ''\n filters:\n - os == \"linux\"\n- id: credential_modified_link\n version:\ + \ 7594ec54\n description: Sensitive credential files were modified using\ + \ a non-standard tool\n expression: |-\n (\n (link.file.path in\ + \ [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || link.file.destination.path\ + \ in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path\ + \ not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\"\ + , \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\"\ + , \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\"\ + , \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\"\ + , \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path\ + \ not in 
[~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\"\ + , \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n \ + \ filters:\n - os == \"linux\"\n- id: credential_modified_open_v2\n version:\ + \ 5aec9afe\n description: Sensitive credential files were modified using\ + \ a non-standard tool\n expression: |-\n (\n open.flags & ((O_CREAT|O_RDWR|O_WRONLY|O_TRUNC))\ + \ > 0 &&\n (open.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n\ + \ && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\"\ , \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\"\ , \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\"\ , \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"\ 
@@ -106,25 +149,25 @@ http_interactions: \ ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"\ /usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\"\ , ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ - ]\n )\n agent_version: ''\n filters: []\n- id: credential_modified_open_v2\n\ - \ version: 5aec9afe\n description: Sensitive credential files were modified\ - \ using a non-standard tool\n expression: |-\n (\n open.flags &\ - \ ((O_CREAT|O_RDWR|O_WRONLY|O_TRUNC)) > 0 &&\n (open.file.path in [\ - \ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in\ - \ [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\"\ - , \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\"\ - , \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\"\ - , \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\"\ - , \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path\ - \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ - , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ - /usr/lib/snapd/snapd\"]\n ) && container.created_at > 90s\n agent_version:\ - \ ''\n filters:\n - os == \"linux\"\n- id: credential_modified_rename\n\ - \ version: 8bb8242b\n description: Sensitive credential files were modified\ - \ using a non-standard tool\n expression: |-\n (\n (rename.file.path\ - \ in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || rename.file.destination.path\ - \ in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path\ - \ not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\"\ + ]\n ) && container.created_at > 90s\n agent_version: ''\n filters:\n\ + \ - os == \"linux\"\n- id: credential_modified_rename\n version: 8bb8242b\n\ + \ description: Sensitive credential files were modified using a 
non-standard\ + \ tool\n expression: |-\n (\n (rename.file.path in [ \"/etc/shadow\"\ + , \"/etc/gshadow\" ]\n || rename.file.destination.path in [ \"/etc/shadow\"\ + , \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\"\ + , \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\"\ + , \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\"\ + , \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"\ + /usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\"\ + , \"/usr/bin/passwd\" ]\n && process.ancestors.file.path not in [~\"\ + /usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\"\ + , \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n \ + \ filters:\n - os == \"linux\"\n- id: credential_modified_unlink\n version:\ + \ 5af577d\n description: Sensitive credential files were modified using a\ + \ non-standard tool\n expression: |-\n (\n (unlink.file.path in\ + \ [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not\ + \ in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\"\ , \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\"\ , \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\"\ , \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\"\ 
@@ -132,9 +175,9 @@ http_interactions: \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ /usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id:\ - \ credential_modified_unlink\n version: 5af577d\n description: Sensitive\ + \ credential_modified_utimes\n version: 1c101338\n description: Sensitive\ \ credential files were modified using a non-standard tool\n expression:\ - \ |-\n (\n (unlink.file.path in [ \"/etc/shadow\", \"/etc/gshadow\"\ + \ |-\n (\n (utimes.file.path in [ \"/etc/shadow\", \"/etc/gshadow\"\ \ ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\"\ , \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\"\ , \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\"\ 
@@ -142,89 +185,88 @@ http_interactions: /usr/bin/gpasswd\", \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\"\ \ ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"\ /usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\"\ - , ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ - ]\n )\n agent_version: ''\n filters: []\n- id: credential_modified_utimes\n\ - \ version: 1c101338\n description: Sensitive credential files were modified\ - \ using a non-standard tool\n expression: |-\n (\n (utimes.file.path\ - \ in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path\ - \ not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\"\ - , \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\"\ - , \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\"\ - , \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\"\ - , \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path\ - \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ - , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"]\n\ - \ )\n agent_version: ''\n filters: []\n- id: cron_at_job_creation_chmod\n\ - \ version: 13512ebc\n description: An unauthorized job was added to cron\ - \ scheduling\n expression: |-\n (\n (chmod.file.path in [ ~\"/var/spool/cron/**\"\ - , ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path\ + , ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"\ + , \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters:\n - os\ + \ == \"linux\"\n- id: critical_windows_files_modified\n version: e96784de\n\ + \ description: a critical windows file was modified\n expression: write.file.device_path\ + \ in [~\"\\Device\\*\\windows\\system32\\**\"]\n agent_version: ''\n filters:\n\ + \ - os == 
\"windows\"\n- id: cron_at_job_creation_chmod\n version: 13512ebc\n\ + \ description: An unauthorized job was added to cron scheduling\n expression:\ + \ |-\n (\n (chmod.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\"\ + , ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n && process.file.path\ \ not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n ) && chmod.file.destination.mode\ \ != chmod.file.mode\n && process.file.path not in [~\"/usr/bin/apt*\"\ , \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"\ /usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\"\ - , \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n\ - - id: cron_at_job_creation_chown\n version: ee7b306c\n description: An unauthorized\ - \ job was added to cron scheduling\n expression: |-\n (\n (chown.file.path\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n agent_version:\ + \ ''\n filters:\n - os == \"linux\"\n- id: cron_at_job_creation_chown\n\ + \ version: ee7b306c\n description: An unauthorized job was added to cron\ + \ scheduling\n expression: |-\n (\n (chown.file.path in [ ~\"/var/spool/cron/**\"\ + , ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path\ + \ not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n ) && (chown.file.destination.uid\ + \ != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n \ + \ && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\"\ + , \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\"\ + , \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version:\ + \ ''\n filters: []\n- id: cron_at_job_creation_link\n version: b83e03f6\n\ + \ description: An unauthorized job was added to cron scheduling\n expression:\ + \ |-\n (\n (link.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\"\ + , ~\"/etc/crontab\", ~\"/etc/crontabs/**\"]\n || link.file.destination.path\ \ in 
[ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n\ \ && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\"\ - \ ]\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid\ - \ != chown.file.gid)\n && process.file.path not in [~\"/usr/bin/apt*\"\ - , \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"\ - /usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\"\ - , \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n\ - - id: cron_at_job_creation_link\n version: b83e03f6\n description: An unauthorized\ - \ job was added to cron scheduling\n expression: |-\n (\n (link.file.path\ - \ in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ]\n\ - \ || link.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\"\ + \ ]\n )\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ + , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\"\ + , \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"\ + /usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n agent_version: ''\n filters:\n\ + \ - os == \"linux\"\n- id: cron_at_job_creation_open\n version: 561ad06\n\ + \ description: An unauthorized job was added to cron scheduling\n expression:\ + \ |-\n (\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n \ + \ (open.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"\ + /etc/crontab\", ~\"/etc/crontabs/**\"])\n && process.file.path not\ + \ in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n )\n && process.file.path\ + \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ + , \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n agent_version:\ + \ ''\n filters:\n - os == \"linux\"\n- id: cron_at_job_creation_rename\n\ + \ version: 
59b739d8\n description: An unauthorized job was added to cron\ + \ scheduling\n expression: |-\n (\n (rename.file.path in [ ~\"\ + /var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ]\n ||\ + \ rename.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\"\ , ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\"\ , \"/usr/bin/crontab\" ]\n )\n && process.file.path not in [~\"/usr/bin/apt*\"\ , \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"\ /usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\"\ , \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n\ - - id: cron_at_job_creation_open\n version: 561ad06\n description: An unauthorized\ - \ job was added to cron scheduling\n expression: |-\n (\n open.flags\ - \ & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/var/spool/cron/**\"\ - , ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path\ - \ not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n )\n && process.file.path\ - \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ - , \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\"\ - , \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n\ - - id: cron_at_job_creation_rename\n version: 59b739d8\n description: An\ + - id: cron_at_job_creation_unlink\n version: 82b6d187\n description: An\ \ unauthorized job was added to cron scheduling\n expression: |-\n (\n\ - \ (rename.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\"\ - , ~\"/etc/crontab\" ]\n || rename.file.destination.path in [ ~\"/var/spool/cron/**\"\ - , ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path\ + \ (unlink.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\"\ + , ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n && process.file.path\ \ not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n )\n && process.file.path\ 
\ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ , \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\"\ - , \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n\ - - id: cron_at_job_creation_unlink\n version: 82b6d187\n description: An\ - \ unauthorized job was added to cron scheduling\n expression: |-\n (\n\ - \ (unlink.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\"\ - , ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\"\ - , \"/usr/bin/crontab\" ]\n )\n && process.file.path not in [~\"/usr/bin/apt*\"\ - , \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"\ - /usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\"\ - , \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n\ - - id: cron_at_job_creation_utimes\n version: d460ba68\n description: An\ - \ unauthorized job was added to cron scheduling\n expression: |-\n (\n\ - \ (utimes.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\"\ - , ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\"\ - , \"/usr/bin/crontab\" ]\n )\n && process.file.path not in [~\"/usr/bin/apt*\"\ - , \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"\ - /usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\"\ - , \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n agent_version: ''\n filters: []\n\ - - id: cryptominer_args\n version: fc017137\n description: A process launched\ - \ with arguments associated with cryptominers\n expression: exec.args_options\ - \ in [~\"cpu-priority*\", ~\"donate-level*\"] || exec.args\n in [~\"*stratum+tcp*\"\ - ]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: cryptominer_envs\n\ - \ version: 654a00aa\n description: Process environment variables match cryptocurrency\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n agent_version:\ + \ ''\n 
filters:\n - os == \"linux\"\n- id: cron_at_job_creation_utimes\n\ + \ version: d460ba68\n description: An unauthorized job was added to cron\ + \ scheduling\n expression: |-\n (\n (utimes.file.path in [ ~\"\ + /var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n &&\ + \ process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n \ + \ )\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ + , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\"\ + , \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"\ + /usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: cryptominer_args\n\ + \ version: fc017137\n description: A process launched with arguments associated\ + \ with cryptominers\n expression: exec.args_options in [~\"cpu-priority*\"\ + , ~\"donate-level*\"] || exec.args\n in [~\"*stratum+tcp*\"]\n agent_version:\ + \ ''\n filters:\n - os == \"linux\"\n- id: cryptominer_envs\n version:\ + \ 654a00aa\n description: Process environment variables match cryptocurrency\ \ miner\n expression: exec.envs in [\"POOL_USER\", \"POOL_URL\", \"POOL_PASS\"\ , \"DONATE_LEVEL\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n\ - - id: curl_docker_socket\n version: f736b6e6\n description: The Docker socket\ - \ was referenced in a cURL command\n expression: exec.file.name == \"curl\"\ - \ && exec.args_flags in [\"unix-socket\"] && exec.args\n in [\"*docker.sock*\"\ - ] && container.id != \"\"\n agent_version: ''\n filters: []\n- id: database_shell_execution\n\ + - id: curl_mgmt_socket\n version: f736b6e6\n description: A container management\ + \ socket was referenced in a cURL command\n expression: exec.file.name ==\ + \ \"curl\" && exec.args_flags in [\"unix-socket\"] && exec.args\n in [~\"\ + *docker.sock*\", ~\"*dockershim.sock*\", ~\"*containerd.sock*\", ~\"*crio.sock*\"\ + ,\n ~\"*frakti.sock*\", ~\"*rktlet.sock*\"] && container.id != \"\"\n \ + \ agent_version: ''\n filters:\n - os 
== \"linux\"\n- id: database_shell_execution\n\ \ version: 3508c713\n description: A database application spawned a shell,\ \ shell utility, or HTTP utility\n expression: |-\n (exec.file.path in\ \ [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"\ 
@@ -265,10 +307,20 @@ http_interactions: \ in [\"mysqld\", \"mongod\", \"postgres\"] &&\n !(process.parent.file.name\ \ == \"initdb\" &&\n exec.args == \"-c locale -a\") &&\n !(process.parent.file.name\ \ == \"postgres\" &&\n exec.args == ~\"*pg_wal*\")\n agent_version: ''\n\ - \ filters:\n - os == \"linux\"\n- id: deploy_priv_container\n version:\ - \ 356d5ee7\n description: A privileged container was created\n expression:\ - \ exec.file.name != \"\" && container.created_at < 1s && process.cap_permitted\n\ - \ & CAP_SYS_ADMIN > 0\n agent_version: ''\n filters: []\n- id: dirty_pipe_attempt\n\ + \ filters:\n - os == \"linux\"\n- id: delete_new_process\n version: f1ba8f89\n\ + \ description: A file was deleted shortly after it was executed\n expression:\ + \ unlink.file.path in ${cgroup.chain_exec_unlink}\n agent_version: ''\n \ + \ filters:\n - os == \"linux\"\n actions:\n - set:\n field: unlink.file.path\n\ + \ name: correlation_key_file_path\n scope: cgroup\n- id: deploy_priv_container\n\ + \ version: 356d5ee7\n description: A privileged container was created\n\ + \ expression: exec.file.name != \"\" && container.id != \"\" && container.created_at\ + \ <\n 1s && process.cap_permitted & CAP_SYS_ADMIN > 0 && container.id !=\ + \ ${container.ratelimit_priv_container}\n agent_version: ''\n filters:\n\ + \ - os == \"linux\"\n actions:\n - set:\n field: container.id\n \ + \ name: ratelimit_priv_container\n scope: container\n ttl: 10000000000\n\ + - id: devshm_execution\n version: 9850af87\n description: A file executed\ + \ from /dev/shm/ directory\n expression: exec.file.path == ~\"/dev/shm/**\"\ + \n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dirty_pipe_attempt\n\ \ version: 8814807c\n description: Potential Dirty pipe exploitation attempt\n\ \ expression: (splice.pipe_entry_flag & PIPE_BUF_FLAG_CAN_MERGE) != 0 &&\ \ (splice.pipe_exit_flag\n & PIPE_BUF_FLAG_CAN_MERGE) == 0 && (process.uid\ 
@@ -276,99 +328,107 @@ http_interactions: \ version: 9bcacfe3\n description: Potential Dirty pipe exploitation\n \ \ expression: (splice.pipe_exit_flag & PIPE_BUF_FLAG_CAN_MERGE) > 0 && (process.uid\n\ \ != 0 && process.gid != 0)\n agent_version: ''\n filters: []\n- id:\ - \ dummy_rule\n version: 28ba1078\n description: Execution of a java process\n\ - \ expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\ - \ []\n- id: dummy_rule_AszwF\n version: 28ba1078\n description: Execution\ + \ dotnet_dump_execution\n version: ba3fb472\n description: Dotnet_dump was\ + \ used to dump a process memory\n expression: exec.cmdline =~ \"*dotnet-dump*\"\ + \ && exec.cmdline =~ \"*collect*\"\n agent_version: ''\n filters:\n - os\ + \ == \"windows\"\n- id: drop_caches\n version: 9eff40a5\n description: A\ + \ process cleared the system cache\n expression: open.file.path == \"/proc/sys/vm/drop_caches\"\ + \n agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule\n\ + \ version: 28ba1078\n description: Execution of a java process\n expression:\ + \ exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_AszwF\n\ + \ version: 28ba1078\n description: Execution of a java process\n expression:\ + \ exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"\ + linux\"\n- id: dummy_rule_BAiZP\n version: 28ba1078\n description: Execution\ \ of a java process\n expression: exec.file.name == \"java\"\n agent_version:\ - \ ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_BAiZP\n version:\ - \ 28ba1078\n description: Execution of a java process\n expression: exec.file.name\ - \ == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_CpDMZ\n\ + \ ''\n filters: []\n- id: dummy_rule_CpDMZ\n version: 28ba1078\n description:\ + \ Execution of a java process\n expression: exec.file.name == \"java\"\n\ + \ agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_DBtCK\n\ \ version: 28ba1078\n description: Execution 
of a java process\n expression:\ \ exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"\ - linux\"\n- id: dummy_rule_DBtCK\n version: 28ba1078\n description: Execution\ + linux\"\n- id: dummy_rule_HfYXr\n version: 28ba1078\n description: Execution\ \ of a java process\n expression: exec.file.name == \"java\"\n agent_version:\ - \ ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_HfYXr\n version:\ + \ ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_JAnCe\n version:\ \ 28ba1078\n description: Execution of a java process\n expression: exec.file.name\ \ == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id:\ - \ dummy_rule_JAnCe\n version: 28ba1078\n description: Execution of a java\ + \ dummy_rule_KJInv\n version: 28ba1078\n description: Execution of a java\ \ process\n expression: exec.file.name == \"java\"\n agent_version: ''\n\ - \ filters:\n - os == \"linux\"\n- id: dummy_rule_KJInv\n version: 28ba1078\n\ + \ filters:\n - os == \"linux\"\n- id: dummy_rule_KSDPb\n version: 28ba1078\n\ \ description: Execution of a java process\n expression: exec.file.name\ \ == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id:\ - \ dummy_rule_KSDPb\n version: 28ba1078\n description: Execution of a java\ + \ dummy_rule_LPRxi\n version: 28ba1078\n description: Execution of a java\ \ process\n expression: exec.file.name == \"java\"\n agent_version: ''\n\ - \ filters:\n - os == \"linux\"\n- id: dummy_rule_LPRxi\n version: 28ba1078\n\ + \ filters:\n - os == \"linux\"\n- id: dummy_rule_PkauG\n version: 28ba1078\n\ \ description: Execution of a java process\n expression: exec.file.name\ \ == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id:\ - \ dummy_rule_PkauG\n version: 28ba1078\n description: Execution of a java\ + \ dummy_rule_RMoJm\n version: 28ba1078\n description: Execution of a java\ \ process\n expression: exec.file.name == \"java\"\n agent_version: ''\n\ - \ filters:\n - os == \"linux\"\n- id: 
dummy_rule_RMoJm\n version: 28ba1078\n\ - \ description: Execution of a java process\n expression: exec.file.name\ - \ == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_Tjzvu\n\ + \ filters: []\n- id: dummy_rule_Tjzvu\n version: 28ba1078\n description:\ + \ Execution of a java process\n expression: exec.file.name == \"java\"\n\ + \ agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_VfQSV\n\ \ version: 28ba1078\n description: Execution of a java process\n expression:\ \ exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"\ - linux\"\n- id: dummy_rule_VfQSV\n version: 28ba1078\n description: Execution\ + linux\"\n- id: dummy_rule_VxNSK\n version: 28ba1078\n description: Execution\ \ of a java process\n expression: exec.file.name == \"java\"\n agent_version:\ - \ ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_VxNSK\n version:\ - \ 28ba1078\n description: Execution of a java process\n expression: exec.file.name\ - \ == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_XcxFr\n\ + \ ''\n filters: []\n- id: dummy_rule_XcxFr\n version: 28ba1078\n description:\ + \ Execution of a java process\n expression: exec.file.name == \"java\"\n\ + \ agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_bKkuv\n\ \ version: 28ba1078\n description: Execution of a java process\n expression:\ \ exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"\ - linux\"\n- id: dummy_rule_bKkuv\n version: 28ba1078\n description: Execution\ + linux\"\n- id: dummy_rule_bVlLJ\n version: 28ba1078\n description: Execution\ \ of a java process\n expression: exec.file.name == \"java\"\n agent_version:\ - \ ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_bVlLJ\n version:\ + \ ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_cdxqn\n version:\ \ 28ba1078\n description: Execution of a java process\n expression: exec.file.name\ - \ == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id:\ - \ 
dummy_rule_cdxqn\n version: 28ba1078\n description: Execution of a java\ - \ process\n expression: exec.file.name == \"java\"\n agent_version: ''\n\ - \ filters: []\n- id: dummy_rule_fWORB\n version: 28ba1078\n description:\ - \ Execution of a java process\n expression: exec.file.name == \"java\"\n\ - \ agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_iNwDw\n\ + \ == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_fWORB\n\ \ version: 28ba1078\n description: Execution of a java process\n expression:\ - \ exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_ipyRF\n\ + \ exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"\ + linux\"\n- id: dummy_rule_iNwDw\n version: 28ba1078\n description: Execution\ + \ of a java process\n expression: exec.file.name == \"java\"\n agent_version:\ + \ ''\n filters: []\n- id: dummy_rule_ipyRF\n version: 28ba1078\n description:\ + \ Execution of a java process\n expression: exec.file.name == \"java\"\n\ + \ agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_ivMAv\n\ \ version: 28ba1078\n description: Execution of a java process\n expression:\ \ exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"\ - linux\"\n- id: dummy_rule_ivMAv\n version: 28ba1078\n description: Execution\ + linux\"\n- id: dummy_rule_jcvqK\n version: 28ba1078\n description: Execution\ \ of a java process\n expression: exec.file.name == \"java\"\n agent_version:\ - \ ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_jcvqK\n version:\ + \ ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_lszUX\n version:\ \ 28ba1078\n description: Execution of a java process\n expression: exec.file.name\ - \ == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id:\ - \ dummy_rule_lszUX\n version: 28ba1078\n description: Execution of a java\ - \ process\n expression: exec.file.name == \"java\"\n agent_version: ''\n\ - \ filters: []\n- id: dummy_rule_mABue\n 
version: 28ba1078\n description:\ - \ Execution of a java process\n expression: exec.file.name == \"java\"\n\ - \ agent_version: ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_qDgvU\n\ + \ == \"java\"\n agent_version: ''\n filters: []\n- id: dummy_rule_mABue\n\ \ version: 28ba1078\n description: Execution of a java process\n expression:\ \ exec.file.name == \"java\"\n agent_version: ''\n filters:\n - os == \"\ - linux\"\n- id: dummy_rule_sUVnW\n version: 28ba1078\n description: Execution\ + linux\"\n- id: dummy_rule_qDgvU\n version: 28ba1078\n description: Execution\ \ of a java process\n expression: exec.file.name == \"java\"\n agent_version:\ - \ ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_tSfwV\n version:\ + \ ''\n filters:\n - os == \"linux\"\n- id: dummy_rule_sUVnW\n version:\ \ 28ba1078\n description: Execution of a java process\n expression: exec.file.name\ \ == \"java\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id:\ - \ dummy_rule_xkrhu\n version: 28ba1078\n description: Execution of a java\ + \ dummy_rule_tSfwV\n version: 28ba1078\n description: Execution of a java\ \ process\n expression: exec.file.name == \"java\"\n agent_version: ''\n\ - \ filters: []\n- id: dynamic_linker_config_unlink\n version: 1924611e\n\ - \ description: A process unlinked a dynamic linker config file\n expression:\ - \ unlink.file.path in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", ~\"/etc/ld.so.conf.d/*.conf\"\ - ]\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ - , \"/usr/bin/rpm\",\n \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\"\ - , ~\"/usr/bin/pip*\", \"/usr/bin/yum\",\n \"/sbin/apk\"]\n agent_version:\ - \ ''\n filters: []\n- id: dynamic_linker_config_write\n version: 764fc516\n\ - \ description: A process wrote to a dynamic linker config file\n expression:\ - \ open.file.path in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", \"/etc/ld.so.conf.d/*.conf\"\ - ]\n && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && 
process.file.path\ - \ not\n in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"\ - /usr/bin/unattended-upgrade\",\n \"/usr/bin/containerd\", \"/usr/local/bin/containerd\"\ - , \"/usr/bin/dockerd\", \"/usr/bin/npm\",\n ~\"/usr/bin/pip*\"] && process.ancestors.file.path\ - \ not in [\"/opt/datadog-agent/embedded/bin/agent\",\n \"/opt/datadog-agent/embedded/bin/system-probe\"\ - , \"/opt/datadog-agent/embedded/bin/security-agent\",\n \"/opt/datadog-agent/embedded/bin/process-agent\"\ - , \"/opt/datadog-agent/bin/agent/agent\",\n \"/opt/datadog/apm/inject/auto_inject_runc\"\ - , \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\",\n\ - \ \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"\ - ]\n agent_version: ''\n filters: []\n- id: example_agent_rule\n version:\ - \ 28ba1078\n description: An example agent rule generated in terraform\n\ - \ expression: exec.file.name == \"java\"\n agent_version: ''\n filters:\ - \ []\n- id: examplecreateacloudworkloadsecurityagentrulereturnsokresponse1667938921\n\ + \ filters:\n - os == \"linux\"\n- id: dummy_rule_xkrhu\n version: 28ba1078\n\ + \ description: Execution of a java process\n expression: exec.file.name\ + \ == \"java\"\n agent_version: ''\n filters: []\n- id: dynamic_linker_config_unlink\n\ + \ version: 1924611e\n description: A process unlinked a dynamic linker config\ + \ file\n expression: unlink.file.path in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\"\ + , ~\"/etc/ld.so.conf.d/*.conf\"]\n && process.file.path not in [~\"/usr/bin/apt*\"\ + , \"/usr/bin/dpkg\", \"/usr/bin/rpm\",\n \"/usr/bin/unattended-upgrade\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\",\n \"/sbin/apk\"\ + ]\n agent_version: ''\n filters: []\n- id: dynamic_linker_config_write\n\ + \ version: 764fc516\n description: A process wrote to a dynamic linker config\ + \ file\n expression: open.file.path in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\"\ + , 
~\"/etc/ld.so.conf.d/*.conf\"]\n && open.flags & (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY)\ + \ > 0 && process.file.path\n not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ + , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\",\n \"/usr/bin/containerd\"\ + , \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\",\n\ + \ ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"] && process.ancestors.file.path\ + \ not in\n [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\"\ + ,\n \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\"\ + ,\n \"/opt/datadog-agent/embedded/bin/trace-agent\", \"/opt/datadog-agent/bin/agent/agent\"\ + ,\n \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\"\ + , \"/usr/bin/dd-host-container-install\",\n \"/usr/bin/dd-container-install\"\ + , \"/opt/datadog-agent/bin/datadog-cluster-agent\",\n ~\"/opt/datadog-packages/**\"\ + , ~\"/opt/datadog-installer/**\"] && process.argv0 not\n in [\"runc\",\ + \ \"/usr/bin/runc\", \"/usr/sbin/runc\"]\n agent_version: ''\n filters:\n\ + \ - os == \"linux\"\n- id: example_agent_rule\n version: 28ba1078\n description:\ + \ An example agent rule generated in terraform\n expression: exec.file.name\ + \ == \"java\"\n agent_version: ''\n filters: []\n- id: examplecreateacloudworkloadsecurityagentrulereturnsokresponse1667938921\n\ \ version: f43786f8\n description: Test Agent rule\n expression: exec.file.name\ \ == \"sh\"\n agent_version: ''\n filters: []\n- id: examplegetacloudworkloadsecurityagentrulereturnsokresponse1656001148\n\ \ version: f43786f8\n description: My Agent rule\n expression: exec.file.name\ 
@@ -391,21 +451,128 @@ http_interactions: \ == \"sh\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: exec_lsmod\n\ \ version: 1a14c811\n description: Kernel modules were listed using the\ \ lsmod command\n expression: exec.comm == \"lsmod\"\n agent_version: ''\n\ - \ filters: []\n- id: exec_whoami\n version: 90ea91b6\n description: The\ - \ whoami command was executed\n expression: exec.comm == \"whoami\"\n agent_version:\ - \ ''\n filters: []\n- id: gcp_imds\n version: 3035dbbf\n description: An\ - \ GCP IMDS was called via a network utility\n expression: exec.comm in [\"\ - wget\", \"curl\", \"lwp-download\"] && exec.args in [~\"*metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token\"\ - ,\n ~\"*169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token\"\ - ]\n agent_version: ''\n filters: []\n- id: hidden_file_executed\n version:\ - \ 60fd84a9\n description: A hidden file was executed in a suspicious folder\n\ - \ expression: exec.file.name =~ \".*\" && exec.file.path in [~\"/home/**\"\ - , ~\"/tmp/**\",\n ~\"/var/tmp/**\", ~\"/dev/shm/**\"]\n agent_version:\ - \ ''\n filters: []\n- id: interactive_shell_in_container\n version: 757f83d3\n\ - \ description: An interactive shell was started inside of a container\n \ - \ expression: |-\n exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\"\ - ,\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n\ - \ \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\"\ + \ filters: []\n- id: exec_new_file\n version: 2748d900\n description: A\ + \ recently modified file was executed\n expression: exec.file.change_time\ + \ < 30s && cgroup.file.inode != 0 && exec.file.path\n not in ${cgroup.exec_new_file_in_cgroup}\ + \ && exec.file.in_upper_layer != false\n && container.created_at > 1m\n\ + \ agent_version: ''\n filters:\n - os == \"linux\"\n actions:\n - set:\n\ + \ append: true\n field: exec.file.path\n name: chain_exec_unlink\n\ + \ scope: cgroup\n ttl: 
30000000000\n - set:\n append: true\n\ + \ field: exec.file.path\n name: exec_new_file_in_cgroup\n scope:\ + \ cgroup\n size: 10000\n ttl: 1800000000000\n - set:\n field:\ + \ exec.file.path\n name: correlation_key_file_path\n scope: cgroup\n\ + - id: exec_whoami\n version: 90ea91b6\n description: The whoami command\ + \ was executed\n expression: exec.comm == \"whoami\"\n agent_version: ''\n\ + \ filters: []\n- id: execution_context_auid\n version: f26b612e\n description:\ + \ Track execution context from auid\n expression: exec.auid >= 0 && exec.auid\ + \ != AUDIT_AUID_UNSET && ${process.correlation_key}\n in [\"\", ~\"cgroup_*\"\ + ]\n agent_version: ''\n filters:\n - os == \"linux\"\n actions:\n - filter:\ + \ ${process.correlation_key} != \"\"\n set:\n append: true\n \ + \ default_value: ''\n expression: ${process.correlation_key}\n inherited:\ + \ true\n name: parent_correlation_keys\n scope: process\n - set:\n\ + \ default_value: ''\n expression: '\"auid_${builtins.uuid4}\"'\n\ + \ inherited: true\n name: correlation_key\n scope: process\n\ + - id: execution_context_cgroup\n version: a70f0019\n description: Track\ + \ execution context from cgroup\n expression: exec.cgroup.id != process.parent.cgroup.id\ + \ && ${process.correlation_key}\n in [\"\", ~\"cgroup_*\"]\n agent_version:\ + \ ''\n filters:\n - os == \"linux\"\n actions:\n - filter: ${process.correlation_key}\ + \ != \"\"\n set:\n append: true\n default_value: ''\n expression:\ + \ ${process.correlation_key}\n inherited: true\n name: parent_correlation_keys\n\ + \ scope: process\n - set:\n default_value: ''\n expression:\ + \ '\"cgroup_${builtins.uuid4}\"'\n inherited: true\n name: correlation_key\n\ + \ scope: process\n- id: execution_context_cgroup_write\n version: 87d33061\n\ + \ description: Track execution context from cgroup write\n expression: cgroup_write.pid\ + \ > 0 && ${process.correlation_key} in [\"\", ~\"cgroup_*\"]\n agent_version:\ + \ ''\n filters:\n - os == \"linux\"\n actions:\n - 
filter: ${process.correlation_key}\ + \ != \"\"\n set:\n append: true\n default_value: ''\n expression:\ + \ ${process.correlation_key}\n inherited: true\n name: parent_correlation_keys\n\ + \ scope: process\n scope_field: cgroup_write.pid\n - set:\n \ + \ default_value: ''\n expression: '\"cgroup_${builtins.uuid4}\"'\n\ + \ inherited: true\n name: correlation_key\n scope: process\n\ + \ scope_field: cgroup_write.pid\n- id: execution_context_interactive_shell\n\ + \ version: 673abb40\n description: Track execution context from interactive\ + \ shell\n expression: |-\n exec.file.path in [ \"/bin/dash\",\n \"\ + /usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"\ + /usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\"\ + ,\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\"\ + ,\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\"\ + ,\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\"\ + ,\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \ + \ \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\"\ + ,\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \ + \ \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\"\ + \ ] && (process.tty_name != \"\" || exec.args_flags in [\"i\"]) && ${process.correlation_key}\ + \ in [\"\", ~\"cgroup_*\", ~\"auid_*\", ~\"service_*\", ~\"service_new_cgroup_*\"\ + ]\n agent_version: ''\n filters:\n - os == \"linux\"\n actions:\n - filter:\ + \ ${process.correlation_key} != \"\"\n set:\n append: true\n \ + \ default_value: ''\n expression: ${process.correlation_key}\n inherited:\ + \ true\n name: parent_correlation_keys\n scope: process\n - set:\n\ + \ default_value: ''\n expression: '\"interactive_shell_${builtins.uuid4}\"\ + '\n inherited: true\n name: correlation_key\n scope: process\n\ + - id: execution_context_k8s_usersession_entrypoint\n version: '40945946'\n\ + \ description: Track execution context from k8s user session\n expression:\ + 
\ exec.user_session.k8s_username != \"\" && ${process.correlation_key}\n\ + \ in [\"\", ~\"cgroup_*\", ~\"auid_*\", ~\"service_*\", ~\"service_new_cgroup_*\"\ + , ~\"interactive_shell_*\"]\n agent_version: ''\n filters:\n - os == \"\ + linux\"\n actions:\n - filter: ${process.correlation_key} != \"\"\n set:\n\ + \ append: true\n default_value: ''\n expression: ${process.correlation_key}\n\ + \ inherited: true\n name: parent_correlation_keys\n scope:\ + \ process\n - set:\n default_value: ''\n expression: '\"k8s_session_${builtins.uuid4}\"\ + '\n inherited: true\n name: correlation_key\n scope: process\n\ + - id: execution_context_npm_install\n version: cc0b703a\n description: Track\ + \ execution context from npm install\n expression: \"exec.file.name in [~\\\ + \"node\\\", ~\\\"npm\\\"] && \\n(process.args =~ \\\"* install\\\n \\ *\\\ + \" || process.args =~ \\\"* add *\\\" || process.args =~ \\\"* i *\\\" ||\ + \ \\n process.args\\\n \\ =~ \\\"* in *\\\" || process.args =~ \\\"* ins\ + \ *\\\" || process.args =~ \\\"* inst *\\\"\\\n \\ || \\n process.args\ + \ =~ \\\"* insta *\\\" || process.args =~ \\\"* instal *\\\" || process.args\\\ + \n \\ =~ \\\"* isnt *\\\" || \\n process.args =~ \\\"* isnta *\\\" || process.args\ + \ =~ \\\"* isntal\\\n \\ *\\\" || process.args =~ \\\"* isntall *\\\")\ + \ &&\\nnot(process.args =~ \\\"*-e *\\\") &&\\n\\\n ${process.correlation_key}\ + \ in [\\\"\\\", ~\\\"cgroup_*\\\", ~\\\"auid_*\\\", ~\\\"service_*\\\"\\\n\ + \ , ~\\\"service_new_cgroup_*\\\", ~\\\"interactive_shell_*\\\", ~\\\"\ + k8s_session_*\\\"]\"\n agent_version: ''\n filters:\n - os == \"linux\"\ + \n actions:\n - filter: ${process.correlation_key} != \"\"\n set:\n \ + \ append: true\n default_value: ''\n expression: ${process.correlation_key}\n\ + \ inherited: true\n name: parent_correlation_keys\n scope:\ + \ process\n - set:\n default_value: ''\n expression: '\"npm_install_${builtins.uuid4}\"\ + '\n inherited: true\n name: correlation_key\n scope: process\n\ + 
- id: execution_context_service\n version: 3fe535ef\n description: Track\ + \ execution context from service\n expression: (exec.envs in [\"DD_SERVICE\"\ + , \"OTEL_SERVICE_NAME\"] || \"tags.datadoghq.com/service\"\n in container.tags)\ + \ && ${process.correlation_key} in [\"\", ~\"cgroup_*\", ~\"auid_*\"]\n agent_version:\ + \ ''\n filters:\n - os == \"linux\"\n actions:\n - filter: ${process.correlation_key}\ + \ != \"\"\n set:\n append: true\n default_value: ''\n expression:\ + \ ${process.correlation_key}\n inherited: true\n name: parent_correlation_keys\n\ + \ scope: process\n - set:\n default_value: ''\n expression:\ + \ '\"service_${builtins.uuid4}\"'\n inherited: true\n name: correlation_key\n\ + \ scope: process\n- id: execution_context_service_new_cgroup\n version:\ + \ ec46e6bb\n description: Track execution context from new service cgroup\n\ + \ expression: (exec.envs in [\"DD_SERVICE\", \"OTEL_SERVICE_NAME\"] || \"\ + tags.datadoghq.com/service\"\n in container.tags) && ${process.correlation_key}\ + \ in [~\"service_*\"] && process.cgroup.id\n != process.parent.cgroup.id\n\ + \ agent_version: ''\n filters:\n - os == \"linux\"\n actions:\n - filter:\ + \ ${process.correlation_key} != \"\"\n set:\n append: true\n \ + \ default_value: ''\n expression: ${process.correlation_key}\n inherited:\ + \ true\n name: parent_correlation_keys\n scope: process\n - set:\n\ + \ default_value: ''\n expression: '\"service_new_cgroup_${builtins.uuid4}\"\ + '\n inherited: true\n name: correlation_key\n scope: process\n\ + - id: execution_context_service_new_cgroup_write\n version: 8137122d\n description:\ + \ Track execution context from new service cgroup write\n expression: cgroup_write.pid\ + \ > 0 && (process.envs in [\"DD_SERVICE\", \"OTEL_SERVICE_NAME\"]\n ||\ + \ \"tags.datadoghq.com/service\" in container.tags) && ${process.correlation_key}\n\ + \ in [~\"service_*\"]\n agent_version: ''\n filters:\n - os == \"linux\"\ + \n actions:\n - filter: 
${process.correlation_key} != \"\"\n set:\n \ + \ append: true\n default_value: ''\n expression: ${process.correlation_key}\n\ + \ inherited: true\n name: parent_correlation_keys\n scope:\ + \ process\n scope_field: cgroup_write.pid\n - set:\n default_value:\ + \ ''\n expression: '\"service_new_cgroup_${builtins.uuid4}\"'\n \ + \ inherited: true\n name: correlation_key\n scope: process\n \ + \ scope_field: cgroup_write.pid\n- id: execution_context_spawned_shell\n\ + \ version: 89f318af\n description: Track execution context from spawned\ + \ shell\n expression: |-\n exec.file.path in [ \"/bin/dash\",\n \"\ + /usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"\ + /usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\"\ ,\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\"\ ,\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\"\ ,\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\"\ 
@@ -413,18 +580,67 @@ http_interactions: \ \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\"\ ,\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \ \ \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\"\ - \ ] && exec.args_flags in [\"i\"] && container.id !=\"\"\n agent_version:\ - \ ''\n filters: []\n- id: ip_check_domain\n version: 2d5285c0\n description:\ + \ ] && (process.parent.file.name in [\"apache2\", \"nginx\", ~\"tomcat*\"\ + , \"httpd\"] || process.parent.file.name =~ \"php*\" || process.parent.file.name\ + \ in [\"mysqld\", \"mongod\", \"postgres\"] || process.parent.file.name in\ + \ [\"java\", \"jspawnhelper\"]) && ${process.correlation_key} in [\"\", ~\"\ + cgroup_*\", ~\"auid_*\", ~\"service_*\", ~\"service_new_cgroup_*\"]\n agent_version:\ + \ ''\n filters:\n - os == \"linux\"\n actions:\n - filter: ${process.correlation_key}\ + \ != \"\"\n set:\n append: true\n default_value: ''\n expression:\ + \ ${process.correlation_key}\n inherited: true\n name: parent_correlation_keys\n\ + \ scope: process\n - set:\n default_value: ''\n expression:\ + \ '\"spawned_shell_${builtins.uuid4}\"'\n inherited: true\n name:\ + \ correlation_key\n scope: process\n- id: file_sync_exfil\n version:\ + \ bdcbbeb8\n description: The rclone utility was executed\n expression:\ + \ exec.file.name in [\"rclone\", \"rsync\", \"sftp\", \"ftp\", \"scp\", \"\ + dcp\", \"rcp\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id:\ + \ find_credentials\n version: c16ed3fa\n description: find command searching\ + \ for sensitive files\n expression: exec.comm == \"find\" && exec.args in\ + \ [~\"*credentials*\"]\n agent_version: ''\n filters:\n - os == \"linux\"\ + \n- id: gcp_imds\n version: 3035dbbf\n description: An GCP IMDS was called\ + \ via a network utility\n expression: exec.comm in [\"wget\", \"curl\", \"\ + lwp-download\"] && exec.args in [~\"*metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token\"\ + ,\n 
~\"*169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token\"\ + ]\n agent_version: ''\n filters: []\n- id: github_api_contacted\n version:\ + \ d51472cf\n description: GitHub API was contacted\n expression: connect.addr.hostname\ + \ =~ \"api.github.com\"\n agent_version: ''\n filters:\n - os == \"linux\"\ + \n- id: hidden_file_executed\n version: 60fd84a9\n description: A hidden\ + \ file was executed in a suspicious folder\n expression: exec.file.name =~\ + \ \".*\" && exec.file.path in [~\"/home/**\", ~\"/tmp/**\",\n ~\"/var/tmp/**\"\ + , ~\"/dev/shm/**\"]\n agent_version: ''\n filters: []\n- id: interactive_shell_in_container\n\ + \ version: 757f83d3\n description: An interactive shell was started inside\ + \ of a container\n expression: |-\n exec.file.path in [ \"/bin/dash\"\ + ,\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\"\ + ,\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n\ + \ \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\"\ + ,\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\"\ + ,\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\"\ + ,\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n\ + \ \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \ + \ \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\"\ + ,\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n\ + \ \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] && exec.args_flags in\ + \ [\"i\"] && container.id !=\"\"\n agent_version: ''\n filters: []\n- id:\ + \ inveigh_tool_usage\n version: da9cc26\n description: Process executed\ + \ with arguments common with Inveigh tool usage\n expression: exec.cmdline\ + \ in [~\"*SpooferIP*\", ~\"*ReplyToIPs*\", ~\"*ReplyToDomains*\",\n ~\"\ + *ReplyToMACs*\", ~\"*SnifferIP*\"]\n agent_version: ''\n filters:\n - os\ + \ == \"windows\"\n- id: ip_check_domain\n version: 2d5285c0\n description:\ \ A DNS lookup was done for a IP check service\n expression: dns.question.name\ \ in 
[\"icanhazip.com\", \"ip-api.com\", \"myip.opendns.com\",\n \"checkip.amazonaws.com\"\ , \"whatismyip.akamai.com\"] && process.file.name != \"\"\n agent_version:\ - \ ''\n filters: []\n- id: java_shell_execution\n version: 24c2eb7c\n description:\ - \ A java process spawned a shell, shell utility, or HTTP utility\n expression:\ - \ |-\n (exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n\ - \ \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \ - \ \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\"\ - ,\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\"\ - ,\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\"\ + \ ''\n filters: []\n- id: ip_lookup_domain\n version: 61534f27\n description:\ + \ A process checked the public IP address of the host\n expression: connect.addr.hostname\ + \ in [\"icanhazip.com\", \"ip-api.com\", \"myip.opendns.com\",\n \"checkip.amazonaws.com\"\ + , \"whatismyip.akamai.com\"] && connect.addr.is_public ==\n true && connect.addr.port\ + \ in [80, 443]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id:\ + \ java_shell_execution_parent\n version: 1bcff0aa\n description: A java\ + \ process spawned a shell, shell utility, or HTTP utility\n expression: |-\n\ + \ (exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \ + \ \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"\ + /bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \ + \ \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \ + \ \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\"\ ,\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\"\ ,\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \ \ \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\"\ 
@@ -454,134 +670,82 @@ http_interactions: /usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\"\ ,\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\"\ ,\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"\ - /usr/bin/whoami\",\"/usr/sbin/chroot\"])\n && process.ancestors.file.name\ - \ == \"java\"\n agent_version: ''\n filters: []\n- id: java_shell_execution_parent\n\ - \ version: 1bcff0aa\n description: A java process spawned a shell, shell\ - \ utility, or HTTP utility\n expression: |-\n (exec.file.path in [ \"\ - /bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\"\ - ,\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n\ - \ \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\"\ - ,\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\"\ - ,\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\"\ - ,\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n\ - \ \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \ - \ \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\"\ - ,\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n\ - \ \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] ||\n exec.comm in\ - \ [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path in [\"/bin/cat\"\ - ,\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"\ - /bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"\ - /bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\"\ - ,\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"\ - /bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\"\ - ,\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\"\ - ,\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\"\ - ,\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\"\ - 
,\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\"\ - ,\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\"\ - ,\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\"\ - ,\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"\ - /usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"\ - /usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"\ - /usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\"\ - ,\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\"\ - ,\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\"\ - ,\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\"\ - ,\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\"\ - ,\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\"\ - ,\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\"\ - ,\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\"\ - ,\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"\ - /usr/sbin/chroot\"])\n && process.parent.file.name == \"java\"\n agent_version:\ - \ ''\n filters:\n - os == \"linux\"\n- id: jupyter_shell_execution\n version:\ - \ d2d9243c\n description: A Jupyter notebook executed a shell\n expression:\ - \ (exec.file.name in [\"cat\",\"chgrp\",\"chmod\",\"chown\",\"cp\",\"date\"\ - ,\"dd\",\"df\",\"dir\",\"echo\",\"ln\",\"ls\",\"mkdir\",\"mknod\",\"mktemp\"\ - ,\"mv\",\"pwd\",\"readlink\",\"rm\",\"rmdir\",\"sleep\",\"stty\",\"sync\"\ - ,\"touch\",\"uname\",\"vdir\",\"arch\",\"b2sum\",\"base32\",\"base64\",\"\ - basename\",\"chcon\",\"cksum\",\"comm\",\"csplit\",\"cut\",\"dircolors\",\"\ - dirname\",\"du\",\"env\",\"expand\",\"expr\",\"factor\",\"fmt\",\"fold\",\"\ - 
groups\",\"head\",\"hostid\",\"id\",\"install\",\"join\",\"link\",\"logname\"\ - ,\"md5sum\",\"textutils\",\"mkfifo\",\"nice\",\"nl\",\"nohup\",\"nproc\",\"\ - numfmt\",\"od\",\"paste\",\"pathchk\",\"pinky\",\"pr\",\"printenv\",\"printf\"\ - ,\"ptx\",\"realpath\",\"runcon\",\"seq\",\"sha1sum\",\"sha224sum\",\"sha256sum\"\ - ,\"sha384sum\",\"sha512sum\",\"shred\",\"shuf\",\"sort\",\"split\",\"stat\"\ - ,\"stdbuf\",\"sum\",\"tac\",\"tail\",\"tee\",\"test\",\"timeout\",\"tr\",\"\ - truncate\",\"tsort\",\"tty\",\"unexpand\",\"uniq\",\"unlink\",\"users\",\"\ - wc\",\"who\",\"whoami\",\"chroot\"]\n || exec.file.name in [\"wget\", \"\ - curl\", \"lwp-download\"] || exec.file.name in [\"dash\",\"sh\",\"static-sh\"\ - ,\"sh\",\"bash\",\"bash\",\"bash-static\",\"zsh\",\"ash\",\"csh\",\"ksh\"\ - ,\"tcsh\",\"busybox\",\"busybox\",\"fish\",\"ksh93\",\"rksh\",\"rksh93\",\"\ - lksh\",\"mksh\",\"mksh-static\",\"csharp\",\"posh\",\"rc\",\"sash\",\"yash\"\ - ,\"zsh5\",\"zsh5-static\"])\n && process.ancestors.comm in [\"jupyter-noteboo\"\ - , \"jupyter-lab\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n\ - - id: k8s_pod_service_account_token_accessed\n version: 88c0ee3a\n description:\ - \ The Kubernetes pod service account token was accessed\n expression: open.file.path\ - \ in [~\"/var/run/secrets/kubernetes.io/serviceaccount/**\",\n ~\"/run/secrets/kubernetes.io/serviceaccount/**\"\ - ] && open.file.name == \"token\"\n && process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\"\ - , \"/opt/datadog-agent/embedded/bin/system-probe\",\n \"/opt/datadog-agent/embedded/bin/security-agent\"\ - , \"/opt/datadog-agent/embedded/bin/process-agent\",\n \"/opt/datadog-agent/bin/agent/agent\"\ - , \"/opt/datadog/apm/inject/auto_inject_runc\",\n \"/usr/bin/dd-host-install\"\ - , \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\"\ - ,\n \"/opt/datadog-agent/bin/datadog-cluster-agent\"] && process.file.path\ - \ not in [\"/usr/bin/cilium-agent\",\n 
\"/coredns\", \"/usr/bin/cilium-operator\"\ - , \"/manager\", \"/fluent-bit/bin/fluent-bit\",\n \"/usr/local/bin/cloud-node-manager\"\ - , \"/secrets-store-csi\", \"/bin/secrets-store-csi-driver-provider-aws\",\n\ - \ \"/usr/bin/calico-node\", \"/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent\"\ - ,\n \"/nginx-ingress-controller\", \"/cluster-autoscaler\", \"/cluster-proportional-autoscaler\"\ - ,\n \"/haproxy-ingress-controller\", \"/kube-state-metrics\", \"/fluent-bit-gke-exporter\"\ - ,\n \"/bin/external-secrets\", \"/node-termination-handler\", \"/fluent-bit-gke-exporter\"\ - ,\n \"/bin/vault\", \"/usr/local/bin/kubectl\", \"/local-provisioner\"\ - , \"/usr/bin/gitlab-runner\",\n \"/usr/local/bin/vaultd\", \"/usr/local/bin/trace-driveline-writer\"\ - , \"/usr/local/bin/registration-controller\",\n \"/usr/local/bin/cluster-autoscaler\"\ - ] && process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\"\ - ,\n \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\"\ - ,\n \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\"\ - ,\n \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\"\ - , \"/usr/bin/dd-host-container-install\",\n \"/usr/bin/dd-container-install\"\ - , \"/opt/datadog-agent/bin/datadog-cluster-agent\"]\n agent_version: ''\n\ - \ filters:\n - os == \"linux\"\n- id: kernel_module_chmod\n version: 82c61c82\n\ - \ description: A new kernel module was added\n expression: |-\n (\n \ - \ (chmod.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\"\ + /usr/bin/whoami\",\"/usr/sbin/chroot\",\"/bin/busybox\"])\n && process.parent.file.name\ + \ in [\"java\", \"jspawnhelper\"]\n agent_version: ''\n filters:\n - os\ + \ == \"linux\"\n- id: jupyter_shell_execution\n version: d2d9243c\n description:\ + \ A Jupyter notebook executed a shell\n expression: (exec.file.name in [\"\ + 
cat\",\"chgrp\",\"chmod\",\"chown\",\"cp\",\"date\",\"dd\",\"df\",\"dir\"\ + ,\"echo\",\"ln\",\"ls\",\"mkdir\",\"mknod\",\"mktemp\",\"mv\",\"pwd\",\"readlink\"\ + ,\"rm\",\"rmdir\",\"sleep\",\"stty\",\"sync\",\"touch\",\"uname\",\"vdir\"\ + ,\"arch\",\"b2sum\",\"base32\",\"base64\",\"basename\",\"chcon\",\"cksum\"\ + ,\"comm\",\"csplit\",\"cut\",\"dircolors\",\"dirname\",\"du\",\"env\",\"expand\"\ + ,\"expr\",\"factor\",\"fmt\",\"fold\",\"groups\",\"head\",\"hostid\",\"id\"\ + ,\"install\",\"join\",\"link\",\"logname\",\"md5sum\",\"textutils\",\"mkfifo\"\ + ,\"nice\",\"nl\",\"nohup\",\"nproc\",\"numfmt\",\"od\",\"paste\",\"pathchk\"\ + ,\"pinky\",\"pr\",\"printenv\",\"printf\",\"ptx\",\"realpath\",\"runcon\"\ + ,\"seq\",\"sha1sum\",\"sha224sum\",\"sha256sum\",\"sha384sum\",\"sha512sum\"\ + ,\"shred\",\"shuf\",\"sort\",\"split\",\"stat\",\"stdbuf\",\"sum\",\"tac\"\ + ,\"tail\",\"tee\",\"test\",\"timeout\",\"tr\",\"truncate\",\"tsort\",\"tty\"\ + ,\"unexpand\",\"uniq\",\"unlink\",\"users\",\"wc\",\"who\",\"whoami\",\"chroot\"\ + ]\n || exec.file.name in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.name\ + \ in [\"dash\",\"sh\",\"static-sh\",\"sh\",\"bash\",\"bash\",\"bash-static\"\ + ,\"zsh\",\"ash\",\"csh\",\"ksh\",\"tcsh\",\"busybox\",\"busybox\",\"fish\"\ + ,\"ksh93\",\"rksh\",\"rksh93\",\"lksh\",\"mksh\",\"mksh-static\",\"csharp\"\ + ,\"posh\",\"rc\",\"sash\",\"yash\",\"zsh5\",\"zsh5-static\"])\n && process.ancestors.comm\ + \ in [\"jupyter-noteboo\", \"jupyter-lab\"]\n agent_version: ''\n filters:\n\ + \ - os == \"linux\"\n- id: k8s_user_session\n version: c8407c7f\n description:\ + \ A process was executed in a Kubernetes user session\n expression: exec.user_session.k8s_username\ + \ != \"\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: kernel_module_chmod\n\ + \ version: 82c61c82\n description: A new kernel module was added\n expression:\ + \ |-\n (\n (chmod.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\"\ + , 
~\"/usr/lib/modules-load.d/**\", ~\"/etc/modules-load.d/**\", ~\"/etc/modprobe.d/**\"\ \ ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"\ - /usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"]\n && process.ancestors.file.path\ - \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ - , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"] &&\ - \ process.ancestors.file.path != \"/usr/bin/kmod\"\n ) && chmod.file.destination.mode\ - \ != chmod.file.mode\n agent_version: ''\n filters: []\n- id: kernel_module_chown\n\ + /usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"\ + , \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in\ + \ [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\"\ + , \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path\ + \ != \"/usr/bin/kmod\"\n ) && chmod.file.destination.mode != chmod.file.mode\n\ + \ agent_version: ''\n filters:\n - os == \"linux\"\n- id: kernel_module_chown\n\ \ version: ca2cf124\n description: A new kernel module was added\n expression:\ \ |-\n (\n (chown.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\"\ \ ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"\ - /usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ - ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ - , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"\ - /usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ - ] && process.ancestors.file.path != \"/usr/bin/kmod\"\n ) && (chown.file.destination.uid\ - \ != chown.file.uid || 
chown.file.destination.gid != chown.file.gid)\n agent_version:\ - \ ''\n filters: []\n- id: kernel_module_link\n version: a18ca197\n description:\ - \ A new kernel module was added\n expression: |-\n (\n (link.file.path\ - \ in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || link.file.destination.path\ - \ in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path\ + /usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"\ + , \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in\ + \ [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\"\ + , \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path\ + \ != \"/usr/bin/kmod\"\n ) && (chown.file.destination.uid != chown.file.uid\ + \ || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n\ + \ filters:\n - os == \"linux\"\n- id: kernel_module_link\n version: a18ca197\n\ + \ description: A new kernel module was added\n expression: |-\n (\n \ + \ (link.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\"\ + , ~\"/usr/lib/modules-load.d/**\", ~\"/etc/modules-load.d/**\", ~\"/etc/modprobe.d/**\"\ + \ ]\n || link.file.destination.path in [ ~\"/lib/modules/**\", ~\"\ + /usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\"\ + , \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"\ + /usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\"\ + , \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path\ \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ - , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ - /usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"\ - /usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", 
\"/usr/bin/unattended-upgrade\"\ - , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ - /usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\ - \n )\n agent_version: ''\n filters: []\n- id: kernel_module_load\n version:\ - \ 904592b4\n description: A kernel module was loaded\n expression: load_module.name\ - \ not in [\"nf_tables\", \"iptable_filter\", \"ip6table_filter\",\n \"\ - bpfilter\", \"ip6_tables\", \"ip6table_nat\", \"nf_reject_ipv4\", \"ipt_REJECT\"\ - , \"iptable_raw\"]\n && process.ancestors.file.name not in [~\"falcon*\"\ - , \"unattended-upgrade\", \"apt.systemd.daily\",\n \"xtables-legacy-multi\"\ - , \"ssm-agent-worker\"]\n agent_version: ''\n filters: []\n- id: kernel_module_load_container\n\ - \ version: 139b666a\n description: A container loaded a new kernel module\n\ - \ expression: load_module.name != \"\" && container.id !=\"\"\n agent_version:\ - \ ''\n filters: []\n- id: kernel_module_load_from_memory\n version: 78122acd\n\ - \ description: A kernel module was loaded from memory\n expression: load_module.loaded_from_memory\ - \ == true\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: kernel_module_load_from_memory_container\n\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\"\ + , \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path\ + \ != \"/usr/bin/kmod\"\n )\n agent_version: ''\n filters:\n - os ==\ + \ \"linux\"\n- id: kernel_module_load\n version: 904592b4\n description:\ + \ A kernel module was loaded\n expression: load_module.loaded_from_memory\ + \ == false && load_module.name not in [\"nf_tables\",\n \"iptable_filter\"\ + , \"ip6table_filter\", \"bpfilter\", \"ip6_tables\", \"ip6table_nat\",\n \ + \ \"nf_reject_ipv4\", \"ipt_REJECT\", \"iptable_raw\", \"udp_diag\", \"\ + inet_diag\"] && process.ancestors.file.name\n not in [~\"falcon*\", \"\ + unattended-upgrade\", \"apt.systemd.daily\", \"xtables-legacy-multi\",\n \ + \ 
\"ssm-agent-worker\"]\n agent_version: ''\n filters:\n - os == \"linux\"\ + \n- id: kernel_module_load_container\n version: 139b666a\n description:\ + \ A container loaded a new kernel module\n expression: load_module.name !=\ + \ \"\" && container.id !=\"\"\n agent_version: ''\n filters: []\n- id: kernel_module_load_from_memory\n\ + \ version: 78122acd\n description: A kernel module was loaded from memory\n\ + \ expression: load_module.loaded_from_memory == true\n agent_version: ''\n\ + \ filters:\n - os == \"linux\"\n- id: kernel_module_load_from_memory_container\n\ \ version: a277c753\n description: A kernel module was loaded from memory\ \ inside a container\n expression: load_module.loaded_from_memory == true\ \ && container.id !=\"\"\n agent_version: ''\n filters: []\n- id: kernel_module_open\n\ 
@@ -597,100 +761,145 @@ http_interactions: \ ''\n filters: []\n- id: kernel_module_rename\n version: 9d8cb7d8\n description:\ \ A new kernel module was added\n expression: |-\n (\n (rename.file.path\ \ in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || rename.file.destination.path\ + \ in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\", ~\"/usr/lib/modules-load.d/**\"\ + , ~\"/etc/modules-load.d/**\", ~\"/etc/modprobe.d/**\" ])\n && process.file.path\ + \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\"\ + , \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path\ + \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\"\ + , \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path\ + \ != \"/usr/bin/kmod\"\n )\n agent_version: ''\n filters:\n - os ==\ + \ \"linux\"\n- id: kernel_module_unlink\n version: 652391be\n description:\ + \ A new kernel module was added\n expression: |-\n (\n (unlink.file.path\ \ in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path\ \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ - , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ - /usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"\ - /usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ - , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ - /usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\ - \n )\n agent_version: ''\n filters: []\n- id: kernel_module_unlink\n\ - \ version: 652391be\n description: A new kernel module was added\n expression:\ - \ |-\n (\n (unlink.file.path in [ 
~\"/lib/modules/**\", ~\"/usr/lib/modules/**\"\ - \ ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ - , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"\ - /usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ - ]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ - , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"\ - /usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ - ] && process.ancestors.file.path != \"/usr/bin/kmod\"\n )\n agent_version:\ - \ ''\n filters: []\n- id: kernel_module_utimes\n version: 405d45e7\n description:\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\"\ + , \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path\ + \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\"\ + , \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path\ + \ != \"/usr/bin/kmod\"\n )\n agent_version: ''\n filters:\n - os ==\ + \ \"linux\"\n- id: kernel_module_utimes\n version: 405d45e7\n description:\ \ A new kernel module was added\n expression: |-\n (\n (utimes.file.path\ \ in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n && process.file.path\ \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ - , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ - /usr/lib/snapd/snapd\"]\n && process.ancestors.file.path not in [~\"\ - /usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ - , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ - /usr/lib/snapd/snapd\"] && process.ancestors.file.path != \"/usr/bin/kmod\"\ - \n )\n agent_version: ''\n filters: []\n- id: kmod_list\n version: c353a548\n\ - 
\ description: Kernel modules were listed using the kmod command\n expression:\ - \ exec.comm == \"kmod\" && exec.args in [~\"*list*\"]\n agent_version: ''\n\ - \ filters: []\n- id: ld_preload_unusual_library_path\n version: cc6fd0c4\n\ - \ description: The LD_PRELOAD variable is populated by a link to a suspicious\ - \ file\n directory\n expression: exec.envs in [~\"LD_PRELOAD=*/tmp/*\"\ - \ ,~\"LD_PRELOAD=/dev/shm/*\" ]\n agent_version: ''\n filters: []\n- id:\ - \ memfd_create\n version: 5908512a\n description: memfd object created\n\ - \ expression: exec.file.name =~ \"memfd*\" && exec.file.path == \"\"\n agent_version:\ - \ ''\n filters: []\n- id: mount_host_fs\n version: accb4f\n description:\ - \ The host file system was mounted in a container\n expression: mount.source.path\ - \ == \"/\" && mount.fs_type != \"overlay\" && container.id\n != \"\"\n\ - \ agent_version: ''\n filters: []\n- id: mount_proc_hide\n version: fd887e01\n\ - \ description: Process hidden using mount\n expression: mount.mountpoint.path\ - \ in [~\"/proc/1*\", ~\"/proc/2*\", ~\"/proc/3*\", ~\"/proc/4*\",\n ~\"\ - /proc/5*\", ~\"/proc/6*\", ~\"/proc/7*\", ~\"/proc/8*\", ~\"/proc/9*\"]\n\ - \ agent_version: ''\n filters:\n - os == \"linux\"\n- id: net_file_download\n\ - \ version: 75b930ad\n description: A suspicious file was written by a network\ - \ utility\n expression: |-\n open.flags & O_CREAT > 0 && process.comm\ - \ in [\"wget\", \"curl\", \"lwp-download\"]\n && (\n (open.file.path\ - \ =~ \"/tmp/**\" && open.file.name in [~\"*.sh\", ~\"*.c\", ~\"*.so\", ~\"\ - *.ko\"])\n || open.file.path in [~\"/usr/**\", ~\"/lib/**\", ~\"/etc/**\"\ - , ~\"/var/tmp/**\", ~\"/dev/shm/**\"]\n )\n agent_version: ''\n filters:\ - \ []\n- id: net_unusual_request\n version: 3df2d9ef\n description: Network\ - \ utility executed with suspicious URI\n expression: 'exec.comm in [\"wget\"\ - , \"curl\", \"lwp-download\"] && exec.args in [~\"*.php*\",\n ~\"*.jpg*\"\ - ] '\n agent_version: ''\n filters: []\n- 
id: net_util\n version: fc362090\n\ - \ description: A network utility was executed\n expression: |-\n (exec.comm\ - \ in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\",\ - \ \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"])\ - \ &&\n container.id == \"\" && exec.args not in [ ~\"*localhost*\", ~\"\ - *127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]\n agent_version: ''\n filters: []\n\ - - id: net_util_exfiltration\n version: 5f7c8871\n description: Exfiltration\ - \ attempt via network utility\n expression: \"exec.comm in [\\\"wget\\\"\ - , \\\"curl\\\", \\\"lwp-download\\\"] && \\nexec.args_options\\\n \\ in\ - \ [ ~\\\"post-file=*\\\", ~\\\"post-data=*\\\", ~\\\"T=*\\\", ~\\\"d=@*\\\"\ - , ~\\\"upload-file=*\\\"\\\n , ~\\\"F=file*\\\"] &&\\nexec.args not in\ - \ [~\\\"*localhost*\\\", ~\\\"*127.0.0.1*\\\"]\"\n agent_version: ''\n filters:\n\ - \ - os == \"linux\"\n- id: net_util_in_container\n version: 69e03ac1\n \ - \ description: A network utility was executed in a container\n expression:\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\"\ + , \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.ancestors.file.path\ + \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\"\ + , \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path\ + \ != \"/usr/bin/kmod\"\n )\n agent_version: ''\n filters:\n - os ==\ + \ \"linux\"\n- id: kernel_process_masquerade\n version: 817d4169\n description:\ + \ A process is masquerading as a kernel thread by using bracket notation\n\ + \ in its name\n expression: (exec.comm in [r\"^\\[.*\\]$\"] || exec.argv0\ + \ in [r\"^\\[.*\\]$\"]) && (process.parent.ppid\n !=2 || process.args !=\ + \ \"\")\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: kmod_list\n\ + \ version: c353a548\n description: Kernel modules were listed 
using the\ + \ kmod command\n expression: exec.comm == \"kmod\" && exec.args in [~\"*list*\"\ + ]\n agent_version: ''\n filters: []\n- id: known_dll_registry_key_modified\n\ + \ version: 49b8fe22\n description: Windows Known DLLs location registry\ + \ key modified\n expression: set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\\ + SYSTEM\\CurrentControlSet\\Control\\Session\n Manager\\KnownDLLs*\"]\n\ + \ agent_version: ''\n filters:\n - os == \"windows\"\n- id: ld_audit_unusual_library_path\n\ + \ version: 36430a84\n description: The LD_AUDIT variable is populated by\ + \ a link to a suspicious file directory\n expression: \"process.envs in [\\\ + \"LD_AUDIT\\\"] && \\n(\\n mmap.file.path in [~\\\"/home/*\\\"\\\n , ~\\\ + \"/tmp/*\\\", ~\\\"/dev/shm/*\\\"] || \\n mmap.file.in_upper_layer == true\\\ + n) &&\\n\\\n mmap.protection & (PROT_EXEC) > 0 \"\n agent_version: ''\n\ + \ filters:\n - os == \"linux\"\n- id: ld_preload_unusual_library_path\n\ + \ version: cc6fd0c4\n description: The LD_PRELOAD variable is populated\ + \ by a link to a suspicious file\n directory\n expression: exec.envs in\ + \ [~\"LD_PRELOAD=*/tmp/*\", ~\"LD_PRELOAD=/dev/shm/*\"]\n agent_version:\ + \ ''\n filters:\n - os == \"linux\"\n- id: memfd_create\n version: 5908512a\n\ + \ description: memfd object created\n expression: exec.file.name =~ \"memfd*\"\ + \ && exec.file.path == \"\" && process.parent.file.path\n not in [\"/usr/bin/runc\"\ + , \"/usr/sbin/runc\", \"/usr/bin/docker-runc\" , \"/run/docker/runtime-runc/moby/*\"\ + ,\n \"/x86_64-bottlerocket-linux-gnu/sys-root/usr/bin/runc\"] && !(process.comm\ + \ == \"dd-ipc-helper\"\n && exec.file.name in [\"memfd:spawn_worker_trampoline\ + \ (deleted)\", \"memfd:spawn_worker_trampoline\"])\n agent_version: ''\n\ + \ filters:\n - os == \"linux\"\n- id: mining_pool_domain\n version: 4e0f8e8d\n\ + \ description: A process connected to a cryptocurrency mining pool\n expression:\ + \ connect.addr.hostname in [~\"*.minexmr.com\", \"minexmr.com\", 
~\"*.nanopool.org\"\ + ,\n \"nanopool.org\", ~\"*.supportxmr.com\", \"supportxmr.com\", ~\"*.c3pool.com\"\ + , \"c3pool.com\",\n ~\"*.p2pool.io\", \"p2pool.io\", ~\"*.ethermine.org\"\ + , \"ethermine.org\", ~\"*.f2pool.com\",\n \"f2pool.com\", ~\"*.poolin.me\"\ + , \"poolin.me\", ~\"*.rplant.xyz\", \"rplant.xyz\", ~\"*.miningocean.org\"\ + ,\n \"miningocean.org\", \"donate.v2.xmrig.com\"] && connect.addr.is_public\ + \ == true &&\n connect.addr.port not in [53, 80, 443]\n agent_version:\ + \ ''\n filters:\n - os == \"linux\"\n- id: mining_pool_lookup\n version:\ + \ 4241c309\n description: A process resolved a DNS name associated with cryptomining\ + \ activity\n expression: dns.question.name in [~\"*.minexmr.com\", \"minexmr.com\"\ + , ~\"*.nanopool.org\",\n \"nanopool.org\", ~\"*.supportxmr.com\", \"supportxmr.com\"\ + , ~\"*.c3pool.com\", \"c3pool.com\",\n ~\"*.p2pool.io\", \"p2pool.io\"\ + , ~\"*.ethermine.org\", \"ethermine.org\", ~\"*.f2pool.com\",\n \"f2pool.com\"\ + , ~\"*.poolin.me\", \"poolin.me\", ~\"*.rplant.xyz\", \"rplant.xyz\", ~\"\ + *.miningocean.org\",\n \"miningocean.org\", \"donate.v2.xmrig.com\"] &&\ + \ process.file.name != \"\"\n agent_version: ''\n filters:\n - os == \"\ + linux\"\n- id: mount_host_fs\n version: accb4f\n description: The host file\ + \ system was mounted in a container\n expression: mount.source.path == \"\ + /\" && mount.fs_type != \"overlay\" && container.id\n != \"\"\n agent_version:\ + \ ''\n filters: []\n- id: mount_proc_hide\n version: fd887e01\n description:\ + \ Process hidden using mount\n expression: mount.mountpoint.path in [~\"\ + /proc/1*\", ~\"/proc/2*\", ~\"/proc/3*\", ~\"/proc/4*\",\n ~\"/proc/5*\"\ + , ~\"/proc/6*\", ~\"/proc/7*\", ~\"/proc/8*\", ~\"/proc/9*\"] && process.argv0\n\ + \ not in [\"runc\", ~\"/*/runc\"]\n agent_version: ''\n filters:\n -\ + \ os == \"linux\"\n- id: net_file_download\n version: 75b930ad\n description:\ + \ A suspicious file was written by a network utility\n expression: |-\n \ + 
\ open.flags & O_CREAT > 0 && process.comm in [\"wget\", \"curl\", \"lwp-download\"\ + ]\n && (\n (open.file.path =~ \"/tmp/**\" && open.file.name in [~\"\ + *.sh\", ~\"*.c\", ~\"*.so\", ~\"*.ko\"])\n || open.file.path in [~\"\ + /usr/**\", ~\"/lib/**\", ~\"/etc/**\", ~\"/var/tmp/**\", ~\"/dev/shm/**\"\ + ]\n )\n agent_version: ''\n filters: []\n- id: net_unusual_request\n\ + \ version: 3df2d9ef\n description: Network utility executed with suspicious\ + \ URI\n expression: 'exec.comm in [\"wget\", \"curl\", \"lwp-download\"]\ + \ && exec.args in [~\"*.php*\",\n ~\"*.jpg*\"] '\n agent_version: ''\n\ + \ filters: []\n- id: net_util\n version: fc362090\n description: A network\ + \ utility was executed\n expression: |-\n (exec.comm in [\"socat\", \"\ + dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n \ + \ exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) &&\n container.id\ + \ == \"\" && exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\"\ + \ ]\n agent_version: ''\n filters: []\n- id: net_util_exfiltration\n version:\ + \ 5f7c8871\n description: Exfiltration attempt via network utility\n expression:\ + \ |-\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] &&\n exec.args_options\ + \ in [ ~\"post-file=*\", ~\"post-data=*\", ~\"T=*\", ~\"d=@*\", ~\"upload-file=*\"\ + , ~\"F=file*\"] &&\n exec.args not in [~\"*localhost*\", ~\"*127.0.0.1*\"\ + ]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: net_util_in_container\n\ + \ version: 69e03ac1\n description: A network utility was executed in a container\n\ + \ expression: |-\n (exec.comm in [\"socat\", \"dig\", \"nslookup\", \"\ + host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\"\ + , \"curl\", \"lwp-download\"]) &&\n container.id != \"\" && exec.args not\ + \ in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]\n agent_version:\ + \ ''\n filters: []\n- id: net_util_in_container_v2\n version: 26d8eba1\n\ + \ description: A 
network utility was executed in a container\n expression:\ \ |-\n (exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\"\ , ~\"nc*\", \"ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"\ ]) &&\n container.id != \"\" && exec.args not in [ ~\"*localhost*\", ~\"\ - *127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]\n agent_version: ''\n filters: []\n\ - - id: net_util_in_container_v2\n version: 26d8eba1\n description: A network\ - \ utility was executed in a container\n expression: |-\n (exec.comm in\ - \ [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"\ - ncat\"] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) &&\n\ - \ container.id != \"\" && exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\"\ - , ~\"*motd.ubuntu.com*\" ] && container.created_at > 180s\n agent_version:\ - \ ''\n filters: []\n- id: network_sniffing_tool\n version: 4ae409bf\n description:\ - \ Local account groups were enumerated after container start up\n expression:\ - \ exec.file.name in [\"tcpdump\", \"tshark\"]\n agent_version: ''\n filters:\ - \ []\n- id: new_binary_execution_in_container\n version: 9dc42e1d\n description:\ - \ A container executed a new binary not found in the container image\n expression:\ - \ container.id != \"\" && process.file.in_upper_layer && process.file.modification_time\n\ - \ < 30s && exec.file.name != \"\"\n agent_version: ''\n filters: []\n\ - - id: new_java_detect_sync_test\n version: 28ba1078\n description: Execution\ - \ of a java process\n expression: exec.file.name == \"java\"\n agent_version:\ - \ ''\n filters: []\n- id: new_java_detect_sync_test_prod\n version: 28ba1078\n\ - \ description: Execution of a java process\n expression: exec.file.name\ - \ == \"java\"\n agent_version: ''\n filters: []\n- id: new_java_detect_sync_test_us1_prod\n\ + *127.0.0.1*\", ~\"*motd.ubuntu.com*\" ] && container.created_at > 180s\n \ + \ agent_version: ''\n filters: []\n- id: network_sniffing_tool\n version:\ + \ 
4ae409bf\n description: Local account groups were enumerated after container\ + \ start up\n expression: exec.file.name in [\"tcpdump\", \"tshark\"]\n agent_version:\ + \ ''\n filters: []\n- id: new_binary_execution_in_container\n version: 9dc42e1d\n\ + \ description: A container executed a new binary not found in the container\ + \ image\n expression: container.id != \"\" && process.file.in_upper_layer\ + \ && process.file.modification_time\n < 30s && exec.file.name != \"\"\n\ + \ agent_version: ''\n filters: []\n- id: new_java_detect_sync_test\n version:\ + \ 28ba1078\n description: Execution of a java process\n expression: exec.file.name\ + \ == \"java\"\n agent_version: ''\n filters: []\n- id: new_java_detect_sync_test_prod\n\ + \ version: 28ba1078\n description: Execution of a java process\n expression:\ + \ exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: new_java_detect_sync_test_us1_prod\n\ \ version: 28ba1078\n description: Execution of a java process\n expression:\ - \ exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: nsswitch_conf_mod_chmod\n\ - \ version: d301aedf\n description: nsswitch may have been modified without\ - \ authorization\n expression: |-\n (\n (chmod.file.path in [ \"\ - /etc/nsswitch.conf\" ])\n ) && chmod.file.destination.mode != chmod.file.mode\n\ - \ agent_version: ''\n filters: []\n- id: nsswitch_conf_mod_chown\n version:\ + \ exec.file.name == \"java\"\n agent_version: ''\n filters: []\n- id: nohup_usage\n\ + \ version: 8a570532\n description: nohup was used to ignore process termination\ + \ signals\n expression: exec.comm == \"nohup\"\n agent_version: ''\n filters:\n\ + \ - os == \"linux\"\n- id: nsswitch_conf_mod_chmod\n version: d301aedf\n\ + \ description: nsswitch may have been modified without authorization\n expression:\ + \ |-\n (\n (chmod.file.path in [ \"/etc/nsswitch.conf\" ])\n \ + \ ) && chmod.file.destination.mode != chmod.file.mode && process.file.path\ + \ not in 
[~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ + , \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n agent_version:\ + \ ''\n filters:\n - os == \"linux\"\n- id: nsswitch_conf_mod_chown\n version:\ \ '69383592'\n description: nsswitch may have been modified without authorization\n\ \ expression: |-\n (\n (chown.file.path in [ \"/etc/nsswitch.conf\"\ \ ])\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid\ @@ -709,8 +918,12 @@ http_interactions: \ abef53c9\n description: nsswitch may have been modified without authorization\n\ \ expression: |-\n (\n open.flags & ((O_RDWR|O_WRONLY|O_CREAT))\ \ > 0 &&\n (open.file.path in [ \"/etc/nsswitch.conf\" ])\n ) &&\ - \ container.created_at > 180s\n agent_version: ''\n filters: []\n- id: nsswitch_conf_mod_rename\n\ - \ version: aad34176\n description: Nsswitch Configuration Modified\n expression:\ + \ container.id != \"\" && container.created_at > 90s && process.file.path\ + \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ + , \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n agent_version:\ + \ ''\n filters:\n - os == \"linux\"\n- id: nsswitch_conf_mod_rename\n version:\ + \ aad34176\n description: Nsswitch Configuration Modified\n expression:\ \ |-\n (\n (rename.file.path in [ \"/etc/nsswitch.conf\" ]\n \ \ || rename.file.destination.path in [ \"/etc/nsswitch.conf\" ])\n \ \ )\n agent_version: ''\n filters: []\n- id: nsswitch_conf_mod_unlink\n\ 
@@ -727,197 +940,241 @@ http_interactions: \ in [ ~\"python*\" ] && (\"KubiScan.py\" in exec.argv ||\n \"kubestriker\"\ \ in exec.argv ) ) || exec.file.name in [ \"kubiscan\",\"kdigger\",\"kube-hunter\"\ ,\"rakkess\",\"peirates\",\"kubescape\",\"kubeaudit\",\"kube-linter\",\"stratus\"\ - ,~\"botb-*\"]\n agent_version: ''\n filters: []\n- id: package_management_in_container\n\ - \ version: c152fcaf\n description: Package management was detected in a\ - \ container\n expression: exec.file.path in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ - , \"/usr/bin/rpm\",\n \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\"\ - , ~\"/usr/bin/pip*\", \"/usr/bin/yum\",\n \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ - ] && container.id != \"\"\n agent_version: ''\n filters: []\n- id: pam_modification_chmod\n\ - \ version: 974a676e\n description: PAM may have been modified without authorization\n\ + ,~\"botb-*\"]\n agent_version: ''\n filters: []\n- id: overwrite_entrypoint\n\ + \ version: 38eea29c\n description: A process attempted to overwrite the\ + \ container entrypoint\n expression: open.file.path == \"/proc/self/fd/1\"\ + \ && open.flags & O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY\n > 0 && container.id\ + \ != \"\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: p2pinfect_connection\n\ + \ version: 169317f9\n description: A process made a connection to a port\ + \ associated with P2PInfect malware\n expression: (connect.addr.family ==\ + \ AF_INET || connect.addr.family == AF_INET6)\n && connect.addr.is_public\ + \ == true && connect.addr.port >= 60100 && connect.addr.port\n <= 60150\n\ + \ agent_version: ''\n filters:\n - os == \"linux\"\n actions:\n - hash:\n\ + \ field: process.file\n- id: package_management_in_container\n version:\ + \ c152fcaf\n description: Package management was detected in a container\n\ + \ expression: exec.file.path in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"\ + /usr/bin/rpm\",\n \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"\ + 
/usr/bin/pip*\", ~\"/usr/local/bin/pip*\",\n \"/usr/bin/yum\", \"/sbin/apk\"\ + , \"/usr/lib/snapd/snapd\"] && container.id != \"\"\n agent_version: ''\n\ + \ filters:\n - os == \"linux\"\n- id: pam_modification_chmod\n version:\ + \ 974a676e\n description: PAM may have been modified without authorization\n\ \ expression: |-\n (\n (chmod.file.path in [ ~\"/etc/pam.d/**\"\ - , \"/etc/pam.conf\" ])\n ) && chmod.file.destination.mode != chmod.file.mode\n\ - \ agent_version: ''\n filters: []\n- id: pam_modification_chown\n version:\ - \ ca22d0ab\n description: PAM may have been modified without authorization\n\ + , \"/etc/pam.conf\", ~\"/lib/security/*\", ~\"/usr/lib/security/*\", ~\"/lib64/security/*\"\ + , ~\"/usr/lib64/security/*\"])\n ) && chmod.file.destination.mode != chmod.file.mode\n\ + \ agent_version: ''\n filters:\n - os == \"linux\"\n- id: pam_modification_chown\n\ + \ version: ca22d0ab\n description: PAM may have been modified without authorization\n\ \ expression: |-\n (\n (chown.file.path in [ ~\"/etc/pam.d/**\"\ - , \"/etc/pam.conf\" ])\n ) && (chown.file.destination.uid != chown.file.uid\ + , \"/etc/pam.conf\", ~\"/lib/security/*\", ~\"/usr/lib/security/*\", ~\"/lib64/security/*\"\ + , ~\"/usr/lib64/security/*\" ])\n ) && (chown.file.destination.uid != chown.file.uid\ \ || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n\ - \ filters: []\n- id: pam_modification_link\n version: 3d5d6b31\n description:\ - \ PAM Configuration Files Modification\n expression: |-\n (\n (link.file.path\ - \ in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ]\n || link.file.destination.path\ - \ in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ])\n )\n agent_version: ''\n\ - \ filters: []\n- id: pam_modification_open\n version: 9440f452\n description:\ - \ PAM Configuration Files Modification\n expression: |-\n (\n open.flags\ - \ & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [\ - \ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ])\n )\n agent_version: ''\n 
filters:\ - \ []\n- id: pam_modification_rename\n version: bd1d257a\n description: PAM\ - \ Configuration Files Modification\n expression: |-\n (\n (rename.file.path\ - \ in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ]\n || rename.file.destination.path\ - \ in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ])\n )\n agent_version: ''\n\ - \ filters: []\n- id: pam_modification_unlink\n version: c3dc53e1\n description:\ - \ PAM Configuration Files Modification\n expression: |-\n (\n (unlink.file.path\ - \ in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ])\n )\n agent_version: ''\n\ - \ filters: []\n- id: pam_modification_utimes\n version: d377b599\n description:\ - \ PAM may have been modified without authorization\n expression: |-\n \ - \ (\n (utimes.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\"\ + \ filters:\n - os == \"linux\"\n- id: pam_modification_link\n version:\ + \ 3d5d6b31\n description: PAM may have been modified without authorization\n\ + \ expression: |-\n (\n (link.file.path in [ ~\"/etc/pam.d/**\"\ + , \"/etc/pam.conf\", ~\"/lib/security/*\", ~\"/usr/lib/security/*\", ~\"/lib64/security/*\"\ + , ~\"/usr/lib64/security/*\"]\n || link.file.destination.path in [\ + \ ~\"/etc/pam.d/**\", \"/etc/pam.conf\", ~\"/lib/security/*\", ~\"/usr/lib/security/*\"\ + , ~\"/lib64/security/*\", ~\"/usr/lib64/security/*\"])\n )\n agent_version:\ + \ ''\n filters:\n - os == \"linux\"\n- id: pam_modification_open\n version:\ + \ 9440f452\n description: PAM may have been modified without authorization\n\ + \ expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY)\ + \ > 0 &&\n (open.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\"\ + , ~\"/lib/security/*\", ~\"/usr/lib/security/*\", ~\"/lib64/security/*\",\ + \ ~\"/usr/lib64/security/*\" ])\n )\n agent_version: ''\n filters:\n\ + \ - os == \"linux\"\n- id: pam_modification_rename\n version: bd1d257a\n\ + \ description: PAM may have been modified without authorization\n expression:\ + \ |-\n (\n 
(rename.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\"\ + , ~\"/lib/security/*\", ~\"/usr/lib/security/*\", ~\"/lib64/security/*\",\ + \ ~\"/usr/lib64/security/*\" ]\n || rename.file.destination.path in\ + \ [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\", ~\"/lib/security/*\", ~\"/usr/lib/security/*\"\ + , ~\"/lib64/security/*\", ~\"/usr/lib64/security/*\" ])\n )\n agent_version:\ + \ ''\n filters:\n - os == \"linux\"\n- id: pam_modification_unlink\n version:\ + \ c3dc53e1\n description: PAM may have been modified without authorization\n\ + \ expression: |-\n (\n (unlink.file.path in [ ~\"/etc/pam.d/**\"\ + , \"/etc/pam.conf\", ~\"/lib/security/*\", ~\"/usr/lib/security/*\", ~\"/lib64/security/*\"\ + , ~\"/usr/lib64/security/*\" ])\n )\n agent_version: ''\n filters:\n\ + \ - os == \"linux\"\n- id: pam_modification_utimes\n version: d377b599\n\ + \ description: PAM may have been modified without authorization\n expression:\ + \ |-\n (\n (utimes.file.path in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\"\ \ ])\n ) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\"\ , \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"\ - /usr/bin/pip*\"]\n agent_version: ''\n filters: []\n- id: passwd_execution\n\ - \ version: e1d41f5e\n description: The passwd or chpasswd utility was used\ - \ to modify an account password\n expression: exec.file.path in [\"/usr/bin/passwd\"\ - , \"/usr/sbin/chpasswd\"] && exec.args_flags\n not in [\"S\", \"status\"\ - ]\n agent_version: ''\n filters: []\n- id: paste_site\n version: b528c8d4\n\ - \ description: A DNS lookup was done for a pastebin-like site\n expression:\ - \ dns.question.name in [\"pastebin.com\", \"ghostbin.com\", \"termbin.com\"\ - ,\n \"klgrth.io\"] && process.file.name != \"\"\n agent_version: ''\n\ - \ filters: []\n- id: pci_11_5_critical_binaries_chmod\n version: 1945831d\n\ + /usr/bin/pip*\", 
~\"/usr/local/bin/pip*\"]\n agent_version: ''\n filters:\n\ + \ - os == \"linux\"\n- id: passwd_execution\n version: e1d41f5e\n description:\ + \ The passwd or chpasswd utility was used to modify an account password\n\ + \ expression: exec.file.path in [\"/usr/bin/passwd\", \"/usr/sbin/chpasswd\"\ + ] && exec.args_flags\n not in [\"S\", \"status\"]\n agent_version: ''\n\ + \ filters: []\n- id: paste_site\n version: b528c8d4\n description: A DNS\ + \ lookup was done for a pastebin-like site\n expression: dns.question.name\ + \ in [\"pastebin.com\", \"ghostbin.com\", \"termbin.com\",\n \"klgrth.io\"\ + , \"rentry.co\", \"transfer.sh\"] && process.file.name != \"\"\n agent_version:\ + \ ''\n filters:\n - os == \"linux\"\n- id: paste_site_domain\n version:\ + \ ed730586\n description: A process connected to a paste site\n expression:\ + \ connect.addr.hostname in [\"pastebin.com\", \"ghostbin.com\", \"termbin.com\"\ + ,\n \"klgrth.io\", \"rentry.co\", \"transfer.sh\"] && connect.addr.is_public\ + \ == true &&\n connect.addr.port in [80, 443]\n agent_version: ''\n filters:\n\ + \ - os == \"linux\"\n- id: pci_11_5_critical_binaries_chmod\n version: 1945831d\n\ \ description: Critical system binaries may have been modified\n expression:\ \ |-\n (\n (chmod.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"\ /usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\"\ , ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\"\ , \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"\ /usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\"\ - , \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path\ - \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ - , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ - /usr/lib/snapd/snapd\"]\n ) && chmod.file.destination.mode != chmod.file.mode\n\ - \ agent_version: ''\n filters: []\n- id: 
pci_11_5_critical_binaries_chown\n\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \ + \ && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ + , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"\ + /usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"\ + , \"/usr/lib/snapd/snapd\"]\n ) && chmod.file.destination.mode != chmod.file.mode\n\ + \ agent_version: ''\n filters:\n - os == \"linux\"\n- id: pci_11_5_critical_binaries_chown\n\ \ version: 21da2189\n description: Critical system binaries may have been\ \ modified\n expression: |-\n (\n (chown.file.path in [ ~\"/bin/*\"\ , ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\",\ \ ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not\ \ in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ , \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\"\ - , \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path\ - \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ - , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ - /usr/lib/snapd/snapd\"]\n ) && (chown.file.destination.uid != chown.file.uid\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \ + \ && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ + , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"\ + /usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"\ + , \"/usr/lib/snapd/snapd\"]\n ) && (chown.file.destination.uid != chown.file.uid\ \ || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n\ - \ filters: []\n- id: pci_11_5_critical_binaries_link\n version: a7ac587c\n\ - \ description: Critical system binaries may have been modified\n expression:\ - \ |-\n (\n (link.file.path in [ 
~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\"\ - , ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\"\ - \ ]\n || link.file.destination.path in [ ~\"/bin/*\", ~\"/sbin/*\"\ - , ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\"\ - , ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\"\ - , \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"\ - /usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\"\ - , \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path\ - \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ - , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ - /usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id:\ - \ pci_11_5_critical_binaries_open\n version: f583ba7c\n description: Critical\ - \ system binaries may have been modified\n expression: |-\n (\n \ - \ open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n open.file.path\ - \ in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\"\ - , ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n && process.file.path not\ - \ in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ - , \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\"\ - , \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path\ - \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ - , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ - /usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id:\ - \ pci_11_5_critical_binaries_open_v2\n version: 45abd074\n description:\ - \ Critical system binaries may have been modified\n expression: |-\n (\n\ - \ open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n open.file.path\ - \ in [ ~\"/bin/*\", 
~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\"\ - , ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n && process.file.path not\ - \ in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ - , \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\"\ - , \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path\ - \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ - , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ - /usr/lib/snapd/snapd\"]\n ) && container.created_at > 90s\n agent_version:\ - \ ''\n filters:\n - os == \"linux\"\n- id: pci_11_5_critical_binaries_rename\n\ - \ version: e0bc0857\n description: Critical system binaries may have been\ - \ modified\n expression: |-\n (\n (rename.file.path in [ ~\"/bin/*\"\ + \ filters:\n - os == \"linux\"\n- id: pci_11_5_critical_binaries_link\n\ + \ version: a7ac587c\n description: Critical system binaries may have been\ + \ modified\n expression: |-\n (\n (link.file.path in [ ~\"/bin/*\"\ , ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\",\ - \ ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || rename.file.destination.path\ + \ ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || link.file.destination.path\ \ in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\"\ , ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not\ \ in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ , \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\"\ - , \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path\ - \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ - , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ - /usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: 
[]\n- id:\ - \ pci_11_5_critical_binaries_unlink\n version: 3bb086ca\n description: Critical\ - \ system binaries may have been modified\n expression: |-\n (\n \ - \ (unlink.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \ + \ && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ + , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"\ + /usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"\ + , \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters:\n - os\ + \ == \"linux\"\n- id: pci_11_5_critical_binaries_open\n version: f583ba7c\n\ + \ description: Critical system binaries may have been modified\n expression:\ + \ |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n\ + \ open.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"\ /usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\"\ - \ ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ + \ ]\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\"\ , \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"\ /usr/bin/pip*\"]\n && process.ancestors.file.path not in [~\"/usr/bin/apt*\"\ , \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"\ /usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ - ]\n )\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: pci_11_5_critical_binaries_utimes\n\ - \ version: 6d979630\n description: Critical system binaries may have been\ - \ modified\n expression: |-\n (\n (utimes.file.path in [ ~\"/bin/*\"\ + ]\n )\n agent_version: ''\n filters: []\n- id: pci_11_5_critical_binaries_open_v2\n\ + \ version: 45abd074\n description: Critical system binaries may have been\ + \ modified\n 
expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY)\ + \ > 0 &&\n open.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\"\ + , ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\"\ + \ ]\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ + , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\"\ + , \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"\ + /usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n && process.ancestors.file.path\ + \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\"\ + , \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && container.id != \"\"\ + \ && container.created_at > 90s\n agent_version: ''\n filters:\n - os ==\ + \ \"linux\"\n- id: pci_11_5_critical_binaries_rename\n version: e0bc0857\n\ + \ description: Critical system binaries may have been modified\n expression:\ + \ |-\n (\n (rename.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"\ + /usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\"\ + , ~\"/boot/**\" ]\n || rename.file.destination.path in [ ~\"/bin/*\"\ , ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\",\ \ ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not\ \ in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ , \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\"\ - , \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path\ - \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ - , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ - /usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters: []\n- id:\ - \ potential_cryptominer\n version: 4241c309\n description: A process 
resolved\ - \ a DNS name associated with cryptomining activity\n expression: dns.question.name\ - \ in [~\"*minexmr.com\", ~\"*nanopool.org\", ~\"*supportxmr.com\",\n ~\"\ - *c3pool.com\", ~\"*p2pool.io\", ~\"*ethermine.org\", ~\"*f2pool.com\", ~\"\ - *poolin.me\",\n ~\"*rplant.xyz\"] && process.file.name != \"\"\n agent_version:\ - \ ''\n filters: []\n- id: potential_web_shell_parent\n version: b67ffbcd\n\ - \ description: A web application spawned a shell or shell utility\n expression:\ - \ |-\n (exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n\ - \ \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \ - \ \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\"\ - ,\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\"\ - ,\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\"\ - ,\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\"\ - ,\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \ - \ \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\"\ - ,\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \ - \ \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\"\ - \ ] || exec.comm in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.path\ - \ in [\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\"\ - ,\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\"\ - ,\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"\ - /bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"\ - /bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\"\ - ,\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\"\ - ,\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\"\ - ,\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\"\ - ,\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\"\ - 
,\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\"\ - ,\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\"\ - ,\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\"\ - ,\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\"\ - ,\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\"\ - ,\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\"\ - ,\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\"\ - ,\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\"\ - ,\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\"\ - ,\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\"\ - ,\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\"\ - ,\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\"\ - ,\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\"\ - ,\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"\ - /usr/sbin/chroot\"]) &&\n (process.parent.file.name in [\"apache2\", \"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \ + \ && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ + , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"\ + /usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"\ + , \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters:\n - os\ + \ == \"linux\"\n- id: pci_11_5_critical_binaries_unlink\n version: 3bb086ca\n\ + \ description: Critical system binaries may have been modified\n expression:\ + \ |-\n (\n (unlink.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"\ + /usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\"\ + , ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\"\ + , 
\"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"\ + /usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \ + \ && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ + , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"\ + /usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"\ + , \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters:\n - os\ + \ == \"linux\"\n- id: pci_11_5_critical_binaries_utimes\n version: 6d979630\n\ + \ description: Critical system binaries may have been modified\n expression:\ + \ |-\n (\n (utimes.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"\ + /usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\"\ + , ~\"/boot/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\"\ + , \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"\ + /usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \ + \ && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ + , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"\ + /usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"\ + , \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters:\n - os\ + \ == \"linux\"\n- id: pentest_domain\n version: c05d76a\n description: A\ + \ process connected to a penetration testing domain\n expression: connect.addr.hostname\ + \ in [~\"*.interact.sh\", ~\"*.oast.pro\", ~\"*.oast.live\",\n ~\"*.oast.fun\"\ + , ~\"*.oast.me\", ~\"*.burpcollaborator.net\", ~\"*.oastify.com\", ~\"*canarytokens.com\"\ + ,\n ~\"*.requestbin.net\", ~\"*.dnslog.cn\"] && connect.addr.is_public\ + \ == true\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: perl_shell\n\ + \ version: 2eb4b1e8\n description: Perl 
executed with suspicious argument\n\ + \ expression: exec.file.name == ~\"perl*\" && exec.args_flags in [\"e\"]\ + \ && (exec.args\n in [~\"*socket*\", ~\"*bind*\", ~\"*sockaddr*\", ~\"\ + *listen*\", ~\"*accept\", ~\"*stdin*\",\n ~\"*stdout\"])\n agent_version:\ + \ ''\n filters:\n - os == \"linux\"\n- id: potential_web_shell_parent\n\ + \ version: b67ffbcd\n description: A web application spawned a shell or\ + \ shell utility\n expression: |-\n (exec.file.path in [ \"/bin/dash\"\ + ,\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\"\ + ,\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n\ + \ \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\"\ + ,\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\"\ + ,\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\"\ + ,\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n\ + \ \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \ + \ \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\"\ + ,\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n\ + \ \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] || exec.comm in [\"wget\"\ + , \"curl\", \"lwp-download\"] || exec.file.path in [\"/bin/cat\",\"/bin/chgrp\"\ + ,\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\"\ + ,\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\"\ + ,\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"\ + /bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"\ + /bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\"\ + ,\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\"\ + ,\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\"\ + ,\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\"\ + ,\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\"\ + 
,\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\"\ + ,\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\"\ + ,\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"\ + /usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\"\ + ,\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\"\ + ,\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\"\ + ,\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\"\ + ,\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\"\ + ,\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\"\ + ,\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"\ + /usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"\ + /usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"\ + /usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\"\ + ,\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"\ + ,\"/bin/busybox\"]) &&\n (process.parent.file.name in [\"apache2\", \"\ nginx\", ~\"tomcat*\", \"httpd\"] || process.parent.file.name =~ \"php*\"\ - )\n agent_version: ''\n filters: []\n- id: ps_discovery\n version: a0a32c4b\n\ - \ description: Processes were listed using the ps command\n expression:\ - \ exec.comm == \"ps\" && exec.argv not in [\"-p\", \"--pid\"] && process.ancestors.file.name\n\ - \ not in [\"qualys-cloud-agent\", \"amazon-ssm-agent\"] && process.parent.file.name\n\ - \ not in [\"rkhunter\", \"jspawnhelper\", ~\"vm-agent*\", \"PassengerAgent\"\ - , \"node\", \"wdavdaemon\",\n \"chkrootkit\", \"tsagentd\", \"wazuh-modulesd\"\ - , \"wdavdaemon\", \"talend-remote-engine-service\",\n \"check_procs\",\ - \ \"newrelic-daemon\"]\n agent_version: ''\n filters:\n - os == \"linux\"\ - \n- id: ptrace_antidebug\n version: a6289ff7\n 
description: A process uses\ - \ an anti-debugging technique to block debuggers\n expression: ptrace.request\ - \ == PTRACE_TRACEME && process.file.name != \"\"\n agent_version: ''\n filters:\ - \ []\n- id: ptrace_injection\n version: 6d290a43\n description: A process\ - \ attempted to inject code into another process\n expression: ptrace.request\ + )\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: ps_discovery\n\ + \ version: a0a32c4b\n description: Processes were listed using the ps command\n\ + \ expression: exec.comm == \"ps\" && exec.argv not in [\"-p\", \"--pid\"\ + ] && process.ancestors.file.name\n not in [\"qualys-cloud-agent\", \"amazon-ssm-agent\"\ + ] && process.parent.file.name\n not in [\"rkhunter\", \"jspawnhelper\"\ + , ~\"vm-agent*\", \"PassengerAgent\", \"node\", \"wdavdaemon\",\n \"chkrootkit\"\ + , \"tsagentd\", \"wazuh-modulesd\", \"wdavdaemon\", \"talend-remote-engine-service\"\ + ,\n \"check_procs\", \"newrelic-daemon\"]\n agent_version: ''\n filters:\n\ + \ - os == \"linux\"\n- id: ptrace_antidebug\n version: a6289ff7\n description:\ + \ A process uses an anti-debugging technique to block debuggers\n expression:\ + \ ptrace.request == PTRACE_TRACEME && process.file.name != \"\"\n agent_version:\ + \ ''\n filters: []\n- id: ptrace_injection\n version: 6d290a43\n description:\ + \ A process attempted to inject code into another process\n expression: ptrace.request\ \ == PTRACE_POKETEXT || ptrace.request == PTRACE_POKEDATA\n || ptrace.request\ \ == PTRACE_POKEUSR\n agent_version: ''\n filters: []\n- id: pwnkit_privilege_escalation\n\ \ version: c83bbabc\n description: A process was spawned with indicators\ 
@@ -927,61 +1184,69 @@ http_interactions: \ filters: []\n- id: python_cli_code\n version: '989474'\n description:\ \ Python code was provided on the command line\n expression: exec.file.name\ \ == ~\"python*\" && exec.args_flags in [\"c\"] && exec.args\n in [~\"\ - *-c*SOCK_STREAM*\", ~\"*-c*subprocess*\", \"*-c*/bash*\", \"*-c*/bin/sh*\"\ - , \"*-c*pty.spawn*\"]\n && exec.args !~ \"*setuptools*\"\n agent_version:\ - \ ''\n filters: []\n- id: ransomware_note\n version: ee40f85a\n description:\ - \ Possible ransomware note created under common user directories\n expression:\ - \ |-\n open.flags & O_CREAT > 0\n && open.file.path in [~\"/home/**\"\ - , ~\"/root/**\", ~\"/bin/**\", ~\"/usr/bin/**\", ~\"/opt/**\", ~\"/etc/**\"\ - , ~\"/var/log/**\", ~\"/var/lib/log/**\", ~\"/var/backup/**\", ~\"/var/www/**\"\ - ]\n && open.file.name in [r\"(?i).*(restore|recover|read|instruction|how_to|ransom|lock).*(your_|crypt|lock|file|ransom).*\"\ - ] && open.file.name not in [r\".*\\.lock$\"]\n agent_version: ''\n filters:\n\ - \ - os == \"linux\"\n- id: rc_scripts_modified\n version: af295b08\n description:\ - \ RC scripts modified\n expression: (open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)\ - \ > 0 && (open.file.path\n in [\"/etc/rc.common\", \"/etc/rc.local\"]))\ - \ && process.ancestors.file.path not in\n [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ - , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\",\n \"/usr/bin/npm\"\ - , ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ - ]\n agent_version: ''\n filters: []\n- id: read_kubeconfig\n version: '80926379'\n\ - \ description: The kubeconfig file was accessed\n expression: open.file.path\ - \ in [~\"/home/*/.kube/config\", \"/root/.kube/config\"]\n agent_version:\ - \ ''\n filters: []\n- id: read_release_info\n version: d0cc9710\n description:\ - \ OS information was read from the /etc/lsb-release file\n expression: open.file.path\ - \ == \"/etc/lsb-release\" && open.flags & O_RDONLY > 0\n 
agent_version: ''\n\ - \ filters: []\n- id: redis_save_module\n version: b1cb9110\n description:\ - \ Redis module has been created\n expression: (open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)\ - \ > 0 && open.file.path\n =~ \"/tmp/**\" && open.file.name in [~\"*.rdb\"\ - , ~\"*.aof\", ~\"*.so\"]) && process.file.name\n in [\"redis-check-rdb\"\ - , \"redis-server\"]\n agent_version: ''\n filters: []\n- id: registry_runkey_modified\n\ + *-c*SOCK_STREAM*\", ~\"*-c*subprocess*\", ~\"*-c*/bash*\", ~\"*-c*/bin/sh*\"\ + , ~\"*-c*pty.spawn*\"]\n && exec.args !~ \"*setuptools*\"\n agent_version:\ + \ ''\n filters:\n - os == \"linux\"\n- id: ransomware_note\n version: ee40f85a\n\ + \ description: Possible ransomware note created under common user directories\n\ + \ expression: |-\n open.flags & O_CREAT > 0\n && open.file.path in\ + \ [~\"/home/**\", ~\"/root/**\", ~\"/bin/**\", ~\"/usr/bin/**\", ~\"/opt/**\"\ + , ~\"/etc/**\", ~\"/var/log/**\", ~\"/var/lib/log/**\", ~\"/var/backup/**\"\ + , ~\"/var/www/**\"]\n && (open.file.name in [r\"(?i)(restore|recover|instruction|help|how_to|how\\\ + \ to|ransom).*(your_|recover|crypt|lock|ransom|instruction|files)\"] || open.file.name\ + \ in [r\"RECOVER.*\\.txt\"]) && open.file.name not in [r\"\\.lock$\"]\n agent_version:\ + \ ''\n filters:\n - os == \"linux\"\n- id: rc_scripts_modified\n version:\ + \ af295b08\n description: RC scripts modified\n expression: (open.flags\ + \ & (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) > 0 && (open.file.path\n \ + \ in [\"/etc/rc.common\", \"/etc/rc.local\"])) && process.ancestors.file.path\ + \ not in\n [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"\ + /usr/bin/unattended-upgrade\",\n \"/usr/bin/npm\", ~\"/usr/bin/pip*\",\ + \ ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\",\n \"/usr/lib/snapd/snapd\"\ + ]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: read_kubeconfig\n\ + \ version: '80926379'\n description: The kubeconfig file was accessed\n\ + \ expression: 
open.file.path in [~\"/home/*/.kube/config\", \"/root/.kube/config\"\ + ]\n agent_version: ''\n filters: []\n- id: redis_save_module\n version:\ + \ b1cb9110\n description: Redis module has been created\n expression: (open.flags\ + \ & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && open.file.path\n =~ \"/tmp/**\"\ + \ && open.file.name in [~\"*.rdb\", ~\"*.aof\", ~\"*.so\"]) && process.file.name\n\ + \ in [\"redis-check-rdb\", \"redis-server\"]\n agent_version: ''\n filters:\n\ + \ - os == \"linux\"\n actions:\n - hash: {}\n- id: registry_runkey_modified\n\ \ version: 3df7b8e9\n description: A Registry runkey has been modified\n\ - \ expression: set.registry.key_path in [~\"*\\\\HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\ - \\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\",\n ~\"*\\\\HKEY_LOCAL_MACHINE\\\ - \\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Runonce\",\n ~\"\ - *\\\\HKEY_LOCAL_MACHINE\\\\Software\\\\Wow6432Node\\\\Microsoft\\\\Windows\\\ - \\CurrentVersion\\\\Run\",\n ~\"*\\\\HKEY_LOCAL_MACHINE\\\\Software\\\\\ - Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal\n Server\\\\Install\\\ - \\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\", ~\"*\\\\HKEY_LOCAL_MACHINE\\\ - \\Software\\\\Microsoft\\\\Windows\n NT\\\\CurrentVersion\\\\Terminal Server\\\ - \\Install\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Runonce\"\ - ,\n ~\"*\\\\HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\ - \\CurrentVersion\\\\Terminal\n Server\\\\Install\\\\Software\\\\Microsoft\\\ - \\Windows\\\\CurrentVersion\\\\RunonceEx\"]\n agent_version: ''\n filters:\n\ - \ - os == \"windows\"\n- id: runc_modification\n version: c7144439\n description:\ - \ The runc binary was modified in a non-standard way\n expression: |-\n \ - \ open.file.path in [\"/usr/bin/runc\", \"/usr/sbin/runc\", \"/usr/bin/docker-runc\"\ - ]\n && open.flags & O_CREAT|O_TRUNC|O_RDWR|O_WRONLY > 0\n && process.file.path\ - \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", 
\"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ - , \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\"\ - , \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path\ + \ expression: set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\\ + Microsoft\\Windows\\CurrentVersion\\Run\",\n ~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\\ + Microsoft\\Windows\\CurrentVersion\\Runonce\", ~\"HKEY_LOCAL_MACHINE\\Software\\\ + Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\",\n ~\"HKEY_LOCAL_MACHINE\\\ + Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\\ + Software\\Microsoft\\Windows\\CurrentVersion\\Run\",\n ~\"HKEY_LOCAL_MACHINE\\\ + Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\\ + Software\\Microsoft\\Windows\\CurrentVersion\\Runonce\",\n ~\"HKEY_LOCAL_MACHINE\\\ + Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal Server\\Install\\\ + Software\\Microsoft\\Windows\\CurrentVersion\\RunonceEx\"]\n agent_version:\ + \ ''\n filters:\n - os == \"windows\"\n- id: relay_attack_tool_execution\n\ + \ version: f078acb1\n description: Process matches known relay attack tool\n\ + \ expression: exec.file.name in [~\"*PetitPotam*\", ~\"*RottenPotato*\",\ + \ ~\"*HotPotato*\",\n ~\"*JuicyPotato*\", ~\"*just_dce_*\", ~\"*Juicy Potato*\"\ + , \"rot.exe\", \"Potato.exe\",\n \"SpoolSample.exe\", \"Responder.exe\"\ + , ~\"*smbrelayx*\", ~\"*smbrelayx*\", ~\"*ntlmrelayx*\",\n ~\"*LocalPotato*\"\ + ] || exec.cmdline in [~\"*Invoke-Tater*\", ~\"*smbrelay*\", ~\"*ntlmrelay*\"\ + ,\n ~\"*cme smb*\", ~\"*ntlm:NTLMhash*\", ~\"*Invoke-PetitPotam*\"]\n \ + \ agent_version: ''\n filters:\n - os == \"windows\"\n- id: runc_modification\n\ + \ version: c7144439\n description: The runc binary was modified in a non-standard\ + \ way\n expression: |-\n open.file.path in [\"/usr/bin/runc\", \"/usr/sbin/runc\"\ + , \"/usr/bin/docker-runc\"]\n && open.flags & O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY\ + \ > 
0\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ + , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\"\ + , \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"\ + /usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n && process.ancestors.file.path\ \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ - , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ - /usr/lib/snapd/snapd\"]\n agent_version: ''\n filters: []\n- id: safeboot_modification\n\ - \ version: 75fb1a6f\n description: Safeboot registry modified\n expression:\ - \ set.registry.key_path =~ \"*\\\\HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\ - \\Control\\\\SafeBoot\"\n agent_version: ''\n filters:\n - os == \"windows\"\ - \n- id: scheduled_task_creation\n version: 9c3f2289\n description: A scheduled\ - \ task was created\n expression: exec.file.name in [\"at.exe\",\"schtasks.exe\"\ - ]\n agent_version: ''\n filters:\n - os == \"windows\"\n- id: selinux_disable_enforcement\n\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\"\ + , \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n agent_version: ''\n filters:\n\ + \ - os == \"linux\"\n- id: safeboot_modification\n version: 75fb1a6f\n \ + \ description: Safeboot registry modified\n expression: set.registry.key_path\ + \ in [~\"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SafeBoot\"\ + ]\n agent_version: ''\n filters:\n - os == \"windows\"\n- id: scheduled_task_creation\n\ + \ version: 9c3f2289\n description: A scheduled task was created\n expression:\ + \ exec.cmdline in [~\"*at.exe\",~\"*schtasks*\"] && exec.cmdline =~ \"*create*\"\ + \n agent_version: ''\n filters:\n - os == \"windows\"\n- id: selinux_disable_enforcement\n\ \ version: afa9a8ba\n description: SELinux enforcement status was disabled\n\ \ expression: selinux.enforce.status in [\"permissive\", \"disabled\"] &&\ \ 
process.ancestors.args\n != ~\"*BECOME-SUCCESS*\"\n agent_version: ''\n\ 
@@ -989,27 +1254,34 @@ http_interactions: \ used to stop a service\n expression: exec.file.name == \"systemctl\" &&\ \ exec.args in [~\"*stop*\"]\n agent_version: ''\n filters: []\n- id: shell_history_deleted\n\ \ version: ff763e6\n description: Shell History was Deleted\n expression:\ - \ (unlink.file.name =~ r\".([dbazfi]*sh)(_history)$\") && process.comm\n\ - \ not in [\"dockerd\", \"containerd\"]\n agent_version: ''\n filters:\ - \ []\n- id: shell_history_symlink\n version: 31982e4d\n description: A symbolic\ + \ unlink.file.name in [\".bash_history\", \".zsh_history\", \".fish_history\"\ + ,\n \"fish_history\", \".dash_history\", \".sh_history\"] && unlink.file.path\ + \ in [~\"/root/**\",\n ~\"/home/**\"] && process.comm not in [\"dockerd\"\ + , \"containerd\"]\n agent_version: ''\n filters:\n - os == \"linux\"\n\ + - id: shell_history_symlink\n version: 31982e4d\n description: A symbolic\ \ link for shell history was created targeting /dev/null\n expression: exec.comm\ \ == \"ln\" && exec.args in [~\"*.*history*\", \"/dev/null\"]\n agent_version:\ \ ''\n filters: []\n- id: shell_history_truncated\n version: 38ec83e8\n\ - \ description: Shell History was Deleted\n expression: open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)\ - \ > 0 && open.file.name\n =~ r\".([dbazfi]*sh)(_history)$\" && open.file.path\ - \ in [~\"/root/*\", ~\"/home/**\"]\n && process.file.name == \"truncate\"\ - \n agent_version: ''\n filters: []\n- id: shell_profile_modification\n \ - \ version: d1cecdac\n description: Shell profile was modified\n expression:\ + \ description: Shell History was Deleted\n expression: open.flags & (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY)\ + \ > 0 && open.file.name\n in [\".bash_history\", \".zsh_history\", \".fish_history\"\ + , \"fish_history\", \".dash_history\",\n \".sh_history\"] && open.file.path\ + \ in [~\"/root/*\", ~\"/home/**\"] && process.file.name\n == \"truncate\"\ + \n agent_version: ''\n filters:\n - os == \"linux\"\n- id: 
shell_profile_modification\n\ + \ version: d1cecdac\n description: Shell profile was modified\n expression:\ \ open.file.path in [~\"/home/*/*profile\", ~\"/home/*/*rc\"] && open.flags\n\ \ & ((O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)) > 0\n agent_version: ''\n filters:\ - \ []\n- id: ssh_authorized_keys_chmod\n version: e4096f79\n description:\ - \ SSH modified keys may have been modified\n expression: |-\n (\n \ - \ chmod.file.name in [ \"authorized_keys\", \"authorized_keys2\" ] && (chmod.file.path\ - \ in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n\ - \ ) && chmod.file.destination.mode != chmod.file.mode\n agent_version:\ - \ ''\n filters: []\n- id: ssh_authorized_keys_chown\n version: 9639bf6\n\ - \ description: SSH modified keys may have been modified\n expression: |-\n\ - \ (\n chown.file.name in [ \"authorized_keys\", \"authorized_keys2\"\ + \ []\n- id: sliver_c2_implant_execution\n version: ec10a8b2\n description:\ + \ process arguments match sliver c2 implant\n expression: exec.cmdline =~\ + \ \"*NoExit *\" && exec.cmdline =~ \"*Command *\" && exec.cmdline\n =~\ + \ \"*[Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8*\"\n agent_version:\ + \ ''\n filters:\n - os == \"windows\"\n- id: ssh_authorized_keys_chmod\n\ + \ version: e4096f79\n description: SSH modified keys may have been modified\n\ + \ expression: |-\n (\n chmod.file.name in [ \"authorized_keys\"\ + , \"authorized_keys2\" ] && (chmod.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\"\ + , ~\"/var/lib/*/.ssh/*\" ])\n ) && chmod.file.destination.mode != chmod.file.mode\n\ + \ agent_version: ''\n filters: []\n- id: ssh_authorized_keys_chown\n version:\ + \ 9639bf6\n description: SSH modified keys may have been modified\n expression:\ + \ |-\n (\n chown.file.name in [ \"authorized_keys\", \"authorized_keys2\"\ \ ] && (chown.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\"\ \ ])\n ) && (chown.file.destination.uid != chown.file.uid || 
chown.file.destination.gid\ \ != chown.file.gid)\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_link\n\ 
@@ -1017,48 +1289,54 @@ http_interactions: \ |-\n (\n link.file.name == \"authorized_keys\" && (link.file.path\ \ in [ ~\"*/.ssh/*\" ]\n || link.file.destination.path in [ ~\"*/.ssh/*\"\ \ ])\n )\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_open\n\ - \ version: 1ae8f7d6\n description: SSH Authorized Keys Modified\n expression:\ - \ |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n\ - \ open.file.name == \"authorized_keys\" && (open.file.path in [ ~\"\ - */.ssh/*\" ])\n )\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_open_v2\n\ + \ version: 1ae8f7d6\n description: SSH modified keys may have been modified\n\ + \ expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY)\ + \ > 0 &&\n open.file.name in [ \"authorized_keys\", \"authorized_keys2\"\ + \ ] && (open.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\"\ + \ ])\n )\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: ssh_authorized_keys_open_v2\n\ \ version: 513f8108\n description: SSH modified keys may have been modified\n\ - \ expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)\ + \ expression: |-\n (\n open.flags & (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY)\ \ > 0 &&\n open.file.name in [ \"authorized_keys\", \"authorized_keys2\"\ \ ] && (open.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\"\ - \ ])\n ) && container.created_at > 180s\n agent_version: ''\n filters:\ - \ []\n- id: ssh_authorized_keys_rename\n version: fd3bdabf\n description:\ - \ SSH Authorized Keys Modified\n expression: |-\n (\n rename.file.name\ - \ == \"authorized_keys\" && (rename.file.path in [ ~\"*/.ssh/*\" ]\n \ - \ || rename.file.destination.path in [ ~\"*/.ssh/*\" ])\n )\n agent_version:\ - \ ''\n filters: []\n- id: ssh_authorized_keys_unlink\n version: 54cf4a88\n\ - \ description: SSH Authorized Keys Modified\n expression: |-\n (\n \ - \ unlink.file.name == \"authorized_keys\" && 
(unlink.file.path in [ ~\"\ - */.ssh/*\" ])\n )\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_utimes\n\ - \ version: 59377e61\n description: SSH Authorized Keys Modified\n expression:\ - \ |-\n (\n utimes.file.name == \"authorized_keys\" && (utimes.file.path\ + \ ])\n ) && container.id != \"\" && container.created_at > 90s\n agent_version:\ + \ ''\n filters:\n - os == \"linux\"\n- id: ssh_authorized_keys_rename\n\ + \ version: fd3bdabf\n description: SSH Authorized Keys Modified\n expression:\ + \ |-\n (\n rename.file.name == \"authorized_keys\" && (rename.file.path\ + \ in [ ~\"*/.ssh/*\" ]\n || rename.file.destination.path in [ ~\"*/.ssh/*\"\ + \ ])\n )\n agent_version: ''\n filters: []\n- id: ssh_authorized_keys_unlink\n\ + \ version: 54cf4a88\n description: SSH Authorized Keys Modified\n expression:\ + \ |-\n (\n unlink.file.name == \"authorized_keys\" && (unlink.file.path\ \ in [ ~\"*/.ssh/*\" ])\n )\n agent_version: ''\n filters: []\n- id:\ - \ ssh_it_tool_config_write\n version: 86ae3762\n description: The configuration\ - \ directory for an ssh worm\n expression: open.file.path in [\"/root/.prng/*\"\ - , ~\"/home/*/.prng/*\", ~\"/root/.config/prng/*\",\n ~\"/home/*/.config/prng/*\"\ - ] && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) >\n 0\n agent_version:\ - \ ''\n filters:\n - os == \"linux\"\n- id: ssl_certificate_tampering_chmod\n\ - \ version: d8ac6517\n description: SSL certificates may have been tampered\ - \ with\n expression: |-\n (\n (chmod.file.path in [ ~\"/etc/ssl/certs/**\"\ - , ~\"/etc/pki/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\"\ - , \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"\ - /usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ - ]\n ) && chmod.file.mode != chmod.file.destination.mode\n && process.file.path\ - \ != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path\ - \ != \"/usr/sbin/update-ca-certificates\"\n && 
process.ancestors.file.path\ - \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ - , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ - /usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n agent_version:\ - \ ''\n filters: []\n- id: ssl_certificate_tampering_chown\n version: 3d04895f\n\ + \ ssh_authorized_keys_utimes\n version: 59377e61\n description: SSH Authorized\ + \ Keys Modified\n expression: |-\n (\n utimes.file.name == \"authorized_keys\"\ + \ && (utimes.file.path in [ ~\"*/.ssh/*\" ])\n )\n agent_version: ''\n\ + \ filters: []\n- id: ssh_it_tool_config_write\n version: 86ae3762\n description:\ + \ The configuration directory for an ssh worm\n expression: open.file.path\ + \ in [\"/root/.prng/*\", ~\"/home/*/.prng/*\", ~\"/root/.config/prng/*\",\n\ + \ ~\"/home/*/.config/prng/*\"] && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)\ + \ >\n 0\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: ssh_session\n\ + \ version: 72bb35f4\n description: A process was executed in an SSH session\n\ + \ expression: exec.comm != \"\" && process.ancestors.file.name in [\"sshd\"\ + ] && process.file.name\n != \"sshd\"\n agent_version: ''\n filters:\n\ + \ - os == \"linux\"\n- id: ssl_certificate_tampering_chmod\n version: d8ac6517\n\ \ description: SSL certificates may have been tampered with\n expression:\ - \ |-\n (\n (chown.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\"\ + \ |-\n (\n (chmod.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\"\ \ ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"\ - /usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ + /usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"\ + , \"/usr/lib/snapd/snapd\"]\n ) && chmod.file.mode != chmod.file.destination.mode\n\ + \ && process.file.path != 
\"/usr/sbin/update-ca-certificates\"\n &&\ + \ process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n \ + \ && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ + , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"\ + /usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"\ + , \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n agent_version:\ + \ ''\n filters:\n - os == \"linux\"\n- id: ssl_certificate_tampering_chown\n\ + \ version: 3d04895f\n description: SSL certificates may have been tampered\ + \ with\n expression: |-\n (\n (chown.file.path in [ ~\"/etc/ssl/certs/**\"\ + , ~\"/etc/pki/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\"\ + , \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"\ + /usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ ]\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid\ \ != chown.file.gid)\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\ \n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\ 
@@ -1072,51 +1350,54 @@ http_interactions: \ ]\n || link.file.destination.path in [ ~\"/etc/ssl/certs/**\", ~\"\ /etc/pki/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\"\ , \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"\ - /usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ - ]\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n\ - \ && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\ - \n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ - , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"\ - /usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ - ]\n && process.file.name !~ \"runc*\"\n )\n agent_version: ''\n\ - \ filters: []\n- id: ssl_certificate_tampering_open\n version: c34bcf3a\n\ - \ description: SSL certificates may have been tampered with\n expression:\ - \ |-\n (\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n \ - \ (open.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \ - \ )\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\n \ - \ && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\ - \ && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ - , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"\ - /usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ - ]\n && process.file.name !~ \"runc*\"\n agent_version: ''\n filters:\ - \ []\n- id: ssl_certificate_tampering_open_v2\n version: a90058eb\n description:\ + /usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\"\ + , \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.path !=\ + \ \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path\ + \ != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path\ + \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", 
\"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\"\ + , \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~\ + \ \"runc*\"\n )\n agent_version: ''\n filters:\n - os == \"linux\"\n\ + - id: ssl_certificate_tampering_open\n version: c34bcf3a\n description:\ \ SSL certificates may have been tampered with\n expression: |-\n (\n\ \ open.flags & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path\ \ in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n )\n && process.file.path\ \ != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path\ \ != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path\ \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ - , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ - /usr/lib/snapd/snapd\"]\n && process.file.name !~ \"runc*\"\n && container.created_at\ - \ > 180s\n agent_version: ''\n filters: []\n- id: ssl_certificate_tampering_rename\n\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\"\ + , \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"\ + runc*\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: ssl_certificate_tampering_open_v2\n\ + \ version: a90058eb\n description: SSL certificates may have been tampered\ + \ with\n expression: |-\n (\n open.flags & (O_CREAT|O_RDWR|O_WRONLY)\ + \ > 0 &&\n (open.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\"\ + \ ])\n )\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\ + \n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\ + \n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ + , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"\ + /usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"\ + , \"/usr/lib/snapd/snapd\"]\n && 
process.file.name !~ \"runc*\"\n &&\ + \ container.id != \"\"\n && container.created_at > 90s\n agent_version:\ + \ ''\n filters:\n - os == \"linux\"\n- id: ssl_certificate_tampering_rename\n\ \ version: e42eefb4\n description: SSL certificates may have been tampered\ \ with\n expression: |-\n (\n (rename.file.path in [ ~\"/etc/ssl/certs/**\"\ , ~\"/etc/pki/**\" ]\n || rename.file.destination.path in [ ~\"/etc/ssl/certs/**\"\ , ~\"/etc/pki/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\"\ , \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"\ - /usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ - ]\n )\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\ - \n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\ - \n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ + /usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\"\ + , \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n && process.file.path\ + \ != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path\ + \ != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path\ + \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\"\ + , \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && process.file.name !~ \"\ + runc*\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: ssl_certificate_tampering_unlink\n\ + \ version: 37c40311\n description: SSL certificates may have been tampered\ + \ with\n expression: |-\n (\n (unlink.file.path in [ ~\"/etc/ssl/certs/**\"\ + \ ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"\ /usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ - ]\n && process.file.name 
!~ \"runc*\"\n agent_version: ''\n filters:\ - \ []\n- id: ssl_certificate_tampering_unlink\n version: 37c40311\n description:\ - \ SSL certificates may have been tampered with\n expression: |-\n (\n\ - \ (unlink.file.path in [ ~\"/etc/ssl/certs/**\" ])\n && process.file.path\ - \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ - , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ - /usr/lib/snapd/snapd\"]\n )\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\ + ]\n )\n && process.file.path != \"/usr/sbin/update-ca-certificates\"\ \n && process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\ \n && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"\ 
@@ -1133,36 +1414,46 @@ http_interactions: , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"\ /usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ ]\n && process.file.name !~ \"runc*\"\n agent_version: ''\n filters:\ - \ []\n- id: sudoers_policy_modified_chmod\n version: ae70daab\n description:\ + \ []\n- id: static_pod_manifest_created\n version: af289296\n description:\ + \ A new static pod manifest was created in the Kubernetes manifests directory\n\ + \ expression: |-\n open.flags & O_CREAT > 0\n && open.file.path in\ + \ [~\"/etc/kubernetes/manifests/*\"]\n && open.file.extension in [\".yaml\"\ + , \".yml\"]\n && process.file.path not in [\"/usr/bin/kubelet\", \"/usr/local/bin/kubelet\"\ + , \"/opt/bin/kubelet\"]\n agent_version: ''\n filters:\n - os == \"linux\"\ + \n- id: sudoers_policy_modified_chmod\n version: ae70daab\n description:\ \ Sudoers policy file may have been modified without authorization\n expression:\ - \ \"(\\n (chmod.file.path == \\\"/etc/sudoers\\\") \\n) && chmod.file.destination.mode\\\ - \n \\ != chmod.file.mode && process.ancestors.file.path not in [~\\\"/usr/bin/apt*\\\ - \"\\\n , \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\ - \", \\\"/usr/bin/npm\\\"\\\n , ~\\\"/usr/bin/pip*\\\", \\\"/usr/bin/yum\\\ - \", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\"\\\n ]\"\n agent_version:\ - \ ''\n filters: []\n- id: sudoers_policy_modified_chown\n version: 898b1aa0\n\ + \ |-\n (\n (chmod.file.path in [\"/etc/sudoers\", ~\"/etc/sudoers.d/*\"\ + ])\n ) && chmod.file.destination.mode != chmod.file.mode && process.ancestors.file.path\ + \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\"\ + , \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n agent_version: ''\n filters:\n\ + \ - os == \"linux\"\n- id: sudoers_policy_modified_chown\n version: 
898b1aa0\n\ \ description: Sudoers policy file may have been modified without authorization\n\ - \ expression: |-\n (\n (chown.file.path == \"/etc/sudoers\")\n\ - \ ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid\ - \ != chown.file.gid)\n agent_version: ''\n filters: []\n- id: sudoers_policy_modified_link\n\ - \ version: 1f1b8962\n description: Sudoers policy file may have been modified\ - \ without authorization\n expression: |-\n (\n (link.file.path\ - \ == \"/etc/sudoers\"\n || link.file.destination.path == \"/etc/sudoers\"\ - )\n )\n agent_version: ''\n filters: []\n- id: sudoers_policy_modified_open\n\ - \ version: af2610b6\n description: Sudoers policy file may have been modified\ - \ without authorization\n expression: |2-\n\n (open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)\ - \ > 0 &&\n (open.file.path == \"/etc/sudoers\")) && process.file.path not\ - \ in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ - , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"\ - /usr/lib/snapd/snapd\"]\n agent_version: ''\n filters: []\n- id: sudoers_policy_modified_rename\n\ + \ expression: |-\n (\n (chown.file.path in [\"/etc/sudoers\", ~\"\ + /etc/sudoers.d/*\"])\n ) && (chown.file.destination.uid != chown.file.uid\ + \ || chown.file.destination.gid != chown.file.gid)\n agent_version: ''\n\ + \ filters:\n - os == \"linux\"\n- id: sudoers_policy_modified_link\n version:\ + \ 1f1b8962\n description: Sudoers policy file may have been modified without\ + \ authorization\n expression: |-\n (\n (link.file.path in [\"/etc/sudoers\"\ + , ~\"/etc/sudoers.d/*\"]\n || link.file.destination.path in [\"/etc/sudoers\"\ + , ~\"/etc/sudoers.d/*\"])\n )\n agent_version: ''\n filters:\n - os\ + \ == \"linux\"\n- id: sudoers_policy_modified_open\n version: af2610b6\n\ + \ description: Sudoers policy file may have been modified without authorization\n\ + \ expression: |-\n (open.flags & 
(O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY)\ + \ > 0 &&\n (open.file.path in [\"/etc/sudoers\", ~\"/etc/sudoers.d/*\"\ + ])) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"\ + /usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"\ + , ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ + ]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: sudoers_policy_modified_rename\n\ \ version: 531fc9ae\n description: Sudoers policy file may have been modified\ \ without authorization\n expression: |-\n (\n (rename.file.path\ \ == \"/etc/sudoers\"\n || rename.file.destination.path == \"/etc/sudoers\"\ )\n )\n agent_version: ''\n filters: []\n- id: sudoers_policy_modified_unlink\n\ \ version: 5568da57\n description: Sudoers policy file may have been modified\ \ without authorization\n expression: |-\n (\n (unlink.file.path\ - \ == \"/etc/sudoers\")\n )\n agent_version: ''\n filters: []\n- id: sudoers_policy_modified_utimes\n\ - \ version: d99c2466\n description: Sudoers policy file may have been modified\ + \ in [\"/etc/sudoers\", ~\"/etc/sudoers.d/*\"])\n )\n agent_version: ''\n\ + \ filters:\n - os == \"linux\"\n- id: sudoers_policy_modified_utimes\n \ + \ version: d99c2466\n description: Sudoers policy file may have been modified\ \ without authorization\n expression: |-\n (\n (utimes.file.path\ \ == \"/etc/sudoers\")\n ) && process.file.path not in [~\"/usr/bin/apt*\"\ , \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"\ 
@@ -1174,73 +1465,106 @@ http_interactions: \ != \"/usr/bin/sudo\"\n agent_version: ''\n filters: []\n- id: suspicious_container_client\n\ \ version: 8b9461f4\n description: A container management utility was executed\ \ in a container\n expression: exec.file.name in [\"docker\", \"kubectl\"\ - ] && container.id != \"\"\n agent_version: ''\n filters: []\n- id: suspicious_suid_execution\n\ - \ version: 216c8207\n description: Recently written or modified suid file\ - \ has been executed\n expression: ((process.file.mode & S_ISUID > 0) && process.file.modification_time\n\ - \ < 30s) && exec.file.name != \"\" && process.ancestors.file.path not in\ + , \"ctr\"] && container.id != \"\"\n agent_version: ''\n filters:\n - os\ + \ == \"linux\"\n- id: suspicious_suid_execution\n version: 216c8207\n description:\ + \ Recently written or modified suid file has been executed\n expression:\ + \ ((process.file.mode & S_ISUID > 0) && process.file.modification_time\n \ + \ < 30s) && exec.file.name != \"\" && process.ancestors.file.path not in\ \ [\"/opt/datadog-agent/embedded/bin/agent\",\n \"/opt/datadog-agent/embedded/bin/system-probe\"\ , \"/opt/datadog-agent/embedded/bin/security-agent\",\n \"/opt/datadog-agent/embedded/bin/process-agent\"\ - , \"/opt/datadog-agent/bin/agent/agent\",\n \"/opt/datadog/apm/inject/auto_inject_runc\"\ - , \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\",\n\ - \ \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\"\ - ]\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: systemd_modification_chmod\n\ - \ version: b0643139\n description: A service may have been modified without\ - \ authorization\n expression: |-\n (\n (chmod.file.path in [ ~\"\ - /lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\"\ - \ ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ - , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"\ - 
/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"]\n ) && chmod.file.destination.mode\ - \ != chmod.file.mode\n agent_version: ''\n filters: []\n- id: systemd_modification_chown\n\ - \ version: a0497885\n description: A service may have been modified without\ - \ authorization\n expression: |-\n (\n (chown.file.path in [ ~\"\ - /lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\"\ - \ ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ - , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"\ - /usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ - ]\n ) && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid\ - \ != chown.file.gid)\n agent_version: ''\n filters: []\n- id: systemd_modification_link\n\ - \ version: 11a77f5b\n description: A service may have been modified without\ - \ authorization\n expression: |-\n (\n (link.file.path in [ ~\"\ - /lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\"\ - \ ]\n || link.file.destination.path in [ ~\"/lib/systemd/system/**\"\ - , ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \ - \ && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"\ - /usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"\ - , \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version:\ - \ ''\n filters: []\n- id: systemd_modification_open\n version: b6dce303\n\ - \ description: A service may have been modified without authorization\n \ - \ expression: |-\n (\n open.flags & (O_CREAT|O_RDWR|O_WRONLY) >\ - \ 0 &&\n (open.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\"\ + , \"/opt/datadog-agent/embedded/bin/trace-agent\",\n \"/opt/datadog-agent/bin/agent/agent\"\ + , \"/opt/datadog/apm/inject/auto_inject_runc\",\n \"/usr/bin/dd-host-install\"\ + , \"/usr/bin/dd-host-container-install\", 
\"/usr/bin/dd-container-install\"\ + ,\n \"/opt/datadog-agent/bin/datadog-cluster-agent\", ~\"/opt/datadog-packages/**\"\ + , ~\"/opt/datadog-installer/**\"]\n agent_version: ''\n filters:\n - os\ + \ == \"linux\"\n- id: systemd_modification_chmod\n version: b0643139\n description:\ + \ A service may have been modified without authorization\n expression: |-\n\ + \ (\n (chmod.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\"\ , ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"\ /usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"]\n\ - \ )\n agent_version: ''\n filters: []\n- id: systemd_modification_rename\n\ - \ version: 9759ce6\n description: A service may have been modified without\ - \ authorization\n expression: |-\n (\n (rename.file.path in [ ~\"\ - /lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\"\ - \ ]\n || rename.file.destination.path in [ ~\"/lib/systemd/system/**\"\ - , ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \ - \ && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"\ - /usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"\ - , \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version:\ - \ ''\n filters: []\n- id: systemd_modification_unlink\n version: 8400ece8\n\ + \ ) && chmod.file.destination.mode != chmod.file.mode\n agent_version:\ + \ ''\n filters: []\n- id: systemd_modification_chown\n version: a0497885\n\ \ description: A service may have been modified without authorization\n \ - \ expression: |-\n (\n (unlink.file.path in [ ~\"/lib/systemd/system/**\"\ - , ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \ - \ && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"\ + \ expression: |-\n (\n (chown.file.path in [ 
~\"/lib/systemd/system/**\"\ + , ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\", ~\"/usr/local/lib/systemd/system/**\"\ + , ~\"/run/systemd/system/**\"])\n && process.file.path not in [~\"\ + /usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ + , \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\"\ + , \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n ) && (chown.file.destination.uid\ + \ != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n agent_version:\ + \ ''\n filters:\n - os == \"linux\"\n- id: systemd_modification_link\n \ + \ version: 11a77f5b\n description: A service may have been modified without\ + \ authorization\n expression: \"(\\n ( link.file.path in [ ~\\\"/lib/systemd/system/**\\\ + \", ~\\\"/usr/lib/systemd/system/**\\\"\\\n , ~\\\"/etc/systemd/system/**\\\ + \", ~\\\"/usr/local/lib/systemd/system/**\\\", ~\\\"/run/systemd/system/**\\\ + \"\\\n ]\\n || link.file.destination.path in [ ~\\\"/etc/systemd/user/**\\\ + \", ~\\\"/usr/lib/systemd/user/**\\\"\\\n , ~\\\"/home/*/.config/systemd/user/**\\\ + \", ~\\\"/home/*/.local/share/systemd/user/**\\\"\\\n , ~\\\"/run/systemd/user/**\\\ + \"] \\n || link.file.destination.path in [ ~\\\"/lib/systemd/system/**\\\ + \"\\\n , ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\ + \", ~\\\"/usr/local/lib/systemd/system/**\\\"\\\n , ~\\\"/run/systemd/system/**\\\ + \"] \\n || link.file.path in [ ~\\\"/etc/systemd/user/**\\\"\\\n , ~\\\ + \"/usr/lib/systemd/user/**\\\", ~\\\"/home/*/.config/systemd/user/**\\\",\ + \ ~\\\"/home/*/.local/share/systemd/user/**\\\"\\\n , ~\\\"/run/systemd/user/**\\\ + \"])\\n && process.file.path not in [~\\\"/usr/bin/apt*\\\"\\\n , \\\ + \"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\", \\\"/usr/bin/unattended-upgrade\\\ + \", \\\"/usr/bin/npm\\\"\\\n , ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\ + \", \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\"\\\n , \\\"/usr/lib/snapd/snapd\\\ + 
\"]\\n)\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: systemd_modification_open\n\ + \ version: b6dce303\n description: A service may have been modified without\ + \ authorization\n expression: |-\n (\n open.flags & (O_CREAT|O_RDWR|O_WRONLY)\ + \ > 0 &&\n (open.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\"\ + , ~\"/etc/systemd/system/**\", ~\"/usr/local/lib/systemd/system/**\", ~\"\ + /run/systemd/system/**\"] || open.file.path in [ ~\"/etc/systemd/user/**\"\ + , ~\"/usr/lib/systemd/user/**\", ~\"/home/*/.config/systemd/user/**\", ~\"\ + /home/*/.local/share/systemd/user/**\", ~\"/run/systemd/user/**\"])\n \ + \ && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"\ /usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"\ - , \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version:\ - \ ''\n filters: []\n- id: systemd_modification_utimes\n version: 82acf2d\n\ - \ description: A service may have been modified without authorization\n \ - \ expression: |-\n (\n (utimes.file.path in [ ~\"/lib/systemd/system/**\"\ - , ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n \ - \ && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"\ + , ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ + ]\n )\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: systemd_modification_rename\n\ + \ version: 9759ce6\n description: A service may have been modified without\ + \ authorization\n expression: \"(\\n ( rename.file.path in [ ~\\\"/lib/systemd/system/**\\\ + \", ~\\\"/usr/lib/systemd/system/**\\\"\\\n , ~\\\"/etc/systemd/system/**\\\ + \", ~\\\"/usr/local/lib/systemd/system/**\\\", ~\\\"/run/systemd/system/**\\\ + \"\\\n ] \\n || rename.file.path in [ ~\\\"/etc/systemd/user/**\\\"\ + , ~\\\"/usr/lib/systemd/user/**\\\"\\\n , ~\\\"/home/*/.config/systemd/user/**\\\ + \", 
~\\\"/home/*/.local/share/systemd/user/**\\\"\\\n , ~\\\"/run/systemd/user/**\\\ + \"]\\n || rename.file.destination.path in [ ~\\\"/lib/systemd/system/**\\\ + \"\\\n , ~\\\"/usr/lib/systemd/system/**\\\", ~\\\"/etc/systemd/system/**\\\ + \", ~\\\"/usr/local/lib/systemd/system/**\\\"\\\n , ~\\\"/run/systemd/system/**\\\ + \"] \\n || rename.file.destination.path in [ ~\\\"\\\n /etc/systemd/user/**\\\ + \", ~\\\"/usr/lib/systemd/user/**\\\", ~\\\"/home/*/.config/systemd/user/**\\\ + \"\\\n , ~\\\"/home/*/.local/share/systemd/user/**\\\", ~\\\"/run/systemd/user/**\\\ + \"])\\n \\\n \\ && process.file.path not in [~\\\"/usr/bin/apt*\\\",\ + \ \\\"/usr/bin/dpkg\\\", \\\"/usr/bin/rpm\\\"\\\n , \\\"/usr/bin/unattended-upgrade\\\ + \", \\\"/usr/bin/npm\\\", ~\\\"/usr/bin/pip*\\\", ~\\\"/usr/local/bin/pip*\\\ + \"\\\n , \\\"/usr/bin/yum\\\", \\\"/sbin/apk\\\", \\\"/usr/lib/snapd/snapd\\\ + \"]\\n)\"\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: systemd_modification_unlink\n\ + \ version: 8400ece8\n description: A service may have been modified without\ + \ authorization\n expression: |-\n (\n (unlink.file.path in [ ~\"\ + /lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\"\ + , ~\"/usr/local/lib/systemd/system/**\", ~\"/run/systemd/system/**\"] || unlink.file.path\ + \ in [ ~\"/etc/systemd/user/**\", ~\"/usr/lib/systemd/user/**\", ~\"/home/*/.config/systemd/user/**\"\ + , ~\"/home/*/.local/share/systemd/user/**\", ~\"/run/systemd/user/**\"])\n\ + \ && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\"\ + , \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"\ + /usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"\ + , \"/usr/lib/snapd/snapd\"]\n )\n agent_version: ''\n filters:\n - os\ + \ == \"linux\"\n- id: systemd_modification_utimes\n version: 82acf2d\n description:\ + \ A service may have been modified without authorization\n expression: |-\n\ + \ (\n (utimes.file.path 
in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\"\ + , ~\"/etc/systemd/system/**\", ~\"/usr/local/lib/systemd/system/**\", ~\"\ + /run/systemd/system/**\"] || utimes.file.path in [ ~\"/etc/systemd/user/**\"\ + , ~\"/usr/lib/systemd/user/**\", ~\"/home/*/.config/systemd/user/**\", ~\"\ + /home/*/.local/share/systemd/user/**\", ~\"/run/systemd/user/**\"])\n \ + \ && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"\ /usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"\ - , \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n )\n agent_version:\ - \ ''\n filters: []\n- id: tar_execution\n version: e63af392\n description:\ - \ Tar archive created\n expression: exec.file.path == \"/usr/bin/tar\" &&\ - \ exec.args_flags in [\"create\",\"c\"]\n agent_version: ''\n filters:\n\ - \ - os == \"linux\"\n- id: testcreateacloudworkloadsecurityagentrulereturnsokresponse1677856489\n\ + , ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"\ + ]\n )\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: tar_execution\n\ + \ version: e63af392\n description: Tar archive created\n expression: exec.file.path\ + \ == \"/usr/bin/tar\" && exec.args_flags in [\"create\",\"c\"]\n agent_version:\ + \ ''\n filters:\n - os == \"linux\"\n- id: testcreateacloudworkloadsecurityagentrulereturnsokresponse1677856489\n\ \ version: f43786f8\n description: Test Agent rule\n expression: exec.file.name\ \ == \"sh\"\n agent_version: ''\n filters: []\n- id: testcreateacloudworkloadsecurityagentrulereturnsokresponse1711550899\n\ \ version: f43786f8\n description: Test Agent rule\n expression: exec.file.name\ 
@@ -1606,50 +1930,68 @@ http_interactions: \ version: 2dd188de\n description: an agent rule\n expression: exec.file.name\ \ == \"go\"\n agent_version: ''\n filters: []\n- id: tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643390432\n\ \ version: 2dd188de\n description: an agent rule\n expression: exec.file.name\ - \ == \"go\"\n agent_version: ''\n filters: []\n- id: tty_shell_in_container\n\ - \ version: 3d9489bb\n description: A shell with a TTY was executed in a\ - \ container\n expression: |-\n exec.file.path in [ \"/bin/dash\",\n \ - \ \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \ - \ \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \ - \ \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\"\ - ,\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\"\ - ,\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\"\ - ,\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n\ - \ \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \ - \ \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\"\ - ,\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n\ - \ \"/bin/zsh5\",\n \"/bin/zsh5-static\" ] && process.tty_name !=\ - \ \"\" && process.container.id != \"\"\n agent_version: ''\n filters: []\n\ - - id: tunnel_traffic\n version: 816201a5\n description: Tunneling or port\ - \ forwarding tool used\n expression: ((exec.comm == \"pivotnacci\" || exec.comm\ - \ == \"gost\") && process.args_flags\n in [\"L\", \"C\", \"R\"]) || (exec.comm\ - \ in [\"ssh\", \"sshd\"] && process.args_flags in\n [\"R\", \"L\", \"D\"\ - , \"w\"] && process.args in [r\"((25[0-5]|(2[0-4]|1\\d|[1-9])\\d)\\.?\\b){4}\"\ - ]\n ) || (exec.comm == \"sshuttle\" && process.args_flags in [\"r\", \"\ - remote\", \"l\", \"listen\"])\n || (exec.comm == \"socat\" && process.args\ - \ in [r\".*(TCP4-LISTEN:|SOCKS).*\"]) ||\n (exec.comm in [\"iodine\", \"\ - iodined\", \"dnscat\", \"hans\", \"hans-ubuntu\", \"ptunnel-ng\",\n \"\ - ssf\", 
\"3proxy\", \"ngrok\"] && process.parent.comm in [\"bash\", \"dash\"\ - , \"ash\", \"sh\",\n \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"])\n\ - \ agent_version: ''\n filters:\n - os == \"linux\"\n- id: user_created_tty\n\ - \ version: 5b5f4a52\n description: A user was created via an interactive\ - \ session\n expression: exec.file.name in [\"useradd\", \"newusers\", \"\ - adduser\"] && exec.tty_name\n !=\"\" && process.ancestors.file.path not\ - \ in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\",\n \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ - , \"/usr/bin/npm\", ~\"/usr/bin/pip*\",\n \"/usr/bin/yum\", \"/sbin/apk\"\ - , \"/usr/lib/snapd/snapd\"] && exec.args_flags not in\n [\"D\"]\n agent_version:\ + \ == \"go\"\n agent_version: ''\n filters: []\n- id: trufflehog_executed\n\ + \ version: 1717c8e8\n description: A Trufflehog process was executed\n \ + \ expression: exec.file.name == \"trufflehog\"\n agent_version: ''\n filters:\n\ + \ - os == \"linux\"\n- id: tty_shell_in_container\n version: 3d9489bb\n\ + \ description: A shell with a TTY was executed in a container\n expression:\ + \ |-\n exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \ + \ \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \ + \ \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\"\ + ,\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\"\ + ,\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\"\ + ,\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\"\ + ,\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \ + \ \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\"\ + ,\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \ + \ \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\"\ + \ ] && process.tty_name != \"\" && process.container.id != \"\"\n agent_version:\ + \ ''\n filters: []\n- id: tunnel_traffic\n version: 816201a5\n description:\ + \ Tunneling or port forwarding tool used\n expression: ((exec.comm == 
\"\ + pivotnacci\" || exec.comm == \"gost\") && process.args_flags\n in [\"L\"\ + , \"C\", \"R\"]) || (exec.comm in [\"ssh\", \"sshd\"] && process.args_flags\ + \ in\n [\"R\", \"L\", \"D\", \"w\"] && process.args in [r\"((25[0-5]|(2[0-4]|1\\\ + d|[1-9])\\d)\\.?\\b){4}\"]\n ) || (exec.comm == \"sshuttle\" && process.args_flags\ + \ in [\"r\", \"remote\", \"l\", \"listen\"])\n || (exec.comm == \"socat\"\ + \ && process.args in [r\"(TCP4-LISTEN:|SOCKS)\"]) || (exec.comm\n in [\"\ + iodine\", \"iodined\", \"dnscat\", \"hans\", \"hans-ubuntu\", \"ptunnel-ng\"\ + , \"ssf\",\n \"3proxy\", \"ngrok\"] && process.parent.comm in [\"bash\"\ + , \"dash\", \"ash\", \"sh\", \"tcsh\",\n \"csh\", \"zsh\", \"ksh\", \"\ + fish\"])\n agent_version: ''\n filters:\n - os == \"linux\"\n- id: unlink_self\n\ + \ version: 9f65729b\n description: A process removed itself from the filesystem\n\ + \ expression: unlink.file.path == process.file.path\n agent_version: ''\n\ + \ filters:\n - os == \"linux\"\n- id: user_created_tty\n version: 5b5f4a52\n\ + \ description: A user was created via an interactive session\n expression:\ + \ exec.file.name in [\"useradd\", \"newusers\", \"adduser\"] && exec.tty_name\n\ + \ !=\"\" && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"\ + /usr/bin/dpkg\",\n \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"\ + /usr/bin/npm\", ~\"/usr/bin/pip*\",\n \"/usr/bin/yum\", \"/sbin/apk\",\ + \ \"/usr/lib/snapd/snapd\"] && exec.args_flags not in\n [\"D\"]\n agent_version:\ \ ''\n filters: []\n- id: user_deleted_tty\n version: ad8edbe\n description:\ \ A user was deleted via an interactive session\n expression: exec.file.name\ \ in [\"userdel\", \"deluser\"] && exec.tty_name !=\"\" && process.ancestors.file.path\n\ \ not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\"\ - ,\n \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"\ - , \"/usr/lib/snapd/snapd\"]\n agent_version: ''\n filters: []\n- id: 
windows_cryptominer_process\n\ + ,\n \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"\ + /usr/bin/yum\", \"/sbin/apk\",\n \"/usr/lib/snapd/snapd\"]\n agent_version:\ + \ ''\n filters:\n - os == \"linux\"\n- id: windows_com_rpc_debugging_registry_key_modified\n\ + \ version: 9b71ec1\n description: Windows RPC COM debugging registry key\ + \ modified\n expression: set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\\ + SOFTWARE\\Microsoft\\Windows\n NT\\CurrentVersion\\Windows*\"]\n agent_version:\ + \ ''\n filters:\n - os == \"windows\"\n- id: windows_cryptominer_process\n\ \ version: e26f81ab\n description: A cryptominer was potentially executed\n\ \ expression: exec.cmdline in [~\"*xmrig*\", ~\"*cpu-priority*\", ~\"*donate-level*\"\ , ~\"*randomx-1gb-pages*\",\n ~\"*stratum+tcp*\", ~\"*stratum+ssl*\", ~\"\ *stratum1+tcp*\", ~\"*stratum1+ssl*\", ~\"*stratum2+tcp*\",\n ~\"*stratum2+ssl*\"\ , ~\"*nicehash*\", ~\"*yespower*\"]\n agent_version: ''\n filters:\n -\ - \ os == \"windows\"\n" + \ os == \"windows\"\n- id: windows_security_essentials_executable_modified\n\ + \ version: 28b5296d\n description: microsoft security essentials executable\ + \ modified\n expression: write.file.device_path in [~\"\\Device\\*\\Program\ + \ Files\\Microsoft Security\n Client\\msseces.exe\"]\n agent_version:\ + \ ''\n filters:\n - os == \"windows\"\n- id: winlogon_registry_key_modified\n\ + \ version: 494de453\n description: Windows winlogon registry key modified\n\ + \ expression: set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\\ + Microsoft\\Windows\n NT\\CurrentVersion\\Winlogon*\"]\n agent_version:\ + \ ''\n filters:\n - os == \"windows\"\n" headers: Content-Type: - application/yaml diff --git a/cassettes/features/v2/csm_threats/Download-the-Workload-Protection-policy-returns-OK-response.frozen b/cassettes/features/v2/csm_threats/Download-the-Workload-Protection-policy-returns-OK-response.frozen index 19fd41d61599..1292830f7abf 100644 
--- a/cassettes/features/v2/csm_threats/Download-the-Workload-Protection-policy-returns-OK-response.frozen
+++ b/cassettes/features/v2/csm_threats/Download-the-Workload-Protection-policy-returns-OK-response.frozen
@@ -1 +1 @@
-2025-05-27T10:25:08.813Z
\ No newline at end of file
+2025-10-10T15:21:07.476Z
\ No newline at end of file
diff --git a/cassettes/features/v2/csm_threats/Download-the-Workload-Protection-policy-returns-OK-response.yml b/cassettes/features/v2/csm_threats/Download-the-Workload-Protection-policy-returns-OK-response.yml
index 590ec605ee2d..75697778522d 100644
--- a/cassettes/features/v2/csm_threats/Download-the-Workload-Protection-policy-returns-OK-response.yml
+++ b/cassettes/features/v2/csm_threats/Download-the-Workload-Protection-policy-returns-OK-response.yml
@@ -1,5 +1,5 @@
 http_interactions:
-- recorded_at: Tue, 27 May 2025 10:25:08 GMT
+- recorded_at: Fri, 10 Oct 2025 15:21:07 GMT
 request:
 body: null
 headers:
@@ -10,7 +10,7 @@ http_interactions: response: body: encoding: UTF-8 - string: UEsDBBQACAAIAAAAAAAAAAAAAAAAAAAAAAAOAAAAZGVmYXVsdC5wb2xpY3nsvXl32ziyOPr/fAoM35z52b6hNi9Z3s3Mc9vuad92Eh/L6b592nk8EAmJiEiADYCS1ePJZ/8dLFxFSpTkeEmUPm0RYGEhagFQKFT9P+D83eWHq+vj99dvwJmHBQeCAuFjDoY4QGCKgwAQKsAAAYaGAXIF8gAmQPgInEIBPToCx1EEIPE08AABOkFsyrAQiIApFj4gaAoiGmB3pmv16JQEFHq8BS4DBDkCIfXwcAZYHCBeVf2QMjCMgwAMY+IKTAkMsJi1/jJBjGNK3oBu62C/1bGZ+6rzF1XLm78AYAPsvQEwiiALKXNUIxh5jhCzvwAAgIe4y3AkVA3HRLZ0LCFBxKj+fMhBUkp2CxKAiUAMugJPEOCIy9ZVXUMcCMRUs/KfDSgHb98CK8AkvrVULrqNmC7xBqBb5LZkGy0CQyTr/t2C0PYwh4MAWS+ATLk0jAKIiUnC2MPC+gT+/nddXIiZo0r/9a2lWzDFvTdgCAOOVF7EqBe7whFwlOudkJ/gvrk+7nQ6h7aHhohwZKMJTD9IQSHXJ/iPGL257h4e9WwcRhCzBJyncBq5b4TPEBS2hwRSSMpQIHvuisCJORyh+bG/9lEKA1wahoqcIAcxR56kSEMfCsa7h/GWkEmDVjqgkI24MwzgiCuaV0jhcvAD69PTH1/PcSkZ4lFK5wvG2QMaNmZQvgHz1C4Zl8YCxByTUYqcdYaeRojooY+g8BVkGwm3rerUf72W7I5ChIZWOPg72PngnFydHV/ffXCurz6+P7n74BxfXp69P7374Fyd/np198H59erD+4vfdsE/QEcWjxh1Eec5VP81j+rngEUpvhzZ/2aI1DLzARGo2CKHQdWBlqdTLZWSPFPGsXnz6XtH8pQ7boAXScLjX/vg5OIcxALLWU6hVcqnWKB7k31Tvskw9Wzdn7oBOjrs2m5AY8+GXogJ5kLLGdvI9vJoDRAXdqSmVRetNJRozB2O2AS7yIGuS2MiHEHHiMgU4ryOeeQYn/3cB6YsMGWBKqtGvFB+xREvi7wvwGpPIGuzmLQ5chkSvI3GvAVD+CclcMpbLg3bpi+mK+29vZxALGBPddKa4wTVVjpxtWkk2p5eQ9lwhIhoo3CAPA957QEmbZWlGHUJIJ9xgUI7YnSAGsEjN2ZYzOzGLZivaF5AMOiiheDpF1Z/ZxtGYRuTz8iV0klQRz87LCaugo05U3V4nu1TLmxMuIBBUPnOpURATBCrg6oGqO50kuMGMReIpR/5pVgggu4YjhCXVDL30rSCmHy7ycrlyHYZ8hARGAa2ZohqgXjYs2OiEI+8XJnVxCIOPT7PrXJd/msfnL877Su+dOWXeWCCIYCAIDGlbJyIynV4VUlHKZc020xHSFGLGzOFpmAa2cl+Jbf2lktFVeCLtdc9et3qHR60zG87gAJx0Q6RgLZESRvDMOOK3Oi0Ne6yCl52Wr2/Hf/ad04+vL8+Pn9/diWnxtOz99fnxxd95+rs4vj6/Jcz5+PVeUXJ9l47V/k/sff2iWF/TTH/Z8zQAuKQr58TeUi60GShxknM2hTGwu+1lVj/J4ywbba13wb+BpCjowPHQy71alY8GqRy56eLAUyGlIVQ3M92W0LqNis3fwrT3kZj32wh2T3o2B6ig2HMXSiQTeWCUn6vLfvKZbr84U1G3EVMSJKvW2SemPeFlaVS/DBIeIgFoCwZeAgiKjQ9BDMQwgC7mMZ6w7EQE1NMPJosM5fgIulwC90ihZGdHc13oRdggtQCai9mgQtdH+1lOCu851GAxZ61C+7uKt7qz9mzdtdHarebrF9t+b+c1RkNqhHbObQxGclvtgWlga1GdohYcxz6UDBKQ4ehP2LERYXsA6fv+8C81
ns/6CGlKoNpceDREOK1eMYjvKXqxpTktFQe5i5lcsceKr1UhFsCBWjEYNiibKSEo0daBgxGkYLcgJdWGPbDlz25ThXUlUMeE4ICTEbNx5yGISUOQcLBRLBYjoMj6bJq8EtzC9jhsesDyAEJYbRr6gpmWpBhpTjUNQIoBHTH/L73dQo7snGJghBy7kKlORxGmCi0/DlicJA+9OQTi7lI4CKinj4tVIf9IiHN9LQJUjsvbUUhE8RmlajsHBzZZohtszGqKNEAoxEOkAOHAjHHQwFOi5fQaSAZmDIqpNjjMY9ysk6pf0G6kl8HX3e2ASyoP4z2A/wDdMxrKf/MIwA7VXtJEUY120Oz5miNqVogtvasT7tpXXd3VbqcL3pvaupUmwlGqUgSe2pbYl7ITU1AXRi0AzzIdhcA7Ob6nmxKs1XTZziBal/lBlDT4shV6YHrWp9kv5IykLiIC8rWK11ihuYFs2ZXqiL31fNdSHkmwpEavWgmfEqyMfv73zN6amFPKbHqtTJQUXaO2HzI/Tfg3/9pyHALViQ5qAM7YniCAzRCNuIuDGCtkqfTe2mnSxdv8YqlKKQPbB9/hu440yLZw4BOV+Vq5mDiFDmylqnzCx1MOPYQoMNNGXqntDlYTm9VInt5qZ2KJdOIWpW7jUGMA89wLoslte3uVlCaVVAflchfiQZJjakSw8UBjkOjjNhA6jdbFq9CWRttTVwG3XEII0cOo1OYiwuU9DOhUwLoUHYdTxCQS7q0sMJBs4l88Zo4Wa8aTCb1y3cGoW6I5BI5l4pmD7NH7HT2bcrzwF4cRistrtKi2UGs64e0Yrj7cpjVCWtWSE3CHEwRQ9kZhznbAIQSmwtIPMg8hZx1uDmdnrPJF4Ad1cXSjGkON7gPPTq1krOOkUmD3Iw7PzUUlLTAanPJXhMc6XokvxVzTGrEyu9zOYpDE/720mw9Ude8VLpG6o6rC5TfqDZHjMYR9Eq5MUesMjOkFZkeKmpHRxHkfFrsluvDESoWdf0KOJMFPlUPd5VQSwb+S1YLjMRecVSi8aiQwaKwkI4JFAIRD3l2HI0Y9FDhNVHguRYiHM0tn3L5GeAsDjOcw2icIQYP2pzAyNN/s1WXkuwZhXpyt0aUgGyFcvf+17f512GqgHkaskLZN2CJpyVSgk7JU5cSdFpeV2+lxFZKPB0pkSfRvJiI9cYj91bm3N2BGvjRHPwIexso1R5NqgSYjJ+2UJE9XFGm5Irf3YGsgjwGG1e2FVBbAfUwAuoZig8aIeJMek9aghTNrHJ2VgWzqsTuajexr8rLoAp94VZsbMXG0xAb1RrUYq7LEBTIc6AA/wCvO/wZihqGCAwrjnGfkKTZ0X1cUVIUVyv5Krbrla3gecKC5xkKkZg8/Q2P7uOKQmTL9Vuu33J9HdcLHKIKu8knxfWqj1uu33L9luvX4XossAsDh6ER5oLNHHQbUVZhL8jQCHlYpJa1Gi6tACQVAB9P7se0U5k3MDRSZp0vgGV6oJKf5ow4zbG3Pw5Cc8Dtj9HMUch0Quj6mCQn3/pKSpKA6ZOxsX8+R+IGd2ZA1a0/vuDaH8ywZYrMX/xbD3NThkW691K3qXL2YTenKutm78aUv9EI2O/dbHjBpKE9yP6RHUL+RyzFYFO2oMSBwvlMB45SAWBK6swNjgmICYyFTxn+E3ngMx3oG2CepzlFVga46yMvTu1J72XqqzQuMPZ4PKI0aMumU7M8OQXKjNbeXJZQlp3FDHU5aKWZMhXYojhbmAbApufOS3rwNaeM+5i8V596NuGNZZcsO4f7tiFK5NkC8rFNmf2ZDhrIH7Ae+1Sewz8m+1Scuj8X9nmAA9ktuz1ndqvW1zwet1XpZu6Z2XLNNTi+Xrvx1baPjbl6y3PPnudohJ7SDFfnJ6PSLUaeV6uObddmlwecGLcs9OxZqO608tGYqOZs8p7ZoTh1LT/LXLv57eS15bxqzqs74ns8zqs+0Fub9LcT0ZYdVmCHmrOvR2SHy
pOuLTts2eG+2WEWCRrKIXEgG1XxQIJHEMCYyG5oT62QjeIQEcEB5Jy6GIrkTa5Ovg5HZB4FqOpDcmHVjWI7YpjqcxuJCY8SKJAdoAkK9nLXZnPuCGQ7DBKPhrd2dzSwIzhC3CpAJsdJyvVcHP6XcA2i0xzOg2JOdx6oOw/Vm4fq5aAIdpEPuW+SM8QjOkVsETFteLP7oKOcEbqiks4OXh/ZDHEaMxeZa9erHVFlpITIpIKULg0hITLBjBJJPWACGZafyUEIhZsQjxszhog7A6q6tYlIdkMfLV5++HDhfOyfXUke14mri/T58rjfl4nTD++Pr8+ci7Nfzi42YemvO85xxB0ewSlBnsN9FFT4HOnL7JRxDTAYMhqCiGEilDPDDQZ2iPPuNAsXxCPIEBE5CFnXkNIQCuzaDEebXArv2pjgZaet3dcdG91GAcXCjuJBgF17CF1MRjaMogC7K3pIilng6AnC4fKn4rz82kfgVIEADaJWCQwNkaRi4xAauB+vLkDereVmI6+8IcWs2imxIvqY4Ftbd6jG4Zj+rpaE2dMg80bSG6BrmeeWo+5+zuMhJF7GF6s7cPGggAPIkeYJpzinlqa0BBbkKCJlEwhUDS/0T+K15wWgDPx0fX25iYu4bLGXITNvyKQWI5D71gsDB/KrlPILmVmVJRSr1dRSUWBQ1+LciyTT1m1UFvqzprK6Rtya/HFNvqgqEOBBW4oGBsOh9qPFdWdjPhvQ2/mPqMhPGhjiiq8ec//1/lwuK3cyyayADapgw7rMRSPsch+yaK5YRGtGjLnzNFKHjVkVyv/k/mFlZtJLINdeyXu0kh/EUrkiS+iWXLnpMI/+SH55klBWbUmCTkmaSGE8KFD6nAJ7w/QJs+QRuT5NnoO0qoAnT+E4BxyOSdZ2OBYoTJsMJ8lTNE1BGIJegMk4TYfZU65aHiCUVsSFmKXPM+Imz4LGrp8kYjkZJImJqSrlOaYBU4bu8TgsZECO9nvlnKODck7SSEqCvktJIWNcqlkSQCGtnO4VcuJC0sPMpQFlvJRZbtqL8ylEJoXkbQSJV8opDMkQuoIWc8JCP4Y0KFSgDC0LnfIRLED4lAtcyCmlEle+WdZnigvDl5BGmqaj8neH3mFpiHVOS6Bb5RKx0MdwPMRDms+R241CutAhQv04KmTIBV0hIw5LI0ULXxlBLlAxQ/iuX/isCJPxrJDBiilMRAmjKm9YyBG3+SRDMJBNFfJiUqJPjv4oJH3YLY0m92Gvd1CReXg0n7n/qgLysFtmL+4z5BUz4sK3cMoKQzrHJFLAFtPeoFRFsUkB3WISF/AsEComeaF6gUNEi3wpWDEVExcWES3KX2HkVpKMyTxbxgT/UUyXWSDmqCgLpoUPm/q0lIQhTnKMmTKjNJ05khn/0252AFq7Z1FzTzjjfwRKKRRSMtL20xHlYsRMcAJTy193Fu595LLEG1gZfLYKl69tFyhdEgI2tHYb15p2pKbeL9ZeNHKmMNjIj+ljbLg8NIhHQ77EY5vcchnIssu2TX21ZesXCWQasZ755ggFSCBHG+M6AR3Nj2im6NPAnnFMCnQhENCRvvexzphWHu9kkQ5iESpfpCojoKP2tJwxKGcEkIuAjgp5Q4iDch6f8XJWiDhXasACnHJqXciCsfBb5cIDSsVc5hgxojI/5VUhioZS3445JXNODb2BlqmpSfTLjo2JJ9mQMpuhkE5gsALhRAGdORHDk8UOFFNnkF7GJtrNur5WvQ7V1OmaVrjJ/d+gyws4gZETIRZiISn87+Dk+NLp/9Z3jk/fnb9PPauuh48VPGIedbsKJEK2oCo2RAOMFN6X3Rgm6JpwP1ys/JADmslLpRRse2jS5n7YBh5mSC6Q11JvlHZwEjKteW9vE2HZjNQPjw5sH3vIhkxgudBvHlXCw0zMnAhHyIFC7uYq1HyXiXtzcCqhgYQGZuLTKqR80RXHbkcu/VzUUl1ARLCZUuWBv4PL88sz54ePPzo/Xhz/y
zk5fu+8O7v619mupHwV5KhY9BaLpSXfJiUTtjCmxIWYScZcuLPJ+mEFlugcvbLzg2kPKVtcegWc5iteA7GbI7QJVv4BOuA7wAoVBAnHi8NokZw6zcCKUR5kBkzXKiEKlwmrZq5Utet/1ai6nVUXO8ClQYBcsZE0e22bWmpHXQo8KKAtpbOt9ge2XoY1H+YZgSF2lW04YknAv1rDn3RANYRSg5sqgK7CxAFU08c6/FCzBETCbQdei9NWxJDSCb4A+VwV7i+1X8jyWl57T7/89HjGBqsZCeRLrni7dD06W4HPN3e1XU1w6rbgInrTTvQFvXd6q41FeA/Udp9RCR+MWB/JMgY0vAW+NJRb45hv2zB0zzsMXYFi2GjSyWhk7nMLGTzNeTZSUxZzAl552/hnxAgKQEi9OHW3EWAuUmcbwkdAld3YrCBVd6nqNlnbLFNrdV71zFIm76R/DZWWGjmt9p0fumsfAf2uECoMNXG932icjL75aw7U/n4yUHQqWZEyO+aIrT1ULOQ1ilT1SnZ5xGB4n4Mk691gjL6qHZX+TNkpZ4CFo2x6q4cngwQDLIoWwBAQNA1miZZr7dVKahmSuwyPiRNHEWJOAGeIZYr+HIjrQzJCjsAhAv8N9js8B1WlJJuvocGF/Gbl/g76zvn/fuxf3cnff11dqt8P1z8VL53lBbuW6f91u5G4bqYa6vV6KjqIUqSnSi5bqQIVCrit3WKseFoh63T4jLgOuh1Whf+SBMTcgBL0taI064lRNSFnQqZNBYDFh0KpzM0Pd9WPp3+YG20y6t2Orb7XRGuuHPLOwasCkC2Flg3lp0q6maA0ANsKo008J3OjUmFjKiFSkc8RZK4vZ8ohZYCnnqzWPsYoijfZVnVonVwXN7MNb+phpnFgztqhHblRfeTUf51cPuW4qUmc1NaI0pESnIrGgrZLwygW6F0SR3XS1cYYxEVJDG3bBNHmbQ8NYRwIHVxV22SXA7JuUN+TooL1YiD52PMQUa6HFkRAOjZw+pxh/mw2Hy2PBt4GZ7S5E/EvwGrlNHbFbf8Xq+3TEKU7j3z8unI8u9xxxSYYazYpbXBeIVnVmXTr4rbmQmFPuoXIn5jzeL1pRzbZUrH6nYjRCfYQU+Bwqk/H1Xs45S2sA3Q7k558r4ZtTuuRj3v3t38XviaJ0s//U0KAYLH+1LlrEByJJCH/ycpLQ5RWmgMbYhR4b+b7lQOBUYRIvmn9T4jgDeh20n8NqeKr87GhDSn+ZN4kMYZeEv2O5IsYs2dJK1xAdq9h8NJVbgWXbs2ft+bPaeazM3+uu4OBK69VbGQ4tOy+4JE6X0oNh7wQE8yTNXheUdRoniEThEe+I2mqbrJJ73Ul83zpgqCxI1K557o+HRcxq2+zszuzDOxHlA4RO780N+quUBTMrun5JS9mnKpA16XMd8cnSU6f4KGpZ5M1wNJTvsPDlzb0JohxyGY2JrbwkR1izwuar8lw5Lg+csdOLnp3aTl2+r4PAkrHsT5I9eRWVIf+Pr8EqjAwk+NCVNSI9JrY39iFxId/4iiJ/o0jG0Y4SYUzHLWonFsJT/JUV3DUgiH8kxK5kDAvpj4UmKsicAxDqGuZP/bLjIQ2wNpStVz3KFHLJUGn9UFVzNbVZOJIKZe4g1QYeAcGAZ1WLa3P1HsgGBwOsQsMnFEGJ7Wsg8TivjapySop4rVIY9aHj9eXH69bezs7vcPfO/bhp7ud3u8d++DTXffGu/u9a7/+dLd74+3etP55M9j998F/WnvHJydnl9dzqv0sXDizdrq9lzet3budbkf/vOzdtLq/H9mvP2Vp2Y5J//8qY//3jt01AK9lgaNXOnH0+kZu2W5auxsxcdOFfE9pKjFLwFdYyTNXLs5ITlDUHJWqoP2QABqLAY2JB86vTkCp6IqIN6Vb0PNYSzn5ffsWHB0dvTSTVvYSc0fb9kqIdDm81qCuEKa/87KbNyK2lSZ0db3RZziB5XuBjrarrhpwCQ7Kt2e31
wK36+LtujgP3WRdvL0WaG2vBeYzttcC09T2WmCStb0WuL0WaPIe7VqgmW8WuTJRc49cHMoJ67NaGPooiBDbaIvxCHfsPsfRTCDWxFXG/2hQuVFDA0rHmZbHLIhVoRUXvDtVR9h6Pk+m8mQWTyZwNXebaVvN2Gqy1hObmaLV7KzkXTInJ9NxOhOrSVjPv7mpV826yYSbzLVmmjUzbDK5JvOqmVLNTJpMoOm8mU6XuVkymRyTOdFMhekMqCe+/HyXTXNqdtMiMGUaM4WlM5cWw2aeSqcnMyulk5H+k049ZsYxA5HNL+m0kp9G0tnDTBpqrkimiGRmSCcENfKJ+M+kfiLsVedzoj2V6FqQ5+R3Kra1tM6EdF4250VyXhLnBXAid424NfIpGX8jU1NRar5fCU4jL7WYNNIxE4pKFuZEYCL5NAXl5JwRb6lUS4SZkmFadKUSy8ipzKtZiV2WLqArS+ndoqX/ZDtCnaE3dvmfdL9hqf2bpd+orZal9iiW3ndZ6c4p96R3TJbZ91h6V2Ql+yBL73ysMPvJWkv2MpbevVhyr2Lp3Yml9yKW3n1Y+f2GuttdYWyc7TqM4LONNFNy3GQFcPDcxPj4FXci6iVnm44xPXCUxYGju1Fn1PZzPECMIIE4iKiXaICBqQKoKrSpW76aFeV8qtioMMb/kl3/5chlSPD2OO1TC9PEoML0KD2hX6XAp2xSz3qQ3qHXhhnz8/7WNn1rm15nm96AWiS5JP11cYDjMDe4LmXII7zwUQaIRohBNZUDqx1CAkdIPw+DGBFhD7D+qCxpVdzjCGjs2YR6yM5XYRjGlvIQ2S7HKtcQWPGN7TE80UpWZeNhw2mpuzDALlVtpEMPp7ytz21s1YMpFK6fp57qd6o8GWFya2OiDjcSbXBgOp5iLhaUu7CcHTEaUSalmpS7RRgfRozezupqlrJDTRzIDpFg2OWlwbZHY2Tr0HemyEApDrRtmW0GTn+CHG+BWGgsYm0fEi+YQ191jRMYB1WolB10hSZvfQVQoURKVlQMNznCIoADm8Uk/yarSbVQdetHs75CeIAJstVtraoaTMS/5Ay5MJBlApxDWBOm+du/zSvEzcSFyeg/8wW3N4i2UrqhlG7kQLfScqyCFHMwVWZjkg5zIIvMxo4e32ysfkGpbhw5+sZRbRBEQNDUgJrLSdmdiI1WiY0iHgZ40DZXolJKiM1ZTy5/heAXX/PS5WqXJfMlV7whPPed33LE3WXf+de3uWrH6Y229cNRrrcl3LcjxDjmApGcmXWBZQ9e2gNKhU2ZHdARJXreFJCJCisvw74VftzLjFsdfvGhGLc61uKWcbeMu+w7FzPuAwTCfF6MXufM40H4vCZgT2M2z9XVLIRj45q3AmQrQOYEyHNkbwor19/zrC0h1+NtWdK019K1OENGQ0c7Vipc4MmD5u/v/G6RoWNMRl+k5qOO7ojOOSpnDaLC60JxA0x0rCEydBhSO1UcTQ5MA87V2f+cnVznm2NwKpOxFzkehoqQsfIgJROL6KbwKV+sIQxcShR9VtM7jERLKwi8lgdxMJOZt/oD7ACNoDuzwzgQSsfGudH+2VPKxhueFNfQ4cIL88uLr03G93gZf57uF3ubzFxMaprV9/CLjLEpNyz0ObmRjfl9I2KN0c3x+CoSRruLbOB0rcH4VkubzUyLn9jQLibiJoOc3L3b8OJds3H/tui8JkLzgyyON3MQlquoLj7zdi28XQsv+85vai1cGyz6Qfi5PjJ0Y0bM1dY07HPjurdMvmXyb4HJ693TPgiT1wah3jLilhGXfee3xYh1EbEfiBHrwl9vGXHLiMu+8xthRM6WO8828Sa0K0pE5HcBWUg5h6WSQVFg8wi5eIhdoI24NonKnboICKmnjaNA+UK/cpIfcranvBPoT+CbeMv/qk5AJXk4AeYV18Abed8d36vzXUWsoMrDnWx4M28kS/1a3Jdf3jGhU+J4QeAYo8GZM0YzR3vXrLJG/1X7eAE/y
4Lg9OKCq4ho8iVIqgBjNAOFKlb2GMORaCXVtWSP0onli/XTz2e/ORcfTo4vnHfHJz+dvz+76f/Wvz57d3OiIpGLE23y2Efixjze9HXF4J02s71R3Ze93wxPDR1ONHU8XSVgUqN5xyPcQSQOEauJjJK7JXD6vg/KsCtS+7yvGOU/jsxa8n8+cVvGBLClJgrFCoUyYhapMv2rXyp0lV/Z8cvBUerxJfH1uDp3BJ5jIg84MYl5DAMnwAMGmabHeQxc+whcnDqXV2cXH45P03j5AHMQ0SgOlNfhwQxAdYKuXRLnXSziAN1DUKc0kv4XK+vM2z3tOlHN77nszIniRpzwoH7YAzyIYOigQTR0fEor9qAXGk0GssUpkHDpbIB+uPxxneEdRMOWG3oS5IfLH513x5daWXw2N7Ni5SZHN3/T4nSjwW1qU9o5PLIxiWJhuzASMUPNR5RSgmaOiNWyhCchmCoGVgGCawMIdk5+ObN7nd6+ffC6290FpmC22FlnmLO7cJmz6v7H89MkJEf2PsYKGVluPgpTmRn2/nVx/sOJc/3x/fEPF2f9ByP4+w/LFKJwqHwrw6olp3oL6OAzcsU9RvSTi0VVdaXv1rfJ2WvCBvkL2YUtTW6/Uh0PorDHUTFNbJUP5AsWJ5nyUW491ct2SAeztt6l3L46co4O7AEVIkBMwgpbfaI9InGbz7jNKBXFXqiNShbGNYso6tk4cm1zc7z43dlFTTUsb9Qdc0ebDjiCwVCikSCwY2J07sreLQRNbravR5LNViNHvY7N0FD5upsg26UesuUUt8pKPMQEq5hgS5wMmhNL5ckuDqPCajypAwxjomrXJ6kuDfnE5S1vyWX1Zs4G1QbnHSb4dGGUMNXkJvue5iK6s29TngeWY7Dq2JORE1EaONpT4Pz4Z5tOud0KJsrmQq4JFclCzqmLYer80WWzSFBdr7p0MVnTNVa1e8Ev1l4rxATdhiz1KFhISgACCZWf1KJM6TRKaQnC4yiiTOSqmcuRYO6+Kpf4Kcyn5OuopzKwuk6cT8iXSPjqXhhKulHOkEDDXr6BQko1QCUrt0Kla8kn5EsWBZCI1u3sT/m2kDLDhMmIugiSpAflrK/jSfGr7tuTraB2Rm78W0saVk6fJStUKC+vkIuICLKNpF4dm9LIA7krM1pynL877a9DtcoVdswCJQzae+0QCagC+rUxDLPbYrn22lqSVAb9zgemSEJ9dHsdDu7uimirAtzv8E0mgKZCaPO7R6G6uu5TLpxhBfLkPki+1DgzManlLKDK3Uvgb1VTS9NktgJpK8Tod0PuqC2oZA257wvg7P4Dg6+wDFwrjHB+uJcHWVdwlaFL7mHEy0rFmIjnPZ6SHR0fewsWMCY6gl61qFLrjJymR/U3opiIVk6bpS6XtrtG764SvXxiP584yCcO84mjfOJlPvEqn3i92aan2Qpzg0gJBAk9SyTOUeZRczynMZF0PmVYCES0cuUe4pyUnGEY4zBjG1YODdnUUaKpUk4d5nHeZkxNQibIBZh3hZEsqLifLHeS1VGyhhlTK3egdndX485D7n6SQ7kAD9JnJNzm8TY2OqZZwbNst3OYegYQlAa2YJDwoZFjTQkr0eGZNcQ8ab0v0k3JR3qO7D5ena9DVP8HreRWs+psoRX55oxur/U5Gu1Zn8D/eU4oEFVht47LHLtx1K2Sk95syDl19U0FD+t9Btd7KPkspxA1tAQJFwo9zMRVSgUii63tIXW3JtJbqjTJ8JxoSSSGlWJd9spgvNt72eq0Oi0zW+yFVHiteBATEcuupIZrz4cWnLnAZAXCOMu9TVSKKpbVfUr4lTCZITJFmUNVb3mCtohyocLXvdVoUmm5nzDpa/Prvf3/9EMcybrzRX58KxN7lc3lTAMWEcgmlPA48eJSmlgSAGehsLiHde4zkR1//Y5lhwuFk/mzrFy5ZxFNMPHUNpuMQEQ5x4MAmTqMd3jdxHoTTZU2WFeuMZ/Dv1z27WRSIxd3J
rDqY9JEkgLu7kB1SbKg5GSuZCI2lNp7ALlvaEGlZerT7gbrucdwqmdEgcMJHg4xGanQN/NEcSGZIXWXp91taiOR5JAceQAOhQ5kby6rKWsgYNSr90AWwo28OFTSQnAfsvEmMrrBCXgnOwE3o7PCsE6dASaQzXIhGJaJ5WzkUOZ1lqAp0DUp6TRUoTAwUScAWQEcLostVDPO1RKxoGebC8zbSA1XcdKzoWrjYWUkR0QgtgRnBgrEXBulDRiCYxoLQIebTaHlk8O3crJUbRVnrMLSyRKQjZB421Uc8rZbGYxrIxQ8kHaJcD7FwvXl0A+dkHp1zpkSQBDCGfDhBIEBQiTTeMttp0QHjIVPGf5zbVueFZw2aQ1A0rOW/ISche4aLnnmOO7B7FtT0qnyplfxMjtvLuatZie7iVBvYLh6eKRjX89sSRWIiCTajhnjMpVW2JRV0WelD6JHp88K30QN6PPrep7Z0vPTp+fqi0mPTM5V15WqqTlXqoGznSUc8QzRV30Z/HHRV7wkvlO6DH5nTgZ2m94KbyDGtkIGPHkqdSa9LaFWb8KyXGOC6EAB/gFe673VlrjBkybuuhv8j0vbNTf7m8yiy+/wf3vzaN0N7UdGYvXN7W9w+Gvu5T728Ffe1332wy88rtVdSscWYFIhvd5fn/YTO8IhYrJDShtZLnQPRseyPy0Pi2diVUyHQ0Q4niBn/IrXaNGP9XXB3J00ECEitDGnDhLvQ66JeZPD+6qAY+CLFc2ET8meCeC/Y/0cD3DfhaQVzSwJk2gVJ1LcW7KTXDA8Rqz0dhfs1gRcUqUwdyGxXlhjD49URA5Vle3HSn35wmJwPEacWy+sCGEGBeIGRCkLzTOMPRWmShUNsCmqgjLE3HrxxRpQMbA3WxosOwE46u7nPPtD4mU2vKtfhaMhHlWpMD+EWHlM1JGXOYAg1bB6wPVx4IE8D69ICQpHMfbAP94WLa6qvELKeqjpziZM11viPbHX2Z+/zuMGGJF13KCpXUR6f7zSi0Niyy9B1aFKzVVxsPOuf7ULChHulbRbZ+jLZmlvgdXmM24cN7RDztoRZDBEstJ2/v54zmytaDa31KWa3JKsj7ivasMuv4fzwBlAd+xRWnGYYiDSwxTEBRwEmPugUGZFNKCC0a1po3Tsr+Yb7mgS3Gi+WUb6ncPXhUMs8/lkZCsRFzFJDc3HdIKYIhkHEcFmyjR2Ef0XHCikhUtHiaWqVhzuKqpXhrMcBcP20Gt3N6Puez/RetBJIOpFmAyRK+Qal6QvaxEWwsQZpgHWN54jysTcJaTL3uW5qhuEMJhCtpbQMi21oOex1hCGOJiBv4Od4x+d8/dn13fm92g3h4oMHnNHGySAoofNDEJ1/B9vwVGn25kvr97+t3p7uIEYW+GcuPOym7easNUJ9+qGVyZWj6NjkIVo6VWDS10AZAX0FT9jR3MPNljZ4qxss/xV9EKr6XPyJVfzhHOvrP9QwrrwXi6q7YipbqAcBYVOwZCi5sD78vjdI2166wIUyU1vBMOWp43cs4zND743QO3DbJkrsFZ5DPyYWKuOTrMS1r7ucfDzw3K1TvDxkFzjxnEZjnNVNDgkbVDh89F1zaG0+sD00VD61R1qf8OorDt4eTRk1ntTXoaFIocuP4BpUOUzRmzdYczjIbbWg+63jIWaM5lHxEKd+9TGWNiepz89suN86jnF/VmB3q59ZKAAZcD1zXP+SlOiSNSdAZCkFxgUMGVrHa5U7Kxzw656kaJGbWqTvlXfNEmdOvVlKS7U+cZXQFBTNW/n9SvbDJMdQoKV0726HfLhfjcF1qdrNkMhncBVdCdcIIfXuH49fd8H+o6YVpBQgsCQMgB1uQEmdoDHCKTlV0RmtcMdK6k88VEz8ikXubRALMwlx8GICd+4xGFKgdpyVSK5d9Di/ldyPLOCtmvzWxGRi51u1zl0XIYlVwf6kgtGvE5hcWIAEx8mCXzNXLEODlfTV0iONJKR554TBs4ly68zI
TqXmQcdUCqekFfux5xh5j79W3bUbb74YfVczfyJdPaP7BDyP2LEKt3UVU3Aizi9Usn1iJxerePacvqW0786pz9Z3ehjSIbq/fmjCYaazfkDyoVcb5qpWB+wb1uZVf7070FmPTOJUq2XfyyJcm9q+Rqt/ANy/5b5wZb5nwHzV94P2/L/lv/XZqHvmP/XuWv4zGRG3envY4mM+sPfx2H2pufID9i77Uak/Onfgyx6ZnKlzvjg0eRKre3BlnO3nLvl3Bzn1hisPB7n1tmrbDl3y7nfH+ciFtS6okUsqPchnzioXYcz5/0rfrFkT/asKhsdZROCjAfaOWewXAVI0zjbG2DimUeZDz2PmaSKpktMArouioSBEx5O8rnwaCw2i2LWyItsr9sp3sGlQ2W6I1AS7rN5zInIjzZzJhz50f17EpaQkR/VI5TNuRQuYtQp4RIJp4BDk6dRWczTm+hinrprWcxiCHp7T9LJ8L2TRwSnKupaHZ38dAmmaAByl/FAUgZkZdZzK5HRhB7ZiE4RU5XuWS8sN/Ra6BYVzbPyAalyZmF+pEBfyCfbHWFdcANkLLuCdq94oEL7tnCmaKAR4ejvnMfHcTU21OV5zamUmYf7iCCwU2FUCfSCyIPct14YOJCfeMsvNHvMZ8mRc+2aWioKDOpanHuRZNq6jcpCf9ZUVteIW5M/rskXVQXkCkByOYPhUNv6cd3ZmM8G9Hb+IyrykwaGuOKrx9x/vT+Xy8qdTDIrYIMq2LAuc9EIu9yHLJorFtGaEWPuPI3UYWNWhfI/uX9YmZn0EnxK/aM0DVJQdKiSsyxWXwiF9cI8+iP5rUkipF6WoFOSJlIYDwqUPqfA3jB9wix5RK5Pk+cgrSrgyVM4zgGHY5K1HY4FCtMmw0nyFE1TEDnXBZiM03SYPeWq5QFCaUVciFn6PCNu8ixo7PpJIpbyOUlMTFUplzENmLJwj8dhIQNytN8r5xwdlHOSRlKi811KChnjUs0S84U0jwLl0ibLiQtJDzOXBpTxUma5aS/OpxCZFJK3ESReKacwJEPoClrMCQv9GNKgUIH29p/P8REsQPiUC1zIKaUIFzAI8lmfKS4MX0IaaZqOyt8deoelIdY5LYFuhZyFCn0Mx0M8pPkcgt1CfaTQIUL9OCpkyLVAISMOSyNFC1+pjMaLGcJ3/cJnRZiMZ4UMVkxhIkoYVXnDQo64zScZgoFsqpAXkxJ9cvRHIenDbmk0uQ97vYOKzMOj+cz9VxWQh90ye3GfIa+YERe+hVNWGNI5JpEitZj2BqUqik0K6BaTuIBngVAxyQvVCxwiWuRLwYqpmLiwiGhR/gojt5JkTObZMib4j2K6zAIxR0VZMC182NSnpSQMcZKjdAKuzyhNZ45kjs/Hw6kMwJqtd2EEXR/15GxFRpjcqn2IoKGJz2P5QkRm7qqt6O0XtQ3bszbZszzsMjnZHTgojDBDTgxdZzCLIF/oXKoQRCmEwvVVNOh046uvrXw8PgG6ruwDlPc8SuSYZ40D3bhqcb1tT+JNz2wn7ff0EtjvKTkH9hT8pONy2i742+3bv+3sjCLw088nH9/06VBMIUM377DLKKdDcfOrbgV8jORaYrdlfs2uNF/t+pX9v5tdSns4N38S2ypw+4KracfalV9y/UzFaE89+uiA7qu5+Vtle2vJlkJKko2q6e/GO9UHHGLBoIscSAT20CAeLWK6mCOuLvYRgW0FPVKuFFPWEhQMAuqOgX6J2Fpu9HSXWibupYS8vL46Pjlz1N93Z1/lZldDnetRr2cnHzcH2HCsMfm83BlVwXuYLgFc6kmyExRAQoWPGMjf8byvUb788PPZ9dn/XquJZhHQ6fH18VKgj/2rr46UzuFhctvVLg5uI6xMyRgLJ3UE6ZRC7SyYgRI1jVKWG10rZRzQIchPkDJ98suZ3ev0uvZBZ/9gHXyVtTbK2VuyHonG8m2mfUVkkmo2+z+dXVyY+ePy+PqnvdzVWAWXi9B4et6/vDj+z
UCfnvV/vv5w6fTP+v3zD+/zBc2Ni84m64wVwht1jl7NO7FcWHop1pV7VscNsOPSypjaCkDznMR1xOgEe8gDNAkHpu6BgqVeeBsr0HM+Y+u06G5NnF3b3et/OPnZ6V9fnR2/SxYL7h6PB4Zes7y8llsljaI7yYjErKUIe6/c2F+V50Yk4kgpuZ6R70YGCaehXB05hFZdfr5MTkcySMkXCBgLPRATT4XbU2tHuVkAHmZIbu4xWkv+Lg3ZbV4XgmqnqqovVtunIUpjXTNz2PwiPdoun2ebNI1EbfDsgI6KaTyYyxtAdxxHhazpdJqPsV0dBZxZO//EuztMHfuiO4aUM8c7hqB3hwkXLFYYu/Pp1BH0TqPhTi4mdlt7OzMaM+fOZbNIqLw7WbkB2tVkWmozEWrMumnJEn/bZD22zFdrx8bExwMsbG3eYJvPa+6rkrmOpkbuFGwgCkR6dQIM0EaGEjubWVZXujnSxMS0CpYSdTpuctShuvVpd/e7MgBYi84a+Pvo7L+0B5QKmzI7oCNKkgNG4+nFCMrmO3DJgc44HiDtiHme6q59BLL3ktj0hKi3JeuR4CKJ1m7J1tq6OTXKSrgVcjcZ4wf1QcuQh7nDIfEG9NbRTtfnh/hUlePJIrFndw4P9tcZ1zJrvv2SI9LbV0fO0YGtitojErf3rBphbQV44Nq9Vu91iyvPGia93ymlu6V0r5TeL6UPSunDUvqolH4p059qJEd22qNG2XZ95I5t5g0s5RhEZnHEJohtRC6NTvDvN0xwQjQT5Gj/5RVTgQQB+m2m3zCLlQ0op35SqJ4LquhNhGp9UENbX6y9lsaRfIJ0aJ7mEF0iyfVxDNXo5kbCh9x/A/79n4YUsGyp2u29trkPGfJsjZBVhO8Ic8Fmjo8niDvykx05kM4YzRYsBBK9XlIcqOJaNMspTG06x2jWbJlQq/DiSLSSJlqyRzlh/dPPZ785Fx9Oji+cd8cnP52/P7vp/9a/Pnt3cxIzhog40b5x+kjcmMcb2csAc7GZ+rGZTqDb7SV+sZJPKGOlwj4uxQeLyWIUHIOrZPA1bMaFDzvoH368/vX46mxe65sg4he5oqDk5iomitU2rYQSF9VWlOigf6XTo4P93nvqVeijV+lZvVL7/XW5nmvEQkxgAPpKJNyc65PQBZU86Z40GugH7c3Z7Uacu3x1e3hQXt3CWFAV2n6NYCUpN5tjqeVc3deAmWA1vP2wLL0KWkyP+YfViKW+omeG4QDOHCgEdMcqDNSik6LEPFYdFyJuwkOpKoCuAqSRpFbGcaXt494lElhcUgFDo1+7onJ3KnMENVk/UVFI/0+M3Vkh53PMheO5yMlDgAzEYlToEyhg6dwk1Y8oDfowjAKUZF0hHlHiIWYyvlh7PByoUbjdq04TEYSFjAu5TU7az5lfFc9Az8mEjpF9DQVipZrLFZu0GyLAw0Hu7Zv31xfv/ExhaerMj+sm9Nr0nO3w8DAHye0ho6Gd+LW0lUprlUVfgCBHjgr9VLsnPMlixCiI3InQYJbGk8FkVKxvIfUu3Y2nttyFOq0aJWS61Jeb9EwdmddGWu29vHpujRg0G2B3hQOGo27X1uNsC2r7lIvm6IwHKOaLBE80Z5evRJApCTLCAsJHQ7GpFCqxIeQMRYxCnpjNt810+GbMBmKU5KqD83YQY+9NJ+HzMWIDlC+qN5iUBDPQjhgdsVSwRUKAtsC5yxk4lHMBJVCgmKcSgCGCpiVIyMdiJEA7B+ZDNkFcgLbS9k9gkAiQg7gEx33QTjjRZI5o4CEC2hDx3uFRUhIHE8SywtaeHv6HEiCvbC4QDOS8N6RshGwzuNzWY7GC/IiJ6wQIjmfOsGINc10IMDVgCI5pLBLd0oHd6x71jvTxZaw6PIwXU1uN1HB9D7MWn0nGCnLb/ygfgEqrATRo6eySz3h7yNuusni0qnf+skL5ua2NzpoeSg4Qt+C9uxo1Ekxff9R+k1PH3SoMEaHE5gISDzIPTOFmh
v6VIjtVnMfETXXYfC5nkF7/s1X+3OnOuqL8u70CuT39eBp8yuEQyR3IEl7tG7BsL/iwm0B1kLhAmSb79wOlYqMRb6ZLOzzqqfNPzBLwJpNV4X2Fro27PvLiAHmOgHysb/HV2NykoECCKrHZRNW92jLJbKHkUsH1ZTs8bwBRiJac3DjcYOSX75Q7h/t2+uG27JBcO3ymgwZjb0YYqRnCMT10EBlS5qKw8hJa/+xCAoMcENAO8rUzePOV60xIph8tU3XLVKsNKBELMed4oiRV0krxfmAmLrUZylu5nvvh7OTDuzO7//Hk5Kzf3wgXX5MLEkwQjgWeIEcwdS5UReXJNgFzYKDy0YnNW8TVZUDue8rGOb3Vm9tE5E1AV8TUTr0t39nZz8utAs/Ofl5uFXh29vPH/pU+69FA6i9qoRh7ErAQO1md8qVxG7xgougkmJhzTBh6RweWCuYgK5FPI306FATeYPnh0HLqWGFW2swQMdFSckGjefrQliWuyEydJRyASbF10D1vg2alzViVhmayzY12TEtMaV69Tu4Q2OkwNBo7H7IojrQOMOZwVKFRMTA5e3HJQWrRkzEaKKF4vbmlNKa6YTW/zE0oZmB/UjGe5XheQuEn5nofyR8xFcgzyln5yrwxyszTiwtd0mS/U2sUWY0p8oNxtDL/PplariFPSp/SEGLyr8vLy+KG+gRK4EL+BiSwEkfdu+GnvmziYzmhzBwPBUhUngSoayE/aTA1A57mQFfks7z7qOxEuzWA3E96IiVW689SeoiLGeV0yyvXkEuqKbTScVXZXjBR3X1aIHezbVBuo7QJETSbdDsvO3ZqWL1CuBuwbPFZoAI+C6sdjh0DPgsHshblT1wJDH1hyM9RRmIjKiAbIaWSbXto0ibxEkcKi6RyGkQ9INWSuLVnuqA3akmD3wxOkqt/X5s3l9m9LDGGrLKeegjGrrag02y9gKuLE1N6vfKZ0wxBy2K8a6bVEd4JoLEY0Jh4gCAxpWwMSoVXJKFV47jXWDhpHxuW/pP50dAZ2h1G/if10mAprxeWfqMcVFjKs4OlvVVYqb+J3JP2M2EZbxGW9iVhJd4jLO0vwgqzn6y1xAOEpX0+WExmap8OlvbgYGmfDVbeS0MSUHxBAPsNiHCZidb93iYw3lwYVfZaS9RIivAMbEHhuw6lLbSb3TOt5Nm/vcfcigO4naUGfrsbnr0t12/clyUAWCYiAjxBzHF7Dg6jABKxzlGdrgS4PWAqWYi9ZoonpUp6T89usQB78xsD9frE3DKqe//7CSWcBujTmzcfYhHF4oy41MNk9Pb3a3QrWh+vf3yVZH1680YmN1GVrBD/rvOymzd+tQM4Q3LpTgV1aRPRb7BHXSg2c3imqrgHl2c7O1V7O1m5lXMqli7czJvdytWbUqpXuRtTKQmenqsmxhEcCY5TF2nCQ4xttg17YKHJfSeJSYs8Z4xmtWEM+/2fsmMxCfi1vYTmQsSl0zGwSr2Vy7BSVs8C2qtdXfxDfXOBc7+4KCtkJTet0txSrNwHC2+3XGQvDVe6gZSuJI/K2HePQB5pnLB1yaM6aN59kMeTjYn25Mipeov/4NRUoQpaiZhqPJGvSUu5jjULmrZmOw8ThP2BKao6YNaDU9RmKoy5itYnzZpIO1uSKZJMZZilLdXcM9WAh42/8+QorS44z4MTWj4EznoUUhvWZ00ayXWuaYieNVv6JmVYXXiWB6esynO1lSirNrDLFt85fNcE9Xh4fOeCeayJ77pwIN8zvrHQdhPauYL2nT+PbWNXPsSjmOkbxokHnJl2t0hkZWBKWbgOwhccaLUiRkZlvOTzNJTuXLsKuPiqQh++0vLnqeI6wyihJLEiX3gwJjlYuzcQytt8BguoMUdPrdEjyta6XVQ49JGVKNy+6rwArzrq76sX4OBg/wV4pf4eHBwcLDiy5NzfQH/deWUHUCAGAzukk8wScg4Jve7aLk3l+CcHjEtOJZPTBgOlzbogUWjRlmv3M
+Bv34Jeb+4ArsFJZfHALkrtQbq9l62O/K/96gXomMf93gvw5k233e29kg/ydxP1dENUHR7tl1Blcz0Stq8so1bxhsl54LiICX2ghxwBwwgxTEb1quoLkCtQngF1eeMhcB1cVge1qlM3I+G2OQ/aske84OYrGuMnFIvqwe4hzKvQK9TmZa36XxaMzl/f5m/MxMqfru1CO08D1nwFVRc+7rGqbwxn1f5dzVWwTY4vGxqrHB7u2zweTBATtmAxF8lB59wkULmgqhchNccZjyNCqo8ktiKkWoQ8wDHLVuQ8Ho6/UZFTp6d5DIlTo2hpIHBytTQ7o2pQ5/cmxGq/cxWZAJbLhXuu7jvAQpWo2Uyh9Kgip+5M9BFETp2KZ9mBVt2J1ApiZTujPzarNWGzZ8peNefHWw77Gmxxj1V9hxwGQOUpfNW7ezyLf1QOrT93fwQGrT86b8BquXqaHpM3qPV7W3lvBdVjY6CJoHqGgqbeDOMxBE2tJcWcSNiKgK0IeGgMfKsioNYy51FEQJ1xzVYEbEXAo2PgeYuA2KOIcUdDpB7Ma80SNLipUHI3qrHNUyKAxgIkFnPLXd+sJBPKpgqyAi0PdBetDe66fVcEvB5pruBq5/DglQ0HsaTiAE30pV1DoXaIXB8SzMONSLX6+PsJkWrxSHwxqT7AgfCzR3nN/uTJYLy0Y5lDeA528cFjPal8G4isOdR5VERuYMCbi8lfDmA1h8j5mFTbueXJ0WetzvVRKTQvaub0sEuEzUJt67cubmo1W08GnXParm8eJXWahqeDkrL2YfH67XFE+mO6oH9GNIg9HQtxgacmCPofz081wU0hBxp0vctmOxyJGHs5B8R3d8DkySyVtzuvQtCbUNB3zlVf5MpiDiatMv8mCZ+/TB8kMSipdxPtxNdGYP1liphH2MU05s4ACw69EJM637zHOWiQQqdB9tPYio2wvIpv3rSthd55oefJYprDUvfvL3RAGx6HaCMeW8GrVrdzaGMykl9kC0oDWzBI+HAVP0wZVlJ547gBrnQKf5yLJBNCAkfaL3wscIDFrMB3QMUvScHXYcOKGGrG8ayUfSoGtQhST4JVJgVrDf9SR1hHndf5iNCSWjAXLOEPhbnqgt2O7aEooDO7ODArIsoLgrpbmadBAOQrgYi6PJbno/R+5nrcosk8zy9fgLXX8gLtGzz/2kPKc3lpGr05Vdk3e2n8Qh3VYr93YywDMohLHU3qFAp4o3F+U++7VCLczIqKbb9l3BPhcclvdZKzn+FbQQA6BEmZ9fBeISWTChcKSQlUkpAbCMXGobU6nX2b8jxwPgDCiqOtlh4LVh1XyEVEBLOU5yjLFriysF6QrDZf1fobXLLYmF/H6q5oj4uOXA+D/wb7HZ75ICzykNVUg261aSTaHhTQoyNbBQVso3CAPA95eqGs4gTKFeoSQB1fwI4YHaBG8MiNGRYzu3EL5nuaF1CBIxaCp19Y/Z1tGIVtHe+hDWNBHf3szAfU8lSoIhvrALyV7zJhUwNVDVDd6STHDWIupPwy3f9SLBBBdwxHKDPYyr80rSCmnElvwNCPtxBVNOcVPPXWnZwdJ/E0HmkXW3e1Vynu9HeY3xRZqV6v+rXaAc+9+g5P4Fc/YNyA2JetKw6PXttGFq7gYQAs2zlXU3rlwdvjU3r1DdQtpd8LpT/Z88knxBm1QT8elTFq7Cjvny9yjTa7V3n/XfjuWPPbYJzq8+BHZpz7voy0pfYttStqrztdfmR6r7/bc/+UW5wqGl0Fuv9ObNnnWbJP3Wn+Y7NP7Y2VLeVuKVdTbo3Rw6NTbt1Fiy3lfn+UKyBbdGJxDRmAzPXxBDUKmr70bDazrUkGWUBWjFHp6FW4OjnQbVovLHcj5fFr26VBUBqU4uB2bPOdCSjybA8K2GCMzUiKmY405WDiFA/tyuyvgklJLgcQXF//dt8n4Snbl4Zd8bmleUqF2ku5M8ds5RcDFVpqPisLMVhRS0WBQV2Lcy+SzDRoY
EWhP2sqq2vErckf1+SLqgKS6zHBgsFwqA0ouO5sEhix/BEV+UkDOoRiqYAJoFjKZeVOJpkVsEEVbFiXuWiEk0CNpWI6bGMFPHPnaaQOG7MqlOuwjxWZSS9B4Txfslv1UeTTte5YKkJiQlDgCAaHQ+zqXheksXqPyQio4P1MgCFlU8g8mZUGJlflVhQZO6XwcxGeUEGg62JLbtmKL0eUC6twfFwW2xdypjyRf66sT+XwdgqCSwpQDpm9op1GuaorCabqO5V/pvPQCo5ZOzu9w9879uGnu53e7x374NNd98a7+71rv/60e+Pt3rT+eTPY/ffBf6xPoDLgHvdjIQJkLeqMMiXS/oLlkzo8DZQ/7vnPfJtG8avr8PXJ5YF9cd6/Pnv/5q7/4eTn/m7NaGHqYaKa1E/KnNMjXNb+Alg+JDz5teNBTEQsk5GmJ5uM9FAP5c9+xOitigpMRoyOi8MZQYaIyDWshTMw0WWBZX70Xy0kgWV+/tQ/Y/2jBNynDRZEK9i1Hb7spbEhbZEwSWO2iz00WRKIVVsaARYHG62Dqt3Uy9Wz7ENbVs9bXuJ/Xs43VfnJXFT7Tq1o6yBYTMr58y7tjf7zq/urPzw4stEEEWELhkcjxJC3UvhWg0AiJyu0ZOF17aME8qvaIKbcbxqz7t3kcAVbiKNuV4FEyBZU2Yg0H1WOmJP4VRJiNj+ixwqmEMV+giGABKgYn7LHEwSMQ/W1xzOzOlIiSTYJPSUBCZrKlI7Z4XnyWdOyKpdbITS3VXruG9GqnVRqh3W60SZqOTd395XZHRQoCUKxGrF5OhD/UmIzcA9EbB5S87yHgi2BbUJABx0bhxF0ayIx7HfTyCXaXnOFQP+ahqZoAKPIwaHHnV+6DkN/xIhX2KX/igYgF1waGEDkgfN3p/1JF2TWoHwdQpIdaMEpb2GuOzPpSXA1VJJM1PuYBdokur3XDpGAStnQxjDMjBZz3WjrEN47NRSWESyMoOujnl7fYXKrsC9o6EJNa74QSkzc3dVRa2qsHfnRnrUU8C2wPsMJtDZY6T0EYXhMxXHnEZwS5NWFBP+B0akUMr+iwakqAEwBkBVYkRhKS+siur5Yrs9oiHTvFIJGyB1Tnc6JmqxYKsx1SVWE0lGA7CxDPWHN0kPM0JDebsK4na6tw/wstKTuvu7Y6DYKKBZ2FA8C7NpD6GIyygdyb44ybV/uDCgVDkMjuameOWOUXSqs4GtdBsgyICkDxmjWLJZYrUk7R6KVVNeSXcgt3n/6+ew35+LDyfGF8+745Kfz92c3/Q8/Xv96fHV28w67jHI6FMkNBvD++uYkZpIQfpFTKSU35wT/iAP0DkYRJqOb/m/967N3LUzwjfyKzUxmm3mW6XZ7thqfmZ185MpYcmnosMh1PDSIRyPtx3IllF1dnoCTD+9AWsFzwZ9580QQVaHgT1HEZpGgIwYjH7vOIKAqtlFyU3dFdBUqA0llphePjq2TrHezmw/npzdnxKUeJqPrWYRAR7/vn1+eBsGVnElQH48I8k6hgO/46CFQ2dyb03LWUx8bqot4Zq6Zx9sxyIGpJXREhV5aBLNm10wWX/gpXeZxo1huUalcxugF6J5HidwXBGiCApPFIPFoeGt3RwM7giOU3P9R+tM4/C/hRqUczoNiTnceqDsP1ZuH6uWgCHaRD7lvkjPEIzqV0/EGhLB4TXPw+shmiNOYuWiNQGMJ7tV0y1Bygid7uYB5TSmQlCpdNtqMa9UFw8SmJ7vOh0tX+Uz5m6QP6krYBsPckN86+0d2CPkfMWLQqxjpBXJTrp+mMEjiW5rolasKzKSWUgzMR5zk1EIjmc1OtPTpI3HTN2fLN30fMuQdqwXfzSVkMESyRzc/mk+5VEN3sxGXNETfZjOfT7ng2iNAPaKEj1IGUQUy3wCb4WVFxtAn/Pu9G73/4DdIuDeqQw8wzhuwSbJpdRDnZs/aTCqFybQNkipAVgXIqngYNJiLxECuyXm2pAD9pG8n6q77T
cg5chF/+uJLWyQMaeAhxleVWtpQwRR+TGFVuyIvL8fPzLxy01dd/1F3XU/s91PxR44YKNX+tClASRQHkQlmNEREOBPIsOLKFclBV0GUE4ekjsekCvVhFVOYebzp64rBO+V7gt2cZf1/4jjTnndXxY8u9ZgYSdhJrQ1wXoImfPVR9fEhhr/BomHRAjugo9WXeUm5p4CDhtoL1d8nj48Qa9UtJqM63e2J8faTHudOMAS/vjtfb9QrDoO+WGpbqJrfs15Ybqj9h1RZUBQV5L+G+JJN+mdf291I5+Clbb7IzhzuqDv4LJaPzXSw/zcAAP//UEsHCNE5ZgjYRgAAUisCAFBLAwQUAAgACAAAAAAAAAAAAAAAAAAAAAAADQAAAGN1c3RvbS5wb2xpY3ncnV9v2zjWxu/7KYS+19OS5/AckgHmosC7wM7F7BaD3heKRSeaypYryXXST7+QXLSzqYMJVSzKJ7kKAtt5fiJ5/vGQ/r/qt9/f/vuPd2/+9e6q+kfTTmM19dV0247Vtu1SdWq7rtr3U3WdqiFtu7SZUlO1+2q6TdX/11Pd9DfVm8OhqvfN+cXXqeo/peE0tNOU9tWpnW6rfTpVh75rN/fnT236077r62Z8Vb3tUj2matc37fa+Go5dGi99/LYfqu2x66rtcb+Z2n5fd+10/+rFpzSMbb+/ql5KoBhevlg+4epFVf1Stc1V9Ue9b/rdvt6lF1VVVU0aN0N7mM5vebn8bdt2UxqW98w/v1T9WP36a/Wya/fHu/NL0t1hSOP5H/WHtH81U7yaP3V5ZZo2r8fbuulPrw/1OJ76oTm/r2nH+rpLzVW1rbsxfVWV7urdoUubIdVTqjfjbrqdfx3rm7SfZoIhTcdhP/YfhjQe+v2YrLeO1Cm57zl+v6/ezG9cnt4apHSXNg+Qxtv/BYFGBSfwgQ02QdDowAkCB2yCSN6QAhMIBY+9DsQ5wV4HIgbcFok4Jex1oDYQ9hgEG7GtqQQFXwfKBtwnq7MGeh1wcBpDNLgEzpEEhSYQMtEURtCkLj2ZgISiGGJcAiavobQcLY9AlF1ptugmTU+Ub50V8WRh5ZOPpXnjHPnCgUhg5atwaZFElnz1pQWjOfJ99MhPv8DCSoZ8sVSc58qRz54druURZwjY64qwRZ77okZxJ48aKS59zJHPQsCWR0WQA2bvyqvBZcgPjhRYfjRSXP0wR37U4jYysuQH6wqrNzxdPhm2wIaTrPGCO/fJWgucqpNVBTacZMOcqsMuXRvnoAFWPimy2yK2HjjmIUdWgC2PUwccNJALDrhQQuLUB1zLIyEU13iSIT+48voFMuRHR8AVZoo+AMtnQ0ZwYx42TgxuzMMmMvDSZTLIlodJkIuETNBbc0wFtj3nyF86hmHls7HA29LM0JtDzEubLbB8NcCGk8UD57rMaoCbApi9Ke7QVI78qMhP3xnogNmZCFyiZccReHuCnSOnwE/fcSytFThLfgDu52EXInKy6KIFbslgMR451xWyxZ1TzpIfgOv7LOKQKw0iimw4RZE3h1i8Q67zSDTAe1ssMSK7Le+YLaM+fUfOsw1UlPzjoXn6AcAvh4cuELxL44TCwDT/gDOIhR8HR3wx/4JiEHvRHUAxqF6sAUExBHOxFIHEICZeLGZBMQjhj4N6eLskj7SdIzGovVybhmJ4pEQKxfBIOx8UQyD8uRQVfi4tB7DB49ZAl+MlnCwuOKPooxCdRZ9JYsgHdIblUD84A3mCZ1huJwBncFbhx2G5thKdQSK8XXJzoAHOsFwgis7AFn4uLR2C4AxLmyA6A+P7adXLcStM9iBe4fdPzvfZgDMofhanwcJHrd4y/FzyDt+yevXwtaUQLHykEQ3D703HOAdL6AwBvUJGxnn0uURGDbqfJksugO89kGUfwPeAvlyphM1A3qD3/RAbvny5EhID/v468bKfiM2g/EiFDKUiQD5QRI80gqq76KVRRoGNVfQeBzak6BVvNg6+R5qJCL1/jGnpz
UVe0Yy/t85s3eUVjTMKBJ+/MeN3ODAzfJ2Vefk6QujV8Nj+FdAoOOvR+xvYOfhuUHZCl3tlYFaDE/h+Vnbeo9cB2Pl4+S4PJIblRgxshvPZenAGtfjjoBH9XCKLJ/QzfSzhkaoSEIMaVfS4W4Px7C58cS0OgzOGxFjo9eAMaQzlMGw3Nzfj9mPbbL5X1O7bqa27v/5xjar+kPYPVKVp83q8rZv+9PpQj+OpH5rHZFbVYeib42Z6P9U3f/mfm3536Np6v0nvt0O9S6d++HD1z9/evnnzle3D7bE9nbqbzx+eH9vu/v0yzd5/nSs/PX3or6fDYezvPt8+v8f9sfuz3ba76+tLbLuqXv2cf4zoLG6oT9tm9/mue4ZreBz7qbv+ONR3RTz4aTh+e+5TGqe8b49XG4V9KGO9rpCv1kos5NznGvkUHAE/fTashXyB6ir5lgX56bNYZPnizYXw/2fJb1KXMuTPhjNYWPmL4fS48ik4LqRKvUb+bDgjsHzLCjz3mYWQ5Ys3BXndjNsWz1azkLsuc7WrtVqSw8rSPttL0DkzG0tfUIyfp90WFSHnaWchWO3iTUEO9qbPio6tqCsrvMwEYI1BbUkhTi5AUPK+JLPzZ/2pzkKgoNarL2gMshGYJFpX0jSaEZ5uiOYkS1xJBarD/XTb77MGgYScCSUNwhoIDYGNKShlXAHBlgwbX1DaPhxz/DIZK2pDQTH0rP9vt0uv62ZIH4/zy7+hOLIavZaDMt0fvsjImlNOTfTRFhTnrQaxwXEp30TwQyDOsVBBq3w1iFCMl1o84EDUKvnnAOINaSlfd/FjICGSFFRJ+gaSWc5bzG+Riz0TZDG/z2FEFvNbULi7GmQxv0Uu9kyQxfw+B5DF/BYZouSCzOa3SKv19HTEGjEm+iJD36dTOIlBNRRprzIozn4QnmJxgkVmhTkUswfkgqrP6ygW91dkQJJDsfi+Il1GDsXi+ODHYvZ6JTU+fKNYVcQ6G92S9vh+GGi2v67I1bISaDHFRQZaK4FmqyxFllJWAi0GusjAZSXQbKvjcxqh2Wx7TLP9X9s/TiPFSxtxP+eo1o+g+CiWwwW7BofijDh2oaBG7LUg52igyOQlE2SJAoqMNjNBFu//HKbW4vXxTTC0t/8+I4vPYUQW715Qcfhv5T+SuUThkjqFVmKotWoLCh7XYlBwriBXuBaDTVH99qsxLJdUp1+NUVYuvxpDPCEt8QfB4WxokdbEwwDEqkVydw/kz4YVaQ08kD8bVCRL9FC+5ZL6R7Pll5UOZcsXX8rBw9PN3dhMN9Pu0j0WoHd0/CcAAP//UEsHCLWjn7yMCAAAmc8AAFBLAQIUABQACAAIAAAAAADROWYI2EYAAFIrAgAOAAAAAAAAAAAAAAAAAAAAAABkZWZhdWx0LnBvbGljeVBLAQIUABQACAAIAAAAAAC1o5+8jAgAAJnPAAANAAAAAAAAAAAAAAAAABRHAABjdXN0b20ucG9saWN5UEsFBgAAAAACAAIAdwAAANtPAAAAAA== + string: 
UEsDBBQACAAIAAAAAAAAAAAAAAAAAAAAAAANAAAAY3VzdG9tLnBvbGljecx9Sa8kt9Xl3r8ioV4fKTiTArwQ0A20F+42DO+FGBhDxjwPv/5DZsmQ7O+9zxVZkWTVqvCQbziH5L2X5w78X7e//PVv///v//jl//3j59v/SYppvE3tbcqL8ZYWlb2tRVXdmna6RfY22LSy8WSTW9Hcptze/nc4hUmb3X7pulvYJF8+HNlbu9hhHYppss1tLab81tj11rVVEe9ffmrSrk3Vhsn44+1vlQ1He6vbpEj32zBXdvzox6ftcEvnqrqlcxNPRduEVTHtP/5pscNYtM3Ptx+E5pT+8KfnT/j5T7fb7YZbkfx8+3vYJG3dhLV9fvF2S+wYD0U3ffm2H377alpUkx1++84v392Otz//+fZDVTTz9s+PTWH2h89EYVzaJvn18Ut/ffwyEUzIaICGt799yG7dYMcvf2Pb2ebHBwE/Pv6c5w+3U/zTmIdJu/7UheO4tkPyz1+VFGMYVTb5+ZaG1Wj/AMluYd1VNh5sONkwHuspf/x3DDPbTI+/ZbDTPDRjWw527NpmtEQRTiWXlH9Ewl/32y+Pb33SfykfvI4RbAOWav2AD7vZ+N/4GPN3wZdGOod/zAxqL8DWwDd8pVngGv6WUVRzjTsNfcPX0nDX8IexRhrW6NLOO3zNtGv4c7Vhae84SuYbvqEqoNIt/KZoIcyKotOe4QuqlfOzL44JdzEj7Gvf8DkXzs9+qVdEQwZBKt/wReDe8tvZIutHCLN4h88ldX32zXqgziYcpW/LLyTR1PXqp0WBfSygotk3fE2Mc8eX5xVMU0JXo3f40v3ZH2KOSDCw8e4ZvmSB+6hvZQn6ToPtkW/4nATOz368NOjHFUXU+IXPNJdGm8At/GVPQJcIU1P6hc85FVq6hj/fN4zlBiaNZ/iCBiZwDf+eEtiOoirU5fATW9mvhk8FNSKgzC38uYqRNwTxIfzCZ1RJ7VztuUcWmipMvefVZ0Iy7tzy22OFGmqs8fVqT2anr8ROOBFCUeIWe8cbFPcah70+4j2DnSrjPN7rih5RHqKWk1fsgmlKhVvsQ9NCsBp1er3GdQa7FMx5oButdzRBjXm63tqfwi6V+yteSdEPCdjd755XRjlf9yM5MNsE1Xx9TucMdh+a9pQSRFkPFV1/uTuBXRDqPrxhwoKaFX3u1ccJphh3beeL/Y487JEsfrHzgDqP64Ysxdoq8PR6PecMdsGI8/M+Tj3mdYNNE7/YZSCd7/kgQl4GULnX2EYGwr2KFRwViqpFNl+fvziDnQnq3M5blYFNBHnn1dZJIdzfYfvWYucUeX994uYEdsU9ZG3GIgbpNkjjdd01p9I5dlaW4EONfs58YjeBcJ+uipTBFmeQzOueN0a6r1JYbIY+5aiywS92TbhztbZssN9T5NKnXkcDRtz7uHGscVQ1lj73iZ0ESjg/730UgvQ15rtP3YYSQtxrlXO+opx7zJP1il1K9z4unRIkzCLafWpWlGjBnNs60xBUJMPMr0/LnsFuHjGtY+y8r1GUE9LOp4+jVHqIbRI1gRcck918YmdEuY/n6yTEHEbYWp86LeWUCOd2nsULhrUDna5PxZ7BLrmHmHaJMKYl7g3xil1z9xp1VQS4iwlB7lO3oYJLpV3b+bzqoJMBQeFTr6NCa/fl1tvKMa8ade3VzmvuodyUZSuWckOkri83PYHdcOo+D7ttMZhoEXa7V+xKu8fO8jvopLEn13dYfD12FtBAOI/nj0mjTQLsm0+tkgVcBM7j+XGpQEeOe8K9YjfMva3b4xjVEkC2PnORjAYe7HxCMyTBgvUNLUVnsAsPOSk1GoxpD1p6tXXUR63RFFGw4g5rferzjPpooR3TO7Jyx9D69O+MPhtIXWM/BMplByt91h4wFhD3tYV0aVCREVHgdd2Zj5qTJm7BKUNeeI1t2LNx0jH2SigkeoZNfOZhGXvW2zjGzscDcawwez7vQrnX
61qToZtK0MOnbsOYDNzXlG5ZgDkw2Aqf+jxjKnA/HyZtM+iSID0Kr9iNdL/u63GgKTSE9LrneeDhDlsnDYI8x7z61KgZD4z7XCRrNwTSYuOxV+zMuK89mPcFoSmhK595GcY55dL1uouIowwWDIfPfBzjnBnnnaGrDBDqBP3gNbbhXLuvnz/GAbvhkDP1il0b95pVMEnMsYW11w9AO4PdEPe1xGmxYp0XzNbrXUYEyr1e1+gKQ7Qj4l73vKDE/dC/hXDkS4bAa88IE1S7z7+PeYpoHkAKv9gFd6/TEj2AKoZQetVthJDufRzZR0ypxsz8nnfpoeaE2DuqQ4IVXrVKobh7fd5ogk21KI6P5t26w24C9/U22igIeQefveYihTEeYhvRobYNtsNnrRFTnDHCHK/7OlFoHmHepUfsnHLFiKZusVNp0MkdxRt6heYu+fr5Tr+NOvkQ/j/sOL2LgGVbYIIYS3198cVJAhh9/HNNwDCFiPQCPqfeCRDEww7oW4q+aCDz6691JwnglH2i5LyTgLBtMTYzJnF9nHuWAEE+cfvvJGAZS9h1x6ivd35nCZDyE+3+nQS0fICcOuzl9arOWQJ08ImQ+04CFAmwHRnC/fqS25MEiMB8ksF4JwHTfUARcWT79b2jZwkQ1MMO2G0HO++YJu+BkJDKgxfoRg7JRkTH9VmsswR82jz9TgLKcEMfZ+hn70ZQks8yuO8kgHKBvZmwxdfrHmcJ+DSd904CSC2RZAGq/vpht2cJ+LTf6J0EsC0FDzh6e3gnQFMPR8DKCn1LsFPrnQAjPRyB0giUFcd9u76n/CQBz1GIzm+DdlQY8gXN4D0Q0vSzu8D79KBxr9BSgyDpvcPngXS//mpMkJAB03j9MI2TBBhOPBwAoxJ0JsFGrs/4nSNABFRp9wTUWYVtyhBP17flnCTgORXUOQGhSdEagXDyLYgJqqgHAoZ7jaiYEfW+jeCX2ajOCWjaAbsIwcbr3/w4SQAn0sMO4GmLrOgh0uvfejtLABcedkCsDHSSoayu778/S4AwHrxAyjvQ9Y588J0WEfwRBzsnIGpn5EsNyq+fqHaSgOeDd84JqFKCUWfY0+tLm88SwIiHI1AOG+I2QHdcXwN0lgAlPOyAuc9wBBM08+4Gn31MzgkoiwRLWSK9+xbEhGQ+IsGcN9jnHrT2nRUQUn52G3yfGtDGC1YrkAnfirBQ0kdxRH3kyJIQMfVdHfJlarp7AqYMI0mx7b7lECm96EEyLCG7FklyfXHYSQI08XEXFEME3ht0wrcaoAjzcQQitWLLMrSxbzVAcS9OkFQUqs9Rp74lcSWVj5xArRT6bEbMfasBWhMfgXBKI/TJCJb6doMmYD5qBLecI14oYu9HwJjHRcA5AelmUTQxzHF9bfxZArSPtEgXMVDZgAvPl2EacOXjCOTZgKbZoY7rp1qcJEAGPiLBdcmQR3fI1vcOIJRrD7UB5l6AdhRL4LlAihKmtIfqkKSdwYM74u76hv+TBEgvdcJ9YsDMCEE8l8lSqgIfpfKZuSPPU6jQc3kMZQH77OWBdxKwRxlik4Ca69/LPEmAnyLJfMwwtTkK4TkrQNmzQMo5AVOxw4gYdem5TphK9mla5H2SqBpWZMOGSnlulqFKU+MhEC7JgGkJUUjrmQAtJf8kDnzf+vOohA1D3IXnGIAFRPooke1LiqxsIIhnA8gCKn3khfeowtRphKFnF8gC7qVllm0JlrBGnni+CDFKqY9OkaFlOISEoJ7FEEafDZOOTSALd5jFgr3hXZJz8JmnAkkpQfsd2+rZBTJG+Gcm8H3rb9oUNoqxd57LIhijXpSgSGrsvcHGPGeEGPNTIGsXg2Fr0NbXT/s8SQDzkhPMkhFBHWOsvFsAST7LB7zPAgxrChGmuIe+g2D2eVnMO9f/oAsawZEZz/kgxonyUR671CEOsSIqPFeGMc69NMrtoQHXBSTxbQK5oJ9ViL/PAlSmhogtMnP9nO+z8L30CZbRhr3K
UGrPdUGMK+VDCB1sjIX1sMSzDsi4Mp8NQH4nAdMgkJkO/O65ReK3ScDuCehGmGPB0nkujv1tRKZzAoIhxsgnJIHnHhEmJPGxA2w5gG136N23ECKk8TE5qpMtJqPReL8ICUV9DE5qZot1K7Az33GA0J9mA95JwGoEEpYjZp7LYpgMpPRwFZarBtsa3N/w+sVJAnSgGA9cE5DHA1i3QxaeawJ4EFAREOc2IAgSlGmDdL3+LceTBFBptHsCYjuD5RL9fGGJfBpn2Zj2RRJ/BKdoiqkIqz9+8VJIaT0gaQPo5qPYru1s82+Q7BT/NOZh0q4/deE4ru2Q/E8Yb7duaJM5nn791z8Et7itu6oIm9j+mg5hbdd2KH/+v3/52y+//IGcMp+Lda2yo/RBjmhLHIlCln4kfngnp95/fZ6SX/+w0R3JAq1NUIYa437h7Iw2mrpubLcj97HY6bBjOBpk1UcT0b0vdl/di7Soo+hjcupbeP0qL2aDKSJMw0clAN9OyRdkQ7imSX1slRcDOBY11nuHYftoFNq3Y/zGZR/Hdqqifgg3d8tOsjtW1kL0H6n+r1IyDfMfV32y4xQ/PP1XO31JjGBKf8TD+wydHiokrMC2X/jW3wvYJSHCOJ4R1s4Ky5YgNRfGe69gp5pTx+vejxnskWHaLyz+eQU7C5gUbrGHZITeW3TjhRedl7ATJhyv+xKHWJYKtbow4fcSdiaIY+zFeEd5LLDRhVNBX8IuVPDh9f592Fm2o7Q5ou7i857Yyp7A/vBxmrjFnu09pm7Bslwobb2A/enjlFvsi64wRT2aK6vcX8FONWeOc7ssn1D3NfbowsTWK9gfPs64xR5vGhsZsIwXtnq/hJ0w6fi8RzZG3MRYq4vt/GnsTFDH2LO9RXjfQeSF085ewi5U4DiuK7IIDa1Q5xd29z+wn3j86ouDc/zome03FMWOdbiwl+cscEmIdB3VLK1FbSvo/cIC1tPAH67N8VY/lh1HPqKOLg7jTwFnAVOO7+xhcUeXH1DFxbb9HHDi/NK6bQL3UmFRF5YonAfOBHUMvCs2hLRH2/k0bg935jiEy+yIvhXg3cUhXNaeurASIbn7S1s4TijGBNN04ci+F9AzabQkrsN3UymEtUJ+5VOer6DXkirl2shPa4CdWpj1wnq0B/p7uISn8FMtiZLK8erHyY546dD2Fzu50/gZFYZw17t/mnLcOcUSXxzIP/B/vdknRBjBXWclqtyiHA9sV9YiPsB3+5S3zanlp4LyQLtefsVy7G0ATi/szH6VAak1CwLHylWb92g3i3t08QF4gQFGaMAC5Vi3NISiminoeGEp0oOBYT4T+dGACEm042utiDUeF53fX9G+EPx/rESLwmSw/fz4+O88cEqkUdIxD/cdug+xrBcLuNPe/Ybg1FHgMjDKEMcXoGhtcFQKSVB+JywQzZnrx+2jewnd1pDzxYrHyyxwzgR1bBZ3W6HRCdL84nTOyywIaszHtcrvY6FPQ3R5imn7XvaCJJIqxyyoI0VdHxDy4hvyyyyogErtOFTaaIec9xi3C595+zYWtKHCcQbgvgnsaYl2vLiM63cWTiaAnp7SsXWc2wFVeuA+XFzQ9TILT0/peC+U1QZ+1LDZhU8dfBMLT0/p+BI5HjOmssa2vC12PMnC01M6to42W1AuB3JzcYLsZRaentIxC8m0INlKsCsH/XwTC09P6TiCvqsVRdphuHLYybex8PCUjn1EubRoVYouuzid9DsLXy8vkEAEgVGOL5SUVxhGgyR4m2n8egq4MFpK7dg7rOuCWFGs9GJ56SUKvgRLjilohxiZjpHWF1cKvUbBM1JyrC/tC8e0LmjG7+EgPMMk5jjNGsUxsr7BdHWi8TUKnjGS43h5CTfEuUFhvouD8AyQHIcGRxmj7Bukw9sCpDMUPKMjx7ugHHrENkGRvO3ueIoCbajrulkZdchUiiW7cA7Ov1LwUvLhi390XXeUjxs2UoEdF3dMfDMbD1fJHVuI
vdpwkBb3+9tkthfZeHpNx5eIuCqRVg2U+N7YeDhQ4ViIDjMFzRWy+m0xxItsPH2p47iasx7BfQH57uzGw60ax3tjWDTmqUY8vk2MfJUNbahy7GGngmMoZwSl9cbGv9R2cGmo+bi+552DZrpDYVgixOXbgq1zPCgjCNMfepF38hBPMbp5QzW/7epxigceCM64dtyXu0iOvk4xhRcOW/kWFr7Em67FiGDE1BbY97eVeZxk4RlnOr6GccZRzjmy4G0i9UkWnvGl4xPR2xGW3TESf/HlfxdmhGNvadYRfVuhf1/a5iQLPuJJ2w7YmhR1+LaSn5MsPONIx3tBTx2SOkOrvxe78IwfXScyRYS2amHjiycZ/EfsnygRRjDX9fGFKLClB9btwrc7v4EDSYgkjm9VZTgiiySK+mL/8CoHVHPuOF4i8YolO2DDi5tkXuWABc4bv49gQp8kqMqLtYaXOSDMdTa7TAvYNgOvL749vMyBez0ySzsMy4E0vrjM52UOhKKObaIMJ6y2hdwvLgr+jxz8263p4RMd24H+KBHqHEV5cSL7JPanL3QcE233BPm8oIitX+wPH+j43IerwjR3GPcLX7J/BfvD9zm2++neoTAl4uXiLsHT2Alz3R0XqBlFX6K2F6vqp7G710Y43xHZAlF/cX/saexCuZ7uNNoGVVKiWS68+6zZNiZTNtUfj+B983zi4z4hL1qM20cm7NVhvL9jfGk+8X8FAAD//1BLBwhbQCtOkhMAAH0QAQBQSwMEFAAIAAgAAAAAAAAAAAAAAAAAAAAAAA4AAABkZWZhdWx0LnBvbGljeey9e3fbuNU3+v/zKVCdrnkcv4FulmU750l7XNvTyTu5eMVO+3aN83JBJCTCIgEaACUrTeeznwWApEgJlERLtuyMpquxCAIgyH3BZe/92/8PePfh8tPn69OP12/AhUekAJIB6RMB+iTAYEyCAFAmQQ8DjvsBdiX2AKFA+hicI4k8NgCnUQQQ9UzlHgZshPmYEykxBWMifUDxGEQsIO7E9OqxMQ0Y8kQdXAYYCQxC5pH+BPA4wMLWfZ9x0I+DAPRj6krCKAqInNT/a4S5IIy+Aa36YavehNw9+C/dyZv/AgAACIj3BqCxcNyAOLFAA6zLAfCwcDmJpG587WNw+s8rcPb+HYglUV2DMRIA32M3lthL2vRJIDFPujbdMwHevgW1gND4vpaUSzTI1ekhd4ip56hROWo0Hu7DZrMJPXqbVML3EcfCvId6ZF19pDpFIdado7FIu/aIQL0Ae29AHwUifZeIMy92pVN8MAQSuZK4b65Pm81mG5qXIYzma2DXp+Quxm+uW93DFnQDFnsQeSGhREiOVHXosjBE1Ms1M7R808NCwojrp+D529LnGEnoYYnd7LlTipDQEzZinFJNi3cfzq80EVwUBNgDI4IAAhTLMePDlEobJcx4MIJj0YNR9mHnCKM+hWLP32rjAZa116DmxjxQf4NxBFO2rn0FP/1kGiA+0Pz82++1/Vb3pN4+7NSTv40ASSxkI8QSQQ9J1CAobAjsxpzICXQ59jCVBAWisV97DfIdHDXr7cZ+I1flr8R7u1/7ujabdHPPhch1sRAl7HJ42IYx1cPFXn60G+WTbzHHCzlFVdgCr7jtATxoxfA2Gj4JrygmMTyiP7OcNBiKpd9uSDbE9K8oIjBRhT8iG7gsjEiAuUOo4zIqEaGYWzkiq1rQ34BQQTwMWB8gMNvBZhgC+z6cRD14EgUWhtib4YhbNEKuZokA0YH6MXD1dc91a1/B9++z88CKrfYs08eA1aws1otJ4CWahcd0v/b11StVMfs+deKBP72t6dYRZ4oJ6oi6WEjGhXlIhKQP/vQW1Bqx4I0eoQ2XBCQOIRpgKteftQ6hh/uYCgzxCInyuavZPoKs14+FiyT2oBqbgIxDQvuMh2hm1lubHz0cBWziRJyMlvGjqkMCPMDe9MMaVaV6f6SlxW38rUwrTXlDka1mIfhcaTJSB0nw
P6Al8uzgosiJMA/VWs8DP4Gz00vn6l9Xzun5h3cfwV9Ac20O6MDsC0IsXBTMErOwhGm1dKUIQ8mgz4RckaxgMV8Yqg/caNFU9Pezyy1MRJx1IL+NYWt0V0bytSaidOKpDxgbBLhOqMScoqChFG0s8Yd0Yhq1GoQKqRREQ2A+Ii5WMweLqRQND/dRHEgzW80sZpIZbo3+frj5TnGZM2qVb1hya+RRC3B8F2MhNeMRIeINa5VgeAtvaQ8Ofdu6WI21rvcNTsTZiHiYZ7sWxVH6PhqLOjFLfmfUVvc1hfKqZKqY1HaTUPDnfxc+g5MwgfjPHLUlj9ORIf0pC28ssJxeqv/UQ2a+cdZ5oWKf4MB7Mz/CQiUURZgWB2H+kzJ4A1rN7L/nx46G2SLkDtUnCBFFAxxiKpcusy5NEzBtonnPsLI5H3isdVZ45MFR4MODSam+m65MjA7L1iYokmq9My3wouGgUMCjsHAdUyQlph72YBwNOPJw4TbV1XNPiEi0Py0JmIuCfPm04iQ2DxJmXMPsZkB6DUFR5Jl/jVaen6HX1njLzwOahyfp1h+q/yf0pwOo54CIY5nRdplaA6sw4pR7HX0cRLDnuH7IPBsLXmEqiCQjnGumD5cEGGOeHCgR7IFYEDpQkzCjUE0nHuIekIwFG2VLcRLCPruDd3e2ldd3mLXcK+iIPf1+MxwLag0s3YbwkcfGmjHU5SC5Bl9fFbqYVaG6m0SF/pZy2IhE44zFiiXJ1YDP3s+V6IV9yoPelFcz/rbc1PLF3KG9wewd/cwBZ3GEvJnSWGBuLQyZpdDDQWEIgwgJMS4Oy/XRABebur6lXlIEvpZ9cNtuKP30L13vZO9sNoVTPvWwkITqZXg9ZJ7eSORuq6K1tdPqE2CzeQCZyFf34jAidDCvd9QKMyCKZkuVDhvTF6B0pNeGBy0XBrRTUemwMd0pnZ3SeeZKJ8+oea0Tm1VQ7q4q+f4dlNQfzNUfEO/VC1dSAaHDF6CjgoBA9xuHd51JJR2lXq+iiip08P07mHaRZ4aVu9tpvJ3Ge0qN98L1EYswdUbtF6CS0lPyg95JFZWkXrDeD9BAgJ/A3t4n5+zzxen190/O5/N/fv7+yfnn508f3//r+yfn+vOXj2evXoG/gCb46aeiWjOdVFJrOz2000NPqYcqmoT+Ak6a4oXrLo5zx7rPWXU1J7dwwCPohvdVVNeeecGKiqfQxffvIN/JbkW102TPXpO9cK0U0xeyx7trHkP3JIBcRJW0knnBilppp0R2SmSnRFZXIpKE2Oqy8syUyHB0ApvtLhz51Sxo5gV3SmSnRHZKZDNKhEjiosAZE+qxsXC0SsgUik2ToKwRSBolwSNIgJl25boiabmitkjPcO4HXYu2GHMis43KiLjYybmD3Jzropv9m+SRN2IiJA4P2jf7m/CdXtln9aALQyTuYiWbVejDqIOkc8t6jt6GE0bL3SROKYgpiqXPOPmGPXDLeposyPOwUuK6OyBcH3txMB3EZlQ6G/SgG0TQZ7KSSrc6Rfxea4wQb4iIsaChRt3YT+RVqXZVUN+fK5KoN1cgVK2KM0CmhmRRCyaPAJuwli8ZxWMqw01MTNWV6vqitooT0wFMuBt7UCIxhIzDW9abl7bljktV5LHEg2Cr8jimQ0gDAmmv2j7N6i/wkuTxSQzJO/n9ceS37OBlq+IbuiM4OWTw2+CwkvjaDlk2LL2FB65gen/w46tu3Sooip0Y/3BizCL8/GbhmAjotw5gp2XzYF/R/FxifV7d6PxgCXzi6XsnlT+cVJZbW7cql/eoBXvdEaRtWwRvVdvqhuWr8MiVbLEPHsBuit0J8+rCXG6k3Kowh+0DeNc7gSfiuJIw202SD5al3WS5k6815avUfrdV+eqE95B2GQzDXjX5slrrdvK1k6/Hl6/hsXBigbkjDJ9ahSql6yx+DEDg17iHOcUSC6C6AcVuNiNXqV0rkDa7lg5vzr9CPX2nKaLHg0i18LOpl9Ye
BWqQ5ZYmjfJmKgNTeaqONvqN2t43OJxISLNNxGq6p8ysFJBewwxYZEomTuy5ufJK6+LH1AHVZDff8gGma/DHMdcve88CztEwZF5tOjM82OpXTU7zKvUARpgLIiSmBXiRAjxE5wj2GJNKlQZswChEsWRCIi6tCrmKHiizcD2ZHjjpBDDwPYgPDirqAbs5a6cHdnpgE3rgSayNL1VvlJ4WPJnaiN0ePPzWgzy04a9WNqOtrDUKva1mI1u5751G2mmkEo30wvVFqQnvyfTFYXcCR6IHv93FVfRFmb1OR4d+/+ScXl5efDxfy4C3Uw879fAHVw8LbIlPpiAOSAt+izw4castKEoNhyvLdaG/Va2CK/e+0xo7rfFjao0FRssn0xrt5ggOvB5s+qiS1ii1UO7keifXf3S5LjeWPplc9yd38P4whuGoVU2uyyyjO7neyfUfT64pG1PHCwKH4wERkk+cIZ4sjEL8ZxJ6+KtqCs7fvxdAfXd1E6SdgCGePHZI4m3LFl0jsKyno6irV8lk/PfaL79e/Mt5/+ns9L3z4fTsl3cfL26u/nV1ffHh5izmHFN5xqjkLLjC8ib5eXNlOgYfNAQ3v9FvrV56E9b6VUMYD4860Ce3yB1OCQz7ARuvSGUqxJhI13dcRvuKuOXm5bQqCNEE+GiEQQ9jOg1SHxPps1iC1CEmnyZiM4o9vPNhMGCwx6tt8xZAPKcvVVfvX9DgDzAobk/jv1SnlJWU2mEXmuR0Spv5mEpidApMvvUarF5iQd0+q4/aPeh6B9ANeEVWLwUWXsLqj2sz24nGyxKNst359iVjPHZhl0goj0glySgHOpoVjEK7FcyES8XrhfNCmQFo+7yAD33IaAz7R5UCRuZwRGfxQ7WlqDJ+6BIFu1N/L4vlS6B0t8/16TaHnFSCoNwO11fFMd1JysuSlHLz3/YFRZA+9E4iOP42qCIoC7Faly0WlhsAl4rNC+eIctPO9jmiE8bQa9/D/sSWNLiqyeeHp2TpYf72KXknTyA5OYF3J9WQdBaBFf4olIxQmJzTmublZ3qXpx+2R8KDjoQ+ceGxSyuRsCyKRJEwQmHdM0aaaYEm5+vUkpPmd2/MWHJmywPS63bKahfvrHds+NJ5q+QQbau8FfVj6I18iA/HFXnLHpmwPd564oO6l82MZSuPrfLi/RGBB51b2OKjSrxY4mWyPVasfDK23dH+MNN32QHcVrl6fMTguHMMbw8qpT58Aqfs7bHcD7RkLN/Xb5frOIH+/QHs0GoRh6Wevttklll1uvzsYMsD/mG4u/yMYqvcfdJswpa4hfe+qMTdpR6pO2bZBLOUHoNslVmi+yHstGPYH1R0Xy5zc3wmzLKzADxr6XCJ02o5h06WpaBHKOIEi/JTprM0N4GB+QdpixLZ2aiUHI0IHB9y6LeqQfaWHTIpsiW0FLnfKaVzl7O3p2SfK8xX7TEmn5U38XalYu7lf2QH46ISfOJTxFVdTh+YNWOh4ig5Qtym4rgnMRz4d7DzrZqfUdkJ4k5x7BTHCsPfhOJ45ifE21M0ZZu+beqZk0kIW8cjeFhRz5Ts+J5QzRTGs9pp8BOObqcEbS//x1CCL1hFlZ31b1NF9SMEeXcA2zisoqI2eNRfctL/hOpkp00sL7/TJi9Am5T4MW9ToaQezJOjSoF8O4WycUnaKZQHDH9dhfIQv/gXrITKTcnb1EEnUQzD6ADe42rmk1JL8rZ0x6qG4ycc327vZXv5P4Zye8GKqtwrYJuKSogIdo4QjNrNSoqq1Clgpwh2imCF4f+RFUGpx8c2FcFdM4biOITHkVdNEZQ5fOwUwU4RrDD8H10RZPhWPhlh4ShSaGyolfGuMmwr3YGSdjwFvnoKvCtsUwibxrtSLxcQITfhsbQqRVutduq1lL7KikQVqI+V+im48tmIeJVUnFLxkal1f2iDJaxKLT39LEInQ338N8bkExLrsNuGJIwQ4WkDi1PZAzOHCR8HgeMTpS0njocDLO0y
eaUqgl9MRQ0weV6ovJmp2Otz2JucQHFvS26ZX3nrtGCKjLV6Dwk/fQWlN+vfZq77pFgwe133ZnvIXWp0Quua//dagycTsVbxPguxuijgGbosDLO5p5ab83Kz4tOxUvOoCQn1lNgyDjkO2QgFj8RMYhKWYxGLSdhTPWnjNugzbhoDP8dgyVEdkIgPsCR0ABoeHjVoHASbZbqwD1HbhcyznZrrzHSairpfqs8TdSHiA5Ewwn59Pxm5mdbTcf6gpJU8pi7aqqYYHd7D46ADva7tmHE9i0bOivG0asZiPcmUzAIdMx2p+oopcWo/FOtFnOkF5NJlh+a+pLbmvpWXHVXYL1109Gm7lP1m6Who19hPBpcnaGOfu3kWyKEJzbJukWM1y65N6JUc3R+GgftQogvfmWYAVjuGBX7wV1e/TANEVNWnODXwpQvbR4ewOZYWDig9Nch5F2e6BdRmXlUph5midg18TXwQ7Q70WkvUhfCLqqJQNEJmQ5mVrgnM+iSM1zw5hsh1WUwlDBElURygJ+C1EtfprfDa0d0B7CIEI1IJmSznYPpQXrP7XG+G1565O+2z5c2yVfVWWPOk1YfR5A4ediohP1k2cpU4s8QE80DGLAxtNY/bBz7pqYM3t8KgZb6WW2FQHrnwljTht/62ktxZdhOVeL3Ep2rHgYs5sMQ/bytMmG4X7sY7JrStOp/aaevZMm65T9dW+FYexvDOu4fdw0o+Enm/qYexW6k32AMZrjC8VT27HvisP4SGLffp2QqjTpoTeDAIYLdTKRzdalGoxKil3kA75lnAPKV+IFthHr+H4LCPYeu+UlKQvP/HA5mnzINkxzwp8wSOi7k0R77YkSiMMCd0sOgw8D3INZllINNDAiSzUS6aHBI4uaewfVTpQHAh7KoQQUO9zDQ/nsaOGZJn5f3ztG4vM8eUlqPJ2ZPL/1r4hbLscnoQceQhiaGLYJ6JarYubF5GG+3sh6Od1Wb1p99BjcfU3X86g9Xh4QEUcW+EuYSSx0JC17h3rIrWs0gvlR4cb0kvDSccikEXxuKkol4qh+zd6aUtIkTs9Ni2af0H0GPlu7stqbFxtw/HEkPSrYZQugDBcYkWK/SzmlVghV7/iLqx9E2rqRmwXNVsvMM/BC3s+msTu8hnoMnKrVFb0mStkxaUkxbE2c5kJU1WZgxYfva/CNB7ZW21W308FwleTXpfvMyW2u+2JLaZDU92d2K7E9tHEltgt4fa727cLvoMRH+RBXRLks8OJew1j+Fxt1pOtIXJESpuPlYyWK7Q7x9x+7HTgc+FEqvpwBetvxYZxrekv04mLej2ejBqVjs6WZj+oqBndnplp1e2SYk/gl5Z4DOxJb2CJiPo32EYWKN1HwCcsdMr+r+dXnkulPhx9ErsMcyFY+pk6BsL3GhMg6RTg72xtZRM6dGLWzHTp821JtEy5vWmG6SkoO6tnXb4DyYkD2f+Dow4GZEADzDEwkVzvmPF8NNjiHqxkpQAj0yGpUQGYIhdH1EiwrWFocx34zkKQ3BcyXxg9ed4gDA8iYvDD8RUpbvB58hT4aRXiacs+8NVWKrQyXLL+ipdbtL19dnxUKkJ81nyUMiW8NCGwpps9pGVWGWLqRB3E/ND+H+BTeA5SsBhtWgpu51gFU6e1aNLjQQznf7hFOmCw9nnyEi9+w3kK16FkX5sopefnD1HoovmUTWi207TKhJ9exPidpFjXyKXa4RKr5hKu/QY5xQIzEfE3SJfd44F7HQpHHTGlfi6LC5Kr3fMR0j+ZpbubDlkv60lYEFLzSML2vOYWm79MY+oq5+LrS1ybSvOWBEp9QQawsCE7TeIlGqXu5ITo2cgd+PxBPodD0bjStnlSuN+dnL3XOTumR/BPUM5XQBEu20x7XYojLohjO9s8NW1vRuqyvbykFk5sbwpkcsbxYA3CyQzrWCVzULrculMq1nl86b21Qx9+fne3EBigfmCl5i5ncbGu4z2yWBZrSSbgo84Lquaf5/s
1ldQ6XWeL1Vs7/HCSPHKvMJilX9T1Pmqx5ui1p8p4lE4UzKv+WcqUNMk/yyl5ecplb9zU5gBkpJ0DshVmJkFtEC9Wt/m/AzVc9n59jNQz0ffxvCuF8JJt1JymM17/T+75ZfSIIsiFIpSax9p4eZi5VGss0B1zA86vfHHXDH+iAqj3CDwDFRGxIewe9eCg6Zt45Vb0ZXEB7yQ1UP56J/9+sH6Di97Lbfamzx7yuxWdj+Woi43uD0DRX0bSDjpjKCHKsGql8dFPMs12uIojqIE7lZpu1XaBoW/1PD6DIR/cnsL2eEdvG9Wc9YoDV54nsK/MNRiJ/w74d+A8Cf5Gh2XhQ6PXMfDvXgwMMHcSQrQVVN+fr48A2efPoCsi2n6yCdI+CmRDbqzagrJTz9f//P088XNB+JyJlhf3qRv9/E6zSz5D8xV5+mdTXgkrBpL8vDcnymd8X0UMI65Y5hOjXchcZN2IG1nHG18JCpi+j6MqN3AltZvzInMtktKHPJUvTnXRTf7N8kjb9Kh1/E9fkJaPTDzbkqoPuF4jILAMfo65unpSUWpTPsBhX6eVDTHlG5ANMty8V4lKvHmSk1X3qmrppybS8RRiNVr3PycfIFL/dVvXpa8+kzIJP/yImpLH2eiqpsYOa2UQ+9hxJVBf30RNbPbQfvmnJORohmW7o1+jyck1poCK7AbcyInDhYCU0lQIFZVsmE624C0EzDtBEw7eWxafos6D6flJWcDjkLwMwmwmE6g4Cp9pbOAYCpvQiGwi8XL0sYmkWWfBR7moroSNglyk+ZPqnvpgS1rTVXdW7osml0TXSRz7Y3J5fmzeWOz+t5Mx18E5mCm95fDRlrPOZiOCGchptIZIU60fqjMU6YTqnoBaS9PylrhCdkAa+kvsihpu+kYfEAUDTC/uZi+9gsgPIoixEPGpx7tUk5sVD2l4DSKTlVdYMuAq74gooBQibka/ggDYb7MUupWOVk5kgK2m8eQU9tMoFNn64kgy5lRQwgmX1/tlhGC+jsgQpNLFHtEmvy4urmUE8eE4r+trX9svir5Hp6HP6GjegtXBk4s0MBqvLz2cVYLuCwMEfU0BWOBPSCZoeTE1FkuklWIlgrkUWiLPpghmuo8HWcxH7pjfB6yhPc6/clTpkHfCJG8ZMO0UIdmxPJmtkXzcpeeZsaC0EFG4UehXzCxYbHM+GmozvUJoB6K+dfTh3qamuvFZwILYkaeX14aK+hPvHTzlOMG1cCyd3pKLsC+zaJVGi9r2ECPu+6Zq7q+0oeXM4yS3LFkK//jcspYOG5AFiv2039egbP370AsSaC2Moo3zLZshdXVQ5jAo7aDL5sqny7bHv6tlx9Bdw9b0A1Y7EHkhYSq1V0aCqVnuvlP3sNCwkivVQo5qFajCB6qDbU+2HGSLFWOZENM1ZXaG5cKsiLVxa9XmZEqaQ10a024mR42Q7iT/gH00RietO6WS+/b34HJAabNKNjlWIoGHoo6CtE3RtFY1F0WNpJXSN6gsb+f0/AFJtDvVltscak1WCQbHpLIYwOIBpjKBg572POwZ+wwqkgrjSUVE1NExFkPr1Q/OQCAKz8heYvVG0iOXLywevaG9vdsoChsEHqLXaUpJXPMb4fH1C0apzzoMyEhoUKiILDey0Ify2rZK9gHnZa4QSwk5tlL/l5sECF3iAZ4ihybv5k8JTHTra0uutDl2DPHU9BIU5lyPmzDmGoGwF6uVXUVTULPbo2mWuLffTi/0sLtqvf0wIgggADFcsz4MFXbGxX48WAEx6IHo+zTzWlqpRuN7I0HWLOcG3NN62AcQY+NacCQl9sbqVV4slXeb3VP6u3DTj352wiQxEI2QiwRVHRtEBRORSv3aZMcg9MOjpr1dmO/kavyV+K9fbaMsMbE8S3meCGnqApb4BW3PYAHrRjeRrZE+5vnFcUkhkf0Z5aTBkOx9NsNPVH8FUUEjsy52o/IBj0kcLfjeNjNRa7OLhNMJetG3TQEhPYZDzfv
vJIu8VDHFjRmWeKZoVr36pphNgEbs+pqu9VpQg+zXj8WLpIYMrXqVp8LqjELdT3/3VYjm4u5VMJXvhI/S2oUlt+KYpIjKkIiAeMp9RCImDTMFUxAiALiEhabrd1Scj7sPLSTbQiXEDR9U20C0UGhe0YHhF5AKNbLw/2YBy5yfbw/JXzhvogCIvdrr8D375a75ivs19Z2T2m10iU+VP9PkA/KuKN5CAkdqHeHkrEAasL0Ma/GCD6SnLHQ4fguxkLaWOEUnH+8AkkFs1VHHgZ9xgHKOgAeCxF5HOmlxGbT9qio6yERRnNnpB4RLuOeUvL6VDQidYkDPOAorDOunZ1cj9aTaiiKdM21pboS7Q6P2mpJL5mr6BZTigPrMfciwrEwZNShWDqESh6LxJEwsFNwZsYFeyJ2fYAEoCGKXiW9BROjl4k++zZ9AiQlcofi8bbh3c4RpEEPxoEtcsx2DK7GrOgYIiFcpA+/+xGhmrbfknvfBhz1sh9t9YvHQqb1I6p/fV14KPsPVTOZvNfnkOYR1Ew3wgXHhILho9OFCaVS7zNrm5XYIyIBdlBfYu54OCC5LmZ4I6nLwZgzqbS5iEWUU+HaHDLNprJR4otwAAN8DENh82zIeZcWTtCSAzTwF9DMKijVnl3MhwfqYwAZRiU7+2RxVx8yvaCvz3hY2kP4kuTiSa/GV5MxmV7s6z2l1UF1f78MxnovPVWYLlJv0QjpjbEbIMPkA1df91zXeK/Ow+g+pPWMlK3ecAa9d9UuyuG7dQ+ZGEYk0t8wmkif0f0i7HRpCiC7nCItKAWu9ZHw34B//6eCJC9cwaEHgh8120cwW+x5y9Z4xemkA31yi9zh9GwR9gM2fojK4A6hzqywl2qM/OKQUEE8DFj/0bQF9n04iXrwJLKt/vZmNnfLGdg2uSxvtWdZZg5Yzbpb7MUk8BJ1wGOaoWrOsG2tcKC4EH9e6RSXBCQOk+Ophfy+Njc/mEHX3lq6jGvvJ4k5dbRflI0Zz3VLgOhErVRwGMmc/VcfbjbERDSGmFMcNPJ9gj5nYZ5VX4OxT1wfhGTgS8CxiAPdmZLcCKtfPlMLYB+b+ZBj4MVhBIgAkpPBAHPs1TfK7+kC+DY8tPB7bf50+qaWf8MbxVU3dFpNk0yfKJvK6vMUKj3YQnVDZxXxTe2mui4WWE4v1X/qxWysMNVQDvEKLfoEB5p7psMp3Bcui/CbOQVl/pMyeANax83pfxXkqJK277Za0DAWlEwfZVcWDsV8TsZ5i4TDCIYw23ddP2Fgzb96jZiIDKGDxVLzOAx+eG8LKMD3RNZdFAvN22efPl+cf/lweXE+p0DfvgV//ncu3d9idvnP2hrzSSnNkTsMUaT9W52ZHViB2r9SNqaA9ZUuJyOlsFiQNddT0+obuIedysRHNlj0wolJMi+mw1L3kunRDXEd3+PcVTR52hPTZvMAMpGvruSj8s6cE0lcFEy9DPF9xLj1aIXjAfaIzI5DTc2si6mLoU9Gj3WU1uOlRJtZGnE80Mdoai9tBm4ci+cOzRIi+8MgTMjpD/HE0fsfJ0SuT2hKZzMdpRco+5UYW14mAzDqIOncsp6jM48uRh6lIKZp+Cb2wC3rGcu55xmeUN0B4frYi3OnRJvRv2zQg24QQZ/Z9G91zFG1HRYRY0FDjboQuKkK6vtzRVKf0hQLRNUIx9zSGBlzc7ZSTh4BNgHJucU4y5cK/7vc26V5eAAT7sYelEgM1Z7ilvVWlLlCDatfcIk8liGSblMex3QIaUAg7VXLoFuGRfpi5PFJoDp38vvjyG8pXMo2xTd0R3ByyOC3gW2/Xik90Kalt/DAVbA5H/r4SqkoqymKnRj/cGJcimi5TTGOiYB+6wB2rP6lT4hl+TAJfOLpeyeVP5xULoCN3KZc3qMW7HVHkLZt5p+KeaM2LV+FR64GNPjQAeym2J0wry7MC6AFtynMYfsA3vVO4ImomBS9DKbvYbK0myx38rWmfJWj921TvjrhPaRd
BsOwWqraUiS8nXzt5OvR5WsSSRZqOy3igxJIzISuIEAxVcPRAcMA8UEcYioFQEIwlyCZ3sn1KjYqYrf8ADbDY3hrRU6bupUyPfTUJ8iNYhhxwox5SxHUYxRJDAM8woEpGaMgwBIiz1Pd7ee8lXJ+qmq4HFGPhfewNejBCA2wqBVqppY4HUIah/9LugkPZSVCBMWS1nyl1nyt9nytdq4WJS72kfCTywkWERtjvoxPN+Kd12nqGGVXlrBx56QLORYs5i5O3OaqW/imfIrpyMqnlwmX2qBjBAiRdFPOdDUeizsB4cYd5jJsv1tbTkHNJmr8xrx7+enTe+fL1cVnpYfMxef32e/L06srdXH+6ePp9YXz/uIfF+/XVztPQaw4Eo6I0Jhiz2BL2chlUI5S1ZJUNy5iESdU6hjnR6JOs29DIZixwGvf1vy0FiGOqczVUI/vMxYiSVzISbS+Z2ALEkqWm81bJ02ogR+JhFHcC4gL+8gldABRFAUJynFFmvHACQehdISaGkvCUrLZFIQasEjLmGmg11kc97GSrATRB7hfPr8HxSD6zRLSb61ASB2VFHM7IIwWxJiSe2jeoyQI0SwY6qqOUrEgKxI+CbPi32v70wVHoZQTlr/uczSUJF/ChzLAMin5+gBH61XYa3lARLd1kAvgRtSbKoOHxUV4SKIeEjgBmZtd8swwWFob5Pg40w3IIM29TgDnksia14Bx8Mv19eWjBLeGdy04OaJw2G9bGC2/qJ8y3XQRXzOLTST82uusJsivQ+dvqWJ7odR6prQva6Ne+bMtt9JiaJ5V0vBbaZflD3NL7wxL70h7o4D0GkpLchT2TSSeMAOPxaTH7m2vZL2TPqZPrN9hKPyTA0s5nx9wWmytH9jrh+XFi7++K3zEI0vTiJV+ST7bmeaXcmpN7KzxTfiHJcXpmIFaOE9r4ErR33Mti+JknuaqTWny0x+oL5FehMybXrAxzS6yOh6SOPudVfb62S/C05/Y9Vn6O8i6CkT6KxzmKodDOn12OJQ4zB4ZjtJf0TirwjHyAkKH2XU4/ZXrVgQYZx0JKSfZ7wl109+Sxa6fXsRqwksvRklXmXRyUzFTAG0Rh4UCJPBBe7ak25ktSR+SsaTvMlooGM70rFigcK0DfAslceHSI9xlAeNipnD20V6cv8J0VLi8jxD1ZkoKn6SPXMmKJWFhHH0WFDoYcBZHhUH5GBVq+ExIUiiZuUpBUaZFt4wUPl/KGtk1G8y+d+gdznxiU1KX+F6HXxfGGA77pM/yJWq/WLguDIgyP44KBWoNXCiIw5kvxQpvGSEhcbFA+q5feK2I0OGkUMCLV4TKGYrqsn6hRN7nLzlGgXpUoSymM/wp8F3h0ketma8pfNRudyyFh935woNjS83D1qx4CZ9jr1gQF95FMF74pHNCopRs8drrzXRRfKREbvGSFOgsMS5eikL3koSYFeVS8uJVTF1UJLScfYtEb6WXMZ0Xy5iSu+L1rAjEAhd1wbjwYmOfzVyikKQlOuGF63PGspkjXRF8fZX3DCjd6OnZJ5yIu0AfGYaMDpj+FTEhBzwBncv6+dPewi2jWrx4vVq+xXS/oSpAF+jTRgwgqr2q0HM2nNK+f6/tRwNnjIINoCdsb7eqk3D0xdLAyWsfp3VnIycfLWQyO2PI/GzscDiq32RstR9ou4cDLLFD8dhJONVGl9MpCKVp4AHhMy6DSRIbReTjwR+kBOJdm8uvzdr553+7et6vuz4i1MQFmXqLI5sqxdtxbIKaNES2erzGli7UTSLtZodYqJNG2+kBV+CVVWNSD7sd6BMPQ8QlUcunamhnCX8kUOEBG9jZIz0WTLnDwGUkybxAwAaagTZrXMhiqlp8Rb74bYpzGMtQo2DogoANGuPZgt5sQYCEDNigUNZHJJgtExMxWxRiIbTtoVBPA08VilAs/fps4x5jcq5wiDnVhV/zJ55aUWWwADmjWc6stvaJ9Mqs1zxqQkI9NWEwDjkO2QgFFbkv
CtjEiTgZLYu4z+INvdypp8ZVU70/kkq6jb9ZWK/sXHp+xiiWJiN1kAT/A1qiQFgUORHmIZFKun4CZ6eXztW/rpzT8w/vPuZQPh5O1KeJ2CzUmI98T6k+En647OhRz0jZAkHbIRoeHjWEHzaARzhWO8XNHi5meLidUmPRVN/oxVs2ov399ZcHq8rduiqfcDlxIhJhJ4mLthHgMgU0A+eqPlD1QbJqNMfAxcaboYDAt7DV6kE86VoosKc2YC6u67FjKvlEGw3AT+Dy3eWF87cvPzs/vz/9u3N2+tH5cPH57xevlBjq8Pxi03sil7Z8m7ZMZTSJxCngUSfRNs311+6V5LPZPYZ5WsA+48vaV2KMfOcP4o6NckWn3YZiRGDzYLSUK1Yh7V9AE/zBSMskxdLRgAkL9e75tGIRplLjJGTrwBCHqyjfB8ZjY99CZjwPO6jHqiOUy3ALXRYE2JUbUM4nMOlrAemUBkcSQTVZQX1ikGTSrEarCUUhcXWAF+ZpgolF+bFTqpg62jKXdAJMJ0neCT2nLiVaFcls8zvo8W+w1bIlfipZo2PpNgKvLlg94libGl6DfKlOL5G5zU3L6l5j39z8uj3vtmpeafmWlfO9PpxZK2mczYBn2bm2FLVoyrQGc0+yJ2RacQhJhCBjzMK0pbkvNsCya2IMbYfjt+TPCZbgge1SDexSDRRTDRQ4hg9GzSmPzL1uoUBkJS9S9WIahw4J1Veyq1qrm1gKhBsQoU/g8+03o2czbCu8eDudgy7WakPRZRj3sCs1/7iS25zAanrEevgbINsWjub1sXUgSlBxftXIYyBknk4SNcYcp6QyaaGkj4Fu/agOfZ1728KuaDXRo1h/hb2cBM3jdpqaPge5uM7np3js5NYXM3LDsYupDKa5Ladmkke1hByMmgsFxvURHWBHkhCD/wEHTX2UmJhEdAVCExifZiY3cxNnZkQpfAhtwtPlGzOlzNpoCnUSE0pxiIUaKIow9d4AyWNcuGGzrJj/NIjhwRyE4YJBlnyDxx+qIN/wG9AqjBIswmFc9KWrGK0WvEYVk9WKcmYcAGxSdu1jYO4W0mM8qnz178Iy+cqUWuKysFAINqTVDg5SrcbGam5hHMYC83X02piHotQCr2+qwesM2o/6pfHIFts686XVcNb+0E8QR4Gn+dV7RDo6iLHsG0/rgl5iPM+CHhGgeBxMUsvV5je42UFaLCxfP+cknUN5I9SJowhzJ0ATzPP+KrlKtolnWs9m/rL1sgLe3KotfwJXzrv/8+Xq83f19++fL/XfT9e/zIKM5PcFZvn4v+43sGxc1WTTbrc1XLReN2bGK6hNfposApo1xgOcb7Kdgzah4nvpoJjYGZMjdzitD5L6CQ70tNFmudB3S1MPqWeCv+SXKSg5ij/9cv7u2jn98u7c+fLx6uJaVfjzv6d28MJM9x9DUb0/NLOW84BAO/PWbxY9Ju8GpP4rmYiNL5gz01wUanq4j+JAOiMUxPhNsdvlK4miL4/5L/91y9+h0IRQH3Mi8eyTVl1iVHijFQf+3zXFAc6f/92LSSAJFfU4Jl7nP7X/XmHgggSYykLReuuWolgVFkSrC1ah2WZFq0ftqNFqejWLeyNNM06K03s7qdL/rcicL1iqEgI+Y7kqtxWsIF0g33izMube2jYL+THXIzWLmUlsJ00rM+VOmh5FmgiVWPtcjXB5sPdCkcr1API9bFau7k9sJ4u5zQneBXDuAjh3AZxfC55KUk6cnNepBRTF2EZMJE3F6Uhd6OW3+ZmmxC9eUTx2dhPYC5/A5iaJ5zmXDY+FoyPNzMiNz2fECLW6rC6c1IbH2pmNg6SvpIPNzmmoWQp/oZ7tJM+up++Vk+SnkFZ1Y57yOyl+qVKs2CgVjWcpvwkXVhbWYrvNymjfcy0yauBCplBQ5+fO1cXnf7w7u6i9BrVP1xfv02vn4+mHC4NHVlOPrCfOKP5d3WVhIxl6TXUzPRFXFdebkHcy+jJlNFXEz1k+
c7NEZVGleJyK62OedHaHtt3iM5Ha/ORbjNdb5RB2J9gvWrBzK6wXIuMPPGmdl/RHPHUd3tosG2Wnrtn2+Hmpgp1k7yR7Y5KtvbnEhLoOvu8T+6mujwF3A0Zx5t376L5UdImv4tS514xMSSM3eFmgJvpSx+Anf4Sr/3jmD3ej9T00Wk2oP5fkSC6I3OocF6pBNsIcIvWdKFJbZRhxJpnLqoW39wn1nGkuTat3tqqTeb4JjLjrEzoAfcaBwFQQfQrffzRwBdm0BdoWHbTUEO3J3XPvtkzdrUCrCnlKDw/bMKYGYcGD85+4An2WgKwuoI/Vrb7Q02Zp1R4P1qBVCmW6NpWWezRu3FV+4EYOCT17eAMFfz+7BO8+nF8ZPAgUBNgDI4K0o50cMz58FChSzjqQ38awNbIlycKVkBZtBAuxRGppUh8wNtAeelodBQ2XhVEs8YfkfmPUMiB21MXp6kVJD4upFI1kTmxINsTUQNu2uif19mGnnvxdp7/1uelRZH4eeQKsymlEOu4IO+1m+9DpHB8cd6w8l0DeFlCykWoMzPQ79onrA5fFgQd6M7gJrA/O/nEB1RNg/gmb4crMbWFSCl0y5UpjLa2Zf6bWUFNgzJn5P5kdraYtljVzRxsVa9r6VjMWxlpmH8z9MlbBWmLVqxmrXy218tWMVa8WTv9Mn5Za6GrGIlfjqtBY22rGslYzlrRa3nJmjyD87fTrVFsOiKyV1pq6ipqFS3l/s9Y3rnhUkBHegHwsz0rRbh7MIwa4AcFUWtsuFwKfeB6mJn5gZvE4Iwam5nxYDNCAbiIWEXEJiwXos8B7JGC33qBfxunTFejb30GtnkMJKPoV/F5r+CzEWYyhDKPs9wjxwnUO8WV96q7qP7wm5Mu80WcZUt8pnXcD0RQWEnFDYEE8rJTZYwH33WIfto4xDE9scBA7R5Gdo8jOUWTOUaTMGwTM45NtANBy+eTU1cAp2VbACwklIt1lFwNXV1VlI0wGvqO4z4kFGlgPMrPcM+l8NJMhKcEv1KXvTI9A9QjyPZarsYfh2twflS/JEtCaZOl/FTHWx/zdZZKM4jOOgsk1e3cpigXnLESEzhR+OD1LS64o6Sf9rD9XrYCAc3h4BJE3wlwgPoGEQuljGBLPC6qtwknkuD52h46nX9BG4VNw/vEKBIwNY4NU5Kl1t9qWI/DuEujmj2JH7rARRHQA2wObr4dHRf0uxkINMnf2RVxEffSNRGrtqfZ/JIIoIulVOCFRnUWYquZJmX4DEtVRiL4xisbZjbGPJBG6CRqiEJle5iFxps4la5N++Za/2eqmQYzJnhsa+JY4kfWHbfxJ5BgSL+SE5LUN0bGnQ+MNsLFihSSHmFqqqBs5NMPNMEQq3iSyJeV1GaXYlXU1irp69pMyxUumvI6eFA4eqG/poCBgY/s25ELXAJKjfp+4IKmZwCSk/TwKyY+Py5HK0j1mOoDaDDyJmZt57dOX68sv1/X9vb324W9NePj1+177tybsfP3euvG+/9aCJ1+/v7rxXt3U/3rTe/Xvzn/q+6dnZxeX13OAJyLDO+G1vVb76Kb+6vteq2n+HLVv6q3fuvDk6/RaPSe5/r+64OC3JmwlFU5Ug+6xueie3NTbh52b+qsN8NTqm562juklPG1QcdfDXScRv+lDSlRHiDwMEAUslj0WUw+8+3wG5hpvlnvuqC1rYkFhRIxL1X+32z1KlnDTm0Q4iZZ7+zZvY3owZVqtdEmmD23Vuo0XTB5F9N9WHi8e6rjhh9lJbtEIzeajcowJ00411SAj3TbTUU0jrW3m6l06KrDbpO42qbt0VLt0VLt0VOk126Wj2qWj2qWjmhY863RU2YyzKO+wnn3UmlRNWrd6PerjIMJ8A5ulreV0uo2jicR8tTyx/9tUVhtQ3GNsOD14RY8YQhz2y53CZ6hjlgXpiiBdDKTrAL0ESGZ/PfHrOd/Mj8lMryd5rTbTqT2d1bMJXc/lZhrPzeB68k7n7XTKTmbr
ZKJO5+h0ek5m5mRCTufhbPrNZt3cZJvOsenUmsyo2URq5s/8tDmdLfUkaTRpJnvJTJhNgEabJ9NdNsslk1s2p5l/shksmbiSDzGdprLZKT8bZZNQMvfoKSedadIJJptX9JdPZ5Hp5JHOGXrwuRkimxjMfJCbBjLtb5T+VNfnVXxes+cVel6Pp+o70dqJmku/f6KaM42cvL/Wv4naNdo2UbJT3apVak6TpgrUcFBOXSZaMlOOqU7UqtBowEzxJeruaxZAPCMuS1fi1lY/tjvJKzsi9XT7kmhMmChBPRkkRQHqveS5YKjBaB0DRusoJrBPA8M8aK22yqi6G/Y8PpQHkJAR5KNDi/ZXD0wGWjcPd/qchY7JWKEepr+6omW+qmbiDC6a9p3k0PZ1doDrmNGbku5sUS8q3C40TypTpEWK9h2ONQY3iUad5AHO54v/fXF2nX8cR2N1GXuR4xGkEdyJTs2hLhahoxde5fdaHwUuoxoS3g70jiJZNwf4Xt1DJJiownvzAjDAA+ROYBgHkmgXbREapG44Zny4kRXOAYwwF0RITAvOesvAHVfpIn+a3DmCPcYkZBwGbMAoRLFk2p1lqRV7A+CR8yK0LOPZ1L3Y8LHBjSzK2EYFyxv24EnswaaLlggWXZT3bAP2xseg54NIlFMd1TSecQldMU1OFSIFfADR6B7et4YP0n6bsBM8S/osE6dVKJV6tT2WS9vg/gB20CEcnyyTsHLi/YgSJ/gqmWKShHMGRBdT9aY6AlGj4TNFWRxAEWGX9IkLOB6o1+GPY/n1ouUQ0iHzTC6ROTutzk0VCr6vbdXm3cX6SaqeAAM5oVjyNk6IxF2M1UpiMemIAFlVRS4kAEolUj/NA71JYrHvcfXRpVrCGId5QgGRQsf/PQot+6L8GCFb3fPa/735rb5/8/XPuf2PyTIye/tVISQ1OS2KIi2qbdW2wAt6Gl0/ydyqRvXmQRfmSVGN+iHznIAIq1l2pYwVw8dOWHE/OloqmGoQ9iApNd5N+Mqt4DazyVwWw7inPr7EwvGocDCNQ1wIeCwSKqutfejma2+WIr0jYaHIvKOc6h/RSV39X4zcepIYqK4TQ2lyFdrISaTbXH3+h2VKfCKvt043c3pKI6UeRsHAc1DsEenENBYxCpyA9Djik3z+hrlY3/fnjsbJBiPEiZ4OiQARi+JA48r3JgDpXGoGdD4fjUEC/Mg5dMMjm0dEbS5Q/6aWvsWN2dXe0L0bCkAYomg2SuMmDdO4qb0G6krHZaQXWWDGjdHQxV5m8O2TxdQNVcr6hup6EWcJYcBPYO/y86dr5+L/XJwl+ULX56ctpIYKPCdJWFeVsS4/X7z/dHr+nFjr9hjBMXFhb0QsrIULUDC/16bv8HbfMIr2ic4VTzlmAxp/G8QlvQiFDu5FfcdnzJoc9L2hdlK3LhhQNbMpGf/t8ueN0ihbU/V6Fhr1on7dDT3V698uf3Y+nF6aFIgXJb6RZtQ3dcE2QKHVI02bh11IaBRL6KJIxhxXIwtjFE8cGdPEgdUcxVqpo6uC66Qq2EsCQw9g56TVepXGjU53Po9Cq9uWjVbTA/5ppo2rL+/OU8yV6f2YaIpOS/PplGfFcv/v79/97cy5/vLx9G/vL66eXPQeJ79yiMO+hnpA9k2svg9Y7xa7Ms378ii07N7ZnNDxfDCkHpE1IPJteq5ns3fPpN7M+1DU5tMpzqcEhbocqBs8TgvVT0lCrG82QtabNEwK0/vjrtPtwB6TMsBcIytA/VXggMYNMRGQMyaLo9CLiD/tTdFnkkW/50ESuTAxzBffe2rC0p/ljTbhO+aE25EchYoDKAZ7Hg6wxN4r7Z+/qOrUdeDhfL3qlq7bbkKO+zo0Z4ShyzwM1ZRfdXcXEkp0hvClYVXJiZQOu4nDqLDDS3sB/ZiaxZTB6WehGLmi7q3gC/Cw8CqvVbosKOQE/0AoOV+YM1yPdP3jmCozTvMAMpGvrj7hQwhIB07EWLBavIzxJk+z
Url8Eknmxpxj6k6S3oDqbSnFHqKqwsiz0Ks8Xub32n49JBTfhzwLkSlcqgoUUaZGXGdcm8xmrjUOShxFjMtcN3Mlqpp7oNulgTf5K3U7ausCos28+Qt1E0sfczW4dBizBapSv51/QOFKP4ApRVIPtY0uf6Fu8ihAVNbvJ9/U3cJV8pkIHTAXI5qOYLZo7Wn3CQ4b8/xswsAW87N6XDDSlrLzj1f6wBAgIZhLUBYDapg84W0d3b7pmAAXfYMTPoStDrbwtz1AcMfbG+XtR4yFfAq2T7LNGgAOjg270IGGQNJ4YlYgpM/2bLVJe+yBHGSOmZPffTi/2ijrZzjoPRuqmBp+PeaBnmYb+40QSwQ14hBB4TSbem6YDTNHz56lp7uSLF9empGw1W6K/AF7acWDplh/fbb69F4BumghX8RUOmpOdPpWDrhOwlsN4c3psl6k6ZYpKsvjmDazWf3etpnUA6gbqZjuMhqauuZeXzj6RFcJKRthHqCJzblgAxJcbb/YbbV0pQhDyWAueLgKzZahrSjC6ZpW3ManIBvp2VDRZ+2ZMZU/DlGUknB8YjddpjudBODIbG90u0f5/CG3+bIZydD/6qQXBcAiNfxGKwEl0hft/MVB/qKTvzjMX3TzF0f5i+P8xckmzmlW3c+uCXZEsTQzZ+qwaqPv6dyZtZK4MSdSYmqOtx8TO/BbvwfJPYOsM7bQPRc3yiJM6wbK5SfwyZyWpidwhSOOFdx2s07VlJpdALBnHjI9AFLTcwJ5pepObxfWq8JPV5Pp4jNdIg5ZPnICqBl55hEJD8eCZ7haAellv7F0q+BvAbD2ZF4p9LnVPISEatQBHWAKJUdU9DPVvDqfpkaZZJFm49SPRTacgbTJcfGXz+82yqPijsC71jfIqM094r+rxW5aEUkjP0qAauq30WC/9hX890ulo7QjMp/OapHHA2Q+mrQh8WPoh+3FKmXGsaUmmGs8kz1itpXC7LXVbzW1agpRLF0kDbWoq09nqWq2Rjzvq9Lk4dkJ9JRl0iNnxSzaIUCNLGGeVvuo3qw368lkuB8y6dXjXkxlrAazXwNrz11bZCvHgl9dhD/J3U8tRRr+9jEnMHTYhhzfwYFv84ObBedblSXyHJHR3mH6RUVK/4gJqZOpvzX01tdqG5lcXyd/vbf/n/kRR6r3fJOf36qL/ZIH5pznF/Ha+ky1TWzyjL2W7U0Wq7DH3JuMm99gt0NhT9gciF6URvvTTqNplnORLE9Km+65pjB9hHr64EabIYQgvQAnvSQgL+YxG55J003ZSffEwnc2q6EZk2GhHCOpdfbeVI/lEBmDWjlaY6QY6ft3YG9JF7QczbVM1ZiJakbCTxgqiS/fr319tfbSeXthaYlicgQl/T6hAw0KaeOs90q+QIJhDkz4qnFQTZ0fsQdQX+I8qL92bAePlM/qhNvCN2y8Jd3Ii0Otu6TwER+uP/Gs5NnYnHo2Jp+3Im3GTo9QxCc5TKflc8308+NpBDnFY2D60lqzrwG6CNXm5mkDEq4C3VmFWPeDMWwfE9g5tuU4sSv4wtHzjNPh7O2Sk2mLb8JGzti2ofIHnC1G8Uxtd1hI1AuI8DXFp8hrQDLTy0Ypm2WvGdjEcLENWsaU4mC/rkdV3wjMYkXKtOEY92AR3HRFeghMJeZLBTGpB2JhnAN6HKMhiyVg/Uda7E1B8VbIJ6Q6T4ZYXFUV9go1ifgAy7ctrTvftqwoyBuQqyc9u6bSE4Z8ml8CQq3n1x+vz69S+18fc0xds1afb7ZxN5zOam446kXqHpEv0M+G9fuYCjLCOkF12aLjFAwpG9NccAaIFMuKJGCNBcBHAvQwpo9zIpRSpHNiw5m0waSo3fRE+ozup3nna7/GPXLlIlqPJjolXipqI50/T72bkJwMlSAW7r4Cr0pgInQrIlxEa69rQ48MBpirX3EPQz/WMv26xtFwiIWova5FmKj1mUiqaMlJfuuIibRpQJKmGl48FrXXv9d6TPbgBnbq
KyyYNp7ziIVkwKy2i08h0SH4BvlSAAQy9eMB1yeBl86qG2WnzkRC8g1DNCqFMY+JB/7ytmidsKETqEez5C3WF//lKPSbT5HCIkyncav2xFTZ2kZV1suakhBVsPfh6vMrUIBN1sp7o/TLUr5Fxxb6zdqA3oJaQ0xEw4TzNULBGxHiKMRqJI183GrORlS0U33/5Fx//vLx7Psn5/Ty8uLj+fdPzufzf37+/sn55+dPH9//C/wFNNel/hP446h3EyJw1Bf1GLMumJI62YIpW86CmVabpeVtsDzaMRnazPGTnoOFY4RgA3PwciFsHp4UVrnJ16MDqDV3xBVrVSPMCHPNgw6mkk+0jXyxJBZCyLPmMxvJuc42S7NmZMtXZJM/bXoXOOg3+l6jtZ6cPdLSdwsTY9SOCO1jV1YE957ZVCKgwbVn/UMv25fvdO8gRMEY8cfRwazFLDywV9h49lFIAg37cPqz8+7jxbVaTy2u0X0FloKEz9XQn+Evb0G32Wo27Xf/R989XFtZV9rnbhBgPELuEA2wM83TuXQHfGma5FN76nCH5MD5Me0e4ZEHR4EPDyaliSWtnhQ9QhsokiZ0Jgu7iYaDQgGPwsK1HRQqu00j47SbFUQkMdrrEm25yJdPK05i8yBhxjXMbgak1xAURZ7599G25U87JRVqzCegTBlRiLG3GE3z2sdJPcA4cP3kd976lq4y9AHiBCCanW3ryoxvdiMZtDFEQwR749Jkwf0ZKO6MW/Tga4XQsPSV7JaMLLjsSrUSUu/l1t/BPRRlLM8tJ8dpHlQYIkp0MPQCN7aDVlbdHEpAjkM2QlV1l5DYEaXoOOVpkHTLHqEwIEMMxKZT9Xe6TTiYCBjcRRauKEmElI4pDQ0Y+EzI3LXEPMxdDoMBl34SicD1wqzu6ov0OLou/Ef19680ZW3m0HxK8ZVOzmeiuHTrzVM7XblEolrU1iNR/CWS1Rz+PYimmOLUwyc9QCx0s2EaUxt2x2KrSJotdOoWypCQ9Yiz/GVARjh/3Y9p/jKLAerFPHJZEKAe40gyXqdY5iqS/mQaTeQiivhE56MWuRijxKVSsda0sUdFwAZ1dxOZq7dm9o4wDxZ4UWAelDuJpr4Vj8I3AV4l+Pwt+L2mXmG/VurIkCRbnvdjuPp09qtzdf354vRD4skgmDtUHOkQur+JoOsVqdpuNYsniqyvZ3eJU7tcNaf1yI/WdYyJ/OgpvGKOcOnxb/GAN/KjcgrzOfeYlMRCh/k7PUK9HImx1LhjmBbLFI0iWSwz8ArFMn3MUyziGHn7z9ph5lF4LEJjHVRbzmy/XIIx7oGcdgJpqxWx/B9mOPyWfcMlLjG/1yI2xlyPZb/2uuaGXh3fzyRotydpiPxIV32tfkF3QEzDtSm6fKu5cWIyaSyYzhj3kiQNi1KmWUk6zc+gtpqFvGlLifwQ3XF8u5JvenEzuUuTlt3ZpUmbKf6R06RV8z0uGtt3SdHMxS4p2i4pWla0S4qWluySohVKdknRqiVFy4e5WLE5pgtuFCHXx20dFDEg9F7vpiQLk9Cbmi9llMxepR29/V1vJvc3gJK9jXV6ulVxcBgRjp0YuU5vEiGxxGuoEGYVIun6GrIoOwMwh/xfTs+A6W36GtrL0wCnTx8PzOOTZ2568zaIbQbtgtdnsrOGH9klgB8ZfQfgGPxi8BWgC/58//bPe3uDCPzy69mXN1esL8eI45sPxOVMsL68+acZGPgSqSXJq3ryN9mg57t9eGf/7yacBZ/aHVUxjMbtW2hWPDUup6npUEP0RUU8v+ruqA9jFjbplDHL7H6dMzdkNN2zJy+6oU37k9NJcuRiB1FJPNyLB4vFPxZYaMsulQTq+gPtN5wJuWSgFzB3CMzNTWe6iMYxPIqPICE2LwTzLukhu+r88vrz6dmFo//9cPGIFrmVcUS67TZMv42l6soEI/R2FS+jgm+ZaQNc5ilOlgwgyqSPOXgMz9xhFMKjoQ/vv9lQZEpJdfnp14vr
i/+j/YoWVjo/vT5dWunL1ecno2zz8BAmHxLOUmdF0o7pkEgnc5x25uI2FszK6dmZNq4kR/GMC8D6IL90UNcJoHMLdpoHnY0SfRx9gz0Swi63AW7NHqRpf8J0qRcN1d3p4Xwenvnql4v375M59fL0+pf9nJeGrpcLjj9/d3X5/vRfSe3zi6tfrz9dOlcXV1fvPn3MN0wBoddfwFUKtXkcrGcTIeG4AXGUeNvY5VJXMdKvGCbibEQ87AGWBi1q0zNYKQynClMMjvpw2OdQeoshvXOWuDTeo8xS45agt0DXYo2D7r6Ie4msTMvylhR9mRhT0oJITupaqPZnH/Yn7aaMZRzpI8oX6qjMERUsVEtQhzK7I89lasab1tXZlFO0cBBTT4cn65W92tplWRYI3ux0kkVyMZtz+QrgVFmFAnhU3l3RpPFI/Ag1hnd6oVhjf7/ocphes0iWQkQFbFC8Jr25MvWmcVQoGo/HRSSpn37K42FlK1Fe2/srebXHdSgL/s6xdlz+TqiQPNbk/u7jIPrus7EjmfpzAyT7boj5qr6/N2Exd7J2GoX2u1q9JVUKPalHi1dmV2wdy+eLs0//uPhc37+py3uZZJyaqZnqaV67qasH/Xn9FfMyB7nOSRMS6pMekWluo+SFq3l4c9cxkiGcFMvUJjKfz0BSDcxU26wcTNo2OdgrcP/eqr74r1Jn/FnUNXNar9iam1N/RrXbZFJisiB9fVWShXjaz3R+zuTnRToFr8usK6U0bB7MpjRMLPPkm1kxJAxWjX0x8pxh3MMmoMvGutc+BtMaJlBXLRTMLvSR+PhubMNqWqSgG3U1yIYZpSaV1tWF0vUJtYUYEo49IhyBqNdj944JKrXR6Vy3Fekyvg2bh52DRyEOjUblSoYUoBlTcUmyY+in6YQYpXCNtYD0XNiut08MSGN6fdCcuW7NXLdnrg9mrjsz14cz192Z6yOdymdpJnVNHuj62B1C7vWMK6gqEpiPNpJ0ekUXnM0776WcN8JOIYVzcWZTldJUtdmp3GPmjRmPDsrZr3yOs09tD8MTNYRWvxDrJ7/muGWGr9djFKSJU/iEPhL+G/Dv/1RgpeUbilb7BAofcezBJDtmRZYZECH5xOExHeLJwjXRKfic1Aam9pR9Vl4jPexQt8t8CwcJLOvp+Otq8LlJ5pdfL/7lvP90dvre+XB69su7jxc3V59+vv7n6eeL+ZP6mzOdl0T+Q83pjN58TjyH1+2EUReXdpTaDf7Jxt3OQfsj8yw2hCojKzdEfLye7edaZ1VAAbjSvHzzzhjBF3TyrEey0od+0tFc3G9gIllllbn5xNmZSkhskquohitTNWubKojH1gv3Np+/qnqhCm2TFxWfqnFceUcvmE0CNHGQlMgdapyaxSbCLL0Xkq6PRYJfozsBphMgV8kG9TBG6Y1sjGL1/92/xJLISyZRmBwifmZqv6pKJEuKfmGycP2/Y+JOCiW3sZCO52InXwNMq9Q4k8b0CGqmNL26ihgLrlAYBTgt+oxFxKiHeVLwe21fhD398e737ddUBmGhQOMUps/P+QAWLejv6IgNMbxGEvOZnmc7Tq7dEAMR9nJ333y8fv/Bn57KJn3mv+v6TL+6gfXw8DCfFgX2OQthGssK9Zlb1TVTgJHAjoaYWbDBO5uiPug6OSteb5IhRBA6KPa4VAQesgbHvs2HYma1rDovDKVWcspam6Lm589b88ettUZy3v5gVIm1WaSSPWdN6DQe93AsFqvAaC7URivDpG0uhRKQPu7LR9WHh6WBNjMKAQmOI85Qhh/cSJYFb4a8JwdpqXb5aAQx8d40U40zxLyH803NJpPRYAIaEWcDnqnYSErQkMQd4rQuCdWkxiiSOBaZLuKY4vFMTSSGciBBI1fNR3yEhQQNbVQZoSBVZZ14pp7wQSPVBUnhgAUepqCBsGgfdtOWJBhhPm1c2zdUe2pVdgyFxChQ03if8QGGyUcW0HyTipospq4TYDScOH3ruu66
AF6TITUmR1Yd2G51211jt471wPvxcpZ9iP7yWza8ZNf3CK+LiRLuIHcgUAC3MQcDpmp/HoSqLxqu9iKeh1jNPATVd6pvwD74tBqJuk4eBbaMvqpiCoFrEnolKd40DAllFAqJqIe4B8Zos7E7MojhXRDCFlspVU0JDkTFBMEFe9y6sxOYY5onM5RkcjmFwJgaRyw3p9/BW8Pg8tX24jtb0TMReoH6WG3zlgr+VVJxumN/5K36/WHLIuJVt+ra8Jvups8MsMIVljfJzxv1Wn9jTG6AbKv6ix1229pyTXjaYNU5uFDDZWEUEEQLkD7C9bEXB9hzJBJDE31c6kWWVQaqslblq57qP4ykozubzc+6iEy2umoh5fpqeCLvjVNMkZ2EWK9NwFWORZqHBzD7blANTK2sbllvRRImZMJ60nOSsTqY9hl3cVgSMHt18V5VB7lqwGARGZSd5I2XUq3KTDse3MFg0FGvaBVD3Vc9GVE9GY1xk8Y8JEIYcI1aOrhiQPRU/xvHqrdqyfy3i7NPHy7g1Zezs4urqw0Q9PElMiUnFUSSEXYk1wY5u7yl2zkiQFIvj5Wb3MVCRz8L39MxFRmgQm6zV3T33gy5MwzPjs1rd6/c2fbi4tflbrsXF78ud9u9uPj1y9VnY2AzlfS/uI5jk4ZrPs9gBs/lBSPNbMEosUCj0Ot2ahqzS3Wifg2MSS4IvN5qFrlVWKzSXL2+p3B6wi4ks6YfN45OrpyGVqiaAIEiPv9meSYe2TB85/07a9noalYnTjXUDWyPlzqGHZ+k0VMw9x1XJICPeBRH5vw6FtMkH0UymFq5IBcly3p1ORV5MMcvm55v7/qrEsaMV8+5c5NsQp1fNFyxIsklkn7qT/uF3sVMYi+xTqhbyZ3k/P78/XvTMin+oFeNqpukyd/URpJgMX8/nWavkUhbn2ucqb9fXl4Wj2DOkKpcKF+bjyrK9qO4d5tYPZ+ouXLieDjAssSepqPqfjEV9argvFB5QxLf57A3OYHi3sZYJuhz1iui3kPCT19BKeD6t5nrPikWzF7Xvdkecpd6WZF/ct5xrODMmx47f10wjUx3u7n98PqctOpCpHnUhFkIR0WARrB8c1BgJjEJ1UezMdMpEJOwp3oCqopWXiZs088xWOoLbhKbqNWMTodL4xVAeSoxXdiHqO1C5tkyR0xxKXS/1D611PeTkZtNfTrOH5S0aVT3FjXF6PAeHgcd6HWRhWjLPLmWeCvbnAqfQs3YvVONklmgY4pzbRZy/0OxHsXLEdCNCjH45xSwWPZ07rQ0o+dc881wYhZAgriFEzeEcl7iEWiwoGrmnynWkykwYE35PxlKUE3jMdXMHQ2ZVNPYQjWDn1TL0I9yvwzmUS3BLKoZTKNaimFUM5hFtXD6Z/q0FH+oZvCGalwVGiyhmsENqhmcoFoeFyhFyl4A7742iy93Z9x8fFQCX8aZIubyc1HN1EntgjnkUbi4T21+KQvd5veTweU1VGOfuxZr+95Sr9pXGzG0r3LStkkHJLBciwVkhLnjth0SRgGi8mGWedMNcNsg6WYpEzxsZ+f3bMps/mz0I7u4JxLsz+/q9O2zJPSz7P5vZ4wKFuCvb958imUUywvqMo/QwdvfrvG9rH+5/vk4Lfr65o26XP/YrhIa8gbzMuhEzevinupOngL5lBGbeWRvNpGa3t3rDNQ5bNFsuZzceWVdM2uzlw11VF+p6pkvRuraJbAUJENKlR7mfBMb8a3MAsJ3UCx9xsk37DlDPBGORqiz8cbV1S9TK7iqCkI0AT4a4Yre7lU4wZcubB8dwubYBpCdx7HMfqn/9EvMLFRAbeZV1fJ3pqidZuHLdTCFxUzXwXUh/OJiuFCUBsNmpSBDSQbA5IuZ9u5pcHEt1/WQeRqxI3c7zMW7P5i1VpmJVki1sObkY+U1NrYvOLbBa0d3B7CLEIzIfTVeY+PZnVpFXss6eARey3efZ7YEISJ3V5WorYC9/mCu/oB468NLPFve
LDs32gprnrT6MJrcwcOOLXtyKWtajiorcablwHENxiwM7fv33OjyfLaJJ+VE4MdlULWpeTYMyiMX3pIm/NaPqzDoemdklq4ezuuW7eWOA8FSDnSyGJLtM+E07H7HhLZV51zCt2JpYutwkAR/ASdN8eMyLtfg0M+Gb+VhDO+8e9g9tGXiL+Vb8xbrsFu+h00wXGF4378XRrib4x/AqMbm+2wYddKcwINBALtWB6pSRrXazCsxqtX2vWMesJh5JAntidK3wjx+D8FhH8PWve1Yt5x59FusxTy5HnbMU8I8RBp3L4MxZNI32VgniX3Kpc1PQfEmBh+bqu7AmPFwo9wzzeNsg01ZYLSuR5wOZgmcLzO1zDs1bJWLtywGpUpLxpfAMlO2oIymcU5LTN9KpxiEH6mTHOVyf7MkZCqLmIoYX240egh3dFq2TO/z6bUVgxw3X4Pjpv73+DXodA5eg2P9b6fT6SzwbRDCX9v80zyGAZKYowCGbJT3iZ+jZLu1Fhq+ImLqhbDUeSG1+BWTYVJNW+NN/ChUGxzakLjmqfb2LWi3zZnmRhwainb9KHORa7WP6k31v8bxa9BMfh60X4M3b1qNVvtY/VB/1zf6rMwGh92DGTaAwnwo6GvP06rQ6CImnqON/wttwAhcfXl3DjK7P14Vp/4hfHA4tgEa7QksY+LlPOS/fwdJmSrSZa/mQw61NeUncOW806+gdutzdbIu83dS7OSSKMY/5YGdReyx9bVBJSfcw84xRL1YYIgDPDIW4cR+DEPs+ogSEVbkhTRbqdMjUiAvJLTc7/s0n900q58hLD9VSoPOKikNVPfZEBd6fiPPU80Ss24hoyXHIg7xBmy8lYz+m0mBnCNtdtDjuAEpzVo4jWsPEUUDE4eVz4SfkhXoQOis+lIqV1EIqH8LD8UItscrgGrnnJrVLkCDfEqdr82VPHPgmjn5WpeUK5jru82TPISm4kAikpzSKR+UNW01oYejgE3g7AeuTHYvCMpX8+dBANRNianJe50T7Wxdv5S0DxNg7NpsWUby8iL8O6jt173AxNPkb3tYhwnNxFXfnOvim/0Mr8rExx60bxIn+WmNSwO3cY4kujEcdFPu16r4JvGd15rkj8NCVHpCqYDyOeFqyja6DmB9kLZ6JPZpD7vLdYPqPh3HQvWvKs3o/rXVfQUIk82ku8mRTC/vFq7sPmMXUxlMMvlnfHompJqbRV/16byKos8yETNbrM3e3pIF3bxbct6T1ZEkxOB/wEFTTJ2/ivJcQDdZhNdgoPA9JJHHBlDDQDVw2MOehz2D4qCRoV6DpRUTmPaIsx5eqT52Y07kBK78hDT6cuUGOnp0YfXsDe3v2UBR2DDBng0US5Yk8HHmEUc8jd4As/SSlntThVdSy17BPui0xA1iIZUOTYb/e7FBhNwhGmBRSHyQ3kyegnk+b8HDtcK2F/ua/7yCz3e5099pGlRbckKsM/KwWIL08HW1UM8qOqJzLGCnS+GgswQOp3huXOrCp7FMzEdI/hbSXyy4jaW7sKUGVlnQnsfUcit3ngy2iZzzhLAx23GDXL7eOuyepGk0Kh62FWrYD9ntclfiAPkM5G48nkC/48HImsRgkdzZ3Rl3cvdc5O6Zu4Q+QzldEES8bTHtdiiMuiGM72yxErW9G6rK9vLOoDmxvCmRyxvFgDcLJDOtYJXNQuty6UyrWeXzpvbVDH0VT9GZgcRCL9bKXmLm9oydb0kt8z46uUBZ1fz7ZLe+gkqv83ypYnuPF0aKV+YVFqv8m6LOVz3eFLX+TBGPwpmSec0/U4GaJvlnKS0/T6n8nZvCDJCUpHNArsLMLKAF6tVTHFs9uXouc4V+Bur56NsY3vVCOOl6VVZRZQ4Gy11Qy3xIn93yq5hrrzBWiwKxj7Rwc7HyKNZZoDrmB53e+GOuGH9EhVHuAPwMVEbEh7B714KDpm3jlVvRlbjvvpDVQ/non/36wfoOL3stt9qbPHvK7FZ2P5aiLneAfwaK
+jaQcNIZQQ9VChgu92Z/lmu00tHuVmm7Vdq05mMIf2kAwzMQ/sntLWSHd/C+WSloqzwa4XkKf9lod8K/E/5pzc0Iv4jQmGKvHJ4oqQiSiiBfcTNSnYWZoMFiqZ46k0zFomZYR4PJ5dgwx1Xzt3oab8hWOIXSs/ZlbdQrf7blVlqcgeRZG34r7bL8YW7pnWHpHWlvpNieUCI5CvvGE1aYgaeggPOvZL2TPsZACM41SiAE58r5/IDTYmv9wF4/LC9e/PVT2MK5pgbG0NqGz3am+aWcWhM7axg4RGtxOmZQkvBgKhhv34Ky+ctLlA7jBTesCHFM5Y+rrx9TS89n7shVXO4bJBFf7DR4jThA3PXJCK+cRuUh6rd1fJdUsjt3FllLaw/Ei6jIjjk91857Zqi11zV3A1Q4gS4LgrkJrjhZNmHymdLK2IMekqgaOUIkcbnT7WcdDwSMY2kBrToWhA4AAjJJ3Kxzoauix8yQELg21M5CjJXPhJz67Avh1/Ur1glbny6VgivarZM0nMp8PjOxVKOOnJiVikOoM+tjbUUFVpsSgMD19b+eLJIiJc5Je0nE/m49s1vP7NYzxfWMknC7q/hLCChaQYPFlOLAkRz1+8RN36Aw3+saaubQaZq4BH3Gx4h7qihL/JK03KzG8gMrlPkMuGtERkxS5LqkNk3end4cMCFrhRiB2YXBe7VaO1P/fK59nQWPTScpdVsIfza710xXn1U13d+5+mc8X1vX47W9vfbhb014+PX7Xvu3Jux8/d668b7/1oInX1/deK9u6n+96b36d+c/ta/ACmcr/FjKANcWDUZHwpkJTv3SHvKBhgyYf823GUZu2YCvzy478P27q+uLj2++X306+/XqVcnXIswjVD/S/NJZRjwqVO+vQc1HVKR/YdyLqYzVZWQYEdKB+dR99ecg4uxepyigA86Gxc+Z7BGmDzazAUjA6EEt+WP+NZoY1JI/38yfofmj9efXtY9QKi0/Do/aGXwzlKmMVZLd2MOjpbjtJtANKNl61OX6mNlC+eygHFi6DTX4hupF1L0UbUPNi7bydM4svZedbtpq8JjOlpfmX38ydI7DThfiEaYSSk4GA8yxVxntPeECbZtxBA76NvpPER10Qgy11JSqLuhzFgLpYx3jZXbjj8IYQ25T4nMWpbdv549p16bEqplDDrsd6BMPQ8Ql6SO3YrbwmOoj6qWbgGsfp3WfPJ56iqceWMhRnAqSMdYeKW66UvTTmnl/Y4G5k6IaSjmxi4iqVdg9jwgCiAINqq5GPsIgwdrYKFGaRxM4bB1Dl9hQL7AlyF2NFHl6TqV4rK4M7pXnqd+51LG5hevqIY4v/XjNdvqThW+er3/AsJJqbx3ooF9kDhZYTB/AsUkGvBU4Nqn5VByb4avi0hTHFo71sF5+ejjYcen6XLgs8efhQStD/kqOtqolw5oyYsg8Z5q71xlwFlvzseYYEnmeAY1SawsRewzkW22WCyWxmejw/0/d1e20jgPhV4lyddTdtE33AOJiL7ptgWopINqlQooUOck0NSSxcZyUrBDPvrKdtClNt79UOnfgeIwnM5ofO3zfKgBArot0sR+V58PoWt12Vz68Fr3O/8WW3KfnS6eqpUo8opcXVcOzKUCgH9xu7JZHjwIHNwMHUWrj0IvtJ9POyY2rHGIMjlbiq9HyqeBp/UF3mJolnuf4W1wDnVeddoqd19EsruNYaZG2xF+Qb14YUD5PWKAgRxq1RggcyVP7Bkbh4h/xS7tvKFKhH2si1yIQIorcKbRUO4ujdxlVOAldpGLYlHOZwz4+1kXBORgKndKavnHin5r+glJ0uKedKODMwPGYpKfa+BXAX4zMRMAZg9OVIif4HiDCtMKjqq4s5zb/1N0pIyEotaSVfXBfifq9lAcXYvOQoiSlCCF+AMZiQP6EVb6ZYAYT8n54VmmahsJu3IBTYl42CwJgQ7HgGRNJ8l7mp9rN7gr8xXYI4TYDH8ecZfYrZPYXENrl
CKOkNCGlFVLaK2TbQ9fuhzrjv1VRfcbA68Uu6mLvpQOPm797z/btfad9aw/anZv+Xc8a3l+Nxu3HnjXALiMxmfACq0i7G1mdhAlvehK1JomsfoSvcAADRCmOfGv4PBz1BnUcYUsofwxAim0bZdNsGfL1Zkah7F6mdllGOfEZolPs2k5AJHqhrRbY3QeWltOK5fL9fLc/XJxXXVQf7g+dhVKZdd/vWgUD3SijoDXV82H/oRsEj/JoZ4j9CLwu4mgQ+6f0irOzP4w4cVJg3OAsyQFc2K63qcvOEUqcujy8Vhm/rZUmytKTEq6ScpBtj1W0n9En8dqvE77ASrk0EXUaEXWD6iRqHolEdxhACkE+xFDkkfDdMH3HoMif08TLy50k/I279MtIHAfLI+bqJHN1Vmt1Vqs0K8IuTBdceBnElMzgGOx2m4qIn5fnBoOYJMyFPQFNCwdKqIc47B5GlNxJk8nsrQqteN/g8SBeEYZ4Nav8I1U7ghm3DgpHSBWSDnV3MxaSJzVkCv8e0ZDbVAXjXM1fyqghVsW9yPZrq/uCrnV+Lp5ipI0H/e8y3UsV9nTFWdanLoOh3HdN/113QwUDWXUvudyHjUP8wNJh71Sokc2fF0b+MowFiKuEMWOS1XXbKv2/AAAA//9QSwcIgsxtSENdAACoHwMAUEsBAhQAFAAIAAgAAAAAAFtAK06SEwAAfRABAA0AAAAAAAAAAAAAAAAAAAAAAGN1c3RvbS5wb2xpY3lQSwECFAAUAAgACAAAAAAAgsxtSENdAACoHwMADgAAAAAAAAAAAAAAAADNEwAAZGVmYXVsdC5wb2xpY3lQSwUGAAAAAAIAAgB3AAAATHEAAAAA headers: Content-Type: - application/zip diff --git a/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-agent-rule-US1-FED-returns-Not-Found-response.frozen b/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-agent-rule-US1-FED-returns-Not-Found-response.frozen index 5d7b14d74bbe..9656c92c77ae 100644 --- a/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-agent-rule-US1-FED-returns-Not-Found-response.frozen +++ b/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-agent-rule-US1-FED-returns-Not-Found-response.frozen @@ -1 +1 @@ -2025-05-27T10:25:09.411Z \ No newline at end of file +2025-10-10T15:21:08.449Z \ No newline at end of file diff --git a/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-agent-rule-US1-FED-returns-Not-Found-response.yml b/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-agent-rule-US1-FED-returns-Not-Found-response.yml index 972e792e8c4b..0f9f4df28127 100644 --- a/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-agent-rule-US1-FED-returns-Not-Found-response.yml 
+++ b/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-agent-rule-US1-FED-returns-Not-Found-response.yml @@ -1,18 +1,16 @@ http_interactions: -- recorded_at: Tue, 27 May 2025 10:25:09 GMT +- recorded_at: Fri, 10 Oct 2025 15:21:08 GMT request: body: null headers: Accept: - application/json method: GET - uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/non-existent-rule-id + uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/abc-def-ghi response: body: encoding: UTF-8 - string: '{"errors":["Not found"]} - - ' + string: '{"errors":["not_found(Agent rule not found: agentRuleId=abc-def-ghi)"]}' headers: Content-Type: - application/json diff --git a/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-agent-rule-US1-FED-returns-OK-response.frozen b/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-agent-rule-US1-FED-returns-OK-response.frozen index e0d58107a0ad..27d8adf4be40 100644 --- a/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-agent-rule-US1-FED-returns-OK-response.frozen +++ b/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-agent-rule-US1-FED-returns-OK-response.frozen @@ -1 +1 @@ -2025-05-27T10:25:09.727Z \ No newline at end of file +2025-10-10T15:21:08.896Z \ No newline at end of file diff --git a/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-agent-rule-US1-FED-returns-OK-response.yml b/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-agent-rule-US1-FED-returns-OK-response.yml index 6e3d7e2a6153..5f6efb01ac2b 100644 --- a/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-agent-rule-US1-FED-returns-OK-response.yml +++ b/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-agent-rule-US1-FED-returns-OK-response.yml 
@@ -1,10 +1,10 @@ http_interactions: -- recorded_at: Tue, 27 May 2025 10:25:09 GMT +- recorded_at: Fri, 10 Oct 2025 15:21:08 GMT request: body: encoding: UTF-8 string: '{"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name - == \"sh\"","name":"testgetaworkloadprotectionagentruleus1fedreturnsokresponse1748341509"},"type":"agent_rule"}}' + == \"sh\"","name":"testgetaworkloadprotectionagentruleus1fedreturnsokresponse1760109668"},"type":"agent_rule"}}' headers: Accept: - application/json @@ -15,8 +15,8 @@ http_interactions: response: body: encoding: UTF-8 - string: '{"data":{"id":"ser-ofz-4ms","attributes":{"version":1,"name":"testgetaworkloadprotectionagentruleus1fedreturnsokresponse1748341509","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1748341510125,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1748341510125,"filters":["os + string: '{"data":{"id":"bpy-c0l-ijc","attributes":{"version":1,"name":"testgetaworkloadprotectionagentruleus1fedreturnsokresponse1760109668","description":"My + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1760109669336,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1760109669336,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"}} ' 
@@ -26,36 +26,35 @@ http_interactions: status: code: 200 message: OK -- recorded_at: Tue, 27 May 2025 10:25:09 GMT +- recorded_at: Fri, 10 Oct 2025 15:21:08 GMT request: body: null headers: Accept: - application/json method: GET - uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/ser-ofz-4ms + uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/bpy-c0l-ijc response: body: encoding: UTF-8 - string: '{"data":{"id":"ser-ofz-4ms","attributes":{"version":1,"name":"testgetaworkloadprotectionagentruleus1fedreturnsokresponse1748341509","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1748341510125,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1748341510125,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"}} - - ' + string: '{"data":{"id":"bpy-c0l-ijc","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1760109669336,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"testgetaworkloadprotectionagentruleus1fedreturnsokresponse1760109668","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1760109669336,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}}}' headers: Content-Type: - - application/json + - application/vnd.api+json status: code: 200 message: OK -- recorded_at: Tue, 27 May 2025 10:25:09 GMT +- recorded_at: Fri, 10 Oct 2025 15:21:08 GMT request: 
body: null headers: Accept: - '*/*' method: DELETE - uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/ser-ofz-4ms + uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/bpy-c0l-ijc response: body: encoding: UTF-8 diff --git a/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-agent-rule-returns-Not-Found-response.frozen b/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-agent-rule-returns-Not-Found-response.frozen index 0f1c9b381a1c..0b64b75c8b4f 100644 --- a/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-agent-rule-returns-Not-Found-response.frozen +++ b/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-agent-rule-returns-Not-Found-response.frozen @@ -1 +1 @@ -2025-05-27T10:25:10.862Z \ No newline at end of file +2025-10-10T15:21:10.333Z \ No newline at end of file diff --git a/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-agent-rule-returns-Not-Found-response.yml b/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-agent-rule-returns-Not-Found-response.yml index b61fa469ac7e..56b8bc214b7f 100644 --- a/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-agent-rule-returns-Not-Found-response.yml +++ b/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-agent-rule-returns-Not-Found-response.yml @@ -1,12 +1,12 @@ http_interactions: -- recorded_at: Tue, 27 May 2025 10:25:10 GMT +- recorded_at: Fri, 10 Oct 2025 15:21:10 GMT request: body: null headers: Accept: - application/json method: GET - uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/non-existent-rule-id + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/abc-def-ghi response: body: encoding: UTF-8 
diff --git a/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-agent-rule-returns-OK-response.frozen b/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-agent-rule-returns-OK-response.frozen index e6dcf8a16afa..35c8858ab880 100644 --- a/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-agent-rule-returns-OK-response.frozen +++ b/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-agent-rule-returns-OK-response.frozen @@ -1 +1 @@ -2025-06-13T15:16:09.321Z \ No newline at end of file +2025-10-10T15:21:10.974Z \ No newline at end of file diff --git a/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-agent-rule-returns-OK-response.yml b/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-agent-rule-returns-OK-response.yml index cf39acc56062..f1f24b13e96a 100644 --- a/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-agent-rule-returns-OK-response.yml +++ b/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-agent-rule-returns-OK-response.yml @@ -1,9 +1,9 @@ http_interactions: -- recorded_at: Fri, 13 Jun 2025 15:16:09 GMT +- recorded_at: Fri, 10 Oct 2025 15:21:10 GMT request: body: encoding: UTF-8 - string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testgetaworkloadprotectionagentrulereturnsokresponse1749827769"},"type":"policy"}}' + string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testgetaworkloadprotectionagentrulereturnsokresponse1760109670"},"type":"policy"}}' headers: Accept: - application/json 
@@ -14,20 +14,20 @@ http_interactions: response: body: encoding: UTF-8 - string: '{"data":{"id":"8ps-fwp-o64","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"testgetaworkloadprotectionagentrulereturnsokresponse1749827769","policyVersion":"1","priority":1000000013,"ruleCount":226,"updateDate":1749827769724,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' + string: '{"data":{"id":"03k-bzr-nas","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":1,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":7,"name":"testgetaworkloadprotectionagentrulereturnsokresponse1760109670","pinned":false,"policyVersion":"1","ruleCount":8,"updateDate":1760109671322,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' headers: Content-Type: - application/json status: code: 200 message: OK -- recorded_at: Fri, 13 Jun 2025 15:16:09 GMT +- recorded_at: Fri, 10 Oct 2025 15:21:10 GMT request: body: encoding: UTF-8 string: '{"data":{"attributes":{"actions":[{"set":{"name":"test_set","scope":"process","value":"test_value"}},{"hash":{}}],"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","name":"testgetaworkloadprotectionagentrulereturnsokresponse1749827769","policy_id":"8ps-fwp-o64","product_tags":["security:attack","technique:T1059"]},"type":"agent_rule"}}' + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","name":"testgetaworkloadprotectionagentrulereturnsokresponse1760109670","policy_id":"03k-bzr-nas","product_tags":["security:attack","technique:T1059"]},"type":"agent_rule"}}' headers: Accept: - application/json 
@@ -38,45 +38,45 @@ http_interactions: response: body: encoding: UTF-8 - string: '{"data":{"id":"onw-c2u-mha","type":"agent_rule","attributes":{"actions":[{"set":{"name":"test_set","value":"test_value","scope":"process"},"disabled":false},{"hash":{},"disabled":false}],"category":"Process - Activity","creationDate":1749827770435,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + string: '{"data":{"id":"ftd-agj-4eh","type":"agent_rule","attributes":{"actions":[{"set":{"name":"test_set","value":"test_value","scope":"process","inherited":false},"disabled":false},{"hash":{},"disabled":false}],"category":"Process + Activity","creationDate":1760109672543,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["8ps-fwp-o64"],"name":"testgetaworkloadprotectionagentrulereturnsokresponse1749827769","product_tags":["security:attack","technique:T1059"],"updateDate":1749827770435,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' + == \"linux\""],"monitoring":["03k-bzr-nas"],"name":"testgetaworkloadprotectionagentrulereturnsokresponse1760109670","product_tags":["security:attack","technique:T1059"],"updateDate":1760109672543,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' headers: Content-Type: - application/json status: code: 200 message: OK -- recorded_at: Fri, 13 Jun 2025 15:16:09 GMT +- recorded_at: Fri, 10 Oct 2025 15:21:10 GMT request: body: null headers: Accept: - application/json method: GET - uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/onw-c2u-mha?policy_id=8ps-fwp-o64 + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/ftd-agj-4eh?policy_id=03k-bzr-nas response: body: encoding: UTF-8 - string: 
'{"data":{"id":"onw-c2u-mha","type":"agent_rule","attributes":{"actions":[{"set":{"name":"test_set","value":"test_value","scope":"process"},"disabled":false},{"hash":{},"disabled":false}],"category":"Process - Activity","creationDate":1749827770435,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + string: '{"data":{"id":"ftd-agj-4eh","type":"agent_rule","attributes":{"actions":[{"set":{"name":"test_set","value":"test_value","scope":"process","inherited":false},"disabled":false},{"hash":{},"disabled":false}],"category":"Process + Activity","creationDate":1760109672543,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["8ps-fwp-o64"],"name":"testgetaworkloadprotectionagentrulereturnsokresponse1749827769","product_tags":["security:attack","technique:T1059"],"updateDate":1749827770435,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' + == \"linux\""],"monitoring":["03k-bzr-nas"],"name":"testgetaworkloadprotectionagentrulereturnsokresponse1760109670","product_tags":["security:attack","technique:T1059"],"updateDate":1760109672543,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' headers: Content-Type: - application/json status: code: 200 message: OK -- recorded_at: Fri, 13 Jun 2025 15:16:09 GMT +- recorded_at: Fri, 10 Oct 2025 15:21:10 GMT request: body: null headers: Accept: - '*/*' method: DELETE - uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/onw-c2u-mha + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/ftd-agj-4eh response: body: encoding: UTF-8 
@@ -87,14 +87,14 @@ http_interactions: status: code: 204 message: No Content -- recorded_at: Fri, 13 Jun 2025 15:16:09 GMT +- recorded_at: Fri, 10 Oct 2025 15:21:10 GMT request: body: null headers: Accept: - '*/*' method: DELETE - uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/8ps-fwp-o64 + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/03k-bzr-nas response: body: encoding: UTF-8 diff --git a/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-policy-returns-Not-Found-response.frozen b/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-policy-returns-Not-Found-response.frozen index a8371879b622..75eb7e4f66c7 100644 --- a/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-policy-returns-Not-Found-response.frozen +++ b/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-policy-returns-Not-Found-response.frozen @@ -1 +1 @@ -2025-05-27T10:25:14.574Z \ No newline at end of file +2025-10-10T15:21:15.632Z \ No newline at end of file diff --git a/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-policy-returns-Not-Found-response.yml b/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-policy-returns-Not-Found-response.yml index 10c943156fe5..6fed16c43a3f 100644 --- a/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-policy-returns-Not-Found-response.yml +++ b/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-policy-returns-Not-Found-response.yml @@ -1,5 +1,5 @@ http_interactions: -- recorded_at: Tue, 27 May 2025 10:25:14 GMT +- recorded_at: Fri, 10 Oct 2025 15:21:15 GMT request: body: null headers: diff --git a/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-policy-returns-OK-response.frozen b/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-policy-returns-OK-response.frozen index 348b12dffd32..f514714bddf1 100644 --- a/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-policy-returns-OK-response.frozen 
+++ b/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-policy-returns-OK-response.frozen @@ -1 +1 @@ -2025-05-27T10:25:15.088Z \ No newline at end of file +2025-10-10T15:21:16.325Z \ No newline at end of file diff --git a/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-policy-returns-OK-response.yml b/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-policy-returns-OK-response.yml index 1d1a9133a2b1..b48c5e43647d 100644 --- a/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-policy-returns-OK-response.yml +++ b/cassettes/features/v2/csm_threats/Get-a-Workload-Protection-policy-returns-OK-response.yml @@ -1,9 +1,9 @@ http_interactions: -- recorded_at: Tue, 27 May 2025 10:25:15 GMT +- recorded_at: Fri, 10 Oct 2025 15:21:16 GMT request: body: encoding: UTF-8 - string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testgetaworkloadprotectionpolicyreturnsokresponse1748341515"},"type":"policy"}}' + string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testgetaworkloadprotectionpolicyreturnsokresponse1760109676"},"type":"policy"}}' headers: Accept: - application/json 
@@ -14,41 +14,41 @@ http_interactions: response: body: encoding: UTF-8 - string: '{"data":{"id":"xln-mmt-sy7","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"testgetaworkloadprotectionpolicyreturnsokresponse1748341515","policyVersion":"1","priority":1000000011,"ruleCount":226,"updateDate":1748341515373,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' + string: '{"data":{"id":"lwx-2sg-6dt","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":1,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":7,"name":"testgetaworkloadprotectionpolicyreturnsokresponse1760109676","pinned":false,"policyVersion":"1","ruleCount":8,"updateDate":1760109676701,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' headers: Content-Type: - application/json status: code: 200 message: OK -- recorded_at: Tue, 27 May 2025 10:25:15 GMT +- recorded_at: Fri, 10 Oct 2025 15:21:16 GMT request: body: null headers: Accept: - application/json method: GET - uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/xln-mmt-sy7 + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/lwx-2sg-6dt response: body: encoding: UTF-8 - string: '{"data":{"id":"xln-mmt-sy7","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"testgetaworkloadprotectionpolicyreturnsokresponse1748341515","policyVersion":"1","priority":1000000011,"ruleCount":226,"updateDate":1748341515373,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' + string: 
'{"data":{"id":"lwx-2sg-6dt","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testgetaworkloadprotectionpolicyreturnsokresponse1760109676","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1760109676701,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' headers: Content-Type: - application/json status: code: 200 message: OK -- recorded_at: Tue, 27 May 2025 10:25:15 GMT +- recorded_at: Fri, 10 Oct 2025 15:21:16 GMT request: body: null headers: Accept: - '*/*' method: DELETE - uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/xln-mmt-sy7 + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/lwx-2sg-6dt response: body: encoding: UTF-8 diff --git a/cassettes/features/v2/csm_threats/Get-all-Workload-Protection-agent-rules-US1-FED-returns-OK-response.frozen b/cassettes/features/v2/csm_threats/Get-all-Workload-Protection-agent-rules-US1-FED-returns-OK-response.frozen index b2c1f59ef175..ab80071ac04b 100644 --- a/cassettes/features/v2/csm_threats/Get-all-Workload-Protection-agent-rules-US1-FED-returns-OK-response.frozen +++ b/cassettes/features/v2/csm_threats/Get-all-Workload-Protection-agent-rules-US1-FED-returns-OK-response.frozen @@ -1 +1 @@ -2025-06-04T08:45:43.051Z \ No newline at end of file +2025-10-10T15:21:19.417Z \ No newline at end of file diff --git a/cassettes/features/v2/csm_threats/Get-all-Workload-Protection-agent-rules-US1-FED-returns-OK-response.yml b/cassettes/features/v2/csm_threats/Get-all-Workload-Protection-agent-rules-US1-FED-returns-OK-response.yml index 4eb3fd5b2a76..b1544bfbe7c6 100644 --- a/cassettes/features/v2/csm_threats/Get-all-Workload-Protection-agent-rules-US1-FED-returns-OK-response.yml +++ b/cassettes/features/v2/csm_threats/Get-all-Workload-Protection-agent-rules-US1-FED-returns-OK-response.yml 
@@ -1,5 +1,5 @@ http_interactions: -- recorded_at: Wed, 04 Jun 2025 08:45:43 GMT +- recorded_at: Fri, 10 Oct 2025 15:21:19 GMT request: body: null headers: 
@@ -10,1370 +10,2008 @@ http_interactions: response: body: encoding: UTF-8 - string: '{"data":[{"id":"h9w-1za-erv","attributes":{"version":2,"name":"exampleupdateacloudworkloadsecurityagentrulereturnsokresponse1742473058","description":"Test - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1742473059337,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1742473059978,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"khg-aab-9th","attributes":{"version":2,"name":"exampleupdateacloudworkloadsecurityagentrulereturnsokresponse1737245933","description":"Test - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1737245935950,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1737245936416,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"ayg-ed4-gwq","attributes":{"version":1,"name":"dummy_rule_KSDPb","description":"Execution - of a java process","expression":"exec.file.name == \"java\"","category":"Process - Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1730871736407,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1730871736407,"filters":["os - == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"om5-n7z-ike","attributes":{"version":1,"name":"dummy_rule_qDgvU","description":"Execution - of a java process","expression":"exec.file.name == \"java\"","category":"Process - Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1727845578846,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1727845578846,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"6ae-6oo-ebo","attributes":{"version":1,"name":"dummy_rule_DBtCK","description":"Execution - of a java process","expression":"exec.file.name == \"java\"","category":"Process - Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1724855417119,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1724855417119,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"z3p-vom-jnb","attributes":{"version":1,"name":"examplegetacloudworkloadsecurityagentrulereturnsokresponse1724373425","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1724373425669,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1724373425669,"filters":["os - == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"aum-fmk-2zi","attributes":{"version":1,"name":"dummy_rule_sUVnW","description":"Execution - of a java process","expression":"exec.file.name == \"java\"","category":"Process - Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1720846828022,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1720846828022,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"8j1-gvj-zbg","attributes":{"version":1,"name":"dummy_rule_ipyRF","description":"Execution - of a java process","expression":"exec.file.name == \"java\"","category":"Process - Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1720846816336,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1720846816336,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"mgj-zek-ajo","attributes":{"version":1,"name":"dummy_rule_AszwF","description":"Execution - of a java process","expression":"exec.file.name == \"java\"","category":"Process - Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1718401086044,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1718401086044,"filters":["os - == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"bf0-bng-csr","attributes":{"version":1,"name":"dummy_rule_bVlLJ","description":"Execution - of a java process","expression":"exec.file.name == \"java\"","category":"Process - Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1718400725834,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1718400725834,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"qni-ngf-dzd","attributes":{"version":1,"name":"dummy_rule_tSfwV","description":"Execution - of a java process","expression":"exec.file.name == \"java\"","category":"Process - Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1716175452369,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1716175452369,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"qio-d0k-d3j","attributes":{"version":1,"name":"dummy_rule_mABue","description":"Execution - of a java process","expression":"exec.file.name == \"java\"","category":"Process - Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1716162686297,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1716162686297,"filters":["os - == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"fbo-ian-ijl","attributes":{"version":1,"name":"dummy_rule_VfQSV","description":"Execution - of a java process","expression":"exec.file.name == \"java\"","category":"Process - Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1713905359927,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1713905359927,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"1o7-fwy-pet","attributes":{"version":1,"name":"dummy_rule_JAnCe","description":"Execution - of a java process","expression":"exec.file.name == \"java\"","category":"Process - Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1713903379681,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1713903379681,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"ug1-mbq-gkm","attributes":{"version":1,"name":"dummy_rule_KJInv","description":"Execution - of a java process","expression":"exec.file.name == \"java\"","category":"Process - Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1713902127183,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1713902127183,"filters":["os - == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"xvo-htm-wak","attributes":{"version":1,"name":"dummy_rule_PkauG","description":"Execution - of a java process","expression":"exec.file.name == \"java\"","category":"Process - Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1713901759732,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1713901759732,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"zfc-g0g-a8x","attributes":{"version":1,"name":"dummy_rule_LPRxi","description":"Execution - of a java process","expression":"exec.file.name == \"java\"","category":"Process - Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1713196703991,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1713196703991,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"pae-rpt-yni","attributes":{"version":1,"name":"dummy_rule_CpDMZ","description":"Execution - of a java process","expression":"exec.file.name == \"java\"","category":"Process - Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1713196520725,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1713196520725,"filters":["os - == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"jwu-xbf-ic5","attributes":{"version":1,"name":"dummy_rule_HfYXr","description":"Execution - of a java process","expression":"exec.file.name == \"java\"","category":"Process - Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1713196519724,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1713196519724,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"uew-oxg-b86","attributes":{"version":1,"name":"dummy_rule_Tjzvu","description":"Execution - of a java process","expression":"exec.file.name == \"java\"","category":"Process - Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1712805386256,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1712805386256,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"wyn-ib7-f7o","attributes":{"version":1,"name":"dummy_rule_fWORB","description":"Execution - of a java process","expression":"exec.file.name == \"java\"","category":"Process - Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1712805020073,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1712805020073,"filters":["os - == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"mwk-g74-lbd","attributes":{"version":1,"name":"dummy_rule_XcxFr","description":"Execution - of a java process","expression":"exec.file.name == \"java\"","category":"Process - Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1712804840761,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1712804840761,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"rqa-io7-fwn","attributes":{"version":1,"name":"dummy_rule_bKkuv","description":"Execution - of a java process","expression":"exec.file.name == \"java\"","category":"Process - Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1712804479644,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1712804479644,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"n1x-qsa-p53","attributes":{"version":1,"name":"windows_cryptominer_process","description":"A - cryptominer was potentially executed","expression":"exec.cmdline in [~\"*xmrig*\", - ~\"*cpu-priority*\", ~\"*donate-level*\", ~\"*randomx-1gb-pages*\", ~\"*stratum+tcp*\", - ~\"*stratum+ssl*\", ~\"*stratum1+tcp*\", ~\"*stratum1+ssl*\", ~\"*stratum2+tcp*\", - ~\"*stratum2+ssl*\", ~\"*nicehash*\", ~\"*yespower*\"]","category":"Process - Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1712079129574,"filters":["os - == 
\"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"rws-z9b-qjv","attributes":{"version":1,"name":"ransomware_note","description":"Possible - ransomware note created under common user directories","expression":"open.flags - & O_CREAT > 0\n&& open.file.path in [~\"/home/**\", ~\"/root/**\", ~\"/bin/**\", - ~\"/usr/bin/**\", ~\"/opt/**\", ~\"/etc/**\", ~\"/var/log/**\", ~\"/var/lib/log/**\", - ~\"/var/backup/**\", ~\"/var/www/**\"]\n&& open.file.name in [r\"(?i).*(restore|recover|read|instruction|how_to|ransom|lock).*(your_|crypt|lock|file|ransom).*\"] - && open.file.name not in [r\".*\\.lock$\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1711644650371,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"pqp-0vs-cmu","attributes":{"version":1,"name":"ssh_it_tool_config_write","description":"The - configuration directory for an ssh worm","expression":"open.file.path in [\"/root/.prng/*\", - ~\"/home/*/.prng/*\", ~\"/root/.config/prng/*\", ~\"/home/*/.config/prng/*\"] - && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1711644642969,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"tkp-w9m-vzp","attributes":{"version":1,"name":"safeboot_modification","description":"Safeboot - registry modified","expression":"set.registry.key_path =~ \"*\\\\HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\SafeBoot\"","category":"File - Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1711644635093,"filters":["os - == 
\"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"8be-hej-nf2","attributes":{"version":3,"name":"ps_discovery","description":"Processes - were listed using the ps command","expression":"exec.comm == \"ps\" && exec.argv - not in [\"-p\", \"--pid\"] && process.ancestors.file.name not in [\"qualys-cloud-agent\", - \"amazon-ssm-agent\"] && process.parent.file.name not in [\"rkhunter\", \"jspawnhelper\", - ~\"vm-agent*\", \"PassengerAgent\", \"node\", \"wdavdaemon\", \"chkrootkit\", - \"tsagentd\", \"wazuh-modulesd\", \"wdavdaemon\", \"talend-remote-engine-service\", - \"check_procs\", \"newrelic-daemon\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1711644627589,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"wn9-9vf-8be","attributes":{"version":1,"name":"mount_proc_hide","description":"Process - hidden using mount","expression":"mount.mountpoint.path in [~\"/proc/1*\", - ~\"/proc/2*\", ~\"/proc/3*\", ~\"/proc/4*\", ~\"/proc/5*\", ~\"/proc/6*\", - ~\"/proc/7*\", ~\"/proc/8*\", ~\"/proc/9*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1711644623109,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"upj-muh-hms","attributes":{"version":2,"name":"chatroom_request","description":"A - DNS request was made for a chatroom domain","expression":"dns.question.name - in [\"discord.com\", \"api.telegram.org\", \"cdn.discordapp.com\"]","category":"Network - Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1711644612626,"filters":["os - == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"gnz-81e-6lg","attributes":{"version":1,"name":"cryptominer_envs","description":"Process - environment variables match cryptocurrency miner","expression":"exec.envs - in [\"POOL_USER\", \"POOL_URL\", \"POOL_PASS\", \"DONATE_LEVEL\"]","category":"Process - Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1711644602654,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"7da-gwx-c3l","attributes":{"version":2,"name":"auditctl_usage","description":"The - auditctl command was used to modify auditd","expression":"exec.file.name == - \"auditctl\" && exec.args_flags not in [\"s\", \"l\"]","category":"Process - Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1711644592613,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"8jg-xym-vqz","attributes":{"version":1,"name":"jupyter_shell_execution","description":"A - Jupyter notebook executed a shell","expression":"(exec.file.name in 
[\"cat\",\"chgrp\",\"chmod\",\"chown\",\"cp\",\"date\",\"dd\",\"df\",\"dir\",\"echo\",\"ln\",\"ls\",\"mkdir\",\"mknod\",\"mktemp\",\"mv\",\"pwd\",\"readlink\",\"rm\",\"rmdir\",\"sleep\",\"stty\",\"sync\",\"touch\",\"uname\",\"vdir\",\"arch\",\"b2sum\",\"base32\",\"base64\",\"basename\",\"chcon\",\"cksum\",\"comm\",\"csplit\",\"cut\",\"dircolors\",\"dirname\",\"du\",\"env\",\"expand\",\"expr\",\"factor\",\"fmt\",\"fold\",\"groups\",\"head\",\"hostid\",\"id\",\"install\",\"join\",\"link\",\"logname\",\"md5sum\",\"textutils\",\"mkfifo\",\"nice\",\"nl\",\"nohup\",\"nproc\",\"numfmt\",\"od\",\"paste\",\"pathchk\",\"pinky\",\"pr\",\"printenv\",\"printf\",\"ptx\",\"realpath\",\"runcon\",\"seq\",\"sha1sum\",\"sha224sum\",\"sha256sum\",\"sha384sum\",\"sha512sum\",\"shred\",\"shuf\",\"sort\",\"split\",\"stat\",\"stdbuf\",\"sum\",\"tac\",\"tail\",\"tee\",\"test\",\"timeout\",\"tr\",\"truncate\",\"tsort\",\"tty\",\"unexpand\",\"uniq\",\"unlink\",\"users\",\"wc\",\"who\",\"whoami\",\"chroot\"] - || exec.file.name in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.name - in [\"dash\",\"sh\",\"static-sh\",\"sh\",\"bash\",\"bash\",\"bash-static\",\"zsh\",\"ash\",\"csh\",\"ksh\",\"tcsh\",\"busybox\",\"busybox\",\"fish\",\"ksh93\",\"rksh\",\"rksh93\",\"lksh\",\"mksh\",\"mksh-static\",\"csharp\",\"posh\",\"rc\",\"sash\",\"yash\",\"zsh5\",\"zsh5-static\"]) - && process.ancestors.comm in [\"jupyter-noteboo\", \"jupyter-lab\"]","category":"Process - Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1711644590883,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"9ih-87r-xrp","attributes":{"version":1,"name":"registry_runkey_modified","description":"A - Registry runkey has been modified","expression":"set.registry.key_path in - [~\"*\\\\HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\", - 
~\"*\\\\HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Runonce\", - ~\"*\\\\HKEY_LOCAL_MACHINE\\\\Software\\\\Wow6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\", - ~\"*\\\\HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal - Server\\\\Install\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\", - ~\"*\\\\HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal - Server\\\\Install\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Runonce\", - ~\"*\\\\HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal - Server\\\\Install\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunonceEx\"]","category":"File - Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1711644584412,"filters":["os - == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"msb-ai6-ua5","attributes":{"version":2,"name":"tunnel_traffic","description":"Tunneling - or port forwarding tool used","expression":"((exec.comm == \"pivotnacci\" - || exec.comm == \"gost\") && process.args_flags in [\"L\", \"C\", \"R\"]) - || (exec.comm in [\"ssh\", \"sshd\"] && process.args_flags in [\"R\", \"L\", - \"D\", \"w\"] && process.args in [r\"((25[0-5]|(2[0-4]|1\\d|[1-9])\\d)\\.?\\b){4}\"] - ) || (exec.comm == \"sshuttle\" && process.args_flags in [\"r\", \"remote\", - \"l\", \"listen\"]) || (exec.comm == \"socat\" && process.args in [r\".*(TCP4-LISTEN:|SOCKS).*\"]) - || (exec.comm in [\"iodine\", \"iodined\", \"dnscat\", \"hans\", \"hans-ubuntu\", - \"ptunnel-ng\", \"ssf\", \"3proxy\", \"ngrok\"] && process.parent.comm in - [\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", - \"fish\"])","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1711644574925,"filters":["os - == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"6fr-csu-axm","attributes":{"version":7,"name":"k8s_pod_service_account_token_accessed","description":"The - Kubernetes pod service account token was accessed","expression":"open.file.path - in [~\"/var/run/secrets/kubernetes.io/serviceaccount/**\", ~\"/run/secrets/kubernetes.io/serviceaccount/**\"] - && open.file.name == \"token\" && process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", + string: '{"data":[{"id":"pr9-h2a-hay","type":"agent_rule","attributes":{"actions":[{"set":{"append":true,"default_value":"","expression":"${process.correlation_key}","inherited":true,"name":"parent_correlation_keys","scope":"process"},"filter":"${process.correlation_key} + != \"\""},{"set":{"default_value":"","expression":"\"npm_install_${builtins.uuid4}\"","inherited":true,"name":"correlation_key","scope":"process"}}],"agentConstraint":"","category":"Process + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"Track + execution context from npm install","enabled":true,"expression":"exec.file.name + in [~\"node\", ~\"npm\"] \u0026\u0026 \n(process.args =~ \"* install *\" || + process.args =~ \"* add *\" || process.args =~ \"* i *\" || \n process.args + =~ \"* in *\" || process.args =~ \"* ins *\" || process.args =~ \"* inst *\" + || \n process.args =~ \"* insta *\" || process.args =~ \"* instal *\" || process.args + =~ \"* isnt *\" || \n process.args =~ \"* isnta *\" || process.args =~ \"* + isntal *\" || process.args =~ \"* isntall *\") \u0026\u0026\nnot(process.args + =~ \"*-e *\") \u0026\u0026\n${process.correlation_key} in [\"\", ~\"cgroup_*\", + ~\"auid_*\", ~\"service_*\", ~\"service_new_cgroup_*\", ~\"interactive_shell_*\", + ~\"k8s_session_*\"]","filters":["os == 
\"linux\""],"name":"execution_context_npm_install","updateDate":1759520093655,"updater":{"name":"","handle":""},"version":1}},{"id":"yde-3oy-fmf","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"A + Trufflehog process was executed","enabled":true,"expression":"exec.file.name + == \"trufflehog\"","filters":["os == \"linux\""],"name":"trufflehog_executed","updateDate":1759520092637,"updater":{"name":"","handle":""},"version":1}},{"id":"upw-rcz-uuw","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"A + process was executed in an SSH session","enabled":true,"expression":"exec.comm + != \"\" \u0026\u0026 process.ancestors.file.name in [\"sshd\"] \u0026\u0026 + process.file.name != \"sshd\"","filters":["os == \"linux\""],"name":"ssh_session","updateDate":1759520048798,"updater":{"name":"","handle":""},"version":1}},{"id":"had-5ot-yh0","type":"agent_rule","attributes":{"actions":[{"set":{"append":true,"field":"process.file.name","name":"imds_v1_usage_services","ttl":10000000000}}],"agentConstraint":"","category":"Network + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"An + AWS IMDSv1 request was issued","enabled":false,"expression":"imds.cloud_provider + == \"aws\" \u0026\u0026 imds.aws.is_imds_v2 == false \u0026\u0026 process.file.name + not in ${imds_v1_usage_services}","filters":["os == \"linux\""],"name":"imds_v1_usage","updateDate":1759520031629,"updater":{"name":"","handle":""},"version":4}},{"id":"lcs-ioe-tlm","type":"agent_rule","attributes":{"actions":[{"set":{"append":true,"default_value":"","expression":"${process.correlation_key}","inherited":true,"name":"parent_correlation_keys","scope":"process"},"filter":"${process.correlation_key} + != 
\"\""},{"set":{"default_value":"","expression":"\"spawned_shell_${builtins.uuid4}\"","inherited":true,"name":"correlation_key","scope":"process"}}],"agentConstraint":"","category":"Process + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"Track + execution context from spawned shell","enabled":true,"expression":"exec.file.path + in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" + ] \u0026\u0026 (process.parent.file.name in [\"apache2\", \"nginx\", ~\"tomcat*\", + \"httpd\"] || process.parent.file.name =~ \"php*\" || process.parent.file.name + in [\"mysqld\", \"mongod\", \"postgres\"] || process.parent.file.name in [\"java\", + \"jspawnhelper\"]) \u0026\u0026 ${process.correlation_key} in [\"\", ~\"cgroup_*\", + ~\"auid_*\", ~\"service_*\", ~\"service_new_cgroup_*\"]","filters":["os == + \"linux\""],"name":"execution_context_spawned_shell","updateDate":1759520028728,"updater":{"name":"","handle":""},"version":1}},{"id":"sa7-eth-w9c","type":"agent_rule","attributes":{"actions":[{"set":{"append":true,"field":"exec.file.path","name":"chain_exec_unlink","scope":"cgroup","ttl":30000000000}},{"set":{"append":true,"field":"exec.file.path","name":"exec_new_file_in_cgroup","scope":"cgroup","size":10000,"ttl":1800000000000}},{"set":{"field":"exec.file.path","name":"correlation_key_file_path","scope":"cgroup"}}],"agentConstraint":"","category":"Process + 
Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"A + recently modified file was executed","enabled":true,"expression":"exec.file.change_time + \u003c 30s \u0026\u0026 cgroup.file.inode != 0 \u0026\u0026 exec.file.path + not in ${cgroup.exec_new_file_in_cgroup} \u0026\u0026 exec.file.in_upper_layer + != false \u0026\u0026 container.created_at \u003e 1m","filters":["os == \"linux\""],"name":"exec_new_file","updateDate":1759520026505,"updater":{"name":"","handle":""},"version":1}},{"id":"2xy-wbx-chp","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"A + process cleared the system cache","enabled":true,"expression":"open.file.path + == \"/proc/sys/vm/drop_caches\"","filters":["os == \"linux\""],"name":"drop_caches","updateDate":1759519988245,"updater":{"name":"","handle":""},"version":1}},{"id":"nmg-ix4-vy0","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Network + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"GitHub + API was contacted","enabled":true,"expression":"connect.addr.hostname =~ \"api.github.com\"","filters":["os + == \"linux\""],"name":"github_api_contacted","updateDate":1759519986994,"updater":{"name":"","handle":""},"version":1}},{"id":"zuq-yfd-hun","type":"agent_rule","attributes":{"actions":[{"set":{"field":"container.id","name":"ratelimit_priv_container","scope":"container","ttl":10000000000}}],"agentConstraint":"","category":"Process + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"A + privileged container was created","enabled":true,"expression":"exec.file.name + != \"\" \u0026\u0026 container.id != \"\" \u0026\u0026 container.created_at + \u003c 1s \u0026\u0026 process.cap_permitted \u0026 CAP_SYS_ADMIN \u003e 0 + \u0026\u0026 container.id != 
${container.ratelimit_priv_container}","filters":["os + == \"linux\""],"name":"deploy_priv_container","updateDate":1759519984225,"updater":{"name":"","handle":""},"version":3}},{"id":"ez9-ozl-3lz","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Network + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"A + process resolved a DNS name associated with cryptomining activity","enabled":true,"expression":"dns.question.name + in [~\"*.minexmr.com\", \"minexmr.com\", ~\"*.nanopool.org\", \"nanopool.org\", + ~\"*.supportxmr.com\", \"supportxmr.com\", ~\"*.c3pool.com\", \"c3pool.com\", + ~\"*.p2pool.io\", \"p2pool.io\", ~\"*.ethermine.org\", \"ethermine.org\", + ~\"*.f2pool.com\", \"f2pool.com\", ~\"*.poolin.me\", \"poolin.me\", ~\"*.rplant.xyz\", + \"rplant.xyz\", ~\"*.miningocean.org\", \"miningocean.org\", \"donate.v2.xmrig.com\"] + \u0026\u0026 process.file.name != \"\"","filters":["os == \"linux\""],"name":"mining_pool_lookup","updateDate":1759519934875,"updater":{"name":"","handle":""},"version":4}},{"id":"pbi-dxy-kcf","type":"agent_rule","attributes":{"actions":[{"set":{"field":"container.id","name":"core_pattern_write_container_id","scope":"container","ttl":1800000000000}}],"agentConstraint":"","category":"File + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"Detect + any attempt to modify /proc/sys/kernel/core_pattern from a container, which + might result to escape to host when a core dump is triggered.","enabled":true,"expression":"open.file.name + == \"core_pattern\" \u0026\u0026\nopen.file.filesystem == \"proc\" \u0026\u0026\nopen.flags + \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 \ncontainer.id + != \"\"","filters":["os == 
\"linux\""],"name":"core_pattern_write","updateDate":1759519934829,"updater":{"name":"","handle":""},"version":2}},{"id":"f3b-103-7p3","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Network + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"A + process connected to a cryptocurrency mining pool","enabled":true,"expression":"connect.addr.hostname + in [~\"*.minexmr.com\", \"minexmr.com\", ~\"*.nanopool.org\", \"nanopool.org\", + ~\"*.supportxmr.com\", \"supportxmr.com\", ~\"*.c3pool.com\", \"c3pool.com\", + ~\"*.p2pool.io\", \"p2pool.io\", ~\"*.ethermine.org\", \"ethermine.org\", + ~\"*.f2pool.com\", \"f2pool.com\", ~\"*.poolin.me\", \"poolin.me\", ~\"*.rplant.xyz\", + \"rplant.xyz\", ~\"*.miningocean.org\", \"miningocean.org\", \"donate.v2.xmrig.com\"] + \u0026\u0026 connect.addr.is_public == true \u0026\u0026 connect.addr.port + not in [53, 80, 443]","filters":["os == \"linux\""],"name":"mining_pool_domain","updateDate":1759519901151,"updater":{"name":"","handle":""},"version":2}},{"id":"wn9-9vf-8be","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"Process + hidden using mount","enabled":true,"expression":"mount.mountpoint.path in + [~\"/proc/1*\", ~\"/proc/2*\", ~\"/proc/3*\", ~\"/proc/4*\", ~\"/proc/5*\", + ~\"/proc/6*\", ~\"/proc/7*\", ~\"/proc/8*\", ~\"/proc/9*\"] \u0026\u0026 process.argv0 + not in [\"runc\", ~\"/*/runc\"]","filters":["os == \"linux\""],"name":"mount_proc_hide","updateDate":1759519900139,"updater":{"name":"","handle":""},"version":3}},{"id":"rlu-e6g-9lc","type":"agent_rule","attributes":{"actions":[{"set":{"append":true,"default_value":"","expression":"${process.correlation_key}","inherited":true,"name":"parent_correlation_keys","scope":"process"},"filter":"${process.correlation_key} + != 
\"\""},{"set":{"default_value":"","expression":"\"service_new_cgroup_${builtins.uuid4}\"","inherited":true,"name":"correlation_key","scope":"process"}}],"agentConstraint":"","category":"Process + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"Track + execution context from new service cgroup","enabled":true,"expression":"(exec.envs + in [\"DD_SERVICE\", \"OTEL_SERVICE_NAME\"] || \"tags.datadoghq.com/service\" + in container.tags) \u0026\u0026 ${process.correlation_key} in [~\"service_*\"] + \u0026\u0026 process.cgroup.id != process.parent.cgroup.id","filters":["os + == \"linux\""],"name":"execution_context_service_new_cgroup","updateDate":1758821704744,"updater":{"name":"","handle":""},"version":1}},{"id":"5u4-9yp-qzj","type":"agent_rule","attributes":{"actions":[{"set":{"append":true,"default_value":"","expression":"${process.correlation_key}","inherited":true,"name":"parent_correlation_keys","scope":"process"},"filter":"${process.correlation_key} + != \"\""},{"set":{"default_value":"","expression":"\"cgroup_${builtins.uuid4}\"","inherited":true,"name":"correlation_key","scope":"process"}}],"agentConstraint":"","category":"Process + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"Track + execution context from cgroup","enabled":true,"expression":"exec.cgroup.id + != process.parent.cgroup.id \u0026\u0026 ${process.correlation_key} in [\"\", + ~\"cgroup_*\"]","filters":["os == \"linux\""],"name":"execution_context_cgroup","updateDate":1758821602050,"updater":{"name":"","handle":""},"version":1}},{"id":"4ev-hmm-maa","type":"agent_rule","attributes":{"actions":[{"set":{"append":true,"default_value":"","expression":"${process.correlation_key}","inherited":true,"name":"parent_correlation_keys","scope":"process"},"filter":"${process.correlation_key} + != 
\"\""},{"set":{"default_value":"","expression":"\"interactive_shell_${builtins.uuid4}\"","inherited":true,"name":"correlation_key","scope":"process"}}],"agentConstraint":"","category":"Process + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"Track + execution context from interactive shell","enabled":true,"expression":"exec.file.path + in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" + ] \u0026\u0026 (process.tty_name != \"\" || exec.args_flags in [\"i\"]) \u0026\u0026 + ${process.correlation_key} in [\"\", ~\"cgroup_*\", ~\"auid_*\", ~\"service_*\", + ~\"service_new_cgroup_*\"]","filters":["os == \"linux\""],"name":"execution_context_interactive_shell","updateDate":1758821602039,"updater":{"name":"","handle":""},"version":1}},{"id":"oom-s2e-cik","type":"agent_rule","attributes":{"actions":[{"set":{"append":true,"default_value":"","expression":"${process.correlation_key}","inherited":true,"name":"parent_correlation_keys","scope":"process"},"filter":"${process.correlation_key} + != \"\""},{"set":{"default_value":"","expression":"\"auid_${builtins.uuid4}\"","inherited":true,"name":"correlation_key","scope":"process"}}],"agentConstraint":"","category":"Process + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"Track + execution context from auid","enabled":true,"expression":"exec.auid \u003e= + 0 \u0026\u0026 exec.auid != AUDIT_AUID_UNSET 
\u0026\u0026 ${process.correlation_key} + in [\"\", ~\"cgroup_*\"]","filters":["os == \"linux\""],"name":"execution_context_auid","updateDate":1758821601623,"updater":{"name":"","handle":""},"version":1}},{"id":"clu-w0v-xue","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Kernel + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"The + LD_AUDIT variable is populated by a link to a suspicious file directory","enabled":true,"expression":"process.envs + in [\"LD_AUDIT\"] \u0026\u0026 \n(\n mmap.file.path in [~\"/home/*\", ~\"/tmp/*\", + ~\"/dev/shm/*\"] || \n mmap.file.in_upper_layer == true\n) \u0026\u0026\nmmap.protection + \u0026 (PROT_EXEC) \u003e 0 ","filters":["os == \"linux\""],"name":"ld_audit_unusual_library_path","updateDate":1758821600445,"updater":{"name":"","handle":""},"version":1}},{"id":"vay-3e5-8rx","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Network + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"A + process connected to a paste site","enabled":true,"expression":"connect.addr.hostname + in [\"pastebin.com\", \"ghostbin.com\", \"termbin.com\", \"klgrth.io\", \"rentry.co\", + \"transfer.sh\"] \u0026\u0026 connect.addr.is_public == true \u0026\u0026 + connect.addr.port in [80, 443]","filters":["os == \"linux\""],"name":"paste_site_domain","updateDate":1758821600423,"updater":{"name":"","handle":""},"version":1}},{"id":"f2e-rwu-xk1","type":"agent_rule","attributes":{"actions":[{"set":{"append":true,"default_value":"","expression":"${process.correlation_key}","inherited":true,"name":"parent_correlation_keys","scope":"process","scope_field":"cgroup_write.pid"},"filter":"${process.correlation_key} + != 
\"\""},{"set":{"default_value":"","expression":"\"cgroup_${builtins.uuid4}\"","inherited":true,"name":"correlation_key","scope":"process","scope_field":"cgroup_write.pid"}}],"agentConstraint":"","category":"File + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"Track + execution context from cgroup write","enabled":true,"expression":"cgroup_write.pid + \u003e 0 \u0026\u0026 ${process.correlation_key} in [\"\", ~\"cgroup_*\"]","filters":["os + == \"linux\""],"name":"execution_context_cgroup_write","updateDate":1758821487905,"updater":{"name":"","handle":""},"version":1}},{"id":"vjy-zww-l4n","type":"agent_rule","attributes":{"actions":[{"set":{"append":true,"default_value":"","expression":"${process.correlation_key}","inherited":true,"name":"parent_correlation_keys","scope":"process","scope_field":"cgroup_write.pid"},"filter":"${process.correlation_key} + != \"\""},{"set":{"default_value":"","expression":"\"service_new_cgroup_${builtins.uuid4}\"","inherited":true,"name":"correlation_key","scope":"process","scope_field":"cgroup_write.pid"}}],"agentConstraint":"","category":"File + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"Track + execution context from new service cgroup write","enabled":true,"expression":"cgroup_write.pid + \u003e 0 \u0026\u0026 (process.envs in [\"DD_SERVICE\", \"OTEL_SERVICE_NAME\"] + || \"tags.datadoghq.com/service\" in container.tags) \u0026\u0026 ${process.correlation_key} + in [~\"service_*\"]","filters":["os == \"linux\""],"name":"execution_context_service_new_cgroup_write","updateDate":1758821487905,"updater":{"name":"","handle":""},"version":1}},{"id":"lp4-x68-ekq","type":"agent_rule","attributes":{"actions":[{"set":{"append":true,"default_value":"","expression":"${process.correlation_key}","inherited":true,"name":"parent_correlation_keys","scope":"process"},"filter":"${process.correlation_key} + != 
\"\""},{"set":{"default_value":"","expression":"\"k8s_session_${builtins.uuid4}\"","inherited":true,"name":"correlation_key","scope":"process"}}],"agentConstraint":"","category":"Process + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"Track + execution context from k8s user session","enabled":true,"expression":"exec.user_session.k8s_username + != \"\" \u0026\u0026 ${process.correlation_key} in [\"\", ~\"cgroup_*\", + ~\"auid_*\", ~\"service_*\", ~\"service_new_cgroup_*\", ~\"interactive_shell_*\"]","filters":["os + == \"linux\""],"name":"execution_context_k8s_usersession_entrypoint","updateDate":1758821487471,"updater":{"name":"","handle":""},"version":1}},{"id":"mps-sso-ozk","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"A + container performed various enumeration activities including checking container + runtime, process privileges, user namespace mappings, Linux Security Modules, + mount points, and network namespaces.","enabled":true,"expression":"container.id + != \"\" \u0026\u0026 (\n open.file.path in [~\"/run/systemd/container\"] + ||\n open.file.path in [~\"/proc/*/status\", ~\"/proc/*/task/*/status\"] + ||\n (open.file.path in [~\"/proc/*/uid_map\"] \u0026\u0026 process.file.name + not in [\"runc\"]) ||\n open.file.path in [~\"/proc/*/attr/current\"] ||\n open.file.path + in [~\"/proc/*/mountinfo\"] ||\n open.file.path in [~\"/proc/*/cgroup\"] + ||\n open.file.path in [~\"/proc/net/unix\"]\n) \u0026\u0026\nprocess.file.in_upper_layer + \u0026\u0026 \nprocess.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", - \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\", - \"/opt/datadog/apm/inject/auto_inject_runc\", 
\"/usr/bin/dd-host-install\", - \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", - \"/opt/datadog-agent/bin/datadog-cluster-agent\"] && process.file.path not - in [\"/usr/bin/cilium-agent\", \"/coredns\", \"/usr/bin/cilium-operator\", - \"/manager\", \"/fluent-bit/bin/fluent-bit\", \"/usr/local/bin/cloud-node-manager\", - \"/secrets-store-csi\", \"/bin/secrets-store-csi-driver-provider-aws\", \"/usr/bin/calico-node\", - \"/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent\", \"/nginx-ingress-controller\", - \"/cluster-autoscaler\", \"/cluster-proportional-autoscaler\", \"/haproxy-ingress-controller\", - \"/kube-state-metrics\", \"/fluent-bit-gke-exporter\", \"/bin/external-secrets\", - \"/node-termination-handler\", \"/fluent-bit-gke-exporter\", \"/bin/vault\", - \"/usr/local/bin/kubectl\", \"/local-provisioner\", \"/usr/bin/gitlab-runner\", - \"/usr/local/bin/vaultd\", \"/usr/local/bin/trace-driveline-writer\", \"/usr/local/bin/registration-controller\", - \"/usr/local/bin/cluster-autoscaler\"] && process.ancestors.file.path not - in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", - \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", + \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/embedded/bin/trace-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", - \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1711644571787,"filters":["os - == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"30s-pi8-9b4","attributes":{"version":1,"name":"testcreateacloudworkloadsecurityagentrulereturnsokresponse1711550899","description":"Test - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1711550899699,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1711550899699,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"a9q-iyx-gfu","attributes":{"version":1,"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1708686508","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1708686508595,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1708686508595,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"hlq-w7y-5tg","attributes":{"version":1,"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1708686508","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1708686508341,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1708686508341,"filters":["os - == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"lj4-ina-ue2","attributes":{"version":1,"name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1708686507","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1708686507890,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1708686507890,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"qlz-mcu-d2k","attributes":{"version":1,"name":"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1708686507","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1708686507757,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1708686507757,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"bmx-go6-0lz","attributes":{"version":1,"name":"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1708686507","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1708686507388,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1708686507388,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"bk0-mpb-ii8","attributes":{"version":1,"name":"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1708686507","description":"Test - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1708686507115,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1708686507115,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"0xw-wbm-pel","attributes":{"version":1,"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1707131459","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1707131459596,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1707131459596,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI - 
Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"nvt-eoh-yiz","attributes":{"version":1,"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1707131458","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1707131458820,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1707131458820,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"dc5-hba-20b","attributes":{"version":1,"name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1707131457","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1707131457616,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1707131457616,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"asb-kqf-vex","attributes":{"version":1,"name":"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1707131456","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1707131457216,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1707131457216,"filters":["os - == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"yzx-ia6-bdh","attributes":{"version":1,"name":"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1707131456","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1707131456469,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1707131456469,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"3uo-x9p-tmb","attributes":{"version":1,"name":"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1707131455","description":"Test - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1707131455692,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1707131455692,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"kan-5ki-wau","attributes":{"version":1,"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1706872191","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1706872191984,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1706872191984,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"ggb-h3r-t7d","attributes":{"version":1,"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1706872191","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1706872191450,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1706872191450,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"y4n-8gx-m3n","attributes":{"version":1,"name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1706872190","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1706872190549,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1706872190549,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI - 
Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"xsf-ugy-cfq","attributes":{"version":1,"name":"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1706872190","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1706872190256,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1706872190256,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"btr-btz-zif","attributes":{"version":1,"name":"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1706872189","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1706872189757,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1706872189757,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"jnw-ija-az5","attributes":{"version":1,"name":"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1706872189","description":"Test - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1706872189262,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1706872189262,"filters":["os - == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"6v0-shq-8gm","attributes":{"version":1,"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1704452911","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1704452911364,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1704452911364,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"yrv-svq-9nz","attributes":{"version":1,"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1704452911","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1704452911144,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1704452911144,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"9s9-wui-t8c","attributes":{"version":1,"name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1704452910","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1704452910712,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1704452910712,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"krm-ssv-tn5","attributes":{"version":1,"name":"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1704452910","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1704452910586,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1704452910586,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"uiu-6vz-z2h","attributes":{"version":1,"name":"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1704452910","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1704452910368,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1704452910368,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI - 
Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"eej-oup-jwu","attributes":{"version":1,"name":"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1704452910","description":"Test - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1704452910147,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1704452910147,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"ltv-fla-wb0","attributes":{"version":1,"name":"ntds_in_commandline","description":"NTDS - file referenced in commandline","expression":"exec.cmdline =~ \"*ntds.dit*\"","category":"Process - Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1704404490608,"filters":["os - == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"uuf-w3c-u9q","attributes":{"version":1,"name":"scheduled_task_creation","description":"A - scheduled task was created","expression":"exec.file.name in [\"at.exe\",\"schtasks.exe\"]","category":"Process - Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1704404490608,"filters":["os - == \"windows\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"nyc-gfz-yr5","attributes":{"version":5,"name":"nsswitch_conf_mod_chown","description":"nsswitch - may have been modified without authorization","expression":"(\n (chown.file.path - in [ \"/etc/nsswitch.conf\" ])\n) && (chown.file.destination.uid != chown.file.uid - || chown.file.destination.gid != chown.file.gid) 
&& process.file.path not - in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":1606142958657,"updateDate":1704404477785,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"bm8-j5w-xfv","attributes":{"version":3,"name":"suspicious_suid_execution","description":"Recently - written or modified suid file has been executed","expression":"((process.file.mode - & S_ISUID > 0) && process.file.modification_time < 30s) && exec.file.name - != \"\" && process.ancestors.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", - \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", - \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\", - \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", - \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", - \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1704404469455,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"phy-tco-k7w","attributes":{"version":6,"name":"database_shell_execution","description":"A - database application spawned a shell, shell utility, or HTTP utility","expression":"(exec.file.path - in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n 
\"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" - ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path - in [\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\
"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"]) - &&\nprocess.parent.file.name in [\"mysqld\", \"mongod\", \"postgres\"] &&\n!(process.parent.file.name - == \"initdb\" &&\nexec.args == \"-c locale -a\") &&\n!(process.parent.file.name - == \"postgres\" &&\nexec.args == ~\"*pg_wal*\")","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":1617722069155,"updateDate":1704404453620,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"7x1-glr-ofl","attributes":{"version":2,"name":"credential_modified_open_v2","description":"Sensitive - credential files were modified using a non-standard tool","expression":"(\n open.flags - & ((O_CREAT|O_RDWR|O_WRONLY|O_TRUNC)) > 0 &&\n (open.file.path in [ \"/etc/shadow\", - \"/etc/gshadow\" ])\n && process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", - \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", - \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", - \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", - \"/usr/bin/chage\", \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && + \"/opt/datadog-agent/bin/datadog-cluster-agent\", ~\"/opt/datadog-packages/**\", + ~\"/opt/datadog-installer/**\"] ","filters":["os == \"linux\""],"name":"container_breakout_enumeration_tool","updateDate":1758821487213,"updater":{"name":"","handle":""},"version":1}},{"id":"sgo-0ij-wgo","type":"agent_rule","attributes":{"actions":[{"set":{"append":true,"default_value":"","expression":"${process.correlation_key}","inherited":true,"name":"parent_correlation_keys","scope":"process"},"filter":"${process.correlation_key} + != 
\"\""},{"set":{"default_value":"","expression":"\"service_${builtins.uuid4}\"","inherited":true,"name":"correlation_key","scope":"process"}}],"agentConstraint":"","category":"Process + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"Track + execution context from service","enabled":true,"expression":"(exec.envs in + [\"DD_SERVICE\", \"OTEL_SERVICE_NAME\"] || \"tags.datadoghq.com/service\" + in container.tags) \u0026\u0026 ${process.correlation_key} in [\"\", ~\"cgroup_*\", + ~\"auid_*\"]","filters":["os == \"linux\""],"name":"execution_context_service","updateDate":1758821487211,"updater":{"name":"","handle":""},"version":1}},{"id":"nx5-ll1-x6m","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"A + process is masquerading as a kernel thread by using bracket notation in its + name","enabled":true,"expression":"(exec.comm in [r\"^\\[.*\\]$\"] || exec.argv0 + in [r\"^\\[.*\\]$\"]) \u0026\u0026 (process.parent.ppid !=2 || process.args + != \"\")","filters":["os == \"linux\""],"name":"kernel_process_masquerade","updateDate":1758821487207,"updater":{"name":"","handle":""},"version":1}},{"id":"6lb-gwv-535","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"A + new static pod manifest was created in the Kubernetes manifests directory","enabled":true,"expression":"open.flags + \u0026 O_CREAT \u003e 0\n\u0026\u0026 open.file.path in [~\"/etc/kubernetes/manifests/*\"]\n\u0026\u0026 + open.file.extension in [\".yaml\", \".yml\"]\n\u0026\u0026 process.file.path + not in [\"/usr/bin/kubelet\", \"/usr/local/bin/kubelet\", \"/opt/bin/kubelet\"]","filters":["os + == 
\"linux\""],"name":"static_pod_manifest_created","updateDate":1758821487200,"updater":{"name":"","handle":""},"version":1}},{"id":"mil-ofs-8td","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"A + process removed itself from the filesystem","enabled":true,"expression":"unlink.file.path + == process.file.path","filters":["os == \"linux\""],"name":"unlink_self","updateDate":1758821487200,"updater":{"name":"","handle":""},"version":1}},{"id":"cuo-g81-vwm","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"A + process was executed in a Kubernetes user session","enabled":true,"expression":"exec.user_session.k8s_username + != \"\"","filters":["os == \"linux\""],"name":"k8s_user_session","updateDate":1758821487198,"updater":{"name":"","handle":""},"version":1}},{"id":"9rv-bls-azq","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"nohup + was used to ignore process termination signals","enabled":true,"expression":"exec.comm + == \"nohup\"","filters":["os == \"linux\""],"name":"nohup_usage","updateDate":1758821487198,"updater":{"name":"","handle":""},"version":1}},{"id":"mpb-1rj-dv6","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":1598516746168,"creator":{"name":"","handle":""},"defaultRule":true,"description":"A + new kernel module was added","enabled":true,"expression":"(\n (rename.file.path + in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || rename.file.destination.path + in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\", ~\"/usr/lib/modules-load.d/**\", + ~\"/etc/modules-load.d/**\", 
~\"/etc/modprobe.d/**\" ])\n \u0026\u0026 + process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) && container.created_at - > 90s","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1704404453617,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"jjg-cwd-bi8","attributes":{"version":2,"name":"pci_11_5_critical_binaries_open_v2","description":"Critical - system binaries may have been modified","expression":"(\n open.flags & - (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n open.file.path in [ ~\"/bin/*\", - ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", - ~\"/boot/**\" ]\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", - \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] + \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n)","filters":["os + == \"linux\""],"name":"kernel_module_rename","updateDate":1758821375033,"updater":{"name":"","handle":""},"version":11}},{"id":"lt7-ru0-jsw","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Network + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"A + process connected to a penetration testing 
domain","enabled":true,"expression":"connect.addr.hostname + in [~\"*.interact.sh\", ~\"*.oast.pro\", ~\"*.oast.live\", ~\"*.oast.fun\", + ~\"*.oast.me\", ~\"*.burpcollaborator.net\", ~\"*.oastify.com\", ~\"*canarytokens.com\", + ~\"*.requestbin.net\", ~\"*.dnslog.cn\"] \u0026\u0026 connect.addr.is_public + == true","filters":["os == \"linux\""],"name":"pentest_domain","updateDate":1758821375016,"updater":{"name":"","handle":""},"version":2}},{"id":"esk-ygv-wg5","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"A + file executed from /dev/shm/ directory","enabled":true,"expression":"exec.file.path + == ~\"/dev/shm/**\"","filters":["os == \"linux\""],"name":"devshm_execution","updateDate":1758821374996,"updater":{"name":"","handle":""},"version":2}},{"id":"m8i-uhr-aoq","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":1606142936138,"creator":{"name":"","handle":""},"defaultRule":true,"description":"PAM + may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path + in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\", ~\"/lib/security/*\", ~\"/usr/lib/security/*\", + ~\"/lib64/security/*\", ~\"/usr/lib64/security/*\"]\n || link.file.destination.path + in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\", ~\"/lib/security/*\", ~\"/usr/lib/security/*\", + ~\"/lib64/security/*\", ~\"/usr/lib64/security/*\"])\n)","filters":["os == + \"linux\""],"name":"pam_modification_link","updateDate":1758821338819,"updater":{"name":"","handle":""},"version":4}},{"id":"eeb-m3q-buz","type":"agent_rule","attributes":{"actions":[{"set":{"field":"unlink.file.path","name":"correlation_key_file_path","scope":"cgroup"}}],"agentConstraint":"","category":"File + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"A + file was deleted shortly 
after it was executed","enabled":true,"expression":"unlink.file.path + in ${cgroup.chain_exec_unlink}","filters":["os == \"linux\""],"name":"delete_new_process","updateDate":1758821241938,"updater":{"name":"","handle":""},"version":2}},{"id":"2fy-aqt-8mz","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":1606142936138,"creator":{"name":"","handle":""},"defaultRule":true,"description":"PAM + may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path + in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\", ~\"/lib/security/*\", ~\"/usr/lib/security/*\", + ~\"/lib64/security/*\", ~\"/usr/lib64/security/*\" ]\n || rename.file.destination.path + in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\", ~\"/lib/security/*\", ~\"/usr/lib/security/*\", + ~\"/lib64/security/*\", ~\"/usr/lib64/security/*\" ])\n)","filters":["os == + \"linux\""],"name":"pam_modification_rename","updateDate":1758821241590,"updater":{"name":"","handle":""},"version":4}},{"id":"ysz-c0t-vzy","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Network + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"A + process checked the public IP address of the host","enabled":true,"expression":"connect.addr.hostname + in [\"icanhazip.com\", \"ip-api.com\", \"myip.opendns.com\", \"checkip.amazonaws.com\", + \"whatismyip.akamai.com\"] \u0026\u0026 connect.addr.is_public == true \u0026\u0026 + connect.addr.port in [80, 443]","filters":["os == \"linux\""],"name":"ip_lookup_domain","updateDate":1758821241561,"updater":{"name":"","handle":""},"version":2}},{"id":"fak-u9s-pac","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":1606142936138,"creator":{"name":"","handle":""},"defaultRule":true,"description":"PAM + may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path + 
in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\", ~\"/lib/security/*\", ~\"/usr/lib/security/*\", + ~\"/lib64/security/*\", ~\"/usr/lib64/security/*\" ])\n) \u0026\u0026 (chown.file.destination.uid + != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os + == \"linux\""],"name":"pam_modification_chown","updateDate":1758821241527,"updater":{"name":"","handle":""},"version":5}},{"id":"adl-qjr-lyg","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":1606142936138,"creator":{"name":"","handle":""},"defaultRule":true,"description":"PAM + may have been modified without authorization","enabled":true,"expression":"(\n open.flags + \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path + in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\", ~\"/lib/security/*\", ~\"/usr/lib/security/*\", + ~\"/lib64/security/*\", ~\"/usr/lib64/security/*\" ])\n)","filters":["os == + \"linux\""],"name":"pam_modification_open","updateDate":1758821241329,"updater":{"name":"","handle":""},"version":5}},{"id":"ei7-n5e-rvv","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":1606142936138,"creator":{"name":"","handle":""},"defaultRule":true,"description":"PAM + may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path + in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\", ~\"/lib/security/*\", ~\"/usr/lib/security/*\", + ~\"/lib64/security/*\", ~\"/usr/lib64/security/*\" ])\n)","filters":["os == + \"linux\""],"name":"pam_modification_unlink","updateDate":1758821241325,"updater":{"name":"","handle":""},"version":4}},{"id":"kr2-ybp-wh8","type":"agent_rule","attributes":{"actions":[{"hash":{"field":"process.file"}}],"agentConstraint":"","category":"Network + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"A + process made a connection to a port associated with 
P2PInfect malware","enabled":true,"expression":"(connect.addr.family + == AF_INET || connect.addr.family == AF_INET6) \u0026\u0026 connect.addr.is_public + == true \u0026\u0026 connect.addr.port \u003e= 60100 \u0026\u0026 connect.addr.port + \u003c= 60150","filters":["os == \"linux\""],"name":"p2pinfect_connection","updateDate":1758821241285,"updater":{"name":"","handle":""},"version":2}},{"id":"12k-ui3-z4h","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":1606142936138,"creator":{"name":"","handle":""},"defaultRule":true,"description":"PAM + may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path + in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\", ~\"/lib/security/*\", ~\"/usr/lib/security/*\", + ~\"/lib64/security/*\", ~\"/usr/lib64/security/*\"])\n) \u0026\u0026 chmod.file.destination.mode + != chmod.file.mode","filters":["os == \"linux\""],"name":"pam_modification_chmod","updateDate":1758821241268,"updater":{"name":"","handle":""},"version":5}},{"id":"avt-p2e-fyc","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":1598516746168,"creator":{"name":"","handle":""},"defaultRule":true,"description":"A + new kernel module was added","enabled":true,"expression":"(\n (chmod.file.path + in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\", ~\"/usr/lib/modules-load.d/**\", + ~\"/etc/modules-load.d/**\", ~\"/etc/modprobe.d/**\" ])\n \u0026\u0026 + process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - \"/usr/bin/yum\", \"/sbin/apk\", 
\"/usr/lib/snapd/snapd\"]\n) && container.created_at - > 90s","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1704404449335,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"rqb-wq9-xzq","attributes":{"version":1,"name":"dummy_rule_jcvqK","description":"Execution - of a java process","expression":"exec.file.name == \"java\"","category":"Process - Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1704404420111,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1704404420111,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"sqx-azd-ia2","attributes":{"version":1,"name":"dummy_rule_ivMAv","description":"Execution - of a java process","expression":"exec.file.name == \"java\"","category":"Process - Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1700251049947,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1700251049947,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"83g-jde-hyc","attributes":{"version":1,"name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700243663","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1700243663249,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1700243663249,"filters":["os - == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"hyg-8q3-gme","attributes":{"version":1,"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1700219294","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1700219294824,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1700219294824,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"bn3-we8-cxn","attributes":{"version":1,"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1700219294","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1700219294647,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1700219294647,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"goh-6ij-cpa","attributes":{"version":1,"name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700219294","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1700219294269,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1700219294269,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"he7-cho-9th","attributes":{"version":1,"name":"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1700219294","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1700219294175,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1700219294175,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"pj5-9wo-0ny","attributes":{"version":1,"name":"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1700219293","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1700219293961,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1700219293961,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI - 
Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"dmd-ens-omw","attributes":{"version":1,"name":"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1700219293","description":"Test - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1700219293736,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1700219293736,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"8ft-wcs-sok","attributes":{"version":1,"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1700132880","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1700132880522,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1700132880522,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"onm-fm3-ilm","attributes":{"version":1,"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1700132880","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1700132880255,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1700132880255,"filters":["os - == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"cxv-wyz-udh","attributes":{"version":1,"name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700132879","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1700132879795,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1700132879795,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"7ro-vjj-hqg","attributes":{"version":1,"name":"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1700132879","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1700132879679,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1700132879679,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"3uf-mai-edh","attributes":{"version":1,"name":"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1700132879","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1700132879455,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1700132879455,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"e2t-sos-sgs","attributes":{"version":1,"name":"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1700132879","description":"Test - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1700132879213,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1700132879213,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"joz-phu-bj6","attributes":{"version":1,"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1700046608","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1700046608383,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1700046608383,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI - 
Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"9gx-e5x-wxl","attributes":{"version":1,"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1700046607","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1700046607880,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1700046607880,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"cmg-7ok-iws","attributes":{"version":1,"name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700046606","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1700046607019,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1700046607019,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"fc2-mmz-xme","attributes":{"version":1,"name":"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1700046606","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1700046606743,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1700046606743,"filters":["os - == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"cw4-gei-lqg","attributes":{"version":1,"name":"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1700046606","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1700046606184,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1700046606184,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"djb-5it-syy","attributes":{"version":1,"name":"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1700046605","description":"Test - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1700046605699,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1700046605699,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"2be-cfa-xhr","attributes":{"version":1,"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1699960183","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1699960183272,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1699960183272,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"5dp-tcj-tbm","attributes":{"version":1,"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1699960182","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1699960182731,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1699960182731,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"a0m-zaf-0a8","attributes":{"version":1,"name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1699960181","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1699960181838,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1699960181838,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI - 
Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"erx-pyz-xft","attributes":{"version":1,"name":"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1699960181","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1699960181554,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1699960181554,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"ydh-fsm-slz","attributes":{"version":1,"name":"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1699960180","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1699960181024,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1699960181024,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"5pp-60h-keq","attributes":{"version":1,"name":"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699960180","description":"Test - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1699960180438,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1699960180438,"filters":["os - == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"xyn-fkc-osi","attributes":{"version":1,"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1699873852","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1699873852793,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1699873852793,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"llg-x6t-jjq","attributes":{"version":1,"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1699873851","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1699873852043,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1699873852043,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"q1s-ejx-xq3","attributes":{"version":1,"name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1699873850","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1699873850880,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1699873850880,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"zw4-cad-dro","attributes":{"version":1,"name":"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1699873850","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1699873850490,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1699873850490,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"rik-8jl-7nr","attributes":{"version":1,"name":"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1699873849","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1699873849810,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1699873849810,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI - 
Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"vih-vom-ryl","attributes":{"version":1,"name":"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699873848","description":"Test - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1699873849102,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1699873849102,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"mhl-gkn-bun","attributes":{"version":6,"name":"pci_11_5_critical_binaries_unlink","description":"Critical - system binaries may have been modified","expression":"(\n (unlink.file.path - in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", - ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in - [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] + \u0026\u0026 process.ancestors.file.path != \"/usr/bin/kmod\"\n) \u0026\u0026 + chmod.file.destination.mode != chmod.file.mode","filters":["os == \"linux\""],"name":"kernel_module_chmod","updateDate":1758821241158,"updater":{"name":"","handle":""},"version":10}},{"id":"ec9-vff-7ni","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":1598516746168,"creator":{"name":"","handle":""},"defaultRule":true,"description":"A + new kernel module was 
added","enabled":true,"expression":"(\n (link.file.path + in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\", ~\"/usr/lib/modules-load.d/**\", + ~\"/etc/modules-load.d/**\", ~\"/etc/modprobe.d/**\" ]\n || link.file.destination.path + in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File - Activity","defaultRule":true,"enabled":true,"creationDate":1606142933669,"updateDate":1699614659146,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"j3f-cie-47b","attributes":{"version":2,"name":"kernel_module_load_from_memory","description":"A - kernel module was loaded from memory","expression":"load_module.loaded_from_memory - == true","category":"Kernel Activity","defaultRule":true,"enabled":true,"creationDate":1650293718630,"updateDate":1699614659145,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"my1-vln-8fq","attributes":{"version":3,"name":"cryptominer_args","description":"A - process launched with arguments associated with cryptominers","expression":"exec.args_options - in [~\"cpu-priority*\", ~\"donate-level*\"] || exec.args in [~\"*stratum+tcp*\"]","category":"Process - Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1699614656177,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"us6-p6v-hbj","attributes":{"version":2,"name":"tar_execution","description":"Tar - archive created","expression":"exec.file.path == \"/usr/bin/tar\" && exec.args_flags - in 
[\"create\",\"c\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1699614655670,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"vky-y2i-mvh","attributes":{"version":2,"name":"java_shell_execution_parent","description":"A - java process spawned a shell, shell utility, or HTTP utility","expression":"(exec.file.path - in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" - ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path - in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"])\n&& - process.parent.file.name == \"java\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1699614653571,"filters":["os - == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ohe-vlf-t2h","attributes":{"version":9,"name":"ssl_certificate_tampering_chown","description":"SSL - certificates may have been tampered with","expression":"(\n (chown.file.path - in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) - && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid - != chown.file.gid)\n&& process.file.path != \"/usr/sbin/update-ca-certificates\"\n&& - process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path + != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_link","updateDate":1758821241086,"updater":{"name":"","handle":""},"version":11}},{"id":"esw-jp7-chn","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"The + rclone utility was executed","enabled":true,"expression":"exec.file.name in + [\"rclone\", \"rsync\", \"sftp\", \"ftp\", \"scp\", \"dcp\", \"rcp\"]","filters":["os + == \"linux\""],"name":"file_sync_exfil","updateDate":1749232465958,"updater":{"name":"","handle":""},"version":1}},{"id":"a6b-xqu-n6r","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + 
Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"process + arguments match sliver c2 implant","enabled":true,"expression":"exec.cmdline + =~ \"*NoExit *\" \u0026\u0026 exec.cmdline =~ \"*Command *\" \u0026\u0026 + exec.cmdline =~ \"*[Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8*\"","filters":["os + == \"windows\""],"name":"sliver_c2_implant_execution","updateDate":1749232465391,"updater":{"name":"","handle":""},"version":1}},{"id":"9mk-xxe-lpw","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationDate":1617722068555,"creator":{"name":"","handle":""},"defaultRule":true,"description":"A + container management utility was executed in a container","enabled":true,"expression":"exec.file.name + in [\"docker\", \"kubectl\", \"ctr\"] \u0026\u0026 container.id != \"\"","filters":["os + == \"linux\""],"name":"suspicious_container_client","updateDate":1749232439098,"updater":{"name":"","handle":""},"version":3}},{"id":"pwg-71z-aob","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"SSL + certificates may have been tampered with","enabled":true,"expression":"(\n open.flags + \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path + in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n)\n\u0026\u0026 process.file.path + != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path + != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n&& - process.file.name !~ \"runc*\"","category":"File 
Activity","defaultRule":true,"enabled":true,"creationDate":1606142980369,"updateDate":1699614645120,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"abo-w0g-emz","attributes":{"version":1,"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1699614584","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1699614584761,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1699614584761,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"yyr-62t-pwg","attributes":{"version":1,"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1699614583","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1699614584201,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1699614584201,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"s87-olo-akk","attributes":{"version":1,"name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1699614583","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1699614583309,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1699614583309,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"hqc-ilw-6pg","attributes":{"version":1,"name":"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1699614582","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1699614583007,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1699614583007,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"5ik-iyy-ry4","attributes":{"version":1,"name":"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1699614582","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1699614582497,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1699614582497,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI - 
Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"0mj-ptm-mcq","attributes":{"version":1,"name":"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699614581","description":"Test - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1699614581944,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1699614581944,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"awr-mtg-lce","attributes":{"version":1,"name":"offensive_k8s_tool","description":"A - known kubernetes pentesting tool has been executed","expression":"(exec.file.name - in [ ~\"python*\" ] && (\"KubiScan.py\" in exec.argv || \"kubestriker\" in - exec.argv ) ) || exec.file.name in [ \"kubiscan\",\"kdigger\",\"kube-hunter\",\"rakkess\",\"peirates\",\"kubescape\",\"kubeaudit\",\"kube-linter\",\"stratus\",~\"botb-*\"]","category":"Process - Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1699605598275,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"qng-psi-j15","attributes":{"version":5,"name":"runc_modification","description":"The - runc binary was modified in a non-standard way","expression":"open.file.path - in [\"/usr/bin/runc\", \"/usr/sbin/runc\", \"/usr/bin/docker-runc\"]\n&& open.flags - & O_CREAT|O_TRUNC|O_RDWR|O_WRONLY > 0\n&& process.file.path not in [~\"/usr/bin/apt*\", - \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", - \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n&& - 
process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","category":"File - Activity","defaultRule":true,"enabled":true,"creationDate":1627392837049,"updateDate":1699605592780,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"vlh-msh-elx","attributes":{"version":1,"name":"redis_save_module","description":"Redis - module has been created","expression":"(open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) - > 0 && open.file.path =~ \"/tmp/**\" && open.file.name in [~\"*.rdb\", ~\"*.aof\", - ~\"*.so\"]) && process.file.name in [\"redis-check-rdb\", \"redis-server\"]","category":"File - Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1699605590262,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"i0s-yb1-hnl","attributes":{"version":4,"name":"net_util_exfiltration","description":"Exfiltration - attempt via network utility","expression":"exec.comm in [\"wget\", \"curl\", - \"lwp-download\"] && \nexec.args_options in [ ~\"post-file=*\", ~\"post-data=*\", - ~\"T=*\", ~\"d=@*\", ~\"upload-file=*\", ~\"F=file*\"] &&\nexec.args not in - [~\"*localhost*\", ~\"*127.0.0.1*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1699605585597,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ki7-koc-icf","attributes":{"version":2,"name":"apparmor_modified_tty","description":"An - AppArmor profile was modified in an interactive session","expression":"exec.file.name - in [\"aa-disable\", \"aa-complain\", \"aa-audit\"] && exec.tty_name 
!=\"\"","category":"Process - Activity","defaultRule":true,"enabled":true,"creationDate":1627392836162,"updateDate":1699605581360,"filters":["os - == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"kzh-5hn-edg","attributes":{"version":6,"name":"pci_11_5_critical_binaries_chmod","description":"Critical - system binaries may have been modified","expression":"(\n (chmod.file.path - in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", - ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in - [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ + \"runc*\"\n\u0026\u0026 container.id != \"\"\n\u0026\u0026 container.created_at + \u003e 90s","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_open_v2","updateDate":1749232438080,"updater":{"name":"","handle":""},"version":2}},{"id":"efc-svz-7hu","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"A + web application spawned a shell or shell utility","enabled":true,"expression":"(exec.file.path + in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n 
\"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" + ] || exec.comm in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.path + in [\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin
/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\",\"/bin/busybox\"]) + \u0026\u0026\n(process.parent.file.name in [\"apache2\", \"nginx\", ~\"tomcat*\", + \"httpd\"] || process.parent.file.name =~ \"php*\")","filters":["os == \"linux\""],"name":"potential_web_shell_parent","updateDate":1749232437323,"updater":{"name":"","handle":""},"version":2}},{"id":"fjh-jmi-fbi","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"The + auditd rules file was modified without using auditctl","enabled":true,"expression":"open.file.path + in [\"/etc/audit/rules.d/audit.rules\", \"/etc/audit/audit.rules\"] \u0026\u0026 + open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 + process.file.name != \"auditctl\"","filters":["os == \"linux\""],"name":"auditd_rule_file_modified","updateDate":1749232436502,"updater":{"name":"","handle":""},"version":2}},{"id":"ipa-v3l-kt6","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":1606142961130,"creator":{"name":"","handle":""},"defaultRule":true,"description":"An + unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (chmod.file.path + in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n \u0026\u0026 + process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n) \u0026\u0026 + chmod.file.destination.mode != chmod.file.mode\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) - && chmod.file.destination.mode != chmod.file.mode","category":"File 
Activity","defaultRule":true,"enabled":true,"creationDate":1606142933669,"updateDate":1699605577106,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"rm1-b8h-cec","attributes":{"version":5,"name":"pci_11_5_critical_binaries_link","description":"Critical - system binaries may have been modified","expression":"(\n (link.file.path - in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", - ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || link.file.destination.path - in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", - ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in - [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os + == \"linux\""],"name":"cron_at_job_creation_chmod","updateDate":1749232436328,"updater":{"name":"","handle":""},"version":8}},{"id":"onm-dqu-jly","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":1606142961130,"creator":{"name":"","handle":""},"defaultRule":true,"description":"An + unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n open.flags + \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path + in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n \u0026\u0026 + process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 + process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", + \"/usr/bin/dockerd\", 
\"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os + == \"linux\""],"name":"cron_at_job_creation_open","updateDate":1749232434913,"updater":{"name":"","handle":""},"version":8}},{"id":"7nq-ugi-gu1","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":1606142980369,"creator":{"name":"","handle":""},"defaultRule":true,"description":"SSL + certificates may have been tampered with","enabled":true,"expression":"(\n (link.file.path + in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || link.file.destination.path + in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File - Activity","defaultRule":true,"enabled":true,"creationDate":1606142933669,"updateDate":1699605575176,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"zk5-jeo-579","attributes":{"version":2,"name":"rc_scripts_modified","description":"RC - scripts modified","expression":"(open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) - > 0 && (open.file.path in [\"/etc/rc.common\", \"/etc/rc.local\"])) && process.ancestors.file.path + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.file.path + != \"/usr/sbin/update-ca-certificates\"\n \u0026\u0026 process.ancestors.file.path + != \"/usr/sbin/update-ca-certificates\"\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","category":"File - 
Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1699605566454,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"je9-er4-njy","attributes":{"version":2,"name":"selinux_disable_enforcement","description":"SELinux - enforcement status was disabled","expression":"selinux.enforce.status in [\"permissive\", - \"disabled\"] && process.ancestors.args != ~\"*BECOME-SUCCESS*\"","category":"Kernel - Activity","defaultRule":true,"enabled":true,"creationDate":1635332067172,"updateDate":1699605560892,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"yly-big-wfq","attributes":{"version":6,"name":"pci_11_5_critical_binaries_chown","description":"Critical - system binaries may have been modified","expression":"(\n (chown.file.path - in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", - ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in - [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.file.name + !~ \"runc*\"\n)","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_link","updateDate":1749232434911,"updater":{"name":"","handle":""},"version":9}},{"id":"msb-ai6-ua5","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"Tunneling + or port forwarding tool used","enabled":true,"expression":"((exec.comm == + \"pivotnacci\" || exec.comm == 
\"gost\") \u0026\u0026 process.args_flags in + [\"L\", \"C\", \"R\"]) || (exec.comm in [\"ssh\", \"sshd\"] \u0026\u0026 process.args_flags + in [\"R\", \"L\", \"D\", \"w\"] \u0026\u0026 process.args in [r\"((25[0-5]|(2[0-4]|1\\d|[1-9])\\d)\\.?\\b){4}\"] + ) || (exec.comm == \"sshuttle\" \u0026\u0026 process.args_flags in [\"r\", + \"remote\", \"l\", \"listen\"]) || (exec.comm == \"socat\" \u0026\u0026 process.args + in [r\"(TCP4-LISTEN:|SOCKS)\"]) || (exec.comm in [\"iodine\", \"iodined\", + \"dnscat\", \"hans\", \"hans-ubuntu\", \"ptunnel-ng\", \"ssf\", \"3proxy\", + \"ngrok\"] \u0026\u0026 process.parent.comm in [\"bash\", \"dash\", \"ash\", + \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"])","filters":["os == + \"linux\""],"name":"tunnel_traffic","updateDate":1749232434907,"updater":{"name":"","handle":""},"version":3}},{"id":"7bv-uip-wxv","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"microsoft + security essentials executable modified","enabled":true,"expression":"write.file.device_path + in [~\"\\Device\\*\\Program Files\\Microsoft Security Client\\msseces.exe\"]","filters":["os + == \"windows\""],"name":"windows_security_essentials_executable_modified","updateDate":1749232411868,"updater":{"name":"","handle":""},"version":1}},{"id":"24x-t0s-vlw","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"find + command searching for sensitive files","enabled":true,"expression":"exec.comm + == \"find\" \u0026\u0026 exec.args in [~\"*credentials*\"]","filters":["os + == \"linux\""],"name":"find_credentials","updateDate":1749232411667,"updater":{"name":"","handle":""},"version":1}},{"id":"tfh-7pq-ne3","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + 
Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"Perl + executed with suspicious argument","enabled":true,"expression":"exec.file.name + == ~\"perl*\" \u0026\u0026 exec.args_flags in [\"e\"] \u0026\u0026 (exec.args + in [~\"*socket*\", ~\"*bind*\", ~\"*sockaddr*\", ~\"*listen*\", ~\"*accept\", + ~\"*stdin*\", ~\"*stdout\"])","filters":["os == \"linux\""],"name":"perl_shell","updateDate":1749232409731,"updater":{"name":"","handle":""},"version":1}},{"id":"rek-wb4-s7y","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"A + service may have been modified without authorization","enabled":true,"expression":"(\n ( rename.file.path + in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\", + ~\"/usr/local/lib/systemd/system/**\", ~\"/run/systemd/system/**\"] \n || + rename.file.path in [ ~\"/etc/systemd/user/**\", ~\"/usr/lib/systemd/user/**\", + ~\"/home/*/.config/systemd/user/**\", ~\"/home/*/.local/share/systemd/user/**\", + ~\"/run/systemd/user/**\"]\n || rename.file.destination.path in [ ~\"/lib/systemd/system/**\", + ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\", ~\"/usr/local/lib/systemd/system/**\", + ~\"/run/systemd/system/**\"] \n || rename.file.destination.path in [ ~\"/etc/systemd/user/**\", + ~\"/usr/lib/systemd/user/**\", ~\"/home/*/.config/systemd/user/**\", ~\"/home/*/.local/share/systemd/user/**\", + ~\"/run/systemd/user/**\"])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", + ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", + \"/usr/lib/snapd/snapd\"]\n)","filters":["os == 
\"linux\""],"name":"systemd_modification_rename","updateDate":1749232382129,"updater":{"name":"","handle":""},"version":8}},{"id":"qdc-oqx-zsx","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"A + service may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path + in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\", + ~\"/usr/local/lib/systemd/system/**\", ~\"/run/systemd/system/**\"])\n \u0026\u0026 + process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 + (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid + != chown.file.gid)","filters":["os == \"linux\""],"name":"systemd_modification_chown","updateDate":1749232381893,"updater":{"name":"","handle":""},"version":9}},{"id":"ich-3ke-cor","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"Sudoers + policy file may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path + in [\"/etc/sudoers\", ~\"/etc/sudoers.d/*\"]\n || link.file.destination.path + in [\"/etc/sudoers\", ~\"/etc/sudoers.d/*\"])\n)","filters":["os == \"linux\""],"name":"sudoers_policy_modified_link","updateDate":1749232381667,"updater":{"name":"","handle":""},"version":2}},{"id":"nlp-lzc-rcf","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":1606142929241,"creator":{"name":"","handle":""},"defaultRule":true,"description":"A + service may have been modified without 
authorization","enabled":true,"expression":"(\n open.flags + \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path + in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\", + ~\"/usr/local/lib/systemd/system/**\", ~\"/run/systemd/system/**\"] || open.file.path + in [ ~\"/etc/systemd/user/**\", ~\"/usr/lib/systemd/user/**\", ~\"/home/*/.config/systemd/user/**\", + ~\"/home/*/.local/share/systemd/user/**\", ~\"/run/systemd/user/**\"])\n \u0026\u0026 + process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os + == \"linux\""],"name":"systemd_modification_open","updateDate":1749232381238,"updater":{"name":"","handle":""},"version":6}},{"id":"ohp-ags-xpk","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":1606142936138,"creator":{"name":"","handle":""},"defaultRule":true,"description":"PAM + may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path + in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) - && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid - != chown.file.gid)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":1606142933669,"updateDate":1699605558253,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"6ef-efv-07c","attributes":{"version":5,"name":"pci_11_5_critical_binaries_utimes","description":"Critical - system binaries may have 
been modified","expression":"(\n (utimes.file.path - in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", - ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in - [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os + == \"linux\""],"name":"pam_modification_utimes","updateDate":1749232380612,"updater":{"name":"","handle":""},"version":5}},{"id":"ybu-yya-acz","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":1606142980369,"creator":{"name":"","handle":""},"defaultRule":true,"description":"SSL + certificates may have been tampered with","enabled":true,"expression":"(\n (chmod.file.path + in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File - Activity","defaultRule":true,"enabled":true,"creationDate":1606142933669,"updateDate":1699605550430,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"1vg-wvn-jeo","attributes":{"version":5,"name":"pci_11_5_critical_binaries_rename","description":"Critical - system binaries may have been modified","expression":"(\n (rename.file.path - in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", - ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || rename.file.destination.path + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", 
\"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.mode != + chmod.file.destination.mode\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 + process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 + process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_chmod","updateDate":1749232340405,"updater":{"name":"","handle":""},"version":10}},{"id":"vky-y2i-mvh","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"A + java process spawned a shell, shell utility, or HTTP utility","enabled":true,"expression":"(exec.file.path + in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" + ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path + in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\",\"/bin/busybox\"])\n\u0026\u0026 + process.parent.file.name in [\"java\", \"jspawnhelper\"]","filters":["os == + 
\"linux\""],"name":"java_shell_execution_parent","updateDate":1749232339592,"updater":{"name":"","handle":""},"version":3}},{"id":"6ef-efv-07c","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":1606142933669,"creator":{"name":"","handle":""},"defaultRule":true,"description":"Critical + system binaries may have been modified","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", - ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n && process.file.path not in - [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && process.ancestors.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File - Activity","defaultRule":true,"enabled":true,"creationDate":1606142933669,"updateDate":1699605548906,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"332-1wp-nhi","attributes":{"version":1,"name":"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699375258","description":"Test - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1699375258346,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1699375258346,"filters":["os - == 
\"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"pn7-9wx-enb","attributes":{"version":1,"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1689275130","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","creationDate":1689275130893,"updateAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","updateDate":1689275130893,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"Sherzod - Karimov","handle":"sherzod.karimov@datadoghq.com"},"updater":{"name":"Sherzod - Karimov","handle":"sherzod.karimov@datadoghq.com"}},"type":"agent_rule"},{"id":"zag-uxd-4rh","attributes":{"version":1,"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1689275130","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","creationDate":1689275130586,"updateAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","updateDate":1689275130586,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"Sherzod - Karimov","handle":"sherzod.karimov@datadoghq.com"},"updater":{"name":"Sherzod - Karimov","handle":"sherzod.karimov@datadoghq.com"}},"type":"agent_rule"},{"id":"gj1-f5n-atq","attributes":{"version":1,"name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1689275129","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","creationDate":1689275130040,"updateAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","updateDate":1689275130040,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"Sherzod - Karimov","handle":"sherzod.karimov@datadoghq.com"},"updater":{"name":"Sherzod - Karimov","handle":"sherzod.karimov@datadoghq.com"}},"type":"agent_rule"},{"id":"xoa-393-gtb","attributes":{"version":1,"name":"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1689275129","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","creationDate":1689275129856,"updateAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","updateDate":1689275129856,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"Sherzod - Karimov","handle":"sherzod.karimov@datadoghq.com"},"updater":{"name":"Sherzod - Karimov","handle":"sherzod.karimov@datadoghq.com"}},"type":"agent_rule"},{"id":"wib-odd-eos","attributes":{"version":1,"name":"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1689275129","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","creationDate":1689275129533,"updateAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","updateDate":1689275129533,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"Sherzod - Karimov","handle":"sherzod.karimov@datadoghq.com"},"updater":{"name":"Sherzod - Karimov","handle":"sherzod.karimov@datadoghq.com"}},"type":"agent_rule"},{"id":"zi0-hgn-9ec","attributes":{"version":1,"name":"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1689275129","description":"Test - Agent rule","expression":"exec.file.name == 
\"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","creationDate":1689275129209,"updateAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","updateDate":1689275129209,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"Sherzod - Karimov","handle":"sherzod.karimov@datadoghq.com"},"updater":{"name":"Sherzod - Karimov","handle":"sherzod.karimov@datadoghq.com"}},"type":"agent_rule"},{"id":"oce-aqj-x6b","attributes":{"version":1,"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1689185615","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","creationDate":1689185616079,"updateAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","updateDate":1689185616079,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"Sherzod - Karimov","handle":"sherzod.karimov@datadoghq.com"},"updater":{"name":"Sherzod - Karimov","handle":"sherzod.karimov@datadoghq.com"}},"type":"agent_rule"},{"id":"cdt-p7e-q1b","attributes":{"version":1,"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1689185615","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","creationDate":1689185615169,"updateAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","updateDate":1689185615169,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"Sherzod - Karimov","handle":"sherzod.karimov@datadoghq.com"},"updater":{"name":"Sherzod - Karimov","handle":"sherzod.karimov@datadoghq.com"}},"type":"agent_rule"},{"id":"wgo-mps-djd","attributes":{"version":1,"name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1689185614","description":"My - Agent 
rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","creationDate":1689185614427,"updateAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","updateDate":1689185614427,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"Sherzod - Karimov","handle":"sherzod.karimov@datadoghq.com"},"updater":{"name":"Sherzod - Karimov","handle":"sherzod.karimov@datadoghq.com"}},"type":"agent_rule"},{"id":"odr-ipk-wvx","attributes":{"version":1,"name":"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1689185613","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","creationDate":1689185613924,"updateAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","updateDate":1689185613924,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"Sherzod - Karimov","handle":"sherzod.karimov@datadoghq.com"},"updater":{"name":"Sherzod - Karimov","handle":"sherzod.karimov@datadoghq.com"}},"type":"agent_rule"},{"id":"nb1-dkb-bwz","attributes":{"version":1,"name":"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1689185612","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","creationDate":1689185612915,"updateAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","updateDate":1689185612915,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"Sherzod - Karimov","handle":"sherzod.karimov@datadoghq.com"},"updater":{"name":"Sherzod - 
Karimov","handle":"sherzod.karimov@datadoghq.com"}},"type":"agent_rule"},{"id":"t2g-qma-f5b","attributes":{"version":1,"name":"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1689185611","description":"Test - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","creationDate":1689185611378,"updateAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","updateDate":1689185611378,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"Sherzod - Karimov","handle":"sherzod.karimov@datadoghq.com"},"updater":{"name":"Sherzod - Karimov","handle":"sherzod.karimov@datadoghq.com"}},"type":"agent_rule"},{"id":"pwg-71z-aob","attributes":{"version":1,"name":"ssl_certificate_tampering_open_v2","description":"SSL - certificates may have been tampered with","expression":"(\n open.flags - & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/etc/ssl/certs/**\", - ~\"/etc/pki/**\" ])\n)\n&& process.file.path != \"/usr/sbin/update-ca-certificates\"\n&& - process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path + ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n&& - process.file.name !~ \"runc*\"\n&& container.created_at > 180s","category":"File - Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1688748504240,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"zuq-yfd-hun","attributes":{"version":1,"name":"deploy_priv_container","description":"A - privileged container was created","expression":"exec.file.name != \"\" && - container.created_at < 1s && 
process.cap_permitted & CAP_SYS_ADMIN > 0","category":"Process - Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1688748488881,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ayp-cd9-j3f","attributes":{"version":1,"name":"network_sniffing_tool","description":"Local - account groups were enumerated after container start up","expression":"exec.file.name - in [\"tcpdump\", \"tshark\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1688748485348,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"x3k-0en-bhm","attributes":{"version":1,"name":"ssh_authorized_keys_open_v2","description":"SSH - modified keys may have been modified","expression":"(\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) - > 0 &&\n open.file.name in [ \"authorized_keys\", \"authorized_keys2\" - ] && (open.file.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" - ])\n) && container.created_at > 180s","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1688748480895,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"kmx-s3s-htb","attributes":{"version":1,"name":"nsswitch_conf_mod_open_v2","description":"nsswitch - may have been modified without authorization","expression":"(\n open.flags - & ((O_RDWR|O_WRONLY|O_CREAT)) > 0 &&\n (open.file.path in [ \"/etc/nsswitch.conf\" - ])\n) && container.created_at > 180s","category":"File 
Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1688748480617,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"fdh-b1k-i0e","attributes":{"version":1,"name":"suid_file_execution","description":"a - SUID file was executed","expression":"(setuid.euid == 0 || setuid.uid == - 0) && process.file.mode & S_ISUID > 0 && process.file.uid == 0 && process.uid - != 0 && process.file.path != \"/usr/bin/sudo\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1688748479473,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"rqu-01q-fmr","attributes":{"version":1,"name":"net_util_in_container_v2","description":"A - network utility was executed in a container","expression":"(exec.comm in [\"socat\", - \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm - in [\"wget\", \"curl\", \"lwp-download\"]) &&\ncontainer.id != \"\" && exec.args - not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ] && container.created_at - > 180s","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1688748479210,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"igw-lex-dzw","attributes":{"version":1,"name":"hidden_file_executed","description":"A - hidden file was executed in a suspicious folder","expression":"exec.file.name - =~ \".*\" && exec.file.path in [~\"/home/**\", ~\"/tmp/**\", ~\"/var/tmp/**\", - ~\"/dev/shm/**\"]","category":"Process 
Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1688748474266,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ixh-tff-n0g","attributes":{"version":1,"name":"shell_profile_modification","description":"Shell - profile was modified","expression":"open.file.path in [~\"/home/*/*profile\", - ~\"/home/*/*rc\"] && open.flags & ((O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)) > 0","category":"File - Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1688748474208,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"84k-f4f-yx8","attributes":{"version":4,"name":"python_cli_code","description":"Python - code was provided on the command line","expression":"exec.file.name == ~\"python*\" - && exec.args_flags in [\"c\"] && exec.args in [~\"*-c*SOCK_STREAM*\", ~\"*-c*subprocess*\", - \"*-c*/bash*\", \"*-c*/bin/sh*\", \"*-c*pty.spawn*\"] && exec.args !~ \"*setuptools*\"","category":"Process - Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1688748470573,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"llh-ylu-udm","attributes":{"version":1,"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1688740628","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1688740629202,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1688740629202,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"tfj-qbi-njb","attributes":{"version":1,"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1688740550","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1688740550818,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1688740550818,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"otj-idk-ece","attributes":{"version":1,"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1688740379","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1688740379706,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1688740379706,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"l88-cpw-jvx","attributes":{"version":1,"name":"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1688739737","description":"Test - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1688739737197,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1688739737197,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"kcw-scc-5ve","attributes":{"version":1,"name":"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1688677455","description":"Test - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1688677455854,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1688677455854,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"lg7-iv9-wts","attributes":{"version":1,"name":"sudoers_policy_modified_utimes","description":"Sudoers - policy file may have been modified without authorization","expression":"(\n (utimes.file.path - == \"/etc/sudoers\")\n) && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", - \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","category":"File - Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1684185006444,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"lxo-jgz-gtv","attributes":{"version":1,"name":"sudoers_policy_modified_chown","description":"Sudoers - policy file may have been modified without authorization","expression":"(\n (chown.file.path - == \"/etc/sudoers\")\n) && 
(chown.file.destination.uid != chown.file.uid || - chown.file.destination.gid != chown.file.gid)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1684185001787,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"vu4-g2z-6yx","attributes":{"version":1,"name":"user_deleted_tty","description":"A - user was deleted via an interactive session","expression":"exec.file.name - in [\"userdel\", \"deluser\"] && exec.tty_name !=\"\" && process.ancestors.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","category":"Process - Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1684185000708,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"dgj-0mh-asf","attributes":{"version":1,"name":"sudoers_policy_modified_unlink","description":"Sudoers - policy file may have been modified without authorization","expression":"(\n (unlink.file.path - == \"/etc/sudoers\")\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1684184996909,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"6t0-pxf-oag","attributes":{"version":1,"name":"curl_docker_socket","description":"The - Docker socket was referenced in a cURL command","expression":"exec.file.name - == \"curl\" && exec.args_flags in [\"unix-socket\"] && exec.args in [\"*docker.sock*\"] - && container.id != \"\"","category":"Process 
Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1684184996292,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"07x-ilo-vbw","attributes":{"version":1,"name":"sudoers_policy_modified_rename","description":"Sudoers - policy file may have been modified without authorization","expression":"(\n (rename.file.path - == \"/etc/sudoers\"\n || rename.file.destination.path == \"/etc/sudoers\")\n)","category":"File - Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1684184995498,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"vbb-8oz-uj8","attributes":{"version":1,"name":"read_release_info","description":"OS - information was read from the /etc/lsb-release file","expression":"open.file.path - == \"/etc/lsb-release\" && open.flags & O_RDONLY > 0","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1684184994303,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"hxb-abz-bnu","attributes":{"version":1,"name":"sudoers_policy_modified_chmod","description":"Sudoers - policy file may have been modified without authorization","expression":"(\n (chmod.file.path - == \"/etc/sudoers\") \n) && chmod.file.destination.mode != chmod.file.mode - && process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \u0026\u0026 + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","category":"File - 
Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1684184993817,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"wxp-zv6-mdg","attributes":{"version":1,"name":"kmod_list","description":"Kernel - modules were listed using the kmod command","expression":"exec.comm == \"kmod\" - && exec.args in [~\"*list*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1684184992493,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"0on-nzp-luo","attributes":{"version":1,"name":"sudoers_policy_modified_open","description":"Sudoers - policy file may have been modified without authorization","expression":"\n(open.flags - & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n(open.file.path == \"/etc/sudoers\")) - && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", - \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1684184992340,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"rsp-g6i-jdi","attributes":{"version":1,"name":"service_stop","description":"systemctl - used to stop a service","expression":"exec.file.name == \"systemctl\" && exec.args - in [~\"*stop*\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1684184991238,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"d5p-vk6-w0f","attributes":{"version":1,"name":"exec_lsmod","description":"Kernel - modules were listed using the lsmod 
command","expression":"exec.comm == \"lsmod\"","category":"Process - Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1684184990877,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ich-3ke-cor","attributes":{"version":1,"name":"sudoers_policy_modified_link","description":"Sudoers - policy file may have been modified without authorization","expression":"(\n (link.file.path - == \"/etc/sudoers\"\n || link.file.destination.path == \"/etc/sudoers\")\n)","category":"File - Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1684184985910,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"zdy-kcq-q0v","attributes":{"version":1,"name":"read_kubeconfig","description":"The - kubeconfig file was accessed","expression":"open.file.path in [~\"/home/*/.kube/config\", - \"/root/.kube/config\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1684184984191,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"yij-lei-ykx","attributes":{"version":1,"name":"exec_whoami","description":"The - whoami command was executed","expression":"exec.comm == \"whoami\"","category":"Process - Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1684184982050,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"fjh-jmi-fbi","attributes":{"version":1,"name":"auditd_rule_file_modified","description":"The - auditd rules file was modified without using auditctl","expression":"open.file.path - in [\"/etc/audit/rules.d/audit.rules\", \"/etc/audit/audit.rules\"] && open.flags - & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && 
process.file.name != \"auditctl\"","category":"File - Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1681490457848,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"div-3ym-esz","attributes":{"version":1,"name":"auditd_config_modified","description":"The - auditd configuration file was modified without using auditctl","expression":"open.file.path - == \"/etc/audit/auditd.conf\" && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) - > 0 && process.file.name != \"auditctl\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1681490453830,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"swo-jyw-vtb","attributes":{"version":5,"name":"aws_eks_service_account_token_accessed","description":"The - AWS EKS service account token was accessed","expression":"open.file.path =~ - \"/var/run/secrets/eks.amazonaws.com/serviceaccount/**\" && open.file.name - == \"token\" && process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", - \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", - \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\", - \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", - \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", - \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1681490453789,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"2p0-3i2-b4y","attributes":{"version":9,"name":"ssl_certificate_tampering_open","description":"SSL - certificates may have been tampered 
with","expression":"(\n open.flags - & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/etc/ssl/certs/**\", - ~\"/etc/pki/**\" ])\n)\n&& process.file.path != \"/usr/sbin/update-ca-certificates\"\n&& - process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os + == \"linux\""],"name":"pci_11_5_critical_binaries_utimes","updateDate":1749232337174,"updater":{"name":"","handle":""},"version":6}},{"id":"ki2-nwj-sot","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":1606142958657,"creator":{"name":"","handle":""},"defaultRule":true,"description":"nsswitch + may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path + in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 chmod.file.destination.mode + != chmod.file.mode \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_chmod","updateDate":1749232336676,"updater":{"name":"","handle":""},"version":5}},{"id":"div-3ym-esz","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"The + auditd configuration file was modified without using auditctl","enabled":true,"expression":"open.file.path + == \"/etc/audit/auditd.conf\" \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) + \u003e 0 \u0026\u0026 process.file.name != \"auditctl\"","filters":["os == + 
\"linux\""],"name":"auditd_config_modified","updateDate":1749232336672,"updater":{"name":"","handle":""},"version":2}},{"id":"lxo-jgz-gtv","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"Sudoers + policy file may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path + in [\"/etc/sudoers\", ~\"/etc/sudoers.d/*\"])\n) \u0026\u0026 (chown.file.destination.uid + != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os + == \"linux\""],"name":"sudoers_policy_modified_chown","updateDate":1749232336672,"updater":{"name":"","handle":""},"version":2}},{"id":"t8w-eul-chf","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"A + service may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path + in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\", + ~\"/usr/local/lib/systemd/system/**\", ~\"/run/systemd/system/**\"] || utimes.file.path + in [ ~\"/etc/systemd/user/**\", ~\"/usr/lib/systemd/user/**\", ~\"/home/*/.config/systemd/user/**\", + ~\"/home/*/.local/share/systemd/user/**\", ~\"/run/systemd/user/**\"])\n \u0026\u0026 + process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os + == \"linux\""],"name":"systemd_modification_utimes","updateDate":1749232290939,"updater":{"name":"","handle":""},"version":8}},{"id":"rws-z9b-qjv","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + 
Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"Possible + ransomware note created under common user directories","enabled":true,"expression":"open.flags + \u0026 O_CREAT \u003e 0\n\u0026\u0026 open.file.path in [~\"/home/**\", ~\"/root/**\", + ~\"/bin/**\", ~\"/usr/bin/**\", ~\"/opt/**\", ~\"/etc/**\", ~\"/var/log/**\", + ~\"/var/lib/log/**\", ~\"/var/backup/**\", ~\"/var/www/**\"]\n\u0026\u0026 + (open.file.name in [r\"(?i)(restore|recover|instruction|help|how_to|how\\ + to|ransom).*(your_|recover|crypt|lock|ransom|instruction|files)\"] || open.file.name + in [r\"RECOVER.*\\.txt\"]) \u0026\u0026 open.file.name not in [r\"\\.lock$\"]","filters":["os + == \"linux\""],"name":"ransomware_note","updateDate":1749232290803,"updater":{"name":"","handle":""},"version":2}},{"id":"atu-tci-bjn","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":1606142961130,"creator":{"name":"","handle":""},"defaultRule":true,"description":"An + unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (unlink.file.path + in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n \u0026\u0026 + process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 + process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", + \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os + == \"linux\""],"name":"cron_at_job_creation_unlink","updateDate":1749232289522,"updater":{"name":"","handle":""},"version":8}},{"id":"cyq-zts-9vf","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"Process + matches known relay attack 
tool","enabled":true,"expression":"exec.file.name + in [~\"*PetitPotam*\", ~\"*RottenPotato*\", ~\"*HotPotato*\", ~\"*JuicyPotato*\", + ~\"*just_dce_*\", ~\"*Juicy Potato*\", \"rot.exe\", \"Potato.exe\", \"SpoolSample.exe\", + \"Responder.exe\", ~\"*smbrelayx*\", ~\"*smbrelayx*\", ~\"*ntlmrelayx*\", + ~\"*LocalPotato*\"] || exec.cmdline in [~\"*Invoke-Tater*\", ~\"*smbrelay*\", + ~\"*ntlmrelay*\", ~\"*cme smb*\", ~\"*ntlm:NTLMhash*\", ~\"*Invoke-PetitPotam*\"]","filters":["os + == \"windows\""],"name":"relay_attack_tool_execution","updateDate":1749232288712,"updater":{"name":"","handle":""},"version":1}},{"id":"d6x-aku-m2l","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"A + process attempted to overwrite the container entrypoint","enabled":true,"expression":"open.file.path + == \"/proc/self/fd/1\" \u0026\u0026 open.flags \u0026 O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY + \u003e 0 \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"name":"overwrite_entrypoint","updateDate":1749232287873,"updater":{"name":"","handle":""},"version":1}},{"id":"jjg-cwd-bi8","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"Critical + system binaries may have been modified","enabled":true,"expression":"(\n open.flags + \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.path + in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", + ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n&& - process.file.name !~ 
\"runc*\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1681490451189,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ybu-yya-acz","attributes":{"version":9,"name":"ssl_certificate_tampering_chmod","description":"SSL - certificates may have been tampered with","expression":"(\n (chmod.file.path - in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \u0026\u0026 + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) + \u0026\u0026 container.id != \"\" \u0026\u0026 container.created_at \u003e + 90s","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_open_v2","updateDate":1749232277186,"updater":{"name":"","handle":""},"version":3}},{"id":"vei-wlu-ojy","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"Windows + Known DLLs location registry key modified","enabled":true,"expression":"set.registry.key_path + in [~\"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\KnownDLLs*\"]","filters":["os + == \"windows\""],"name":"known_dll_registry_key_modified","updateDate":1749232277181,"updater":{"name":"","handle":""},"version":1}},{"id":"yly-big-wfq","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":1606142933669,"creator":{"name":"","handle":""},"defaultRule":true,"description":"Critical + system binaries may have been 
modified","enabled":true,"expression":"(\n (chown.file.path + in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", + ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) - && chmod.file.mode != chmod.file.destination.mode\n&& process.file.path != - \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n&& + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n&& process.file.name - !~ \"runc*\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":1606142980369,"updateDate":1681490448291,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"kek-yib-peb","attributes":{"version":2,"name":"shell_history_deleted","description":"Shell - History was Deleted","expression":"(unlink.file.name =~ r\".([dbazfi]*sh)(_history)$\") - && process.comm not in [\"dockerd\", \"containerd\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1681490445819,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"w07-amm-bxr","attributes":{"version":10,"name":"ssl_certificate_tampering_utimes","description":"SSL - certificates may have been tampered with","expression":"(\n (utimes.file.path - in [ 
~\"/etc/ssl/certs/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) + \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid + != chown.file.gid)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_chown","updateDate":1749232277090,"updater":{"name":"","handle":""},"version":7}},{"id":"nej-iw4-adk","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":1606142954844,"creator":{"name":"","handle":""},"defaultRule":true,"description":"SSH + modified keys may have been modified","enabled":true,"expression":"(\n open.flags + \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.name + in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (open.file.path + in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os + == \"linux\""],"name":"ssh_authorized_keys_open","updateDate":1749232241422,"updater":{"name":"","handle":""},"version":4}},{"id":"hxb-abz-bnu","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"Sudoers + policy file may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path + in [\"/etc/sudoers\", ~\"/etc/sudoers.d/*\"])\n) \u0026\u0026 chmod.file.destination.mode + != chmod.file.mode \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", - ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n&& - process.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path - != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path not - in [~\"/usr/bin/apt*\", 
\"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n&& - process.file.name !~ \"runc*\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1681490443753,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"pti-xku-k7y","attributes":{"version":3,"name":"shell_history_truncated","description":"Shell - History was Deleted","expression":"open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) - > 0 && open.file.name =~ r\".([dbazfi]*sh)(_history)$\" && open.file.path - in [~\"/root/*\", ~\"/home/**\"] && process.file.name == \"truncate\"","category":"File - Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1681490441112,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"jin-icc-lpi","attributes":{"version":8,"name":"ssl_certificate_tampering_unlink","description":"SSL - certificates may have been tampered with","expression":"(\n (unlink.file.path - in [ ~\"/etc/ssl/certs/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", + ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", + \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"sudoers_policy_modified_chmod","updateDate":1749232240734,"updater":{"name":"","handle":""},"version":2}},{"id":"eoy-4fe-q7q","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":1598516746271,"creator":{"name":"","handle":""},"defaultRule":true,"description":"Sensitive + credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (chown.file.path + in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path + not in [ \"/sbin/vipw\", 
\"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", + \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", + \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid + != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os + == \"linux\""],"name":"credential_modified_chown","updateDate":1749232236504,"updater":{"name":"","handle":""},"version":12}},{"id":"bgs-kbk-xkh","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"A + service may have been modified without authorization","enabled":true,"expression":"(\n ( link.file.path + in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\", + ~\"/usr/local/lib/systemd/system/**\", ~\"/run/systemd/system/**\"]\n || + link.file.destination.path in [ ~\"/etc/systemd/user/**\", ~\"/usr/lib/systemd/user/**\", + ~\"/home/*/.config/systemd/user/**\", ~\"/home/*/.local/share/systemd/user/**\", + ~\"/run/systemd/user/**\"] \n || link.file.destination.path in [ ~\"/lib/systemd/system/**\", + ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\", ~\"/usr/local/lib/systemd/system/**\", + ~\"/run/systemd/system/**\"] \n || link.file.path in [ ~\"/etc/systemd/user/**\", + ~\"/usr/lib/systemd/user/**\", ~\"/home/*/.config/systemd/user/**\", ~\"/home/*/.local/share/systemd/user/**\", + ~\"/run/systemd/user/**\"])\n \u0026\u0026 process.file.path not 
in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", - ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n&& - process.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path - != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path not - in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n&& - process.file.name !~ \"runc*\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":1606142980369,"updateDate":1681490440557,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"aby-cmp-yrd","attributes":{"version":2,"name":"dynamic_linker_config_write","description":"A - process wrote to a dynamic linker config file","expression":"open.file.path - in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", \"/etc/ld.so.conf.d/*.conf\"] - && open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 && process.file.path + ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", + \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"systemd_modification_link","updateDate":1749232236046,"updater":{"name":"","handle":""},"version":8}},{"id":"pnv-bxc-sbp","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"a + critical windows file was modified","enabled":true,"expression":"write.file.device_path + in [~\"\\Device\\*\\windows\\system32\\**\"]","filters":["os == 
\"windows\""],"name":"critical_windows_files_modified","updateDate":1749232205582,"updater":{"name":"","handle":""},"version":1}},{"id":"eay-ery-jdc","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"Dotnet_dump + was used to dump a process memory","enabled":true,"expression":"exec.cmdline + =~ \"*dotnet-dump*\" \u0026\u0026 exec.cmdline =~ \"*collect*\"","filters":["os + == \"windows\""],"name":"dotnet_dump_execution","updateDate":1749232205568,"updater":{"name":"","handle":""},"version":1}},{"id":"xhw-6bw-uk0","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"Windows + RPC COM debugging registry key modified","enabled":true,"expression":"set.registry.key_path + in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows*\"]","filters":["os + == \"windows\""],"name":"windows_com_rpc_debugging_registry_key_modified","updateDate":1749232204661,"updater":{"name":"","handle":""},"version":1}},{"id":"cj8-z89-sqt","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"Windows + winlogon registry key modified","enabled":true,"expression":"set.registry.key_path + in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon*\"]","filters":["os + == \"windows\""],"name":"winlogon_registry_key_modified","updateDate":1749232204661,"updater":{"name":"","handle":""},"version":1}},{"id":"fpw-paa-smb","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":1598516746168,"creator":{"name":"","handle":""},"defaultRule":true,"description":"A + new kernel module was 
added","enabled":true,"expression":"(\n (utimes.file.path + in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path + != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_utimes","updateDate":1749232192112,"updater":{"name":"","handle":""},"version":11}},{"id":"vlh-msh-elx","type":"agent_rule","attributes":{"actions":[{"hash":{}}],"agentConstraint":"","category":"File + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"Redis + module has been created","enabled":true,"expression":"(open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) + \u003e 0 \u0026\u0026 open.file.path =~ \"/tmp/**\" \u0026\u0026 open.file.name + in [~\"*.rdb\", ~\"*.aof\", ~\"*.so\"]) \u0026\u0026 process.file.name in + [\"redis-check-rdb\", \"redis-server\"]","filters":["os == \"linux\""],"name":"redis_save_module","updateDate":1749232190855,"updater":{"name":"","handle":""},"version":2}},{"id":"kxs-kt6-5gt","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"A + service may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path + in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\", + ~\"/usr/local/lib/systemd/system/**\", ~\"/run/systemd/system/**\"] || 
unlink.file.path + in [ ~\"/etc/systemd/user/**\", ~\"/usr/lib/systemd/user/**\", ~\"/home/*/.config/systemd/user/**\", + ~\"/home/*/.local/share/systemd/user/**\", ~\"/run/systemd/user/**\"])\n \u0026\u0026 + process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os + == \"linux\""],"name":"systemd_modification_unlink","updateDate":1749232190582,"updater":{"name":"","handle":""},"version":8}},{"id":"84k-f4f-yx8","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"Python + code was provided on the command line","enabled":true,"expression":"exec.file.name + == ~\"python*\" \u0026\u0026 exec.args_flags in [\"c\"] \u0026\u0026 exec.args + in [~\"*-c*SOCK_STREAM*\", ~\"*-c*subprocess*\", ~\"*-c*/bash*\", ~\"*-c*/bin/sh*\", + ~\"*-c*pty.spawn*\"] \u0026\u0026 exec.args !~ \"*setuptools*\"","filters":["os + == \"linux\""],"name":"python_cli_code","updateDate":1749232190580,"updater":{"name":"","handle":""},"version":5}},{"id":"x3k-0en-bhm","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"SSH + modified keys may have been modified","enabled":true,"expression":"(\n open.flags + \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.name + in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (open.file.path + in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) + \u0026\u0026 container.id != \"\" \u0026\u0026 container.created_at \u003e + 90s","filters":["os == 
\"linux\""],"name":"ssh_authorized_keys_open_v2","updateDate":1749232190516,"updater":{"name":"","handle":""},"version":2}},{"id":"psd-3el-h33","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":1598516746271,"creator":{"name":"","handle":""},"defaultRule":true,"description":"Sensitive + credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (utimes.file.path + in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path + not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\"] && process.ancestors.file.path not in - [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", - \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", - \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", - \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", - \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1681490436787,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"7nq-ugi-gu1","attributes":{"version":8,"name":"ssl_certificate_tampering_link","description":"SSL - certificates may have been tampered with","expression":"(\n (link.file.path - in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || link.file.destination.path - in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n && process.file.path + \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", + \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", + \"/usr/sbin/chpasswd\", 
\"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && - process.file.path != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path - != \"/usr/sbin/update-ca-certificates\"\n && process.ancestors.file.path + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"credential_modified_utimes","updateDate":1749232187098,"updater":{"name":"","handle":""},"version":10}},{"id":"dgj-0mh-asf","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"Sudoers + policy file may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path + in [\"/etc/sudoers\", ~\"/etc/sudoers.d/*\"])\n)","filters":["os == \"linux\""],"name":"sudoers_policy_modified_unlink","updateDate":1749232187098,"updater":{"name":"","handle":""},"version":2}},{"id":"uuf-w3c-u9q","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"A + scheduled task was created","enabled":true,"expression":"exec.cmdline in [~\"*at.exe\",~\"*schtasks*\"] + \u0026\u0026 exec.cmdline =~ \"*create*\"","filters":["os == \"windows\""],"name":"scheduled_task_creation","updateDate":1749232187097,"updater":{"name":"","handle":""},"version":2}},{"id":"47p-vyr-rfx","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"Process + executed with arguments common with Inveigh tool 
usage","enabled":true,"expression":"exec.cmdline + in [~\"*SpooferIP*\", ~\"*ReplyToIPs*\", ~\"*ReplyToDomains*\", ~\"*ReplyToMACs*\", + ~\"*SnifferIP*\"]","filters":["os == \"windows\""],"name":"inveigh_tool_usage","updateDate":1749232184204,"updater":{"name":"","handle":""},"version":1}},{"id":"c4t-pxu-ixk","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":1598516746168,"creator":{"name":"","handle":""},"defaultRule":true,"description":"A + new kernel module was added","enabled":true,"expression":"(\n (unlink.file.path + in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && - process.file.name !~ \"runc*\"\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":1606142980369,"updateDate":1681490436302,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"qzs-yvl-f4t","attributes":{"version":8,"name":"ssl_certificate_tampering_rename","description":"SSL - certificates may have been tampered with","expression":"(\n (rename.file.path + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path + != \"/usr/bin/kmod\"\n)","filters":["os == 
\"linux\""],"name":"kernel_module_unlink","updateDate":1749232167527,"updater":{"name":"","handle":""},"version":11}},{"id":"i0s-yb1-hnl","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"Exfiltration + attempt via network utility","enabled":true,"expression":"exec.comm in [\"wget\", + \"curl\", \"lwp-download\"] \u0026\u0026\nexec.args_options in [ ~\"post-file=*\", + ~\"post-data=*\", ~\"T=*\", ~\"d=@*\", ~\"upload-file=*\", ~\"F=file*\"] \u0026\u0026\nexec.args + not in [~\"*localhost*\", ~\"*127.0.0.1*\"]","filters":["os == \"linux\""],"name":"net_util_exfiltration","updateDate":1749232167524,"updater":{"name":"","handle":""},"version":5}},{"id":"vu4-g2z-6yx","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"A + user was deleted via an interactive session","enabled":true,"expression":"exec.file.name + in [\"userdel\", \"deluser\"] \u0026\u0026 exec.tty_name !=\"\" \u0026\u0026 + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os + == \"linux\""],"name":"user_deleted_tty","updateDate":1749232147434,"updater":{"name":"","handle":""},"version":2}},{"id":"qzs-yvl-f4t","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":1606142980369,"creator":{"name":"","handle":""},"defaultRule":true,"description":"SSL + certificates may have been tampered with","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || rename.file.destination.path - in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" 
])\n && process.file.path + in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 process.file.path + != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path + != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n&& - process.file.path != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path - != \"/usr/sbin/update-ca-certificates\"\n&& process.ancestors.file.path not + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ + \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_rename","updateDate":1749232147409,"updater":{"name":"","handle":""},"version":9}},{"id":"3tj-btx-kvo","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationDate":1617722067648,"creator":{"name":"","handle":""},"defaultRule":true,"description":"Package + management was detected in a container","enabled":true,"expression":"exec.file.path in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n&& - process.file.name !~ \"runc*\"","category":"File 
Activity","defaultRule":true,"enabled":true,"creationDate":1606142980369,"updateDate":1681490435881,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"9hn-ukg-ek1","attributes":{"version":1,"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1681222899","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1681222899530,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1681222899530,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"ulc-8ym-1ch","attributes":{"version":1,"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1681222899","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1681222899155,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1681222899155,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"zja-jqt-rpm","attributes":{"version":1,"name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1681222898","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1681222898613,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1681222898613,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"2ov-h11-m4w","attributes":{"version":1,"name":"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1681222898","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1681222898408,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1681222898408,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"shb-0xv-eib","attributes":{"version":1,"name":"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1681222897","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1681222898061,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1681222898061,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"psp-nbn-dtg","attributes":{"version":1,"name":"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1681222897","description":"Test - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1681222897739,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1681222897739,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"mcq-6by-989","attributes":{"version":1,"name":"testupdateacloudworkloadsecurityagentrulereturnsokresponse1677856493","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1677856493876,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1677856493876,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"tci-5f7-cis","attributes":{"version":1,"name":"testupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1677856492","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1677856492960,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1677856492960,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"mey-lit-gzs","attributes":{"version":1,"name":"testgetallcloudworkloadsecurityagentrulesreturnsokresponse1677856491","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1677856491445,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1677856491445,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"4ve-rws-nw0","attributes":{"version":1,"name":"testgetacloudworkloadsecurityagentrulereturnsokresponse1677856490","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1677856490988,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1677856490988,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"9aa-y0q-rrc","attributes":{"version":1,"name":"testdeleteacloudworkloadsecurityagentrulereturnsokresponse1677856490","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1677856490077,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1677856490077,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"tvd-3p1-cai","attributes":{"version":1,"name":"testcreateacloudworkloadsecurityagentrulereturnsokresponse1677856489","description":"Test - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1677856489180,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1677856489180,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"asy-mod-zmt","attributes":{"version":5,"name":"user_created_tty","description":"A - user was created via an interactive session","expression":"exec.file.name - in [\"useradd\", \"newusers\", \"adduser\"] && exec.tty_name !=\"\" && process.ancestors.file.path + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 container.id != \"\"","filters":["os + == \"linux\""],"name":"package_management_in_container","updateDate":1749232147395,"updater":{"name":"","handle":""},"version":6}},{"id":"rm1-b8h-cec","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":1606142933669,"creator":{"name":"","handle":""},"defaultRule":true,"description":"Critical + system binaries may have been modified","enabled":true,"expression":"(\n (link.file.path + in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", + ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || link.file.destination.path + in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", + ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] - && exec.args_flags not in [\"D\"]","category":"Process 
Activity","defaultRule":true,"enabled":true,"creationDate":1627392836979,"updateDate":1677793421528,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"rek-wb4-s7y","attributes":{"version":7,"name":"systemd_modification_rename","description":"A - service may have been modified without authorization","expression":"(\n (rename.file.path - in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" - ]\n || rename.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", - ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", - \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", - ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File - Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1677793418528,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"4fh-bb7-747","attributes":{"version":11,"name":"credential_modified_chmod","description":"Sensitive - credential files were modified using a non-standard tool","expression":"(\n (chmod.file.path - in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in - [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", - \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", - \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", 
\"/usr/lib/snapd/snapd\"]\n) - && chmod.file.destination.mode != chmod.file.mode","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":1598516746271,"updateDate":1677793414173,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"yiy-mba-pny","attributes":{"version":5,"name":"common_net_intrusion_util","description":"A - network utility (nmap) commonly used in intrusion attacks was executed","expression":"exec.file.name - in [\"nmap\", \"masscan\", \"fping\", \"zgrab\", \"zgrab2\", \"rustscan\", - \"pnscan\"] && exec.args_flags not in [\"V\", \"version\"]","category":"Process - Activity","defaultRule":true,"enabled":true,"creationDate":1617722067554,"updateDate":1677793413474,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"3tj-btx-kvo","attributes":{"version":5,"name":"package_management_in_container","description":"Package - management was detected in a container","expression":"exec.file.path in [~\"/usr/bin/apt*\", - \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", - ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] - && container.id != \"\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":1617722067648,"updateDate":1677793413044,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"oio-i4o-xzw","attributes":{"version":1,"name":"tty_shell_in_container","description":"A - shell with a TTY was executed in a container","expression":"exec.file.path - in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n 
\"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" - ] && process.tty_name != \"\" && process.container.id != \"\"","category":"Process - Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1677793412844,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"qdc-oqx-zsx","attributes":{"version":8,"name":"systemd_modification_chown","description":"A - service may have been modified without authorization","expression":"(\n (chown.file.path - in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" - ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) && (chown.file.destination.uid - != chown.file.uid || chown.file.destination.gid != chown.file.gid)","category":"File - Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1677793412379,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"pwh-omk-qrr","attributes":{"version":3,"name":"new_binary_execution_in_container","description":"A - container executed a new binary not found in the container image","expression":"container.id - != \"\" && process.file.in_upper_layer && process.file.modification_time < - 30s && exec.file.name != \"\"","category":"Process 
Activity","defaultRule":true,"enabled":true,"creationDate":1652129906455,"updateDate":1677793412378,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"bgs-kbk-xkh","attributes":{"version":7,"name":"systemd_modification_link","description":"A - service may have been modified without authorization","expression":"(\n (link.file.path - in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" - ]\n || link.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", - ~\"/etc/systemd/system/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", - \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", - ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File - Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1677793412375,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"tmh-now-e61","attributes":{"version":6,"name":"pci_11_5_critical_binaries_open","description":"Critical - system binaries may have been modified","expression":"(\n open.flags & - (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) > 0 &&\n open.file.path in [ ~\"/bin/*\", - ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", - ~\"/boot/**\" ]\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", - \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n && + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - 
\"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File - Activity","defaultRule":true,"enabled":true,"creationDate":1606142933669,"updateDate":1677793410974,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"kxs-kt6-5gt","attributes":{"version":7,"name":"systemd_modification_unlink","description":"A - service may have been modified without authorization","expression":"(\n (unlink.file.path - in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" - ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File - Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1677793406609,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ohp-ags-xpk","attributes":{"version":4,"name":"pam_modification_utimes","description":"PAM - may have been modified without authorization","expression":"(\n (utimes.file.path - in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) && process.file.path not - in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os + == \"linux\""],"name":"pci_11_5_critical_binaries_link","updateDate":1749232147394,"updater":{"name":"","handle":""},"version":6}},{"id":"1vg-wvn-jeo","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":1606142933669,"creator":{"name":"","handle":""},"defaultRule":true,"description":"Critical + system binaries may have been modified","enabled":true,"expression":"(\n (rename.file.path + in [ 
~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", + ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || rename.file.destination.path + in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", + ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":1606142936138,"updateDate":1677793405837,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"t8w-eul-chf","attributes":{"version":7,"name":"systemd_modification_utimes","description":"A - service may have been modified without authorization","expression":"(\n (utimes.file.path - in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" - ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \u0026\u0026 + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File - Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1677793405627,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ay7-jkz-rda","attributes":{"version":10,"name":"credential_modified_unlink","description":"Sensitive - credential files were modified using a non-standard tool","expression":"(\n (unlink.file.path - in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in 
- [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os + == \"linux\""],"name":"pci_11_5_critical_binaries_rename","updateDate":1749232103404,"updater":{"name":"","handle":""},"version":6}},{"id":"6t0-pxf-oag","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"A + container management socket was referenced in a cURL command","enabled":true,"expression":"exec.file.name + == \"curl\" \u0026\u0026 exec.args_flags in [\"unix-socket\"] \u0026\u0026 + exec.args in [~\"*docker.sock*\", ~\"*dockershim.sock*\", ~\"*containerd.sock*\", + ~\"*crio.sock*\", ~\"*frakti.sock*\", ~\"*rktlet.sock*\"] \u0026\u0026 container.id + != \"\"","filters":["os == \"linux\""],"name":"curl_mgmt_socket","updateDate":1749232103400,"updater":{"name":"","handle":""},"version":2}},{"id":"0gu-pqy-o1a","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":1606142961130,"creator":{"name":"","handle":""},"defaultRule":true,"description":"An + unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (link.file.path + in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"]\n || + link.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", + ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", + \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\"]","filters":["os == 
\"linux\""],"name":"cron_at_job_creation_link","updateDate":1749232103394,"updater":{"name":"","handle":""},"version":8}},{"id":"ac4-asc-qi4","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":1598516746271,"creator":{"name":"","handle":""},"defaultRule":true,"description":"Sensitive + credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (rename.file.path + in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || rename.file.destination.path + in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path + not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", - \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path + \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File - Activity","defaultRule":true,"enabled":true,"creationDate":1598516746271,"updateDate":1677793404797,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"fpw-paa-smb","attributes":{"version":10,"name":"kernel_module_utimes","description":"A - new kernel module was added","expression":"(\n (utimes.file.path in [ ~\"/lib/modules/**\", - ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", - \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", - ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", 
\"/usr/lib/snapd/snapd\"]\n && + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"credential_modified_rename","updateDate":1749232103392,"updater":{"name":"","handle":""},"version":11}},{"id":"9ih-87r-xrp","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"A + Registry runkey has been modified","enabled":true,"expression":"set.registry.key_path + in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\", + ~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Runonce\", + ~\"HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\", + ~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal + Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\", ~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows + NT\\CurrentVersion\\Terminal Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\Runonce\", + ~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal + Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\RunonceEx\"]","filters":["os + == \"windows\""],"name":"registry_runkey_modified","updateDate":1749232103386,"updater":{"name":"","handle":""},"version":2}},{"id":"kmx-s3s-htb","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"nsswitch + may have been modified without authorization","enabled":true,"expression":"(\n open.flags + \u0026 ((O_RDWR|O_WRONLY|O_CREAT)) \u003e 0 \u0026\u0026\n (open.file.path + in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 container.id != \"\" \u0026\u0026 + container.created_at \u003e 90s \u0026\u0026 process.file.path not 
in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_open_v2","updateDate":1749232103384,"updater":{"name":"","handle":""},"version":2}},{"id":"mhl-gkn-bun","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":1606142933669,"creator":{"name":"","handle":""},"defaultRule":true,"description":"Critical + system binaries may have been modified","enabled":true,"expression":"(\n (unlink.file.path + in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", + ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path - != \"/usr/bin/kmod\"\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":1598516746168,"updateDate":1677793402985,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"c4t-pxu-ixk","attributes":{"version":10,"name":"kernel_module_unlink","description":"A - new kernel module was added","expression":"(\n (unlink.file.path in [ ~\"/lib/modules/**\", - ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", - \"/usr/bin/dpkg\", \"/usr/bin/rpm\", 
\"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", - ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os + == \"linux\""],"name":"pci_11_5_critical_binaries_unlink","updateDate":1749232103382,"updater":{"name":"","handle":""},"version":7}},{"id":"tkp-w9m-vzp","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"Safeboot + registry modified","enabled":true,"expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SafeBoot\"]","filters":["os + == \"windows\""],"name":"safeboot_modification","updateDate":1749232103378,"updater":{"name":"","handle":""},"version":2}},{"id":"kek-yib-peb","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"Shell + History was Deleted","enabled":true,"expression":"unlink.file.name in [\".bash_history\", + \".zsh_history\", \".fish_history\", \"fish_history\", \".dash_history\", + \".sh_history\"] \u0026\u0026 unlink.file.path in [~\"/root/**\", ~\"/home/**\"] + \u0026\u0026 process.comm not in [\"dockerd\", \"containerd\"]","filters":["os + == \"linux\""],"name":"shell_history_deleted","updateDate":1749232103375,"updater":{"name":"","handle":""},"version":3}},{"id":"0on-nzp-luo","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"Sudoers + policy file may have been modified without authorization","enabled":true,"expression":"(open.flags + \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n(open.file.path + in [\"/etc/sudoers\", ~\"/etc/sudoers.d/*\"])) 
\u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"sudoers_policy_modified_open","updateDate":1749232103374,"updater":{"name":"","handle":""},"version":2}},{"id":"kzh-5hn-edg","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":1606142933669,"creator":{"name":"","handle":""},"defaultRule":true,"description":"Critical + system binaries may have been modified","enabled":true,"expression":"(\n (chmod.file.path + in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", + ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path - != \"/usr/bin/kmod\"\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":1598516746168,"updateDate":1677793402725,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ec9-vff-7ni","attributes":{"version":9,"name":"kernel_module_link","description":"A - new kernel module was added","expression":"(\n (link.file.path in [ ~\"/lib/modules/**\", - ~\"/usr/lib/modules/**\" ]\n || link.file.destination.path in [ ~\"/lib/modules/**\", - ~\"/usr/lib/modules/**\" ])\n && 
process.file.path not in [~\"/usr/bin/apt*\", - \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", - ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && - process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) + \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os + == \"linux\""],"name":"pci_11_5_critical_binaries_chmod","updateDate":1749232103371,"updater":{"name":"","handle":""},"version":7}},{"id":"2p0-3i2-b4y","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"SSL + certificates may have been tampered with","enabled":true,"expression":"(\n open.flags + \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path + in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n)\n\u0026\u0026 process.file.path + != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path + != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ + \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_open","updateDate":1749232035236,"updater":{"name":"","handle":""},"version":10}},{"id":"q7y-2ci-hkh","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Network + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"A + DNS lookup was done for a pastebin-like site","enabled":true,"expression":"dns.question.name + in [\"pastebin.com\", \"ghostbin.com\", 
\"termbin.com\", \"klgrth.io\", \"rentry.co\", + \"transfer.sh\"] \u0026\u0026 process.file.name != \"\"","filters":["os == + \"linux\""],"name":"paste_site","updateDate":1749232034921,"updater":{"name":"","handle":""},"version":2}},{"id":"pti-xku-k7y","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"Shell + History was Deleted","enabled":true,"expression":"open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) + \u003e 0 \u0026\u0026 open.file.name in [\".bash_history\", \".zsh_history\", + \".fish_history\", \"fish_history\", \".dash_history\", \".sh_history\"] \u0026\u0026 + open.file.path in [~\"/root/*\", ~\"/home/**\"] \u0026\u0026 process.file.name + == \"truncate\"","filters":["os == \"linux\""],"name":"shell_history_truncated","updateDate":1749231989700,"updater":{"name":"","handle":""},"version":4}},{"id":"wew-y1h-1um","type":"agent_rule","attributes":{"actions":[{"hash":{}}],"agentConstraint":"","category":"File + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"A + compiler wrote a suspicious file in a container","enabled":true,"expression":"open.flags + \u0026 O_CREAT \u003e 0\n\u0026\u0026 (\n (open.file.path =~ \"/tmp/**\" + \u0026\u0026 open.file.name in [~\"*.ko\", ~\".*\"])\n || open.file.path + in [~\"/var/tmp/**\", ~\"/root/**\", ~\"*/bin/*\", ~\"/usr/local/lib/**\"]\n)\n\u0026\u0026 + (process.comm in [\"javac\", \"clang\", \"gcc\", \"bcc\"] || process.ancestors.comm + in [\"javac\", \"clang\", \"gcc\", \"bcc\"] || process.file.name in [\"javac\", + \"clang\", \"gcc\", \"bcc\"] || process.ancestors.file.name in [\"javac\", + \"clang\", \"gcc\", \"bcc\"])\n\u0026\u0026 process.file.name not in [\"pip\", + ~\"python*\"]\n\u0026\u0026 container.id != \"\"","filters":["os == 
\"linux\""],"name":"compile_after_delivery","updateDate":1749231989698,"updater":{"name":"","handle":""},"version":2}},{"id":"smc-exb-ymp","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"The + LD_PRELOAD variable is populated by a link to a suspicious file directory","enabled":true,"expression":"exec.envs + in [~\"LD_PRELOAD=*/tmp/*\", ~\"LD_PRELOAD=/dev/shm/*\"]","filters":["os == + \"linux\""],"name":"ld_preload_unusual_library_path","updateDate":1749231989692,"updater":{"name":"","handle":""},"version":2}},{"id":"zk5-jeo-579","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"RC + scripts modified","enabled":true,"expression":"(open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) + \u003e 0 \u0026\u0026 (open.file.path in [\"/etc/rc.common\", \"/etc/rc.local\"])) + \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path - != \"/usr/bin/kmod\"\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":1598516746168,"updateDate":1677793401708,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"r5z-tke-sjm","attributes":{"version":10,"name":"credential_modified_link","description":"Sensitive - credential files were modified using a non-standard tool","expression":"(\n (link.file.path + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os + == 
\"linux\""],"name":"rc_scripts_modified","updateDate":1749231989692,"updater":{"name":"","handle":""},"version":3}},{"id":"ygi-ozn-m5d","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"memfd + object created","enabled":true,"expression":"exec.file.name =~ \"memfd*\" + \u0026\u0026 exec.file.path == \"\" \u0026\u0026 process.parent.file.path + not in [\"/usr/bin/runc\", \"/usr/sbin/runc\", \"/usr/bin/docker-runc\" , + \"/run/docker/runtime-runc/moby/*\", \"/x86_64-bottlerocket-linux-gnu/sys-root/usr/bin/runc\"] + \u0026\u0026 !(process.comm == \"dd-ipc-helper\" \u0026\u0026 exec.file.name + in [\"memfd:spawn_worker_trampoline (deleted)\", \"memfd:spawn_worker_trampoline\"])","filters":["os + == \"linux\""],"name":"memfd_create","updateDate":1749231989691,"updater":{"name":"","handle":""},"version":2}},{"id":"aby-cmp-yrd","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"A + process wrote to a dynamic linker config file","enabled":true,"expression":"open.file.path + in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", ~\"/etc/ld.so.conf.d/*.conf\"] + \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) + \u003e 0 \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\"] \u0026\u0026 process.ancestors.file.path not in + [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", + \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", + \"/opt/datadog-agent/embedded/bin/trace-agent\", 
\"/opt/datadog-agent/bin/agent/agent\", + \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", + \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", + \"/opt/datadog-agent/bin/datadog-cluster-agent\", ~\"/opt/datadog-packages/**\", + ~\"/opt/datadog-installer/**\"] \u0026\u0026 process.argv0 not in [\"runc\", + \"/usr/bin/runc\", \"/usr/sbin/runc\"]","filters":["os == \"linux\""],"name":"dynamic_linker_config_write","updateDate":1749231989670,"updater":{"name":"","handle":""},"version":3}},{"id":"r5z-tke-sjm","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":1598516746271,"creator":{"name":"","handle":""},"defaultRule":true,"description":"Sensitive + credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (link.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || link.file.destination.path - in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in - [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", + in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path + not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", - \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path + \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File - 
Activity","defaultRule":true,"enabled":true,"creationDate":1598516746271,"updateDate":1677793401181,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"eoy-4fe-q7q","attributes":{"version":11,"name":"credential_modified_chown","description":"Sensitive - credential files were modified using a non-standard tool","expression":"(\n (chown.file.path - in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in - [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"credential_modified_link","updateDate":1749231989669,"updater":{"name":"","handle":""},"version":11}},{"id":"cd0-w8q-vl4","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":1598516746168,"creator":{"name":"","handle":""},"defaultRule":true,"description":"A + new kernel module was added","enabled":true,"expression":"(\n (chown.file.path + in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path + != \"/usr/bin/kmod\"\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid + || chown.file.destination.gid != chown.file.gid)","filters":["os == 
\"linux\""],"name":"kernel_module_chown","updateDate":1749231989669,"updater":{"name":"","handle":""},"version":12}},{"id":"f5y-pdn-pnj","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":1650293718458,"creator":{"name":"","handle":""},"defaultRule":true,"description":"A + kernel module was loaded","enabled":true,"expression":"load_module.loaded_from_memory + == false \u0026\u0026 load_module.name not in [\"nf_tables\", \"iptable_filter\", + \"ip6table_filter\", \"bpfilter\", \"ip6_tables\", \"ip6table_nat\", \"nf_reject_ipv4\", + \"ipt_REJECT\", \"iptable_raw\", \"udp_diag\", \"inet_diag\"] \u0026\u0026 + process.ancestors.file.name not in [~\"falcon*\", \"unattended-upgrade\", + \"apt.systemd.daily\", \"xtables-legacy-multi\", \"ssm-agent-worker\"]","filters":["os + == \"linux\""],"name":"kernel_module_load","updateDate":1749231989667,"updater":{"name":"","handle":""},"version":5}},{"id":"qng-psi-j15","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":1627392837049,"creator":{"name":"","handle":""},"defaultRule":true,"description":"The + runc binary was modified in a non-standard way","enabled":true,"expression":"open.file.path + in [\"/usr/bin/runc\", \"/usr/sbin/runc\", \"/usr/bin/docker-runc\"]\n\u0026\u0026 + open.flags \u0026 O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY \u003e 0\n\u0026\u0026 + process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", + \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n\u0026\u0026 + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os + == 
\"linux\""],"name":"runc_modification","updateDate":1749231989583,"updater":{"name":"","handle":""},"version":6}},{"id":"bm8-j5w-xfv","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"Recently + written or modified suid file has been executed","enabled":true,"expression":"((process.file.mode + \u0026 S_ISUID \u003e 0) \u0026\u0026 process.file.modification_time \u003c + 30s) \u0026\u0026 exec.file.name != \"\" \u0026\u0026 process.ancestors.file.path + not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", + \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", + \"/opt/datadog-agent/embedded/bin/trace-agent\", \"/opt/datadog-agent/bin/agent/agent\", + \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", + \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", + \"/opt/datadog-agent/bin/datadog-cluster-agent\", ~\"/opt/datadog-packages/**\", + ~\"/opt/datadog-installer/**\"]","filters":["os == \"linux\""],"name":"suspicious_suid_execution","updateDate":1749231989566,"updater":{"name":"","handle":""},"version":4}},{"id":"h9w-1za-erv","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1742473059337,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == 
\"linux\""],"name":"exampleupdateacloudworkloadsecurityagentrulereturnsokresponse1742473058","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1742473059978,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":2}},{"id":"khg-aab-9th","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1737245935950,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"exampleupdateacloudworkloadsecurityagentrulereturnsokresponse1737245933","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1737245936416,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":2}},{"id":"ayg-ed4-gwq","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1730871736407,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Execution + of a java process","enabled":true,"expression":"exec.file.name == \"java\"","filters":["os + == \"linux\""],"name":"dummy_rule_KSDPb","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1730871736407,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"om5-n7z-ike","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1727845578846,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Execution + of a java process","enabled":true,"expression":"exec.file.name == \"java\"","filters":["os + == 
\"linux\""],"name":"dummy_rule_qDgvU","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1727845578846,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"6ae-6oo-ebo","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1724855417119,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Execution + of a java process","enabled":true,"expression":"exec.file.name == \"java\"","filters":["os + == \"linux\""],"name":"dummy_rule_DBtCK","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1724855417119,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"z3p-vom-jnb","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1724373425669,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"examplegetacloudworkloadsecurityagentrulereturnsokresponse1724373425","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1724373425669,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"aum-fmk-2zi","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1720846828022,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Execution + of a java process","enabled":true,"expression":"exec.file.name == \"java\"","filters":["os + == 
\"linux\""],"name":"dummy_rule_sUVnW","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1720846828022,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"8j1-gvj-zbg","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1720846816336,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Execution + of a java process","enabled":true,"expression":"exec.file.name == \"java\"","filters":["os + == \"linux\""],"name":"dummy_rule_ipyRF","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1720846816336,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"mgj-zek-ajo","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1718401086044,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Execution + of a java process","enabled":true,"expression":"exec.file.name == \"java\"","filters":["os + == \"linux\""],"name":"dummy_rule_AszwF","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1718401086044,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"bf0-bng-csr","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1718400725834,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Execution + of a java process","enabled":true,"expression":"exec.file.name == \"java\"","filters":["os + == 
\"linux\""],"name":"dummy_rule_bVlLJ","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1718400725834,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"qni-ngf-dzd","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1716175452369,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Execution + of a java process","enabled":true,"expression":"exec.file.name == \"java\"","filters":["os + == \"linux\""],"name":"dummy_rule_tSfwV","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1716175452369,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"qio-d0k-d3j","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1716162686297,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Execution + of a java process","enabled":true,"expression":"exec.file.name == \"java\"","filters":["os + == \"linux\""],"name":"dummy_rule_mABue","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1716162686297,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"fbo-ian-ijl","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1713905359927,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Execution + of a java process","enabled":true,"expression":"exec.file.name == \"java\"","filters":["os + == 
\"linux\""],"name":"dummy_rule_VfQSV","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1713905359927,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"1o7-fwy-pet","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1713903379681,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Execution + of a java process","enabled":true,"expression":"exec.file.name == \"java\"","filters":["os + == \"linux\""],"name":"dummy_rule_JAnCe","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1713903379681,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"ug1-mbq-gkm","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1713902127183,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Execution + of a java process","enabled":true,"expression":"exec.file.name == \"java\"","filters":["os + == \"linux\""],"name":"dummy_rule_KJInv","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1713902127183,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"xvo-htm-wak","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1713901759732,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Execution + of a java process","enabled":true,"expression":"exec.file.name == \"java\"","filters":["os + == 
\"linux\""],"name":"dummy_rule_PkauG","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1713901759732,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"zfc-g0g-a8x","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1713196703991,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Execution + of a java process","enabled":true,"expression":"exec.file.name == \"java\"","filters":["os + == \"linux\""],"name":"dummy_rule_LPRxi","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1713196703991,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"pae-rpt-yni","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1713196520725,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Execution + of a java process","enabled":true,"expression":"exec.file.name == \"java\"","filters":["os + == \"linux\""],"name":"dummy_rule_CpDMZ","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1713196520725,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"jwu-xbf-ic5","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1713196519724,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Execution + of a java process","enabled":true,"expression":"exec.file.name == \"java\"","filters":["os + == 
\"linux\""],"name":"dummy_rule_HfYXr","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1713196519724,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"uew-oxg-b86","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1712805386256,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Execution + of a java process","enabled":true,"expression":"exec.file.name == \"java\"","filters":["os + == \"linux\""],"name":"dummy_rule_Tjzvu","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1712805386256,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"wyn-ib7-f7o","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1712805020073,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Execution + of a java process","enabled":true,"expression":"exec.file.name == \"java\"","filters":["os + == \"linux\""],"name":"dummy_rule_fWORB","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1712805020073,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"mwk-g74-lbd","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1712804840761,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Execution + of a java process","enabled":true,"expression":"exec.file.name == \"java\"","filters":["os + == 
\"linux\""],"name":"dummy_rule_XcxFr","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1712804840761,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"rqa-io7-fwn","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1712804479644,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Execution + of a java process","enabled":true,"expression":"exec.file.name == \"java\"","filters":["os + == \"linux\""],"name":"dummy_rule_bKkuv","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1712804479644,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"n1x-qsa-p53","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"A + cryptominer was potentially executed","enabled":true,"expression":"exec.cmdline + in [~\"*xmrig*\", ~\"*cpu-priority*\", ~\"*donate-level*\", ~\"*randomx-1gb-pages*\", + ~\"*stratum+tcp*\", ~\"*stratum+ssl*\", ~\"*stratum1+tcp*\", ~\"*stratum1+ssl*\", + ~\"*stratum2+tcp*\", ~\"*stratum2+ssl*\", ~\"*nicehash*\", ~\"*yespower*\"]","filters":["os + == \"windows\""],"name":"windows_cryptominer_process","updateDate":1712079129574,"updater":{"name":"","handle":""},"version":1}},{"id":"pqp-0vs-cmu","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"The + configuration directory for an ssh worm","enabled":true,"expression":"open.file.path + in [\"/root/.prng/*\", ~\"/home/*/.prng/*\", ~\"/root/.config/prng/*\", ~\"/home/*/.config/prng/*\"] + \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0","filters":["os + == 
\"linux\""],"name":"ssh_it_tool_config_write","updateDate":1711644642969,"updater":{"name":"","handle":""},"version":1}},{"id":"8be-hej-nf2","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"Processes + were listed using the ps command","enabled":true,"expression":"exec.comm == + \"ps\" \u0026\u0026 exec.argv not in [\"-p\", \"--pid\"] \u0026\u0026 process.ancestors.file.name + not in [\"qualys-cloud-agent\", \"amazon-ssm-agent\"] \u0026\u0026 process.parent.file.name + not in [\"rkhunter\", \"jspawnhelper\", ~\"vm-agent*\", \"PassengerAgent\", + \"node\", \"wdavdaemon\", \"chkrootkit\", \"tsagentd\", \"wazuh-modulesd\", + \"wdavdaemon\", \"talend-remote-engine-service\", \"check_procs\", \"newrelic-daemon\"]","filters":["os + == \"linux\""],"name":"ps_discovery","updateDate":1711644627589,"updater":{"name":"","handle":""},"version":3}},{"id":"upj-muh-hms","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Network + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"A + DNS request was made for a chatroom domain","enabled":true,"expression":"dns.question.name + in [\"discord.com\", \"api.telegram.org\", \"cdn.discordapp.com\"]","filters":["os + == \"linux\""],"name":"chatroom_request","updateDate":1711644612626,"updater":{"name":"","handle":""},"version":2}},{"id":"gnz-81e-6lg","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"Process + environment variables match cryptocurrency miner","enabled":true,"expression":"exec.envs + in [\"POOL_USER\", \"POOL_URL\", \"POOL_PASS\", \"DONATE_LEVEL\"]","filters":["os + == 
\"linux\""],"name":"cryptominer_envs","updateDate":1711644602654,"updater":{"name":"","handle":""},"version":1}},{"id":"7da-gwx-c3l","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"The + auditctl command was used to modify auditd","enabled":true,"expression":"exec.file.name + == \"auditctl\" \u0026\u0026 exec.args_flags not in [\"s\", \"l\"]","filters":["os + == \"linux\""],"name":"auditctl_usage","updateDate":1711644592613,"updater":{"name":"","handle":""},"version":2}},{"id":"8jg-xym-vqz","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"A + Jupyter notebook executed a shell","enabled":true,"expression":"(exec.file.name + in [\"cat\",\"chgrp\",\"chmod\",\"chown\",\"cp\",\"date\",\"dd\",\"df\",\"dir\",\"echo\",\"ln\",\"ls\",\"mkdir\",\"mknod\",\"mktemp\",\"mv\",\"pwd\",\"readlink\",\"rm\",\"rmdir\",\"sleep\",\"stty\",\"sync\",\"touch\",\"uname\",\"vdir\",\"arch\",\"b2sum\",\"base32\",\"base64\",\"basename\",\"chcon\",\"cksum\",\"comm\",\"csplit\",\"cut\",\"dircolors\",\"dirname\",\"du\",\"env\",\"expand\",\"expr\",\"factor\",\"fmt\",\"fold\",\"groups\",\"head\",\"hostid\",\"id\",\"install\",\"join\",\"link\",\"logname\",\"md5sum\",\"textutils\",\"mkfifo\",\"nice\",\"nl\",\"nohup\",\"nproc\",\"numfmt\",\"od\",\"paste\",\"pathchk\",\"pinky\",\"pr\",\"printenv\",\"printf\",\"ptx\",\"realpath\",\"runcon\",\"seq\",\"sha1sum\",\"sha224sum\",\"sha256sum\",\"sha384sum\",\"sha512sum\",\"shred\",\"shuf\",\"sort\",\"split\",\"stat\",\"stdbuf\",\"sum\",\"tac\",\"tail\",\"tee\",\"test\",\"timeout\",\"tr\",\"truncate\",\"tsort\",\"tty\",\"unexpand\",\"uniq\",\"unlink\",\"users\",\"wc\",\"who\",\"whoami\",\"chroot\"] + || exec.file.name in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.name + in 
[\"dash\",\"sh\",\"static-sh\",\"sh\",\"bash\",\"bash\",\"bash-static\",\"zsh\",\"ash\",\"csh\",\"ksh\",\"tcsh\",\"busybox\",\"busybox\",\"fish\",\"ksh93\",\"rksh\",\"rksh93\",\"lksh\",\"mksh\",\"mksh-static\",\"csharp\",\"posh\",\"rc\",\"sash\",\"yash\",\"zsh5\",\"zsh5-static\"]) + \u0026\u0026 process.ancestors.comm in [\"jupyter-noteboo\", \"jupyter-lab\"]","filters":["os + == \"linux\""],"name":"jupyter_shell_execution","updateDate":1711644590883,"updater":{"name":"","handle":""},"version":1}},{"id":"30s-pi8-9b4","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1711550899699,"creator":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"testcreateacloudworkloadsecurityagentrulereturnsokresponse1711550899","updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1711550899699,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"version":1}},{"id":"a9q-iyx-gfu","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1708686508595,"creator":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1708686508","updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1708686508595,"updater":{"name":"CI + 
Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"version":1}},{"id":"hlq-w7y-5tg","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1708686508341,"creator":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1708686508","updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1708686508341,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"version":1}},{"id":"lj4-ina-ue2","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1708686507890,"creator":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1708686507","updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1708686507890,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"version":1}},{"id":"qlz-mcu-d2k","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1708686507757,"creator":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == 
\"linux\""],"name":"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1708686507","updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1708686507757,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"version":1}},{"id":"bmx-go6-0lz","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1708686507388,"creator":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1708686507","updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1708686507388,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"version":1}},{"id":"bk0-mpb-ii8","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1708686507115,"creator":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1708686507","updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1708686507115,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"version":1}},{"id":"0xw-wbm-pel","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1707131459596,"creator":{"name":"CI + 
Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1707131459","updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1707131459596,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"version":1}},{"id":"nvt-eoh-yiz","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1707131458820,"creator":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1707131458","updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1707131458820,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"version":1}},{"id":"dc5-hba-20b","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1707131457616,"creator":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1707131457","updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1707131457616,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"version":1}},{"id":"asb-kqf-vex","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + 
Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1707131457216,"creator":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1707131456","updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1707131457216,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"version":1}},{"id":"yzx-ia6-bdh","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1707131456469,"creator":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1707131456","updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1707131456469,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"version":1}},{"id":"3uo-x9p-tmb","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1707131455692,"creator":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1707131455","updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1707131455692,"updater":{"name":"CI + 
Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"version":1}},{"id":"kan-5ki-wau","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1706872191984,"creator":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1706872191","updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1706872191984,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"version":1}},{"id":"ggb-h3r-t7d","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1706872191450,"creator":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1706872191","updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1706872191450,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"version":1}},{"id":"y4n-8gx-m3n","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1706872190549,"creator":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == 
\"linux\""],"name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1706872190","updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1706872190549,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"version":1}},{"id":"xsf-ugy-cfq","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1706872190256,"creator":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1706872190","updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1706872190256,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"version":1}},{"id":"btr-btz-zif","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1706872189757,"creator":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1706872189","updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1706872189757,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"version":1}},{"id":"jnw-ija-az5","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1706872189262,"creator":{"name":"CI + 
Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1706872189","updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1706872189262,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"version":1}},{"id":"6v0-shq-8gm","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1704452911364,"creator":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1704452911","updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1704452911364,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"version":1}},{"id":"yrv-svq-9nz","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1704452911144,"creator":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1704452911","updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1704452911144,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"version":1}},{"id":"9s9-wui-t8c","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + 
Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1704452910712,"creator":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1704452910","updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1704452910712,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"version":1}},{"id":"krm-ssv-tn5","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1704452910586,"creator":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1704452910","updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1704452910586,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"version":1}},{"id":"uiu-6vz-z2h","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1704452910368,"creator":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1704452910","updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1704452910368,"updater":{"name":"CI + 
Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"version":1}},{"id":"eej-oup-jwu","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1704452910147,"creator":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1704452910","updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1704452910147,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"version":1}},{"id":"ltv-fla-wb0","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"NTDS + file referenced in commandline","enabled":true,"expression":"exec.cmdline + =~ \"*ntds.dit*\"","filters":["os == \"windows\""],"name":"ntds_in_commandline","updateDate":1704404490608,"updater":{"name":"","handle":""},"version":1}},{"id":"nyc-gfz-yr5","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":1606142958657,"creator":{"name":"","handle":""},"defaultRule":true,"description":"nsswitch + may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path + in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 (chown.file.destination.uid + != chown.file.uid || chown.file.destination.gid != chown.file.gid) \u0026\u0026 + process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", + \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":["os + == 
\"linux\""],"name":"nsswitch_conf_mod_chown","updateDate":1704404477785,"updater":{"name":"","handle":""},"version":5}},{"id":"phy-tco-k7w","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationDate":1617722069155,"creator":{"name":"","handle":""},"defaultRule":true,"description":"A + database application spawned a shell, shell utility, or HTTP utility","enabled":true,"expression":"(exec.file.path + in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" + ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path + in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"]) + \u0026\u0026\nprocess.parent.file.name in [\"mysqld\", \"mongod\", \"postgres\"] + \u0026\u0026\n!(process.parent.file.name == \"initdb\" \u0026\u0026\nexec.args + == \"-c locale -a\") 
\u0026\u0026\n!(process.parent.file.name == \"postgres\" + \u0026\u0026\nexec.args == ~\"*pg_wal*\")","filters":["os == \"linux\""],"name":"database_shell_execution","updateDate":1704404453620,"updater":{"name":"","handle":""},"version":6}},{"id":"7x1-glr-ofl","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"Sensitive + credential files were modified using a non-standard tool","enabled":true,"expression":"(\n open.flags + \u0026 ((O_CREAT|O_RDWR|O_WRONLY|O_TRUNC)) \u003e 0 \u0026\u0026\n (open.file.path + in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path + not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", - \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path + \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) - && (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid - != chown.file.gid)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":1598516746271,"updateDate":1677793399502,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"cd0-w8q-vl4","attributes":{"version":11,"name":"kernel_module_chown","description":"A - new kernel module was added","expression":"(\n (chown.file.path in [ ~\"/lib/modules/**\", - ~\"/usr/lib/modules/**\" ])\n && 
process.file.path not in [~\"/usr/bin/apt*\", - \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", - ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && + \u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"name":"credential_modified_open_v2","updateDate":1704404453617,"updater":{"name":"","handle":""},"version":2}},{"id":"rqb-wq9-xzq","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1704404420111,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Execution + of a java process","enabled":true,"expression":"exec.file.name == \"java\"","filters":["os + == \"linux\""],"name":"dummy_rule_jcvqK","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1704404420111,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"sqx-azd-ia2","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1700251049947,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Execution + of a java process","enabled":true,"expression":"exec.file.name == \"java\"","filters":["os + == \"linux\""],"name":"dummy_rule_ivMAv","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1700251049947,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"83g-jde-hyc","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1700243663249,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == 
\"sh\"","filters":["os + == \"linux\""],"name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700243663","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1700243663249,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"hyg-8q3-gme","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1700219294824,"creator":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1700219294","updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1700219294824,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"version":1}},{"id":"bn3-we8-cxn","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1700219294647,"creator":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1700219294","updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1700219294647,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"version":1}},{"id":"goh-6ij-cpa","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1700219294269,"creator":{"name":"CI + 
Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700219294","updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1700219294269,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"version":1}},{"id":"he7-cho-9th","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1700219294175,"creator":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1700219294","updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1700219294175,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"version":1}},{"id":"pj5-9wo-0ny","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1700219293961,"creator":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1700219293","updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1700219293961,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"version":1}},{"id":"dmd-ens-omw","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + 
Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1700219293736,"creator":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1700219293","updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1700219293736,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"version":1}},{"id":"8ft-wcs-sok","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1700132880522,"creator":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1700132880","updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1700132880522,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"version":1}},{"id":"onm-fm3-ilm","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1700132880255,"creator":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1700132880","updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1700132880255,"updater":{"name":"CI + 
Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"version":1}},{"id":"cxv-wyz-udh","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1700132879795,"creator":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700132879","updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1700132879795,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"version":1}},{"id":"7ro-vjj-hqg","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1700132879679,"creator":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1700132879","updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1700132879679,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"version":1}},{"id":"3uf-mai-edh","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1700132879455,"creator":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == 
\"linux\""],"name":"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1700132879","updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1700132879455,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"version":1}},{"id":"e2t-sos-sgs","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1700132879213,"creator":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1700132879","updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1700132879213,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"version":1}},{"id":"joz-phu-bj6","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1700046608383,"creator":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1700046608","updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1700046608383,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"version":1}},{"id":"9gx-e5x-wxl","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1700046607880,"creator":{"name":"CI + 
Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1700046607","updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1700046607880,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"version":1}},{"id":"cmg-7ok-iws","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1700046607019,"creator":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1700046606","updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1700046607019,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"version":1}},{"id":"fc2-mmz-xme","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1700046606743,"creator":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1700046606","updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1700046606743,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"version":1}},{"id":"cw4-gei-lqg","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + 
Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1700046606184,"creator":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1700046606","updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1700046606184,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"version":1}},{"id":"djb-5it-syy","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1700046605699,"creator":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1700046605","updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1700046605699,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"version":1}},{"id":"2be-cfa-xhr","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1699960183272,"creator":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1699960183","updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1699960183272,"updater":{"name":"CI + 
Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"version":1}},{"id":"5dp-tcj-tbm","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1699960182731,"creator":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1699960182","updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1699960182731,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"version":1}},{"id":"a0m-zaf-0a8","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1699960181838,"creator":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1699960181","updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1699960181838,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"version":1}},{"id":"erx-pyz-xft","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1699960181554,"creator":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == 
\"linux\""],"name":"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1699960181","updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1699960181554,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"version":1}},{"id":"ydh-fsm-slz","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1699960181024,"creator":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1699960180","updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1699960181024,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"version":1}},{"id":"5pp-60h-keq","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1699960180438,"creator":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699960180","updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1699960180438,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"version":1}},{"id":"xyn-fkc-osi","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1699873852793,"creator":{"name":"CI + 
Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1699873852","updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1699873852793,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"version":1}},{"id":"llg-x6t-jjq","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1699873852043,"creator":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1699873851","updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1699873852043,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"version":1}},{"id":"q1s-ejx-xq3","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1699873850880,"creator":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1699873850","updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1699873850880,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"version":1}},{"id":"zw4-cad-dro","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + 
Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1699873850490,"creator":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1699873850","updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1699873850490,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"version":1}},{"id":"rik-8jl-7nr","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1699873849810,"creator":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1699873849","updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1699873849810,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"version":1}},{"id":"vih-vom-ryl","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1699873849102,"creator":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699873848","updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1699873849102,"updater":{"name":"CI + 
Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"version":1}},{"id":"j3f-cie-47b","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Kernel + Activity","creationDate":1650293718630,"creator":{"name":"","handle":""},"defaultRule":true,"description":"A + kernel module was loaded from memory","enabled":true,"expression":"load_module.loaded_from_memory + == true","filters":["os == \"linux\""],"name":"kernel_module_load_from_memory","updateDate":1699614659145,"updater":{"name":"","handle":""},"version":2}},{"id":"my1-vln-8fq","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"A + process launched with arguments associated with cryptominers","enabled":true,"expression":"exec.args_options + in [~\"cpu-priority*\", ~\"donate-level*\"] || exec.args in [~\"*stratum+tcp*\"]","filters":["os + == \"linux\""],"name":"cryptominer_args","updateDate":1699614656177,"updater":{"name":"","handle":""},"version":3}},{"id":"us6-p6v-hbj","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"Tar + archive created","enabled":true,"expression":"exec.file.path == \"/usr/bin/tar\" + \u0026\u0026 exec.args_flags in [\"create\",\"c\"]","filters":["os == \"linux\""],"name":"tar_execution","updateDate":1699614655670,"updater":{"name":"","handle":""},"version":2}},{"id":"ohe-vlf-t2h","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":1606142980369,"creator":{"name":"","handle":""},"defaultRule":true,"description":"SSL + certificates may have been tampered with","enabled":true,"expression":"(\n (chown.file.path + in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", 
\"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) + \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid + != chown.file.gid)\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 + process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path - != \"/usr/bin/kmod\"\n) && (chown.file.destination.uid != chown.file.uid || - chown.file.destination.gid != chown.file.gid)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":1598516746168,"updateDate":1677793397722,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"bw8-80r-qih","attributes":{"version":1,"name":"dummy_rule_BAiZP","description":"Execution - of a java process","expression":"exec.file.name == \"java\"","category":"Process - Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1677793394115,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1677793394115,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"mpb-1rj-dv6","attributes":{"version":9,"name":"kernel_module_rename","description":"A - new kernel module was added","expression":"(\n (rename.file.path in [ ~\"/lib/modules/**\", - ~\"/usr/lib/modules/**\" ]\n || rename.file.destination.path in [ ~\"/lib/modules/**\", - ~\"/usr/lib/modules/**\" ])\n && process.file.path not in 
[~\"/usr/bin/apt*\", - \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", - ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n && - process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name + !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_chown","updateDate":1699614645120,"updater":{"name":"","handle":""},"version":9}},{"id":"abo-w0g-emz","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1699614584761,"creator":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1699614584","updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1699614584761,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"version":1}},{"id":"yyr-62t-pwg","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1699614584201,"creator":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1699614583","updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1699614584201,"updater":{"name":"CI + 
Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"version":1}},{"id":"s87-olo-akk","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1699614583309,"creator":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1699614583","updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1699614583309,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"version":1}},{"id":"hqc-ilw-6pg","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1699614583007,"creator":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1699614582","updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1699614583007,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"version":1}},{"id":"5ik-iyy-ry4","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1699614582497,"creator":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == 
\"linux\""],"name":"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1699614582","updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1699614582497,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"version":1}},{"id":"0mj-ptm-mcq","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1699614581944,"creator":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699614581","updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1699614581944,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"version":1}},{"id":"awr-mtg-lce","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"A + known kubernetes pentesting tool has been executed","enabled":true,"expression":"(exec.file.name + in [ ~\"python*\" ] \u0026\u0026 (\"KubiScan.py\" in exec.argv || \"kubestriker\" + in exec.argv ) ) || exec.file.name in [ \"kubiscan\",\"kdigger\",\"kube-hunter\",\"rakkess\",\"peirates\",\"kubescape\",\"kubeaudit\",\"kube-linter\",\"stratus\",~\"botb-*\"]","filters":[],"name":"offensive_k8s_tool","updateDate":1699605598275,"updater":{"name":"","handle":""},"version":1}},{"id":"ki7-koc-icf","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationDate":1627392836162,"creator":{"name":"","handle":""},"defaultRule":true,"description":"An + AppArmor profile was modified in an interactive session","enabled":true,"expression":"exec.file.name + in 
[\"aa-disable\", \"aa-complain\", \"aa-audit\"] \u0026\u0026 exec.tty_name + !=\"\"","filters":["os == \"linux\""],"name":"apparmor_modified_tty","updateDate":1699605581360,"updater":{"name":"","handle":""},"version":2}},{"id":"je9-er4-njy","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Kernel + Activity","creationDate":1635332067172,"creator":{"name":"","handle":""},"defaultRule":true,"description":"SELinux + enforcement status was disabled","enabled":true,"expression":"selinux.enforce.status + in [\"permissive\", \"disabled\"] \u0026\u0026 process.ancestors.args != ~\"*BECOME-SUCCESS*\"","filters":[],"name":"selinux_disable_enforcement","updateDate":1699605560892,"updater":{"name":"","handle":""},"version":2}},{"id":"332-1wp-nhi","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1699375258346,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"name":"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1699375258","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1699375258346,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"pn7-9wx-enb","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","creationDate":1689275130893,"creator":{"name":"Sherzod + Karimov","handle":"sherzod.karimov@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == 
\"sh\"","filters":[],"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1689275130","updateAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","updateDate":1689275130893,"updater":{"name":"Sherzod + Karimov","handle":"sherzod.karimov@datadoghq.com"},"version":1}},{"id":"zag-uxd-4rh","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","creationDate":1689275130586,"creator":{"name":"Sherzod + Karimov","handle":"sherzod.karimov@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":[],"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1689275130","updateAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","updateDate":1689275130586,"updater":{"name":"Sherzod + Karimov","handle":"sherzod.karimov@datadoghq.com"},"version":1}},{"id":"gj1-f5n-atq","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","creationDate":1689275130040,"creator":{"name":"Sherzod + Karimov","handle":"sherzod.karimov@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":[],"name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1689275129","updateAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","updateDate":1689275130040,"updater":{"name":"Sherzod + Karimov","handle":"sherzod.karimov@datadoghq.com"},"version":1}},{"id":"xoa-393-gtb","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","creationDate":1689275129856,"creator":{"name":"Sherzod + Karimov","handle":"sherzod.karimov@datadoghq.com"},"defaultRule":false,"description":"My + Agent 
rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":[],"name":"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1689275129","updateAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","updateDate":1689275129856,"updater":{"name":"Sherzod + Karimov","handle":"sherzod.karimov@datadoghq.com"},"version":1}},{"id":"wib-odd-eos","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","creationDate":1689275129533,"creator":{"name":"Sherzod + Karimov","handle":"sherzod.karimov@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":[],"name":"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1689275129","updateAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","updateDate":1689275129533,"updater":{"name":"Sherzod + Karimov","handle":"sherzod.karimov@datadoghq.com"},"version":1}},{"id":"zi0-hgn-9ec","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","creationDate":1689275129209,"creator":{"name":"Sherzod + Karimov","handle":"sherzod.karimov@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":[],"name":"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1689275129","updateAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","updateDate":1689275129209,"updater":{"name":"Sherzod + Karimov","handle":"sherzod.karimov@datadoghq.com"},"version":1}},{"id":"oce-aqj-x6b","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","creationDate":1689185616079,"creator":{"name":"Sherzod + 
Karimov","handle":"sherzod.karimov@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":[],"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1689185615","updateAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","updateDate":1689185616079,"updater":{"name":"Sherzod + Karimov","handle":"sherzod.karimov@datadoghq.com"},"version":1}},{"id":"cdt-p7e-q1b","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","creationDate":1689185615169,"creator":{"name":"Sherzod + Karimov","handle":"sherzod.karimov@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":[],"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1689185615","updateAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","updateDate":1689185615169,"updater":{"name":"Sherzod + Karimov","handle":"sherzod.karimov@datadoghq.com"},"version":1}},{"id":"wgo-mps-djd","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","creationDate":1689185614427,"creator":{"name":"Sherzod + Karimov","handle":"sherzod.karimov@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":[],"name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1689185614","updateAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","updateDate":1689185614427,"updater":{"name":"Sherzod + Karimov","handle":"sherzod.karimov@datadoghq.com"},"version":1}},{"id":"odr-ipk-wvx","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + 
Activity","creationAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","creationDate":1689185613924,"creator":{"name":"Sherzod + Karimov","handle":"sherzod.karimov@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":[],"name":"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1689185613","updateAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","updateDate":1689185613924,"updater":{"name":"Sherzod + Karimov","handle":"sherzod.karimov@datadoghq.com"},"version":1}},{"id":"nb1-dkb-bwz","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","creationDate":1689185612915,"creator":{"name":"Sherzod + Karimov","handle":"sherzod.karimov@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":[],"name":"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1689185612","updateAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","updateDate":1689185612915,"updater":{"name":"Sherzod + Karimov","handle":"sherzod.karimov@datadoghq.com"},"version":1}},{"id":"t2g-qma-f5b","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","creationDate":1689185611378,"creator":{"name":"Sherzod + Karimov","handle":"sherzod.karimov@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":[],"name":"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1689185611","updateAuthorUuId":"6018c832-80a7-11ea-93dd-43183212bc7a","updateDate":1689185611378,"updater":{"name":"Sherzod + 
Karimov","handle":"sherzod.karimov@datadoghq.com"},"version":1}},{"id":"ayp-cd9-j3f","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"Local + account groups were enumerated after container start up","enabled":true,"expression":"exec.file.name + in [\"tcpdump\", \"tshark\"]","filters":[],"name":"network_sniffing_tool","updateDate":1688748485348,"updater":{"name":"","handle":""},"version":1}},{"id":"fdh-b1k-i0e","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"a + SUID file was executed","enabled":true,"expression":"(setuid.euid == 0 || + setuid.uid == 0) \u0026\u0026 process.file.mode \u0026 S_ISUID \u003e 0 \u0026\u0026 + process.file.uid == 0 \u0026\u0026 process.uid != 0 \u0026\u0026 process.file.path + != \"/usr/bin/sudo\"","filters":[],"name":"suid_file_execution","updateDate":1688748479473,"updater":{"name":"","handle":""},"version":1}},{"id":"rqu-01q-fmr","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"A + network utility was executed in a container","enabled":true,"expression":"(exec.comm + in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] + ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) \u0026\u0026\ncontainer.id + != \"\" \u0026\u0026 exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", + ~\"*motd.ubuntu.com*\" ] \u0026\u0026 container.created_at \u003e 180s","filters":[],"name":"net_util_in_container_v2","updateDate":1688748479210,"updater":{"name":"","handle":""},"version":1}},{"id":"igw-lex-dzw","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + 
Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"A + hidden file was executed in a suspicious folder","enabled":true,"expression":"exec.file.name + =~ \".*\" \u0026\u0026 exec.file.path in [~\"/home/**\", ~\"/tmp/**\", ~\"/var/tmp/**\", + ~\"/dev/shm/**\"]","filters":[],"name":"hidden_file_executed","updateDate":1688748474266,"updater":{"name":"","handle":""},"version":1}},{"id":"ixh-tff-n0g","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"Shell + profile was modified","enabled":true,"expression":"open.file.path in [~\"/home/*/*profile\", + ~\"/home/*/*rc\"] \u0026\u0026 open.flags \u0026 ((O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)) + \u003e 0","filters":[],"name":"shell_profile_modification","updateDate":1688748474208,"updater":{"name":"","handle":""},"version":1}},{"id":"llh-ylu-udm","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1688740629202,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":[],"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1688740628","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1688740629202,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"tfj-qbi-njb","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1688740550818,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == 
\"sh\"","filters":[],"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1688740550","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1688740550818,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"otj-idk-ece","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1688740379706,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":[],"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1688740379","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1688740379706,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"l88-cpw-jvx","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1688739737197,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":[],"name":"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1688739737","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1688739737197,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"kcw-scc-5ve","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1688677455854,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == 
\"sh\"","filters":[],"name":"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1688677455","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1688677455854,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"lg7-iv9-wts","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"Sudoers + policy file may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path + == \"/etc/sudoers\")\n) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":[],"name":"sudoers_policy_modified_utimes","updateDate":1684185006444,"updater":{"name":"","handle":""},"version":1}},{"id":"07x-ilo-vbw","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"Sudoers + policy file may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path + == \"/etc/sudoers\"\n || rename.file.destination.path == \"/etc/sudoers\")\n)","filters":[],"name":"sudoers_policy_modified_rename","updateDate":1684184995498,"updater":{"name":"","handle":""},"version":1}},{"id":"wxp-zv6-mdg","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"Kernel + modules were listed using the kmod command","enabled":true,"expression":"exec.comm + == \"kmod\" \u0026\u0026 exec.args in 
[~\"*list*\"]","filters":[],"name":"kmod_list","updateDate":1684184992493,"updater":{"name":"","handle":""},"version":1}},{"id":"rsp-g6i-jdi","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"systemctl + used to stop a service","enabled":true,"expression":"exec.file.name == \"systemctl\" + \u0026\u0026 exec.args in [~\"*stop*\"]","filters":[],"name":"service_stop","updateDate":1684184991238,"updater":{"name":"","handle":""},"version":1}},{"id":"d5p-vk6-w0f","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"Kernel + modules were listed using the lsmod command","enabled":true,"expression":"exec.comm + == \"lsmod\"","filters":[],"name":"exec_lsmod","updateDate":1684184990877,"updater":{"name":"","handle":""},"version":1}},{"id":"zdy-kcq-q0v","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"The + kubeconfig file was accessed","enabled":true,"expression":"open.file.path + in [~\"/home/*/.kube/config\", \"/root/.kube/config\"]","filters":[],"name":"read_kubeconfig","updateDate":1684184984191,"updater":{"name":"","handle":""},"version":1}},{"id":"yij-lei-ykx","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"The + whoami command was executed","enabled":true,"expression":"exec.comm == \"whoami\"","filters":[],"name":"exec_whoami","updateDate":1684184982050,"updater":{"name":"","handle":""},"version":1}},{"id":"swo-jyw-vtb","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + 
Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"The + AWS EKS service account token was accessed","enabled":true,"expression":"open.file.path + =~ \"/var/run/secrets/eks.amazonaws.com/serviceaccount/**\" \u0026\u0026 open.file.name + == \"token\" \u0026\u0026 process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", + \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", + \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/bin/agent/agent\", + \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", + \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", + \"/opt/datadog-agent/bin/datadog-cluster-agent\"]","filters":[],"name":"aws_eks_service_account_token_accessed","updateDate":1681490453789,"updater":{"name":"","handle":""},"version":5}},{"id":"w07-amm-bxr","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"SSL + certificates may have been tampered with","enabled":true,"expression":"(\n (utimes.file.path + in [ ~\"/etc/ssl/certs/**\" ])\n \u0026\u0026 process.file.path not in + [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 + process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path + != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 + process.file.name !~ 
\"runc*\"","filters":[],"name":"ssl_certificate_tampering_utimes","updateDate":1681490443753,"updater":{"name":"","handle":""},"version":10}},{"id":"jin-icc-lpi","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":1606142980369,"creator":{"name":"","handle":""},"defaultRule":true,"description":"SSL + certificates may have been tampered with","enabled":true,"expression":"(\n (unlink.file.path + in [ ~\"/etc/ssl/certs/**\" ])\n \u0026\u0026 process.file.path not in + [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 + process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path + != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 + process.file.name !~ \"runc*\"","filters":[],"name":"ssl_certificate_tampering_unlink","updateDate":1681490440557,"updater":{"name":"","handle":""},"version":8}},{"id":"9hn-ukg-ek1","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1681222899530,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == 
\"sh\"","filters":[],"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1681222899","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1681222899530,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"ulc-8ym-1ch","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1681222899155,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":[],"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1681222899","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1681222899155,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"zja-jqt-rpm","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1681222898613,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":[],"name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1681222898","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1681222898613,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"2ov-h11-m4w","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1681222898408,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == 
\"sh\"","filters":[],"name":"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1681222898","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1681222898408,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"shb-0xv-eib","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1681222898061,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":[],"name":"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1681222897","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1681222898061,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"psp-nbn-dtg","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1681222897739,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":[],"name":"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1681222897","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1681222897739,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"mcq-6by-989","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1677856493876,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == 
\"sh\"","filters":[],"name":"testupdateacloudworkloadsecurityagentrulereturnsokresponse1677856493","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1677856493876,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"tci-5f7-cis","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1677856492960,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":[],"name":"testupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1677856492","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1677856492960,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"mey-lit-gzs","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1677856491445,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":[],"name":"testgetallcloudworkloadsecurityagentrulesreturnsokresponse1677856491","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1677856491445,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"4ve-rws-nw0","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1677856490988,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == 
\"sh\"","filters":[],"name":"testgetacloudworkloadsecurityagentrulereturnsokresponse1677856490","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1677856490988,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"9aa-y0q-rrc","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1677856490077,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":[],"name":"testdeleteacloudworkloadsecurityagentrulereturnsokresponse1677856490","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1677856490077,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"tvd-3p1-cai","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1677856489180,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":[],"name":"testcreateacloudworkloadsecurityagentrulereturnsokresponse1677856489","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1677856489180,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"asy-mod-zmt","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationDate":1627392836979,"creator":{"name":"","handle":""},"defaultRule":true,"description":"A + user was created via an interactive session","enabled":true,"expression":"exec.file.name + in [\"useradd\", \"newusers\", \"adduser\"] \u0026\u0026 exec.tty_name !=\"\" + \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", 
\"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] && process.ancestors.file.path - != \"/usr/bin/kmod\"\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":1598516746168,"updateDate":1677793394010,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ac4-asc-qi4","attributes":{"version":10,"name":"credential_modified_rename","description":"Sensitive - credential files were modified using a non-standard tool","expression":"(\n (rename.file.path - in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || rename.file.destination.path - in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in - [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 exec.args_flags + not in [\"D\"]","filters":[],"name":"user_created_tty","updateDate":1677793421528,"updater":{"name":"","handle":""},"version":5}},{"id":"4fh-bb7-747","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":1598516746271,"creator":{"name":"","handle":""},"defaultRule":true,"description":"Sensitive + credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (chmod.file.path + in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path + not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", - \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path + \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 
process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","category":"File - Activity","defaultRule":true,"enabled":true,"creationDate":1598516746271,"updateDate":1677793391290,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"gtx-vpl-ror","attributes":{"version":1,"name":"dummy_rule_lszUX","description":"Execution - of a java process","expression":"exec.file.name == \"java\"","category":"Process - Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1675978633464,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1675978633464,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"xye-pfo-y0r","attributes":{"version":9,"name":"kernel_module_open","description":"A - new kernel module was added","expression":"(\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) - > 0 &&\n (open.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" - ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - \"/usr/bin/yum\", \"/sbin/apk\"]\n && process.ancestors.file.path not in - [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"] && - process.ancestors.file.path != \"/usr/bin/kmod\"\n)","category":"File 
Activity","defaultRule":true,"enabled":true,"creationDate":1598516746168,"updateDate":1674486423764,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"cmu-g58-cau","attributes":{"version":6,"name":"cron_at_job_creation_rename","description":"An - unauthorized job was added to cron scheduling","expression":"(\n (rename.file.path - in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ]\n || - rename.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", - ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" - ]\n)\n&& process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", - \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","category":"File - Activity","defaultRule":true,"enabled":true,"creationDate":1606142961130,"updateDate":1674486423628,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"sna-hgh-vo4","attributes":{"version":3,"name":"dynamic_linker_config_unlink","description":"A - process unlinked a dynamic linker config file","expression":"unlink.file.path - in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", ~\"/etc/ld.so.conf.d/*.conf\"] - && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", - \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1674486422738,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"efc-svz-7hu","attributes":{"version":1,"name":"potential_web_shell_parent","description":"A - web application 
spawned a shell or shell utility","expression":"(exec.file.path + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) + \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":[],"name":"credential_modified_chmod","updateDate":1677793414173,"updater":{"name":"","handle":""},"version":11}},{"id":"yiy-mba-pny","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationDate":1617722067554,"creator":{"name":"","handle":""},"defaultRule":true,"description":"A + network utility (nmap) commonly used in intrusion attacks was executed","enabled":true,"expression":"exec.file.name + in [\"nmap\", \"masscan\", \"fping\", \"zgrab\", \"zgrab2\", \"rustscan\", + \"pnscan\"] \u0026\u0026 exec.args_flags not in [\"V\", \"version\"]","filters":[],"name":"common_net_intrusion_util","updateDate":1677793413474,"updater":{"name":"","handle":""},"version":5}},{"id":"oio-i4o-xzw","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"A + shell with a TTY was executed in a container","enabled":true,"expression":"exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" - ] || exec.comm in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.path - in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"]) - &&\n(process.parent.file.name in [\"apache2\", \"nginx\", ~\"tomcat*\", \"httpd\"] - || process.parent.file.name =~ \"php*\")","category":"Process 
Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1674486413493,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"tna-ty5-e7c","attributes":{"version":1,"name":"mount_host_fs","description":"The - host file system was mounted in a container","expression":"mount.source.path - == \"/\" && mount.fs_type != \"overlay\" && container.id != \"\"","category":"File - Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1674486412444,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ygi-ozn-m5d","attributes":{"version":1,"name":"memfd_create","description":"memfd - object created","expression":"exec.file.name =~ \"memfd*\" && exec.file.path - == \"\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1674486411993,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"nlp-lzc-rcf","attributes":{"version":5,"name":"systemd_modification_open","description":"A - service may have been modified without authorization","expression":"(\n open.flags - & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/lib/systemd/system/**\", - ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" ])\n && process.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"]\n)","category":"File - 
Activity","defaultRule":true,"enabled":true,"creationDate":1606142929241,"updateDate":1674486408888,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"avt-p2e-fyc","attributes":{"version":9,"name":"kernel_module_chmod","description":"A - new kernel module was added","expression":"(\n (chmod.file.path in [ ~\"/lib/modules/**\", - ~\"/usr/lib/modules/**\" ])\n && process.file.path not in [~\"/usr/bin/apt*\", - \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", - ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"]\n && process.ancestors.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"] && - process.ancestors.file.path != \"/usr/bin/kmod\"\n) && chmod.file.destination.mode - != chmod.file.mode","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":1598516746168,"updateDate":1674486407158,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ipa-v3l-kt6","attributes":{"version":7,"name":"cron_at_job_creation_chmod","description":"An - unauthorized job was added to cron scheduling","expression":"(\n (chmod.file.path - in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && - process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n) && chmod.file.destination.mode - != chmod.file.mode\n&& process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", - \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","category":"File - 
Activity","defaultRule":true,"enabled":true,"creationDate":1606142961130,"updateDate":1674486406983,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"3xl-qds-f0e","attributes":{"version":7,"name":"cron_at_job_creation_chown","description":"An - unauthorized job was added to cron scheduling","expression":"(\n (chown.file.path - in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && - process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n) && (chown.file.destination.uid - != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n&& process.file.path + ] \u0026\u0026 process.tty_name != \"\" \u0026\u0026 process.container.id + != \"\"","filters":[],"name":"tty_shell_in_container","updateDate":1677793412844,"updater":{"name":"","handle":""},"version":1}},{"id":"pwh-omk-qrr","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationDate":1652129906455,"creator":{"name":"","handle":""},"defaultRule":true,"description":"A + container executed a new binary not found in the container image","enabled":true,"expression":"container.id + != \"\" \u0026\u0026 process.file.in_upper_layer \u0026\u0026 process.file.modification_time + \u003c 30s \u0026\u0026 exec.file.name != \"\"","filters":[],"name":"new_binary_execution_in_container","updateDate":1677793412378,"updater":{"name":"","handle":""},"version":3}},{"id":"tmh-now-e61","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":1606142933669,"creator":{"name":"","handle":""},"defaultRule":true,"description":"Critical + system binaries may have been modified","enabled":true,"expression":"(\n open.flags + \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.path + in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", + 
~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":1606142961130,"updateDate":1674486406776,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"0gu-pqy-o1a","attributes":{"version":7,"name":"cron_at_job_creation_link","description":"An - unauthorized job was added to cron scheduling","expression":"(\n (link.file.path - in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ]\n || - link.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", - ~\"/etc/crontab\" ])\n && process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" - ]\n)\n&& process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", - \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","category":"File - Activity","defaultRule":true,"enabled":true,"creationDate":1606142961130,"updateDate":1674486406604,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ygn-d8o-ncr","attributes":{"version":7,"name":"cron_at_job_creation_utimes","description":"An - unauthorized job was added to cron scheduling","expression":"(\n (utimes.file.path - in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && - process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n&& - process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", - \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", - 
\"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","category":"File - Activity","defaultRule":true,"enabled":true,"creationDate":1606142961130,"updateDate":1674486406387,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"psd-3el-h33","attributes":{"version":9,"name":"credential_modified_utimes","description":"Sensitive - credential files were modified using a non-standard tool","expression":"(\n (utimes.file.path - in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n && process.file.path not in - [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":[],"name":"pci_11_5_critical_binaries_open","updateDate":1677793410974,"updater":{"name":"","handle":""},"version":6}},{"id":"ay7-jkz-rda","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":1598516746271,"creator":{"name":"","handle":""},"defaultRule":true,"description":"Sensitive + credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (unlink.file.path + in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path + not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", - \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n && process.ancestors.file.path + \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path + not 
in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":[],"name":"credential_modified_unlink","updateDate":1677793404797,"updater":{"name":"","handle":""},"version":10}},{"id":"bw8-80r-qih","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1677793394115,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Execution + of a java process","enabled":true,"expression":"exec.file.name == \"java\"","filters":[],"name":"dummy_rule_BAiZP","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1677793394115,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"gtx-vpl-ror","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1675978633464,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Execution + of a java process","enabled":true,"expression":"exec.file.name == \"java\"","filters":[],"name":"dummy_rule_lszUX","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1675978633464,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"xye-pfo-y0r","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":1598516746168,"creator":{"name":"","handle":""},"defaultRule":true,"description":"A + new kernel module was added","enabled":true,"expression":"(\n open.flags + \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path + in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", 
\"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"]\n)","category":"File - Activity","defaultRule":true,"enabled":true,"creationDate":1598516746271,"updateDate":1674486406248,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"atu-tci-bjn","attributes":{"version":7,"name":"cron_at_job_creation_unlink","description":"An - unauthorized job was added to cron scheduling","expression":"(\n (unlink.file.path - in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && - process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n&& + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\"]\n \u0026\u0026 + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + \"/usr/bin/yum\", \"/sbin/apk\"] \u0026\u0026 process.ancestors.file.path + != \"/usr/bin/kmod\"\n)","filters":[],"name":"kernel_module_open","updateDate":1674486423764,"updater":{"name":"","handle":""},"version":9}},{"id":"cmu-g58-cau","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":1606142961130,"creator":{"name":"","handle":""},"defaultRule":true,"description":"An + unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (rename.file.path + in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ]\n || + rename.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", + ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", + \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", 
\"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":[],"name":"cron_at_job_creation_rename","updateDate":1674486423628,"updater":{"name":"","handle":""},"version":6}},{"id":"sna-hgh-vo4","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"A + process unlinked a dynamic linker config file","enabled":true,"expression":"unlink.file.path + in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", ~\"/etc/ld.so.conf.d/*.conf\"] + \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + \"/usr/bin/yum\", \"/sbin/apk\"]","filters":[],"name":"dynamic_linker_config_unlink","updateDate":1674486422738,"updater":{"name":"","handle":""},"version":3}},{"id":"tna-ty5-e7c","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"The + host file system was mounted in a container","enabled":true,"expression":"mount.source.path + == \"/\" \u0026\u0026 mount.fs_type != \"overlay\" \u0026\u0026 container.id + != \"\"","filters":[],"name":"mount_host_fs","updateDate":1674486412444,"updater":{"name":"","handle":""},"version":1}},{"id":"3xl-qds-f0e","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":1606142961130,"creator":{"name":"","handle":""},"defaultRule":true,"description":"An + unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (chown.file.path + in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 + process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n) \u0026\u0026 + (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid + != chown.file.gid)\n\u0026\u0026 process.file.path 
not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":[],"name":"cron_at_job_creation_chown","updateDate":1674486406776,"updater":{"name":"","handle":""},"version":7}},{"id":"ygn-d8o-ncr","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":1606142961130,"creator":{"name":"","handle":""},"defaultRule":true,"description":"An + unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (utimes.file.path + in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n \u0026\u0026 + process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", - \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","category":"File - Activity","defaultRule":true,"enabled":true,"creationDate":1606142961130,"updateDate":1674486405229,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"onm-dqu-jly","attributes":{"version":7,"name":"cron_at_job_creation_open","description":"An - unauthorized job was added to cron scheduling","expression":"(\n open.flags - & (O_CREAT|O_RDWR|O_WRONLY) > 0 &&\n (open.file.path in [ ~\"/var/spool/cron/**\", - ~\"/etc/cron.*/**\", ~\"/etc/crontab\" ])\n && process.file.path not in - [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n&& process.file.path not in - [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","category":"File 
Activity","defaultRule":true,"enabled":true,"creationDate":1606142961130,"updateDate":1674486404864,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"kuu-k1s-gqz","attributes":{"version":6,"name":"systemd_modification_chmod","description":"A - service may have been modified without authorization","expression":"(\n (chmod.file.path + \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\"]","filters":[],"name":"cron_at_job_creation_utimes","updateDate":1674486406387,"updater":{"name":"","handle":""},"version":7}},{"id":"kuu-k1s-gqz","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":1606142929241,"creator":{"name":"","handle":""},"defaultRule":true,"description":"A + service may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" - ])\n && process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - \"/usr/bin/yum\", \"/sbin/apk\"]\n) && chmod.file.destination.mode != chmod.file.mode","category":"File - Activity","defaultRule":true,"enabled":true,"creationDate":1606142929241,"updateDate":1674486404846,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"hnh-eio-mow","attributes":{"version":2,"name":"ptrace_antidebug","description":"A - process uses an anti-debugging technique to block debuggers","expression":"ptrace.request - == PTRACE_TRACEME && process.file.name != \"\"","category":"Kernel 
Activity","defaultRule":true,"enabled":true,"creationDate":1650293718435,"updateDate":1670604150759,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"f5y-pdn-pnj","attributes":{"version":4,"name":"kernel_module_load","description":"A - kernel module was loaded","expression":"load_module.name not in [\"nf_tables\", - \"iptable_filter\", \"ip6table_filter\", \"bpfilter\", \"ip6_tables\", \"ip6table_nat\", - \"nf_reject_ipv4\", \"ipt_REJECT\", \"iptable_raw\"] && process.ancestors.file.name - not in [~\"falcon*\", \"unattended-upgrade\", \"apt.systemd.daily\", \"xtables-legacy-multi\", - \"ssm-agent-worker\"]","category":"Kernel Activity","defaultRule":true,"enabled":true,"creationDate":1650293718458,"updateDate":1670604150549,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ddh-ld5-2rj","attributes":{"version":1,"name":"aws_imds","description":"An - AWS IMDS was called via a network utility","expression":"exec.comm in [\"wget\", - \"curl\", \"lwp-download\"] && exec.args in [~\"*169.254.169.254/latest/meta-data/iam/security-credentials/*\", - \"*169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\", ~\"*169.254.170.2/*/credentials?id=*\"]","category":"Process - Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1670604150281,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"enj-kdc-1tt","attributes":{"version":1,"name":"net_file_download","description":"A - suspicious file was written by a network utility","expression":"open.flags - & O_CREAT > 0 && process.comm in [\"wget\", \"curl\", \"lwp-download\"]\n&& - (\n (open.file.path =~ \"/tmp/**\" && open.file.name in [~\"*.sh\", ~\"*.c\", - ~\"*.so\", ~\"*.ko\"])\n || open.file.path in [~\"/usr/**\", ~\"/lib/**\", - 
~\"/etc/**\", ~\"/var/tmp/**\", ~\"/dev/shm/**\"]\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1670604150067,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"wew-y1h-1um","attributes":{"version":1,"name":"compile_after_delivery","description":"A - compiler wrote a suspicious file in a container","expression":"open.flags - & O_CREAT > 0\n&& (\n (open.file.path =~ \"/tmp/**\" && open.file.name in - [~\"*.ko\", ~\".*\"])\n || open.file.path in [~\"/var/tmp/**\", ~\"/dev/shm/**\", - ~\"/root/**\", ~\"*/bin/*\", ~\"/usr/local/lib/**\"]\n)\n&& (process.comm - in [\"javac\", \"clang\", \"gcc\",\"bcc\"] || process.ancestors.comm in [\"javac\", - \"clang\", \"gcc\",\"bcc\"])\n&& process.file.name not in [\"pip\", ~\"python*\"]\n&& - container.id != \"\"","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1670604150062,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ct9-og0-h7h","attributes":{"version":1,"name":"net_unusual_request","description":"Network - utility executed with suspicious URI","expression":"exec.comm in [\"wget\", - \"curl\", \"lwp-download\"] && exec.args in [~\"*.php*\", ~\"*.jpg*\"] ","category":"Process - Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1670604150059,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"9dx-svj-apj","attributes":{"version":1,"name":"azure_imds","description":"An - Azure IMDS was called via a network utility","expression":"exec.comm in [\"wget\", - \"curl\", \"lwp-download\"] && exec.args in [~\"*169.254.169.254/metadata/identity/oauth2/token?api-version=*\"]","category":"Process - 
Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1670604150058,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"sah-xju-jcq","attributes":{"version":1,"name":"gcp_imds","description":"An - GCP IMDS was called via a network utility","expression":"exec.comm in [\"wget\", - \"curl\", \"lwp-download\"] && exec.args in [~\"*metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token\", - ~\"*169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token\"]","category":"Process - Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1670604150002,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"mmk-0g6-4qu","attributes":{"version":1,"name":"dummy_rule_VxNSK","description":"Execution - of a java process","expression":"exec.file.name == \"java\"","category":"Process - Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1668731826060,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1668731826060,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"uze-gr4-sfh","attributes":{"version":1,"name":"examplecreateacloudworkloadsecurityagentrulereturnsokresponse1667938921","description":"Test - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1667938921652,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1667938921652,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"mgd-dmc-zta","attributes":{"version":1,"name":"interactive_shell_in_container","description":"An - interactive shell was started inside of a container","expression":"exec.file.path + \"/usr/bin/yum\", \"/sbin/apk\"]\n) \u0026\u0026 chmod.file.destination.mode + != chmod.file.mode","filters":[],"name":"systemd_modification_chmod","updateDate":1674486404846,"updater":{"name":"","handle":""},"version":6}},{"id":"hnh-eio-mow","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Kernel + Activity","creationDate":1650293718435,"creator":{"name":"","handle":""},"defaultRule":true,"description":"A + process uses an anti-debugging technique to block debuggers","enabled":true,"expression":"ptrace.request + == PTRACE_TRACEME \u0026\u0026 process.file.name != \"\"","filters":[],"name":"ptrace_antidebug","updateDate":1670604150759,"updater":{"name":"","handle":""},"version":2}},{"id":"ddh-ld5-2rj","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"An + AWS IMDS was called via a network utility","enabled":true,"expression":"exec.comm + in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*169.254.169.254/latest/meta-data/iam/security-credentials/*\", + \"*169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\", 
~\"*169.254.170.2/*/credentials?id=*\"]","filters":[],"name":"aws_imds","updateDate":1670604150281,"updater":{"name":"","handle":""},"version":1}},{"id":"enj-kdc-1tt","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"A + suspicious file was written by a network utility","enabled":true,"expression":"open.flags + \u0026 O_CREAT \u003e 0 \u0026\u0026 process.comm in [\"wget\", \"curl\", + \"lwp-download\"]\n\u0026\u0026 (\n (open.file.path =~ \"/tmp/**\" \u0026\u0026 + open.file.name in [~\"*.sh\", ~\"*.c\", ~\"*.so\", ~\"*.ko\"])\n || open.file.path + in [~\"/usr/**\", ~\"/lib/**\", ~\"/etc/**\", ~\"/var/tmp/**\", ~\"/dev/shm/**\"]\n)","filters":[],"name":"net_file_download","updateDate":1670604150067,"updater":{"name":"","handle":""},"version":1}},{"id":"ct9-og0-h7h","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"Network + utility executed with suspicious URI","enabled":true,"expression":"exec.comm + in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*.php*\", + ~\"*.jpg*\"] ","filters":[],"name":"net_unusual_request","updateDate":1670604150059,"updater":{"name":"","handle":""},"version":1}},{"id":"9dx-svj-apj","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"An + Azure IMDS was called via a network utility","enabled":true,"expression":"exec.comm + in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in 
[~\"*169.254.169.254/metadata/identity/oauth2/token?api-version=*\"]","filters":[],"name":"azure_imds","updateDate":1670604150058,"updater":{"name":"","handle":""},"version":1}},{"id":"sah-xju-jcq","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"An + GCP IMDS was called via a network utility","enabled":true,"expression":"exec.comm + in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token\", + ~\"*169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token\"]","filters":[],"name":"gcp_imds","updateDate":1670604150002,"updater":{"name":"","handle":""},"version":1}},{"id":"mmk-0g6-4qu","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1668731826060,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Execution + of a java process","enabled":true,"expression":"exec.file.name == \"java\"","filters":[],"name":"dummy_rule_VxNSK","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1668731826060,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"uze-gr4-sfh","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1667938921652,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == 
\"sh\"","filters":[],"name":"examplecreateacloudworkloadsecurityagentrulereturnsokresponse1667938921","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1667938921652,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"mgd-dmc-zta","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"An + interactive shell was started inside of a container","enabled":true,"expression":"exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" - ] && exec.args_flags in [\"i\"] && container.id !=\"\"","category":"Process - Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1666888169595,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"3lt-gov-2yu","attributes":{"version":4,"name":"net_util","description":"A - network utility was executed","expression":"(exec.comm in [\"socat\", \"dig\", - \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm in - [\"wget\", \"curl\", \"lwp-download\"]) &&\ncontainer.id == \"\" && exec.args - not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]","category":"Process - 
Activity","defaultRule":true,"enabled":true,"creationDate":1642158534952,"updateDate":1666888163498,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"jx4-pkv-247","attributes":{"version":2,"name":"dirty_pipe_attempt","description":"Potential - Dirty pipe exploitation attempt","expression":"(splice.pipe_entry_flag & PIPE_BUF_FLAG_CAN_MERGE) - != 0 && (splice.pipe_exit_flag & PIPE_BUF_FLAG_CAN_MERGE) == 0 && (process.uid - != 0 && process.gid != 0)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":1648564123603,"updateDate":1666888163347,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ifl-wfe-sch","attributes":{"version":6,"name":"net_util_in_container","description":"A - network utility was executed in a container","expression":"(exec.comm in [\"socat\", + ] \u0026\u0026 exec.args_flags in [\"i\"] \u0026\u0026 container.id !=\"\"","filters":[],"name":"interactive_shell_in_container","updateDate":1666888169595,"updater":{"name":"","handle":""},"version":1}},{"id":"3lt-gov-2yu","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationDate":1642158534952,"creator":{"name":"","handle":""},"defaultRule":true,"description":"A + network utility was executed","enabled":true,"expression":"(exec.comm in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm - in [\"wget\", \"curl\", \"lwp-download\"]) &&\ncontainer.id != \"\" && exec.args - not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" ]","category":"Process - 
Activity","defaultRule":true,"enabled":true,"creationDate":1617722068439,"updateDate":1666888163319,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"aux-r7v-odv","attributes":{"version":2,"name":"dirty_pipe_exploitation","description":"Potential - Dirty pipe exploitation","expression":"(splice.pipe_exit_flag & PIPE_BUF_FLAG_CAN_MERGE) - > 0 && (process.uid != 0 && process.gid != 0)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":1648564123563,"updateDate":1666888163318,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"vri-cjo-ywh","attributes":{"version":2,"name":"pwnkit_privilege_escalation","description":"A - process was spawned with indicators of exploitation of CVE-2021-4034","expression":"(exec.file.path - == \"/usr/bin/pkexec\" && exec.envs in [~\"*SHELL*\", ~\"*PATH*\"] && exec.envs - not in [~\"*DISPLAY*\", ~\"*DESKTOP_SESSION*\"] && exec.uid != 0)","category":"Process - Activity","defaultRule":true,"enabled":true,"creationDate":1643639113864,"updateDate":1666888163135,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ejk-rbu-v9x","attributes":{"version":3,"name":"passwd_execution","description":"The - passwd or chpasswd utility was used to modify an account password","expression":"exec.file.path - in [\"/usr/bin/passwd\", \"/usr/sbin/chpasswd\"] && exec.args_flags not in - [\"S\", \"status\"]","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":1617722068383,"updateDate":1666888162106,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"pej-frv-8lb","attributes":{"version":2,"name":"java_shell_execution","description":"A - java 
process spawned a shell, shell utility, or HTTP utility","expression":"(exec.file.path - in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" - ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path - in [\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",
\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\"])\n&& - process.ancestors.file.name == \"java\"","category":"Process Activity","defaultRule":true,"enabled":true,"creationDate":1617722069224,"updateDate":1666888161764,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"llh-jd2-obf","attributes":{"version":1,"name":"dummy_rule_cdxqn","description":"Execution - of a java process","expression":"exec.file.name == \"java\"","category":"Process - Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1666320581140,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1666320581140,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"xae-nwo-v33","attributes":{"version":1,"name":"dummy_rule_iNwDw","description":"Execution - of a java process","expression":"exec.file.name == \"java\"","category":"Process - 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1666305602255,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1666305602255,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"rvp-ggu-cvk","attributes":{"version":2,"name":"exampleupdateacloudworkloadsecurityagentrulereturnsokresponse1665706668","description":"Test - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1665706668670,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1665706791898,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"vx9-lii-nnm","attributes":{"version":1,"name":"examplegetallcloudworkloadsecurityagentrulesreturnsokresponse1665706685","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1665706690162,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1665706690162,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"xur-uya-vqn","attributes":{"version":1,"name":"examplegetacloudworkloadsecurityagentrulereturnsokresponse1665706585","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1665706656639,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1665706656639,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"96x-aqb-3yh","attributes":{"version":1,"name":"dummy_rule_RMoJm","description":"Execution - of a java process","expression":"exec.file.name == \"java\"","category":"Process - Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1665706171079,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1665706171079,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"smc-exb-ymp","attributes":{"version":1,"name":"ld_preload_unusual_library_path","description":"The - LD_PRELOAD variable is populated by a link to a suspicious file directory","expression":"exec.envs - in [~\"LD_PRELOAD=*/tmp/*\" ,~\"LD_PRELOAD=/dev/shm/*\" ]","category":"Process - Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1665475122471,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"fak-u9s-pac","attributes":{"version":4,"name":"pam_modification_chown","description":"PAM - may have been modified without authorization","expression":"(\n (chown.file.path - in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) && (chown.file.destination.uid - != chown.file.uid || chown.file.destination.gid != chown.file.gid)","category":"File - 
Activity","defaultRule":true,"enabled":true,"creationDate":1606142936138,"updateDate":1665475121157,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ki2-nwj-sot","attributes":{"version":4,"name":"nsswitch_conf_mod_chmod","description":"nsswitch - may have been modified without authorization","expression":"(\n (chmod.file.path - in [ \"/etc/nsswitch.conf\" ])\n) && chmod.file.destination.mode != chmod.file.mode","category":"File - Activity","defaultRule":true,"enabled":true,"creationDate":1606142958657,"updateDate":1665475120054,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"12k-ui3-z4h","attributes":{"version":4,"name":"pam_modification_chmod","description":"PAM - may have been modified without authorization","expression":"(\n (chmod.file.path - in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) && chmod.file.destination.mode - != chmod.file.mode","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":1606142936138,"updateDate":1665475102566,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ien-7aw-blw","attributes":{"version":4,"name":"ssh_authorized_keys_chown","description":"SSH - modified keys may have been modified","expression":"(\n chown.file.name - in [ \"authorized_keys\", \"authorized_keys2\" ] && (chown.file.path in [ - ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) && (chown.file.destination.uid - != chown.file.uid || chown.file.destination.gid != chown.file.gid)","category":"File - 
Activity","defaultRule":true,"enabled":true,"creationDate":1606142954844,"updateDate":1665475102281,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"vqc-lta-u8c","attributes":{"version":4,"name":"ssh_authorized_keys_chmod","description":"SSH - modified keys may have been modified","expression":"(\n chmod.file.name - in [ \"authorized_keys\", \"authorized_keys2\" ] && (chmod.file.path in [ - ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) && chmod.file.destination.mode - != chmod.file.mode","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":1606142954844,"updateDate":1665475100348,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"m1y-sk8-b4c","attributes":{"version":1,"name":"dummy_rule_xkrhu","description":"Execution - of a java process","expression":"exec.file.name == \"java\"","category":"Process - Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1665129615755,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1665129615755,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"19v-30b-0xf","attributes":{"version":1,"name":"dummy_rule","description":"Execution - of a java process","expression":"exec.file.name == \"java\"","category":"Process - 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1665129432848,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1665129432848,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"ehj-52q-wq0","attributes":{"version":1,"name":"shell_history_symlink","description":"A - symbolic link for shell history was created targeting /dev/null","expression":"exec.comm - == \"ln\" && exec.args in [~\"*.*history*\", \"/dev/null\"]","category":"Process - Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1661193980229,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"gp1-mai-dlc","attributes":{"version":1,"name":"new_java_detect_sync_test_us1_prod","description":"Execution - of a java process","expression":"exec.file.name == \"java\"","category":"Process - Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1661183150504,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1661183150504,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"ai3-b8g-lbc","attributes":{"version":1,"name":"new_java_detect_sync_test_prod","description":"Execution - of a java process","expression":"exec.file.name == \"java\"","category":"Process - 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1661182864424,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1661182864424,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"tmz-dqc-yml","attributes":{"version":1,"name":"new_java_detect_sync_test","description":"Execution - of a java process","expression":"exec.file.name == \"java\"","category":"Process - Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1661182722064,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1661182722064,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"ez9-ozl-3lz","attributes":{"version":2,"name":"potential_cryptominer","description":"A - process resolved a DNS name associated with cryptomining activity","expression":"dns.question.name - in [~\"*minexmr.com\", ~\"*nanopool.org\", ~\"*supportxmr.com\", ~\"*c3pool.com\", - ~\"*p2pool.io\", ~\"*ethermine.org\", ~\"*f2pool.com\", ~\"*poolin.me\", ~\"*rplant.xyz\"] - && process.file.name != \"\"","category":"Network Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1658502077556,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"tef-sab-thr","attributes":{"version":2,"name":"exampleupdateacloudworkloadsecurityagentrulereturnsokresponse1656001149","description":"Test - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1656001153179,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1656001158687,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"wup-o5b-tjo","attributes":{"version":1,"name":"examplegetallcloudworkloadsecurityagentrulesreturnsokresponse1656001148","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1656001152681,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1656001152681,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"c3v-vla-rev","attributes":{"version":1,"name":"examplegetacloudworkloadsecurityagentrulereturnsokresponse1656001148","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1656001148856,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1656001148856,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"yel-nbl-2pj","attributes":{"version":1,"name":"testpythonupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1654691372","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1654691372829,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1654691372829,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"},{"id":"rp0-hmk-9c1","attributes":{"version":1,"name":"ip_check_domain","description":"A - DNS lookup was done for a IP check service","expression":"dns.question.name + in [\"wget\", \"curl\", \"lwp-download\"]) \u0026\u0026\ncontainer.id == \"\" + \u0026\u0026 exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" + ]","filters":[],"name":"net_util","updateDate":1666888163498,"updater":{"name":"","handle":""},"version":4}},{"id":"jx4-pkv-247","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":1648564123603,"creator":{"name":"","handle":""},"defaultRule":true,"description":"Potential + Dirty pipe exploitation attempt","enabled":true,"expression":"(splice.pipe_entry_flag + \u0026 PIPE_BUF_FLAG_CAN_MERGE) != 0 \u0026\u0026 (splice.pipe_exit_flag \u0026 + PIPE_BUF_FLAG_CAN_MERGE) == 0 \u0026\u0026 (process.uid != 0 \u0026\u0026 + process.gid != 0)","filters":[],"name":"dirty_pipe_attempt","updateDate":1666888163347,"updater":{"name":"","handle":""},"version":2}},{"id":"ifl-wfe-sch","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationDate":1617722068439,"creator":{"name":"","handle":""},"defaultRule":true,"description":"A + network utility was executed in a container","enabled":true,"expression":"(exec.comm + in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] + ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) \u0026\u0026\ncontainer.id + != \"\" 
\u0026\u0026 exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", + ~\"*motd.ubuntu.com*\" ]","filters":[],"name":"net_util_in_container","updateDate":1666888163319,"updater":{"name":"","handle":""},"version":6}},{"id":"aux-r7v-odv","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":1648564123563,"creator":{"name":"","handle":""},"defaultRule":true,"description":"Potential + Dirty pipe exploitation","enabled":true,"expression":"(splice.pipe_exit_flag + \u0026 PIPE_BUF_FLAG_CAN_MERGE) \u003e 0 \u0026\u0026 (process.uid != 0 \u0026\u0026 + process.gid != 0)","filters":[],"name":"dirty_pipe_exploitation","updateDate":1666888163318,"updater":{"name":"","handle":""},"version":2}},{"id":"vri-cjo-ywh","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationDate":1643639113864,"creator":{"name":"","handle":""},"defaultRule":true,"description":"A + process was spawned with indicators of exploitation of CVE-2021-4034","enabled":true,"expression":"(exec.file.path + == \"/usr/bin/pkexec\" \u0026\u0026 exec.envs in [~\"*SHELL*\", ~\"*PATH*\"] + \u0026\u0026 exec.envs not in [~\"*DISPLAY*\", ~\"*DESKTOP_SESSION*\"] \u0026\u0026 + exec.uid != 0)","filters":[],"name":"pwnkit_privilege_escalation","updateDate":1666888163135,"updater":{"name":"","handle":""},"version":2}},{"id":"ejk-rbu-v9x","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationDate":1617722068383,"creator":{"name":"","handle":""},"defaultRule":true,"description":"The + passwd or chpasswd utility was used to modify an account password","enabled":true,"expression":"exec.file.path + in [\"/usr/bin/passwd\", \"/usr/sbin/chpasswd\"] \u0026\u0026 exec.args_flags + not in [\"S\", 
\"status\"]","filters":[],"name":"passwd_execution","updateDate":1666888162106,"updater":{"name":"","handle":""},"version":3}},{"id":"llh-jd2-obf","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1666320581140,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Execution + of a java process","enabled":true,"expression":"exec.file.name == \"java\"","filters":[],"name":"dummy_rule_cdxqn","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1666320581140,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"xae-nwo-v33","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1666305602255,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Execution + of a java process","enabled":true,"expression":"exec.file.name == \"java\"","filters":[],"name":"dummy_rule_iNwDw","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1666305602255,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"rvp-ggu-cvk","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1665706668670,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == 
\"sh\"","filters":[],"name":"exampleupdateacloudworkloadsecurityagentrulereturnsokresponse1665706668","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1665706791898,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":2}},{"id":"vx9-lii-nnm","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1665706690162,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":[],"name":"examplegetallcloudworkloadsecurityagentrulesreturnsokresponse1665706685","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1665706690162,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"xur-uya-vqn","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1665706656639,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":[],"name":"examplegetacloudworkloadsecurityagentrulereturnsokresponse1665706585","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1665706656639,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"96x-aqb-3yh","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1665706171079,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Execution + of a java process","enabled":true,"expression":"exec.file.name == 
\"java\"","filters":[],"name":"dummy_rule_RMoJm","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1665706171079,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"ien-7aw-blw","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":1606142954844,"creator":{"name":"","handle":""},"defaultRule":true,"description":"SSH + modified keys may have been modified","enabled":true,"expression":"(\n chown.file.name + in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (chown.file.path + in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) + \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid + != chown.file.gid)","filters":[],"name":"ssh_authorized_keys_chown","updateDate":1665475102281,"updater":{"name":"","handle":""},"version":4}},{"id":"vqc-lta-u8c","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":1606142954844,"creator":{"name":"","handle":""},"defaultRule":true,"description":"SSH + modified keys may have been modified","enabled":true,"expression":"(\n chmod.file.name + in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (chmod.file.path + in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) + \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":[],"name":"ssh_authorized_keys_chmod","updateDate":1665475100348,"updater":{"name":"","handle":""},"version":4}},{"id":"m1y-sk8-b4c","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1665129615755,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Execution + of a java process","enabled":true,"expression":"exec.file.name == 
\"java\"","filters":[],"name":"dummy_rule_xkrhu","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1665129615755,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"19v-30b-0xf","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1665129432848,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Execution + of a java process","enabled":true,"expression":"exec.file.name == \"java\"","filters":[],"name":"dummy_rule","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1665129432848,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"ehj-52q-wq0","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"A + symbolic link for shell history was created targeting /dev/null","enabled":true,"expression":"exec.comm + == \"ln\" \u0026\u0026 exec.args in [~\"*.*history*\", \"/dev/null\"]","filters":[],"name":"shell_history_symlink","updateDate":1661193980229,"updater":{"name":"","handle":""},"version":1}},{"id":"gp1-mai-dlc","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1661183150504,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Execution + of a java process","enabled":true,"expression":"exec.file.name == \"java\"","filters":[],"name":"new_java_detect_sync_test_us1_prod","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1661183150504,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"ai3-b8g-lbc","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + 
Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1661182864424,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Execution + of a java process","enabled":true,"expression":"exec.file.name == \"java\"","filters":[],"name":"new_java_detect_sync_test_prod","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1661182864424,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"tmz-dqc-yml","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1661182722064,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Execution + of a java process","enabled":true,"expression":"exec.file.name == \"java\"","filters":[],"name":"new_java_detect_sync_test","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1661182722064,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"tef-sab-thr","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1656001153179,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":[],"name":"exampleupdateacloudworkloadsecurityagentrulereturnsokresponse1656001149","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1656001158687,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":2}},{"id":"wup-o5b-tjo","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + 
Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1656001152681,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":[],"name":"examplegetallcloudworkloadsecurityagentrulesreturnsokresponse1656001148","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1656001152681,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"c3v-vla-rev","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1656001148856,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":[],"name":"examplegetacloudworkloadsecurityagentrulereturnsokresponse1656001148","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1656001148856,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"yel-nbl-2pj","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1654691372829,"creator":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":[],"name":"testpythonupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1654691372","updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1654691372829,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"version":1}},{"id":"rp0-hmk-9c1","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Network + 
Activity","creationDate":0,"creator":{"name":"","handle":""},"defaultRule":true,"description":"A + DNS lookup was done for a IP check service","enabled":true,"expression":"dns.question.name in [\"icanhazip.com\", \"ip-api.com\", \"myip.opendns.com\", \"checkip.amazonaws.com\", - \"whatismyip.akamai.com\"] && process.file.name != \"\"","category":"Network - Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1654020337230,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"q7y-2ci-hkh","attributes":{"version":1,"name":"paste_site","description":"A - DNS lookup was done for a pastebin-like site","expression":"dns.question.name - in [\"pastebin.com\", \"ghostbin.com\", \"termbin.com\", \"klgrth.io\"] && - process.file.name != \"\"","category":"Network Activity","defaultRule":true,"enabled":true,"creationDate":0,"updateDate":1654020335889,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ntj-rfs-mw3","attributes":{"version":1,"name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1652008845","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1652008845797,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1652008845797,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"dyn-u7u-v86","attributes":{"version":2,"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1651997887","description":"Test - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1651997888388,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1651997888544,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"mlg-yxw-uig","attributes":{"version":1,"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1651997886","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1651997887223,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1651997887223,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"lq3-t6t-xng","attributes":{"version":1,"name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651997885","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1651997886363,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1651997886363,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"1hp-hpr-4ez","attributes":{"version":1,"name":"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1651997885","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1651997885869,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1651997885869,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"mt3-pks-n5s","attributes":{"version":1,"name":"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1651997884","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1651997884985,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1651997884985,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"r4a-yvz-rj7","attributes":{"version":1,"name":"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1651997883","description":"Test - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1651997884150,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1651997884150,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"5k1-gwi-0aq","attributes":{"version":1,"name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651943471","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1651943472022,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1651943472022,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"lkj-jnq-r6s","attributes":{"version":1,"name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651915814","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1651915815493,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1651915815493,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"mbc-iwk-zpb","attributes":{"version":1,"name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651912469","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1651912470539,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1651912470539,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"fzb-lli-m26","attributes":{"version":1,"name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651867149","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1651867150336,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1651867150336,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"9mk-xxe-lpw","attributes":{"version":2,"name":"suspicious_container_client","description":"A - container management utility was executed in a container","expression":"exec.file.name - in [\"docker\", \"kubectl\"] && container.id != \"\"","category":"Process - Activity","defaultRule":true,"enabled":true,"creationDate":1617722068555,"updateDate":1651671394200,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ieg-lmk-cgo","attributes":{"version":2,"name":"kernel_module_load_container","description":"A - container loaded a new kernel module","expression":"load_module.name != \"\" - && container.id !=\"\"","category":"Kernel Activity","defaultRule":true,"enabled":true,"creationDate":1650293718705,"updateDate":1650371511241,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"lzx-kkv-at3","attributes":{"version":1,"name":"ptrace_injection","description":"A - process attempted to inject code into another process","expression":"ptrace.request + \"whatismyip.akamai.com\"] \u0026\u0026 process.file.name != \"\"","filters":[],"name":"ip_check_domain","updateDate":1654020337230,"updater":{"name":"","handle":""},"version":1}},{"id":"ntj-rfs-mw3","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + 
Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1652008845797,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":[],"name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1652008845","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1652008845797,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"dyn-u7u-v86","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1651997888388,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":[],"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsokresponse1651997887","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1651997888544,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":2}},{"id":"mlg-yxw-uig","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1651997887223,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":[],"name":"testtypescriptupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1651997886","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1651997887223,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"lq3-t6t-xng","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + 
Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1651997886363,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":[],"name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651997885","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1651997886363,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"1hp-hpr-4ez","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1651997885869,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":[],"name":"testtypescriptgetacloudworkloadsecurityagentrulereturnsokresponse1651997885","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1651997885869,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"mt3-pks-n5s","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1651997884985,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":[],"name":"testtypescriptdeleteacloudworkloadsecurityagentrulereturnsokresponse1651997884","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1651997884985,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"r4a-yvz-rj7","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + 
Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1651997884150,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":[],"name":"testtypescriptcreateacloudworkloadsecurityagentrulereturnsokresponse1651997883","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1651997884150,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"5k1-gwi-0aq","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1651943472022,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":[],"name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651943471","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1651943472022,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"lkj-jnq-r6s","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1651915815493,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":[],"name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651915814","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1651915815493,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"mbc-iwk-zpb","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + 
Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1651912470539,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":[],"name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651912469","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1651912470539,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"fzb-lli-m26","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1651867150336,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":[],"name":"testtypescriptgetallcloudworkloadsecurityagentrulesreturnsokresponse1651867149","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1651867150336,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"ieg-lmk-cgo","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Kernel + Activity","creationDate":1650293718705,"creator":{"name":"","handle":""},"defaultRule":true,"description":"A + container loaded a new kernel module","enabled":true,"expression":"load_module.name + != \"\" \u0026\u0026 container.id !=\"\"","filters":[],"name":"kernel_module_load_container","updateDate":1650371511241,"updater":{"name":"","handle":""},"version":2}},{"id":"lzx-kkv-at3","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Kernel + Activity","creationDate":1650293718540,"creator":{"name":"","handle":""},"defaultRule":true,"description":"A + process attempted to inject code into another process","enabled":true,"expression":"ptrace.request == PTRACE_POKETEXT || ptrace.request == PTRACE_POKEDATA || 
ptrace.request - == PTRACE_POKEUSR","category":"Kernel Activity","defaultRule":true,"enabled":true,"creationDate":1650293718540,"updateDate":1650293789265,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"foo-pve-qbq","attributes":{"version":1,"name":"kernel_module_load_from_memory_container","description":"A - kernel module was loaded from memory inside a container","expression":"load_module.loaded_from_memory - == true && container.id !=\"\"","category":"Kernel Activity","defaultRule":true,"enabled":true,"creationDate":1650293718365,"updateDate":1650293788418,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"irg-o45-pxz","attributes":{"version":3,"name":"example_agent_rule","description":"An - example agent rule generated in terraform","expression":"exec.file.name == - \"java\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1647036168203,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1647036377676,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"rsy-7jg-hqm","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392923","description":"an - agent rule","expression":"exec.file.name == \"java\"","category":"Process - 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643392938634,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643392938634,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"m39-rre-anw","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392903","description":"an - agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643392919175,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643392919175,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"4wd-unc-xof","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392885","description":"an - agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643392899126,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643392899126,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"jhk-qpj-jlt","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392458","description":"an - agent rule","expression":"exec.file.name == \"java\"","category":"Process - 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643392475857,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643392475857,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"ruf-aic-d4j","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392438","description":"an - agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643392453588,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643392453588,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"jtf-zrn-0ph","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392419","description":"an - agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643392434263,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643392434263,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"ijz-1cz-bms","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392026","description":"an - agent rule","expression":"exec.file.name == \"java\"","category":"Process - 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643392042558,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643392042558,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"21m-gs8-p43","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392003","description":"an - agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643392021741,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643392021741,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"in7-ydq-pbw","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391983","description":"an - agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643391998597,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643391998597,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"v8v-sem-rmg","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391729","description":"an - agent rule","expression":"exec.file.name == \"java\"","category":"Process - 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643391745920,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643391745920,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"kox-qtp-cbn","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391707","description":"an - agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643391725233,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643391725233,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"thp-evn-3gr","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391687","description":"an - agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643391702920,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643391702920,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"hx6-v0z-9gk","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643390432","description":"an - agent rule","expression":"exec.file.name == \"go\"","category":"Process 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643390450706,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643390450706,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"n8j-9n3-urm","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643390410","description":"an - agent rule","expression":"exec.file.name == \"go\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643390427444,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643390427444,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"tkl-mjf-is5","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643390389","description":"an - agent rule","expression":"exec.file.name == \"go\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643390405807,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643390405807,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"up2-fhh-bc8","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643390151","description":"an - agent rule","expression":"exec.file.name == \"java\"","category":"Process - 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643390171673,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643390171673,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"vdu-0rd-lnj","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643390130","description":"an - agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643390147278,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643390147278,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"dfb-wz2-0ka","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643390108","description":"an - agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643390124588,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643390124588,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"7vz-wdj-vwc","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389977","description":"an - agent rule","expression":"exec.file.name == \"java\"","category":"Process - 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389998703,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389998703,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"qls-upn-1vc","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389955","description":"an - agent rule","expression":"exec.file.name == \"go\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389972825,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389972825,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"rxo-lya-bqu","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389931","description":"an - agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389950224,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389950224,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"dm3-ip4-rza","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389911","description":"an - agent rule","expression":"exec.file.name == \"go\"","category":"Process 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389929035,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389929035,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"rzs-ccq-4qm","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389756","description":"an - agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389773436,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389773436,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"wa9-zm8-8ds","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389685","description":"an - agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389706550,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389706550,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"alm-sgy-vz3","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389627","description":"an - agent rule","expression":"exec.file.name == \"java\"","category":"Process - 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389645597,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389645597,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"dls-vo9-rqx","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389553","description":"an - agent rule","expression":"exec.file.name == \"go\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389575084,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389575084,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"fyz-u20-nvn","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389530","description":"an - agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389549031,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389549031,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"nqv-0et-fcj","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389507","description":"an - agent rule","expression":"exec.file.name == \"go\"","category":"Process 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389523942,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389523942,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"u7v-36z-wue","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389484","description":"an - agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389502800,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389502800,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"y2z-ffa-zys","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389460","description":"an - agent rule","expression":"exec.file.name == \"go\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389479547,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389479547,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"cym-1zi-nnd","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389411","description":"an - agent rule","expression":"exec.file.name == \"go\"","category":"Process 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389428402,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389428402,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"ip9-wgt-q3k","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389389","description":"an - agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389406698,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389406698,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"t9d-zbo-2nw","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389363","description":"an - agent rule","expression":"exec.file.name == \"go\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389381751,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389381751,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"kaw-0h7-dji","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389339","description":"an - agent rule","expression":"exec.file.name == \"java\"","category":"Process - 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389356453,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389356453,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"m4i-otg-jnj","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389317","description":"an - agent rule","expression":"exec.file.name == \"go\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389335243,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389335243,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"heh-lnh-xwm","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389210","description":"an - agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389226802,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389226802,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"cwa-5rh-qtd","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389186","description":"an - agent rule","expression":"exec.file.name == \"go\"","category":"Process 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389204108,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389204108,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"e5l-xtx-hmi","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389165","description":"an - agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389181761,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389181761,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"ebx-lyj-r3a","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389136","description":"an - agent rule","expression":"exec.file.name == \"go\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389155207,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389155207,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"xac-4if-49b","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389111","description":"an - agent rule","expression":"exec.file.name == \"java\"","category":"Process - 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389130549,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389130549,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"dh6-bdu-8v0","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389088","description":"an - agent rule","expression":"exec.file.name == \"go\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389106392,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389106392,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"hkd-6dr-ify","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388939","description":"an - agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643388960762,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643388960762,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"bsx-fod-0xj","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388912","description":"an - agent rule","expression":"exec.file.name == \"go\"","category":"Process 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643388931383,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643388931383,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"8jt-x9p-yoy","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388890","description":"an - agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643388907818,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643388907818,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"rhd-qao-dub","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388866","description":"an - agent rule","expression":"exec.file.name == \"go\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643388883010,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643388883010,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"j0f-fhi-ab7","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388847","description":"an - agent rule","expression":"exec.file.name == \"java\"","category":"Process - 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643388862340,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643388862340,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"rvn-u2c-xm4","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388825","description":"an - agent rule","expression":"exec.file.name == \"go\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643388843151,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643388843151,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"ldn-agb-3fl","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388726","description":"an - agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643388744863,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643388744863,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"cyr-g7t-to0","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388700","description":"an - agent rule","expression":"exec.file.name == \"go\"","category":"Process 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643388719895,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643388719895,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"wnm-xkk-mat","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388666","description":"an - agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643388693095,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643388693095,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"moo-kuq-zbt","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388257","description":"an - agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643388275282,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643388275282,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"wzs-moc-ji9","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388230","description":"an - agent rule","expression":"exec.file.name == \"go\"","category":"Process 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643388250051,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643388250051,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"uw2-d3y-5h6","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388208","description":"an - agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643388226579,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643388226579,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"fez-txs-qf9","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388182","description":"an - agent rule","expression":"exec.file.name == \"go\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643388201323,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643388201323,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"fga-mna-xej","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388161","description":"an - agent rule","expression":"exec.file.name == \"java\"","category":"Process - 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643388177724,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643388177724,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"iyn-7sl-swn","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388137","description":"an - agent rule","expression":"exec.file.name == \"go\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643388157048,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643388157048,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"p3w-qyi-pbo","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387992","description":"an - agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643388010676,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643388010676,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"yyt-sfa-fck","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387579","description":"an - agent rule","expression":"exec.file.name == \"java\"","category":"Process - 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643387597089,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643387597089,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"5z7-fqq-siu","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387554","description":"an - agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643387573023,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643387573023,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"ivz-amj-yl7","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387531","description":"an - agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643387549793,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643387549793,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"lyv-3xn-qch","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387505","description":"an - agent rule","expression":"exec.file.name == \"java\"","category":"Process - 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643387524178,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643387524178,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"fpt-c7o-ipx","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387484","description":"an - agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643387500298,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643387500298,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"tap-fek-5kw","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387461","description":"an - agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643387480011,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643387480011,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"u7b-x0z-cbe","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387148","description":"an - agent rule","expression":"exec.file.name == \"java\"","category":"Process - 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643387165931,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643387165931,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"hhe-gcm-vjl","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387120","description":"an - agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643387141298,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643387141298,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"nt9-5fe-de1","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387090","description":"an - agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643387114912,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643387114912,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"pj0-bcy-euh","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387063","description":"an - agent rule","expression":"exec.file.name == \"java\"","category":"Process - 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643387082695,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643387082695,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"rm5-px4-iua","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387039","description":"an - agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643387057879,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643387057879,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"cqz-7pc-ajz","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387014","description":"an - agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643387032689,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643387032689,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"hot-prj-df5","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386909","description":"an - agent rule","expression":"exec.file.name == \"java\"","category":"Process - 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643386926682,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643386926682,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"q7n-lvv-4au","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386882","description":"an - agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643386901939,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643386901939,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"gly-5wu-uny","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386858","description":"an - agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643386877222,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643386877222,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"umz-fjl-7qq","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386831","description":"an - agent rule","expression":"exec.file.name == \"java\"","category":"Process - 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643386850558,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643386850558,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"spq-5f8-isw","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386809","description":"an - agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643386826170,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643386826170,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"dul-hdz-xmo","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386786","description":"an - agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643386804704,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643386804704,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"n94-q2a-co9","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386742","description":"an - agent rule","expression":"exec.file.name == \"java\"","category":"Process - 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643386762229,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643386762229,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"x1n-wra-hdt","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386718","description":"an - agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643386735946,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643386735946,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"kgt-kcc-tnu","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386695","description":"an - agent rule","expression":"exec.file.name == \"java\"","category":"Process - Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643386713348,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643386713348,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"znp-dul-gcj","attributes":{"version":1,"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386657","description":"an - agent rule","expression":"exec.file.name == \"java\"","category":"Process - 
Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643386674573,"updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643386674573,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"frog","handle":"frog@datadoghq.com"},"updater":{"name":"frog","handle":"frog@datadoghq.com"}},"type":"agent_rule"},{"id":"ily-tsr-dtj","attributes":{"version":1,"name":"compiler_in_container","description":"Compiler - Executed in Container","expression":"(exec.file.name in [\"javac\", \"clang\", - \"gcc\",\"bcc\"] || (exec.file.name == \"go\" && exec.args in [~\"*build*\", - ~\"*run*\"])) && container.id !=\"\" && process.ancestors.file.path != \"/usr/bin/cilium-agent\"","category":"Process - Activity","defaultRule":true,"enabled":true,"creationDate":1627392836759,"updateDate":1636729662344,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"jl5-wjt-58e","attributes":{"version":1,"name":"aws_metadata_service","description":"EC2 - Instance Metadata Service Accessed via Network Utility","expression":"exec.file.path - in [\"/usr/bin/wget\", \"/usr/bin/curl\"] && exec.args in [~\"*169.254.169.254*\"]","category":"Process - Activity","defaultRule":true,"enabled":true,"creationDate":1627392836096,"updateDate":1629226276630,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"8ol-dkr-aml","attributes":{"version":3,"name":"nsswitch_conf_mod_link","description":"Nsswitch - Configuration Modified","expression":"(\n (link.file.path in [ \"/etc/nsswitch.conf\" - ]\n || link.file.destination.path in [ \"/etc/nsswitch.conf\" ])\n)","category":"File - 
Activity","defaultRule":true,"enabled":true,"creationDate":1606142958657,"updateDate":1628512222322,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"fdf-wvb-c3k","attributes":{"version":3,"name":"nsswitch_conf_mod_open","description":"Nsswitch - Configuration Modified","expression":"(\n open.flags & ((O_RDWR|O_WRONLY|O_CREAT)) - > 0 &&\n (open.file.path in [ \"/etc/nsswitch.conf\" ])\n)","category":"File - Activity","defaultRule":true,"enabled":true,"creationDate":1606142958657,"updateDate":1628512222322,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"pkn-azw-qia","attributes":{"version":3,"name":"nsswitch_conf_mod_rename","description":"Nsswitch - Configuration Modified","expression":"(\n (rename.file.path in [ \"/etc/nsswitch.conf\" - ]\n || rename.file.destination.path in [ \"/etc/nsswitch.conf\" ])\n)","category":"File - Activity","defaultRule":true,"enabled":true,"creationDate":1606142958657,"updateDate":1628512222322,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"wpt-ba8-mpd","attributes":{"version":3,"name":"nsswitch_conf_mod_unlink","description":"Nsswitch - Configuration Modified","expression":"(\n (unlink.file.path in [ \"/etc/nsswitch.conf\" - ])\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":1606142958657,"updateDate":1628512222322,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"7ud-d2o-qgo","attributes":{"version":3,"name":"nsswitch_conf_mod_utimes","description":"Nsswitch - Configuration Modified","expression":"(\n (utimes.file.path in [ \"/etc/nsswitch.conf\" - ])\n)","category":"File 
Activity","defaultRule":true,"enabled":true,"creationDate":1606142958657,"updateDate":1628512222322,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"za8-uxc-jxk","attributes":{"version":3,"name":"ssh_authorized_keys_link","description":"SSH - Authorized Keys Modified","expression":"(\n link.file.name == \"authorized_keys\" - && (link.file.path in [ ~\"*/.ssh/*\" ]\n || link.file.destination.path - in [ ~\"*/.ssh/*\" ])\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":1606142954844,"updateDate":1628512221784,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"nej-iw4-adk","attributes":{"version":3,"name":"ssh_authorized_keys_open","description":"SSH - Authorized Keys Modified","expression":"(\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) - > 0 &&\n open.file.name == \"authorized_keys\" && (open.file.path in [ - ~\"*/.ssh/*\" ])\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":1606142954844,"updateDate":1628512221784,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"tiz-yss-zhq","attributes":{"version":3,"name":"ssh_authorized_keys_rename","description":"SSH - Authorized Keys Modified","expression":"(\n rename.file.name == \"authorized_keys\" - && (rename.file.path in [ ~\"*/.ssh/*\" ]\n || rename.file.destination.path - in [ ~\"*/.ssh/*\" ])\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":1606142954844,"updateDate":1628512221784,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"apr-zj4-ee1","attributes":{"version":3,"name":"ssh_authorized_keys_unlink","description":"SSH - Authorized Keys 
Modified","expression":"(\n unlink.file.name == \"authorized_keys\" - && (unlink.file.path in [ ~\"*/.ssh/*\" ])\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":1606142954844,"updateDate":1628512221784,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"yhq-etl-wr6","attributes":{"version":3,"name":"ssh_authorized_keys_utimes","description":"SSH - Authorized Keys Modified","expression":"(\n utimes.file.name == \"authorized_keys\" - && (utimes.file.path in [ ~\"*/.ssh/*\" ])\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":1606142954844,"updateDate":1628512221784,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"m8i-uhr-aoq","attributes":{"version":3,"name":"pam_modification_link","description":"PAM - Configuration Files Modification","expression":"(\n (link.file.path in - [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ]\n || link.file.destination.path - in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ])\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":1606142936138,"updateDate":1628512221276,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"adl-qjr-lyg","attributes":{"version":3,"name":"pam_modification_open","description":"PAM - Configuration Files Modification","expression":"(\n open.flags & (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) - > 0 &&\n (open.file.path in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ])\n)","category":"File - 
Activity","defaultRule":true,"enabled":true,"creationDate":1606142936138,"updateDate":1628512221276,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"2fy-aqt-8mz","attributes":{"version":3,"name":"pam_modification_rename","description":"PAM - Configuration Files Modification","expression":"(\n (rename.file.path in - [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ]\n || rename.file.destination.path - in [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ])\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":1606142936138,"updateDate":1628512221276,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"},{"id":"ei7-n5e-rvv","attributes":{"version":3,"name":"pam_modification_unlink","description":"PAM - Configuration Files Modification","expression":"(\n (unlink.file.path in - [ ~\"/etc/pam.d/*\", \"/etc/pam.conf\" ])\n)","category":"File Activity","defaultRule":true,"enabled":true,"creationDate":1606142936138,"updateDate":1628512221276,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"","handle":""},"updater":{"name":"","handle":""}},"type":"agent_rule"}]} - - ' + == PTRACE_POKEUSR","filters":[],"name":"ptrace_injection","updateDate":1650293789265,"updater":{"name":"","handle":""},"version":1}},{"id":"foo-pve-qbq","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Kernel + Activity","creationDate":1650293718365,"creator":{"name":"","handle":""},"defaultRule":true,"description":"A + kernel module was loaded from memory inside a container","enabled":true,"expression":"load_module.loaded_from_memory + == true \u0026\u0026 container.id 
!=\"\"","filters":[],"name":"kernel_module_load_from_memory_container","updateDate":1650293788418,"updater":{"name":"","handle":""},"version":1}},{"id":"irg-o45-pxz","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1647036168203,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"An + example agent rule generated in terraform","enabled":true,"expression":"exec.file.name + == \"java\"","filters":[],"name":"example_agent_rule","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1647036377676,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":3}},{"id":"rsy-7jg-hqm","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643392938634,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == \"java\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392923","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643392938634,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"m39-rre-anw","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643392919175,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == 
\"java\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392903","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643392919175,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"4wd-unc-xof","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643392899126,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == \"java\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392885","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643392899126,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"jhk-qpj-jlt","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643392475857,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == \"java\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392458","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643392475857,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"ruf-aic-d4j","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643392453588,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == 
\"java\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392438","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643392453588,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"jtf-zrn-0ph","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643392434263,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == \"java\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392419","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643392434263,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"ijz-1cz-bms","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643392042558,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == \"java\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392026","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643392042558,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"21m-gs8-p43","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643392021741,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == 
\"java\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643392003","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643392021741,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"in7-ydq-pbw","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643391998597,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == \"java\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391983","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643391998597,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"v8v-sem-rmg","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643391745920,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == \"java\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391729","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643391745920,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"kox-qtp-cbn","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643391725233,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == 
\"java\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391707","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643391725233,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"thp-evn-3gr","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643391702920,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == \"java\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643391687","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643391702920,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"hx6-v0z-9gk","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643390450706,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == \"go\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643390432","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643390450706,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"n8j-9n3-urm","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643390427444,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == 
\"go\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643390410","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643390427444,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"tkl-mjf-is5","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643390405807,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == \"go\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643390389","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643390405807,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"up2-fhh-bc8","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643390171673,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == \"java\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643390151","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643390171673,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"vdu-0rd-lnj","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643390147278,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == 
\"java\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643390130","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643390147278,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"dfb-wz2-0ka","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643390124588,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == \"java\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643390108","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643390124588,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"7vz-wdj-vwc","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389998703,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == \"java\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389977","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389998703,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"qls-upn-1vc","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389972825,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == 
\"go\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389955","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389972825,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"rxo-lya-bqu","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389950224,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == \"java\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389931","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389950224,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"dm3-ip4-rza","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389929035,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == \"go\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389911","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389929035,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"rzs-ccq-4qm","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389773436,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == 
\"java\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389756","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389773436,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"wa9-zm8-8ds","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389706550,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == \"java\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389685","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389706550,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"alm-sgy-vz3","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389645597,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == \"java\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389627","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389645597,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"dls-vo9-rqx","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389575084,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == 
\"go\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389553","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389575084,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"fyz-u20-nvn","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389549031,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == \"java\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389530","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389549031,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"nqv-0et-fcj","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389523942,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == \"go\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389507","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389523942,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"u7v-36z-wue","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389502800,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == 
\"java\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389484","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389502800,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"y2z-ffa-zys","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389479547,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == \"go\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389460","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389479547,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"cym-1zi-nnd","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389428402,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == \"go\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389411","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389428402,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"ip9-wgt-q3k","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389406698,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == 
\"java\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389389","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389406698,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"t9d-zbo-2nw","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389381751,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == \"go\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389363","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389381751,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"kaw-0h7-dji","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389356453,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == \"java\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389339","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389356453,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"m4i-otg-jnj","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389335243,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == 
\"go\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389317","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389335243,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"heh-lnh-xwm","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389226802,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == \"java\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389210","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389226802,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"cwa-5rh-qtd","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389204108,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == \"go\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389186","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389204108,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"e5l-xtx-hmi","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389181761,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == 
\"java\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389165","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389181761,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"ebx-lyj-r3a","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389155207,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == \"go\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389136","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389155207,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"xac-4if-49b","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389130549,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == \"java\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643389111","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389130549,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"dh6-bdu-8v0","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643389106392,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == 
\"go\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643389088","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643389106392,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"hkd-6dr-ify","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643388960762,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == \"java\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388939","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643388960762,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"bsx-fod-0xj","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643388931383,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == \"go\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388912","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643388931383,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"8jt-x9p-yoy","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643388907818,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == 
\"java\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388890","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643388907818,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"rhd-qao-dub","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643388883010,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == \"go\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388866","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643388883010,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"j0f-fhi-ab7","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643388862340,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == \"java\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388847","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643388862340,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"rvn-u2c-xm4","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643388843151,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == 
\"go\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388825","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643388843151,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"ldn-agb-3fl","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643388744863,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == \"java\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388726","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643388744863,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"cyr-g7t-to0","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643388719895,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == \"go\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388700","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643388719895,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"wnm-xkk-mat","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643388693095,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == 
\"java\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388666","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643388693095,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"moo-kuq-zbt","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643388275282,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == \"java\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388257","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643388275282,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"wzs-moc-ji9","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643388250051,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == \"go\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388230","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643388250051,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"uw2-d3y-5h6","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643388226579,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == 
\"java\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388208","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643388226579,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"fez-txs-qf9","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643388201323,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == \"go\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388182","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643388201323,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"fga-mna-xej","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643388177724,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == \"java\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643388161","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643388177724,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"iyn-7sl-swn","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643388157048,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == 
\"go\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643388137","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643388157048,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"p3w-qyi-pbo","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643388010676,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == \"java\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387992","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643388010676,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"yyt-sfa-fck","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643387597089,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == \"java\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387579","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643387597089,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"5z7-fqq-siu","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643387573023,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == 
\"java\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387554","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643387573023,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"ivz-amj-yl7","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643387549793,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == \"java\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387531","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643387549793,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"lyv-3xn-qch","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643387524178,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == \"java\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387505","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643387524178,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"fpt-c7o-ipx","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643387500298,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == 
\"java\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387484","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643387500298,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"tap-fek-5kw","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643387480011,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == \"java\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387461","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643387480011,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"u7b-x0z-cbe","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643387165931,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == \"java\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387148","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643387165931,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"hhe-gcm-vjl","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643387141298,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == 
\"java\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387120","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643387141298,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"nt9-5fe-de1","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643387114912,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == \"java\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387090","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643387114912,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"pj0-bcy-euh","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643387082695,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == \"java\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387063","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643387082695,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"rm5-px4-iua","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643387057879,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == 
\"java\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643387039","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643387057879,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"cqz-7pc-ajz","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643387032689,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == \"java\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643387014","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643387032689,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"hot-prj-df5","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643386926682,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == \"java\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386909","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643386926682,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"q7n-lvv-4au","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643386901939,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == 
\"java\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386882","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643386901939,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"gly-5wu-uny","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643386877222,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == \"java\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386858","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643386877222,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"umz-fjl-7qq","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643386850558,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == \"java\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386831","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643386850558,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"spq-5f8-isw","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643386826170,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == 
\"java\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386809","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643386826170,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"dul-hdz-xmo","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643386804704,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == \"java\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386786","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643386804704,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"n94-q2a-co9","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643386762229,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == \"java\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386742","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643386762229,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"x1n-wra-hdt","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643386735946,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == 
\"java\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRulesDatasource_local_1643386718","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643386735946,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"kgt-kcc-tnu","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643386713348,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == \"java\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386695","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643386713348,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"znp-dul-gcj","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","creationDate":1643386674573,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"an + agent rule","enabled":true,"expression":"exec.file.name == \"java\"","filters":[],"name":"tf_TestAccDatadogCloudWorkloadSecurityAgentRule_local_1643386657","updateAuthorUuId":"3ad549bf-eba0-11e9-a77a-0705486660d0","updateDate":1643386674573,"updater":{"name":"frog","handle":"frog@datadoghq.com"},"version":1}},{"id":"ily-tsr-dtj","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationDate":1627392836759,"creator":{"name":"","handle":""},"defaultRule":true,"description":"Compiler + Executed in Container","enabled":true,"expression":"(exec.file.name in [\"javac\", + \"clang\", \"gcc\",\"bcc\"] || (exec.file.name == \"go\" \u0026\u0026 exec.args + in [~\"*build*\", ~\"*run*\"])) \u0026\u0026 container.id !=\"\" \u0026\u0026 + process.ancestors.file.path 
!= \"/usr/bin/cilium-agent\"","filters":[],"name":"compiler_in_container","updateDate":1636729662344,"updater":{"name":"","handle":""},"version":1}},{"id":"jl5-wjt-58e","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"Process + Activity","creationDate":1627392836096,"creator":{"name":"","handle":""},"defaultRule":true,"description":"EC2 + Instance Metadata Service Accessed via Network Utility","enabled":true,"expression":"exec.file.path + in [\"/usr/bin/wget\", \"/usr/bin/curl\"] \u0026\u0026 exec.args in [~\"*169.254.169.254*\"]","filters":[],"name":"aws_metadata_service","updateDate":1629226276630,"updater":{"name":"","handle":""},"version":1}},{"id":"8ol-dkr-aml","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":1606142958657,"creator":{"name":"","handle":""},"defaultRule":true,"description":"Nsswitch + Configuration Modified","enabled":true,"expression":"(\n (link.file.path + in [ \"/etc/nsswitch.conf\" ]\n || link.file.destination.path in [ \"/etc/nsswitch.conf\" + ])\n)","filters":[],"name":"nsswitch_conf_mod_link","updateDate":1628512222322,"updater":{"name":"","handle":""},"version":3}},{"id":"fdf-wvb-c3k","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":1606142958657,"creator":{"name":"","handle":""},"defaultRule":true,"description":"Nsswitch + Configuration Modified","enabled":true,"expression":"(\n open.flags \u0026 + ((O_RDWR|O_WRONLY|O_CREAT)) \u003e 0 \u0026\u0026\n (open.file.path in + [ \"/etc/nsswitch.conf\" ])\n)","filters":[],"name":"nsswitch_conf_mod_open","updateDate":1628512222322,"updater":{"name":"","handle":""},"version":3}},{"id":"pkn-azw-qia","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":1606142958657,"creator":{"name":"","handle":""},"defaultRule":true,"description":"Nsswitch + Configuration 
Modified","enabled":true,"expression":"(\n (rename.file.path + in [ \"/etc/nsswitch.conf\" ]\n || rename.file.destination.path in [ \"/etc/nsswitch.conf\" + ])\n)","filters":[],"name":"nsswitch_conf_mod_rename","updateDate":1628512222322,"updater":{"name":"","handle":""},"version":3}},{"id":"wpt-ba8-mpd","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":1606142958657,"creator":{"name":"","handle":""},"defaultRule":true,"description":"Nsswitch + Configuration Modified","enabled":true,"expression":"(\n (unlink.file.path + in [ \"/etc/nsswitch.conf\" ])\n)","filters":[],"name":"nsswitch_conf_mod_unlink","updateDate":1628512222322,"updater":{"name":"","handle":""},"version":3}},{"id":"7ud-d2o-qgo","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":1606142958657,"creator":{"name":"","handle":""},"defaultRule":true,"description":"Nsswitch + Configuration Modified","enabled":true,"expression":"(\n (utimes.file.path + in [ \"/etc/nsswitch.conf\" ])\n)","filters":[],"name":"nsswitch_conf_mod_utimes","updateDate":1628512222322,"updater":{"name":"","handle":""},"version":3}},{"id":"za8-uxc-jxk","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":1606142954844,"creator":{"name":"","handle":""},"defaultRule":true,"description":"SSH + Authorized Keys Modified","enabled":true,"expression":"(\n link.file.name + == \"authorized_keys\" \u0026\u0026 (link.file.path in [ ~\"*/.ssh/*\" ]\n || + link.file.destination.path in [ ~\"*/.ssh/*\" ])\n)","filters":[],"name":"ssh_authorized_keys_link","updateDate":1628512221784,"updater":{"name":"","handle":""},"version":3}},{"id":"tiz-yss-zhq","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":1606142954844,"creator":{"name":"","handle":""},"defaultRule":true,"description":"SSH + Authorized Keys 
Modified","enabled":true,"expression":"(\n rename.file.name + == \"authorized_keys\" \u0026\u0026 (rename.file.path in [ ~\"*/.ssh/*\" ]\n || + rename.file.destination.path in [ ~\"*/.ssh/*\" ])\n)","filters":[],"name":"ssh_authorized_keys_rename","updateDate":1628512221784,"updater":{"name":"","handle":""},"version":3}},{"id":"apr-zj4-ee1","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":1606142954844,"creator":{"name":"","handle":""},"defaultRule":true,"description":"SSH + Authorized Keys Modified","enabled":true,"expression":"(\n unlink.file.name + == \"authorized_keys\" \u0026\u0026 (unlink.file.path in [ ~\"*/.ssh/*\" ])\n)","filters":[],"name":"ssh_authorized_keys_unlink","updateDate":1628512221784,"updater":{"name":"","handle":""},"version":3}},{"id":"yhq-etl-wr6","type":"agent_rule","attributes":{"actions":[],"agentConstraint":"","category":"File + Activity","creationDate":1606142954844,"creator":{"name":"","handle":""},"defaultRule":true,"description":"SSH + Authorized Keys Modified","enabled":true,"expression":"(\n utimes.file.name + == \"authorized_keys\" \u0026\u0026 (utimes.file.path in [ ~\"*/.ssh/*\" ])\n)","filters":[],"name":"ssh_authorized_keys_utimes","updateDate":1628512221784,"updater":{"name":"","handle":""},"version":3}}]}' headers: Content-Type: - - application/json + - application/vnd.api+json status: code: 200 message: OK diff --git a/cassettes/features/v2/csm_threats/Get-all-Workload-Protection-agent-rules-returns-OK-response.frozen b/cassettes/features/v2/csm_threats/Get-all-Workload-Protection-agent-rules-returns-OK-response.frozen index c7e02949aebf..db6e5a0f548a 100644 --- a/cassettes/features/v2/csm_threats/Get-all-Workload-Protection-agent-rules-returns-OK-response.frozen +++ b/cassettes/features/v2/csm_threats/Get-all-Workload-Protection-agent-rules-returns-OK-response.frozen 
@@ -1 +1 @@
-2025-06-04T08:45:53.095Z
\ No newline at end of file
+2025-10-10T15:21:20.533Z
\ No newline at end of file
diff --git a/cassettes/features/v2/csm_threats/Get-all-Workload-Protection-agent-rules-returns-OK-response.yml b/cassettes/features/v2/csm_threats/Get-all-Workload-Protection-agent-rules-returns-OK-response.yml
index ecac6d2a6d54..76f8ac2e732b 100644
--- a/cassettes/features/v2/csm_threats/Get-all-Workload-Protection-agent-rules-returns-OK-response.yml
+++ b/cassettes/features/v2/csm_threats/Get-all-Workload-Protection-agent-rules-returns-OK-response.yml
@@ -1,5 +1,5 @@
 http_interactions:
-- recorded_at: Wed, 04 Jun 2025 08:45:53 GMT
+- recorded_at: Fri, 10 Oct 2025 15:21:20 GMT
 request:
 body: null
 headers:
@@ -10,85 +10,200 @@ http_interactions: response: body: encoding: UTF-8 - string: '{"data":[{"id":"aoo-snu-t5u","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714423023000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + string: '{"data":[{"id":"0rc-s4t-d0f","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1735562223000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714423023","updateDate":1714423024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"def-000-eho","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Container - escape attempted by overwriting release_agent","enabled":true,"expression":"open.file.name - == \"release_agent\" \u0026\u0026 open.file.path in [\"/tmp/**\", \"/home/**\", - \"/root/**\", \"/*\"] \u0026\u0026 open.flags \u0026 O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY - \u003e 0","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"release_agent_escape","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"5zt-j5u-aqm","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715287024000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1735562223","updateDate":1735562225000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"ti4-rku-0ke","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1746789271799,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1715287024","updateDate":1715287024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"fpa-r6g-2em","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical - system binaries may have been modified","enabled":true,"expression":"(\n open.flags - \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.path - in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", - ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n \u0026\u0026 process.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \u0026\u0026 - process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os - == 
\"linux\""],"monitoring":["CWS_DD"],"name":"pci_11_5_critical_binaries_open","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"ujx-skx-369","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1744258690000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptupdateacsmthreatsagentrulereturnsbadrequestresponse1746789271","updateDate":1746789271799,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"piq-bha-m6t","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1714279024000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1744258690","updateDate":1744258690000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"oed-ka8-syl","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1711550899000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1714279024","updateDate":1714279024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"1l2-7qh-mfa","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1717432623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"my_agent_rule","updateDate":1711550899000,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"24l-rs9-d0x","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1710500975000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1717432622","updateDate":1717432626000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"00d-kfn-fwm","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1740025013000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptgetacsmthreatsagentrulereturnsokresponse1710500975","updateDate":1710500975000,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"def-000-xv7","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Kernel - modules were listed using the kmod command","enabled":true,"expression":"exec.comm - == \"kmod\" \u0026\u0026 exec.args in [~\"*list*\"]","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"kmod_list","product_tags":["tactic:TA0007-discovery","technique:T1082-system-information-discovery","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"xiu-ghq-4zi","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical - system binaries may have been 
modified","enabled":true,"expression":"(\n (chown.file.path - in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", - ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \u0026\u0026 - process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1740025013","updateDate":1740025019000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"igb-n2l-mh4","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1746635706008,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testdeleteacsmthreatsagentrulereturnsokresponse1746635705","updateDate":1746635706008,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"434-kuh-g0w","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1746184344309,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptupdateacsmthreatsagentrulereturnsokresponse1746184344","updateDate":1746184344309,"updater":{"name":"CI + 
Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"def-000-crv","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers + policy file may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path + in [\"/etc/sudoers\", ~\"/etc/sudoers.d/*\"])\n) \u0026\u0026 chmod.file.destination.mode + != chmod.file.mode \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", + ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", + \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"sudoers_policy_modified_chmod","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-969","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process + arguments indicating possible netcat shell detected","enabled":true,"expression":"exec.file.name + in [\"netcat\", \"nc\", \"ncat\"] \u0026\u0026 ((exec.args_flags in [\"l\"] + \u0026\u0026 exec.args_flags in [\"p\"]) || (exec.args_flags in [\"n\"] \u0026\u0026 + exec.args_flags in [\"v\"]) || (exec.args in [~\"*/bin/bash*\", ~\"*/bin/sh*\"]))","filters":["os + == \"linux\""],"monitoring":["threat-detection.policy"],"name":"netcat_shell","product_tags":["tactic:TA0001-initial-access","technique:T1190-exploit-public-facing-application","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-b5z","type":"agent_rule","attributes":{"category":"Process + 
Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"process + arguments match rubeus credential theft tool","enabled":true,"expression":"exec.cmdline + in [~\"*asreproast*\", ~\"*/service:krbtgt*\", ~\"*dump /luid:0x*\", ~\"*kerberoast*\", + ~\"*createonly /program*\", ~\"*ptt /ticket*\", ~\"*impersonateuser*\", ~\"*renew + /ticket*\", ~\"*asktgt /user*\", ~\"*harvest /interval*\", ~\"*s4u /user*\", + ~\"*hash /password*\", ~\"*golden /aes256*\", ~\"*silver /user*\", \"*rubeus*\"]","filters":["os + == \"windows\""],"monitoring":["threat-detection.policy"],"name":"rubeus_execution","product_tags":["tactic:TA0006-credential-access","technique:T1558-steal-or-forge-kerberos-tickets","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"sqi-q1z-onu","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Network + utility executed with suspicious URI","enabled":true,"expression":"exec.comm + in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*.php*\", + ~\"*.jpg*\"] ","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"net_unusual_request","product_tags":["tactic:TA0011-command-and-control","technique:T1105-ingress-tool-transfer","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-guo","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + process was executed matching arguments for a UAC bypass technique common + in powershell empire","enabled":true,"expression":"exec.cmdline in [~\"*-NoP + -NonI -w Hidden -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update)*\", + ~\"*-NoP -NonI -c $x=$((gp 
HKCU:Software\\Microsoft\\Windows Update).Update);*\"]","filters":["os + == \"windows\""],"monitoring":["threat-detection.policy"],"name":"powershell_empire_uac_bypass","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-41f","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH + initiated a connection on a nonstandard port","enabled":true,"expression":"connect.addr.port + in [80, 8080, 88, 443, 8443, 4444] \u0026\u0026 process.file.name == \"ssh\"","filters":["os + == \"linux\""],"monitoring":["threat-detection.policy"],"name":"ssh_nonstandard_connection","product_tags":["tactic:TA0008-lateral-movement","technique:T1021-remote-services","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"64n-p6m-uq1","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + service may have been modified without authorization","enabled":true,"expression":"(\n ( link.file.path + in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\", + ~\"/usr/local/lib/systemd/system/**\", ~\"/run/systemd/system/**\"]\n || + link.file.destination.path in [ ~\"/etc/systemd/user/**\", ~\"/usr/lib/systemd/user/**\", + ~\"/home/*/.config/systemd/user/**\", ~\"/home/*/.local/share/systemd/user/**\", + ~\"/run/systemd/user/**\"] \n || link.file.destination.path in [ ~\"/lib/systemd/system/**\", + ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\", ~\"/usr/local/lib/systemd/system/**\", + ~\"/run/systemd/system/**\"] \n || link.file.path in [ ~\"/etc/systemd/user/**\", + ~\"/usr/lib/systemd/user/**\", 
~\"/home/*/.config/systemd/user/**\", ~\"/home/*/.local/share/systemd/user/**\", + ~\"/run/systemd/user/**\"])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", + ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", + \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"systemd_modification_link","product_tags":["tactic:TA0002-execution","technique:T1569-system-services","policy:threat-detection","policy:compliance"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"fog-8k1-fzi","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1733704624000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1733704624","updateDate":1733704624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"5rb-4q9-p5g","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1716813423000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1716813422","updateDate":1716813424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"def-000-a0x","type":"agent_rule","attributes":{"actions":[{"filter":"${process.correlation_key} + != 
\"\"","set":{"name":"parent_correlation_keys","default_value":"","append":true,"scope":"process","expression":"${process.correlation_key}","inherited":true},"disabled":false},{"set":{"name":"correlation_key","default_value":"","scope":"process","expression":"\"k8s_session_${builtins.uuid4}\"","inherited":true},"disabled":false}],"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Track + execution context from k8s user session","enabled":true,"expression":"exec.user_session.k8s_username + != \"\" \u0026\u0026 ${process.correlation_key} in [\"\", ~\"cgroup_*\", + ~\"auid_*\", ~\"service_*\", ~\"service_new_cgroup_*\", ~\"interactive_shell_*\"]","filters":["os + == \"linux\""],"monitoring":["threat-detection.policy"],"name":"execution_context_k8s_usersession_entrypoint","product_tags":["policy:threat-detection"],"silent":true,"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-6ku","type":"agent_rule","attributes":{"actions":[{"filter":"${process.correlation_key} + != \"\"","set":{"name":"parent_correlation_keys","default_value":"","append":true,"scope":"process","expression":"${process.correlation_key}","inherited":true},"disabled":false},{"set":{"name":"correlation_key","default_value":"","scope":"process","expression":"\"service_new_cgroup_${builtins.uuid4}\"","inherited":true},"disabled":false}],"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Track + execution context from new service cgroup","enabled":true,"expression":"(exec.envs + in [\"DD_SERVICE\", \"OTEL_SERVICE_NAME\"] || \"tags.datadoghq.com/service\" + in container.tags) \u0026\u0026 ${process.correlation_key} in [~\"service_*\"] + \u0026\u0026 process.cgroup.id != process.parent.cgroup.id","filters":["os + == 
\"linux\""],"monitoring":["threat-detection.policy"],"name":"execution_context_service_new_cgroup","product_tags":["policy:threat-detection"],"silent":true,"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-6oh","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + Registry runkey has been modified","enabled":true,"expression":"set.registry.key_path + in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\", + ~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Runonce\", + ~\"HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\", + ~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal + Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\", ~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows + NT\\CurrentVersion\\Terminal Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\Runonce\", + ~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal + Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\RunonceEx\"]","filters":["os + == \"windows\""],"monitoring":["threat-detection.policy"],"name":"registry_runkey_modified","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-zo8","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Recently + written or modified suid file has been executed","enabled":true,"expression":"((process.file.mode + \u0026 S_ISUID \u003e 0) \u0026\u0026 process.file.modification_time \u003c + 30s) \u0026\u0026 exec.file.name != \"\" \u0026\u0026 process.ancestors.file.path + 
not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", + \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", + \"/opt/datadog-agent/embedded/bin/trace-agent\", \"/opt/datadog-agent/bin/agent/agent\", + \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", + \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", + \"/opt/datadog-agent/bin/datadog-cluster-agent\", ~\"/opt/datadog-packages/**\", + ~\"/opt/datadog-installer/**\"]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"suspicious_suid_execution","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"svl-2s4-jd4","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1730450224000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1730450223","updateDate":1730450224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"syl-o29-0dq","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1714826223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714826223","updateDate":1714826223000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"0t6-uce-ee0","type":"agent_rule","attributes":{"category":"Process + 
Activity","creationDate":1734899824000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1734899824","updateDate":1734899824000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"bou-hvm-24h","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1715474223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1715474222","updateDate":1715474224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"mtg-s1f-xy5","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1716050223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1716050222","updateDate":1716050224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"xa1-b6v-n2l","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An + unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (rename.file.path + in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"]\n || + rename.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", + ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", + \"/usr/bin/crontab\" 
]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"cron_at_job_creation_rename","product_tags":["tactic:TA0002-execution","technique:T1053-scheduled-task-or-job","policy:threat-detection","policy:compliance"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"7q3-6aa-pix","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH + modified keys may have been modified","enabled":true,"expression":"(\n chown.file.name + in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (chown.file.path + in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid - != chown.file.gid)","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"pci_11_5_critical_binaries_chown","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"x7i-34j-1rv","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM - may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path - in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ]\n || link.file.destination.path - in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == 
\"linux\""],"monitoring":["CWS_DD"],"name":"pam_modification_link","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-bv2","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process - matches known relay attack tool","enabled":true,"expression":"exec.file.name - in [~\"*PetitPotam*\", ~\"*RottenPotato*\", ~\"*HotPotato*\", ~\"*JuicyPotato*\", - ~\"*just_dce_*\", ~\"*Juicy Potato*\", \"rot.exe\", \"Potato.exe\", \"SpoolSample.exe\", - \"Responder.exe\", ~\"*smbrelayx*\", ~\"*smbrelayx*\", ~\"*ntlmrelayx*\", - ~\"*LocalPotato*\"] || exec.cmdline in [~\"*Invoke-Tater*\", ~\"*smbrelay*\", - ~\"*ntlmrelay*\", ~\"*cme smb*\", ~\"*ntlm:NTLMhash*\", ~\"*Invoke-PetitPotam*\"]","filters":["os - == \"windows\""],"monitoring":["CWS_DD"],"name":"relay_attack_tool_execution","product_tags":["tactic:TA0006-credential-access","technique:T1555-credentials-from-password-stores","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"wzz-ni8-56v","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1733963824000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + != chown.file.gid)","filters":["os == \"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"ssh_authorized_keys_chown","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:threat-detection","policy:compliance"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-l8e","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers + policy 
file may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path + in [\"/etc/sudoers\", ~\"/etc/sudoers.d/*\"])\n) \u0026\u0026 (chown.file.destination.uid + != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os + == \"linux\""],"monitoring":["compliance.policy"],"name":"sudoers_policy_modified_chown","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"zfb-ixo-o4w","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + suspicious file was written by a network utility","enabled":true,"expression":"open.flags + \u0026 O_CREAT \u003e 0 \u0026\u0026 process.comm in [\"wget\", \"curl\", + \"lwp-download\"]\n\u0026\u0026 (\n (open.file.path =~ \"/tmp/**\" \u0026\u0026 + open.file.name in [~\"*.sh\", ~\"*.c\", ~\"*.so\", ~\"*.ko\"])\n || open.file.path + in [~\"/usr/**\", ~\"/lib/**\", ~\"/etc/**\", ~\"/var/tmp/**\", ~\"/dev/shm/**\"]\n)","filters":["os + == \"linux\""],"monitoring":["threat-detection.policy"],"name":"net_file_download","product_tags":["tactic:TA0011-command-and-control","technique:T1105-ingress-tool-transfer","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"rwf-5af-jaw","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1733618223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1733963824","updateDate":1733963824000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"z2v-n54-g9a","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1733661423000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1733618222","updateDate":1733618223000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"p6o-t98-nm1","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1735691823000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1733661422","updateDate":1733661424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"6at-weo-6ya","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746635720659,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1735691823","updateDate":1735691824000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"voe-mel-8yq","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1746611600937,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testupdateacsmthreatsagentrulereturnsbadrequestresponse1746635720","updateDate":1746635720659,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"def-000-but","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - java process spawned a shell, shell utility, or HTTP utility","enabled":true,"expression":"(exec.file.path - in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" - ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path - in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\",\"/bin/busybox\"])\n\u0026\u0026 - process.parent.file.name in [\"java\", \"jspawnhelper\"]","filters":["os == - 
\"linux\""],"monitoring":["CWS_DD"],"name":"java_shell_execution_parent","product_tags":["tactic:TA0001-initial-access","technique:T1190-exploit-public-facing-application","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"9pu-mp3-xea","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testgetacsmthreatsagentrulereturnsokresponse1746611600","updateDate":1746611600937,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"def-000-0en","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The + debugfs was executed in a container","enabled":true,"expression":"exec.comm + == \"debugfs\" \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"debugfs_in_container","product_tags":["tactic:TA0007-discovery","technique:T1613-container-and-resource-discovery","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-ab6","type":"agent_rule","attributes":{"category":"Network + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Recently + modified file requested credentials from IMDS","enabled":true,"expression":"imds.url + =~ \"/*/meta-data/iam/security-credentials/*\" \u0026\u0026 (process.parent.file.modification_time + \u003c 120s || process.file.modification_time \u003c 30s)","filters":["os + == 
\"linux\""],"monitoring":["threat-detection.policy"],"name":"modified_file_requesting_imds_creds","product_tags":["tactic:TA0006-credential-access","technique:T1552-unsecured-credentials","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"hk2-qrd-3jt","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1714667824000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1714667824","updateDate":1714667824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"i0b-hk0-7h3","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1715560625000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1715560625","updateDate":1715560625000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"3gw-vkx-b7s","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1728419826000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1728419824","updateDate":1728419826000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"d5b-olo-ecr","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1746789273109,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + Agent 
rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptupdateacsmthreatsagentrulereturnsokresponse1746789272","updateDate":1746789273109,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"xgw-28i-480","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + container executed a new binary not found in the container image","enabled":true,"expression":"container.id + != \"\" \u0026\u0026 process.file.in_upper_layer \u0026\u0026 process.file.modification_time + \u003c 30s \u0026\u0026 exec.file.name != \"\"","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"new_binary_execution_in_container","product_tags":["tactic:TA0011-command-and-control","technique:T1105-ingress-tool-transfer","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"eor-xnf-mac","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1746616279688,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptupdateacsmthreatsagentrulereturnsokresponse1746616279","updateDate":1746616279688,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"9pu-mp3-xea","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", 
~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || rename.file.destination.path 
@@ -100,21 +215,68 @@ http_interactions: process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os - == \"linux\""],"monitoring":["CWS_DD"],"name":"pci_11_5_critical_binaries_rename","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"7zf-mmz-56y","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746616270272,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["compliance.policy"],"name":"pci_11_5_critical_binaries_rename","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"ezw-7rm-wca","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1735634224000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptcreateacsmthreatsagentrulereturnsokresponse1746616270","updateDate":1746616270272,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"krx-co0-pz2","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715531823000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampledeleteacsmthreatsagentrulereturnsokresponse1735634224","updateDate":1735634224000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"4fo-giq-5f8","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1715416623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1715531822","updateDate":1715531824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"kfi-eog-4ml","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746631376325,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1715416622","updateDate":1715416624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"dou-40j-cpw","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1721378223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testupdateacsmthreatsagentrulereturnsbadrequestresponse1746631375","updateDate":1746631376325,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"9ym-18v-5zi","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical - system binaries may have been modified","enabled":true,"expression":"(\n (link.file.path - in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", - 
~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || link.file.destination.path + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1721378223","updateDate":1721378224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"ag7-847-gm6","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1746529951029,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptupdateacsmthreatsagentrulereturnsbadrequestresponse1746529950","updateDate":1746529951029,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"9ws-qol-qpn","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1746529951975,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptupdateacsmthreatsagentrulereturnsokresponse1746529951","updateDate":1746529951975,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"x7i-34j-1rv","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM + may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path + in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\", ~\"/lib/security/*\", ~\"/usr/lib/security/*\", + ~\"/lib64/security/*\", ~\"/usr/lib64/security/*\"]\n || link.file.destination.path + in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\", ~\"/lib/security/*\", ~\"/usr/lib/security/*\", + ~\"/lib64/security/*\", 
~\"/usr/lib64/security/*\"])\n)","filters":["os == + \"linux\""],"monitoring":["compliance.policy"],"name":"pam_modification_link","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"gx3-4a5-w9a","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + kernel module was loaded from memory inside a container","enabled":true,"expression":"load_module.loaded_from_memory + == true \u0026\u0026 container.id !=\"\"","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"kernel_module_load_from_memory_container","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-qwm","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The + kubeconfig file was accessed","enabled":true,"expression":"open.file.path + in [~\"/home/*/.kube/config\", \"/root/.kube/config\"]","filters":["os == + \"linux\""],"monitoring":["threat-detection.policy"],"name":"read_kubeconfig","product_tags":["tactic:TA0007-discovery","technique:T1613-container-and-resource-discovery","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"cx8-x1r-vs8","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1746630369591,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testdeleteacsmthreatsagentrulereturnsokresponse1746630369","updateDate":1746630369591,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"h4n-yuq-2mp","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1715632623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1715632622","updateDate":1715632624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"def-000-lt6","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + process was executed in a Kubernetes user session","enabled":true,"expression":"exec.user_session.k8s_username + != \"\"","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"k8s_user_session","product_tags":["policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-j1p","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows + Known DLLs location registry key modified","enabled":true,"expression":"set.registry.key_path + in [~\"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\KnownDLLs*\"]","filters":["os + == \"windows\""],"monitoring":["compliance.policy"],"name":"known_dll_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1574-hijack-execution-flow","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-wnn","type":"agent_rule","attributes":{"category":"File + 
Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows + firewall configuration registry key modified","enabled":true,"expression":"set.registry.key_path + in [~\"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\*\"]","filters":["os + == \"windows\""],"monitoring":["compliance.policy"],"name":"windows_firewall_configuration_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1112-modify-registry","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"ucb-5zb-rmj","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + new kernel module was added","enabled":true,"expression":"(\n (link.file.path + in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || link.file.destination.path + in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path + != \"/usr/bin/kmod\"\n)","filters":["os == 
\"linux\""],"monitoring":["compliance.policy"],"name":"kernel_module_link","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"ssp-47a-p20","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical + system binaries may have been modified","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", 
@@ -123,494 +285,585 @@ http_interactions: process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os - == \"linux\""],"monitoring":["CWS_DD"],"name":"pci_11_5_critical_binaries_link","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"w7o-w48-j34","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM - may have been modified without authorization","enabled":true,"expression":"(\n open.flags - \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path - in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"pam_modification_open","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"i0b-hk0-7h3","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715560625000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["compliance.policy"],"name":"pci_11_5_critical_binaries_unlink","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-4xu","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Kernel + modules were listed using the lsmod 
command","enabled":true,"expression":"exec.comm + == \"lsmod\"","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"exec_lsmod","product_tags":["tactic:TA0007-discovery","technique:T1082-system-information-discovery","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"jeh-18e-m9h","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An + interactive shell was started inside of a container","enabled":true,"expression":"exec.file.path + in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" + ] \u0026\u0026 exec.args_flags in [\"i\"] \u0026\u0026 container.id !=\"\"","filters":["os + == \"linux\""],"monitoring":["threat-detection.policy"],"name":"interactive_shell_in_container","product_tags":["tactic:TA0002-execution","technique:T1609-container-administration-command","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-wok","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Device + rule created","enabled":true,"expression":"open.file.path in [~\"/etc/udev/rules.d/*\", + ~\"/lib/udev/rules.d/*\", ~\"/usr/lib/udev/rules.d/*\", ~\"/usr/local/lib/udev/rules.d/*\", + 
~\"/run/udev/rules.d/*\"] \u0026\u0026 open.flags \u0026 O_CREAT \u003e 0","filters":["os + == \"linux\""],"monitoring":["threat-detection.policy"],"name":"udev_modification","product_tags":["tactic:TA0003-persistence","technique:T1546-event-triggered-execution","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"ekr-3xj-8yj","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1735619823000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1715560625","updateDate":1715560625000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"p6o-t98-nm1","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1735691823000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1735619823","updateDate":1735619825000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"0zl-ilo-guv","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1716050224000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1735691823","updateDate":1735691824000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"def-000-bxs","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers - policy file may have been modified 
without authorization","enabled":true,"expression":"(\n (unlink.file.path - == \"/etc/sudoers\")\n)","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"sudoers_policy_modified_unlink","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-lel","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Perl - executed with suspicious argument","enabled":true,"expression":"exec.file.name - == ~\"perl*\" \u0026\u0026 exec.args_flags in [\"e\"] \u0026\u0026 (exec.args - in [~\"*socket*\", ~\"*bind*\", ~\"*sockaddr*\", ~\"*listen*\", ~\"*accept\", - ~\"*stdin*\", ~\"*stdout\"])","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"perl_shell","product_tags":["tactic:TA0001-initial-access","technique:T1210-exploitation-of-remote-services","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"m77-qgu-c48","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1717677423000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1716050224","updateDate":1716050224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"fiw-wuv-ueg","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1734914224000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1717677422","updateDate":1717677424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"tiy-95c-mkc","type":"agent_rule","attributes":{"category":"Process + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1734914224","updateDate":1734914224000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"c79-8dg-klx","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1715445423000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1715445422","updateDate":1715445424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"tiy-95c-mkc","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1723797423000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1723797423","updateDate":1723797424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"def-000-crv","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers - policy file may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path - == \"/etc/sudoers\")\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode - \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1723797423","updateDate":1723797424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"v9x-9ib-tr7","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1737288363000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"im + a rule","enabled":true,"expression":"open.file.name == \"etc/shadow/password\"","filters":["os + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"qljifimbbh","updateDate":1737288363000,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"zjt-hio-sx0","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1748011784397,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"initial + description","enabled":true,"expression":"open.file.name == \"etc/shadow/password\"","filters":["os + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"wgxsdtgtmx","product_tags":["compliance_framework:HIPAA"],"updateDate":1748011784397,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"def-000-x51","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Safeboot + registry modified","enabled":true,"expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SafeBoot\"]","filters":["os + == \"windows\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"safeboot_modification","product_tags":["tactic:TA0005-defense-evasion","technique:T1562-impair-defenses","policy:threat-detection","policy:compliance"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-bxs","type":"agent_rule","attributes":{"category":"File + 
Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers + policy file may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path + in [\"/etc/sudoers\", ~\"/etc/sudoers.d/*\"])\n)","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"sudoers_policy_modified_unlink","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"tlu-qlm-1ow","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The + runc binary was modified in a non-standard way","enabled":true,"expression":"open.file.path + in [\"/usr/bin/runc\", \"/usr/sbin/runc\", \"/usr/bin/docker-runc\"]\n\u0026\u0026 + open.flags \u0026 O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY \u003e 0\n\u0026\u0026 + process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", + \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n\u0026\u0026 + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os - == \"linux\""],"monitoring":["CWS_DD"],"name":"sudoers_policy_modified_chmod","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"krq-ced-idm","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746702684947,"creator":{"name":"CI 
Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["threat-detection.policy"],"name":"runc_modification","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"k8w-brg-51l","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1715445426000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptgetacsmthreatsagentrulereturnsokresponse1746702684","updateDate":1746702684947,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"i5i-xfz-wxs","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746195393441,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1715445424","updateDate":1715445426000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"eue-gqs-59v","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1715503024000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testupdateacsmthreatsagentrulereturnsbadrequestresponse1746195393","updateDate":1746195393441,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"wnk-nli-nbp","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An - 
unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (chown.file.path - in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n \u0026\u0026 - process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n) \u0026\u0026 - (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid - != chown.file.gid)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", - \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", - \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"cron_at_job_creation_chown","product_tags":["tactic:TA0002-execution","technique:T1053-scheduled-task-or-job","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"m23-qb9-9s8","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An - unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (unlink.file.path - in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n \u0026\u0026 - process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 - process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", - \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", - \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os - == 
\"linux\""],"monitoring":["CWS_DD"],"name":"cron_at_job_creation_unlink","product_tags":["tactic:TA0002-execution","technique:T1053-scheduled-task-or-job","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"94l-lhd-e33","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - new kernel module was added","enabled":true,"expression":"(\n (chown.file.path - in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1715503024","updateDate":1715503024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"s9m-foq-qqz","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive + credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (chmod.file.path + in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path + not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", + \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", + \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", 
\"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path - != \"/usr/bin/kmod\"\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid - || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"kernel_module_chown","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"hsg-toh-i57","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1723610223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1723610223","updateDate":1723610224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"ybl-tp8-aab","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1730263023000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.destination.mode + != chmod.file.mode","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"credential_modified_chmod","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"245-ynt-xcy","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1714610223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1730263022","updateDate":1730263025000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"uor-lfz-jrm","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746097917859,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714610223","updateDate":1714610224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"k95-kl4-jxt","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1714696623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptdeleteacsmthreatsagentrulereturnsokresponse1746097917","updateDate":1746097917859,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"fyq-x5u-mv1","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - new kernel module was added","enabled":true,"expression":"(\n (utimes.file.path - in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path + == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714696623","updateDate":1714696627000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"4mu-d2x-fyk","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch + may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path + in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"nsswitch_conf_mod_unlink","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"191-ty1-ede","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL + certificates may have been tampered with","enabled":true,"expression":"(\n open.flags + \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path + in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n)\n\u0026\u0026 process.file.path + != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path + != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path - != \"/usr/bin/kmod\"\n)","filters":["os == 
\"linux\""],"monitoring":["CWS_DD"],"name":"kernel_module_utimes","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"3gw-vkx-b7s","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1728419826000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ + \"runc*\"","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"ssl_certificate_tampering_open","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-a65","type":"agent_rule","attributes":{"category":"Network + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Web + application requested IMDSv1 credentials","enabled":true,"expression":"imds.aws.is_imds_v2 + == false \u0026\u0026 imds.url =~ \"*/*/meta-data/iam/security-credentials/*\" + \u0026\u0026 (process.ancestors.file.name in [\"apache2\", \"nginx\", ~\"tomcat*\", + \"httpd\"] || process.ancestors.file.name =~ \"php*\" || process.ancestors.file.name + == \"java\")","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"webapp_imds_V1_request","product_tags":["tactic:TA0040-impact","technique:T1531-account-access-removal","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"zsr-y94-6u2","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1734482226000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1728419824","updateDate":1728419826000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"ou7-vxd-f9m","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746611594063,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1734482224","updateDate":1734482226000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"def-000-eho","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Container + escape attempted by overwriting release_agent","enabled":true,"expression":"open.file.name + == \"release_agent\" \u0026\u0026 open.file.path in [\"/tmp/**\", \"/home/**\", + \"/root/**\", \"/*\"] \u0026\u0026 open.flags \u0026 O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY + \u003e 0","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"release_agent_escape","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"18r-273-a6u","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1735547824000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1735547824","updateDate":1735547824000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"sim-wjp-rxz","type":"agent_rule","attributes":{"category":"File + 
Activity","creationDate":1748011504465,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"initial + description","enabled":true,"expression":"open.file.name == \"etc/shadow/password\"","filters":["os + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"rawfdmzxlc","product_tags":["compliance_framework:HIPAA"],"updateDate":1748011504465,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"gyo-ajy-16h","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1746633521705,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testdeleteacsmthreatsagentrulereturnsokresponse1746633521","updateDate":1746633521705,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"g7f-kfr-tdb","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Python + code was provided on the command line","enabled":true,"expression":"exec.file.name + == ~\"python*\" \u0026\u0026 exec.args_flags in [\"c\"] \u0026\u0026 exec.args + in [~\"*-c*SOCK_STREAM*\", ~\"*-c*subprocess*\", ~\"*-c*/bash*\", ~\"*-c*/bin/sh*\", + ~\"*-c*pty.spawn*\"] \u0026\u0026 exec.args !~ \"*setuptools*\"","filters":["os + == \"linux\""],"monitoring":["threat-detection.policy"],"name":"python_cli_code","product_tags":["tactic:TA0002-execution","technique:T1059-command-and-scripting-interpreter","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"wvg-hbj-6o2","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1720600623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent 
rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1720600622","updateDate":1720600624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"qfa-phf-txa","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1746529940327,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptcreateacsmthreatsagentrulereturnsokresponse1746529940","updateDate":1746529940327,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"v64-qmf-tal","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1740543488000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testcreateacsmthreatsagentrulereturnsokresponse1746611593","updateDate":1746611594063,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"ast-isd-tty","type":"agent_rule","attributes":{"category":"Process + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptupdateacsmthreatsagentrulereturnsokresponse1740543488","updateDate":1740543488000,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"dfr-by9-sx8","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Shell + History was Deleted","enabled":true,"expression":"unlink.file.name in [\".bash_history\", + \".zsh_history\", \".fish_history\", 
\"fish_history\", \".dash_history\", + \".sh_history\"] \u0026\u0026 unlink.file.path in [~\"/root/**\", ~\"/home/**\"] + \u0026\u0026 process.comm not in [\"dockerd\", \"containerd\"]","filters":["os + == \"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"shell_history_deleted","product_tags":["tactic:TA0005-defense-evasion","technique:T1070-indicator-removal","policy:threat-detection","policy:compliance"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-but","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + java process spawned a shell, shell utility, or HTTP utility","enabled":true,"expression":"(exec.file.path + in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" + ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path + in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\",\"/bin/busybox\"])\n\u0026\u0026 + process.parent.file.name in [\"java\", \"jspawnhelper\"]","filters":["os == + 
\"linux\""],"monitoring":["threat-detection.policy"],"name":"java_shell_execution_parent","product_tags":["tactic:TA0001-initial-access","technique:T1190-exploit-public-facing-application","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-nip","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Browser + WebDriver spawned shell","enabled":true,"expression":"process.parent.file.name + in [~\"chromedriver*\", \"geckodriver\"] \u0026\u0026 exec.file.name not in + [\"chrome\", \"google-chrome\", \"chromium\", \"firefox\"]","filters":["os + == \"linux\""],"monitoring":["threat-detection.policy"],"name":"webdriver_spawned_shell","product_tags":["tactic:TA0001-initial-access","technique:T1190-exploit-public-facing-application","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"ast-isd-tty","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1715645381000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testgocreateacsmthreatsagentrulereturnsokresponse1715645381","updateDate":1715645381000,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"w6f-wte-i63","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL - certificates may have been tampered with","enabled":true,"expression":"(\n (link.file.path - in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || link.file.destination.path - in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path 
- not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.file.path - != \"/usr/sbin/update-ca-certificates\"\n \u0026\u0026 process.ancestors.file.path - != \"/usr/sbin/update-ca-certificates\"\n \u0026\u0026 process.ancestors.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.file.name - !~ \"runc*\"\n)","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"ssl_certificate_tampering_link","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"es7-rhv-nra","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714797423000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"ylx-z1o-jjd","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1746184343494,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714797422","updateDate":1714797424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"fmr-do0-8np","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1748003540353,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"initial - 
description","enabled":true,"expression":"open.file.name == \"etc/shadow/password\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"fcggsfqidc","product_tags":["compliance_framework:HIPAA"],"updateDate":1748003540353,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"aw7-tup-sy0","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746628448155,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptupdateacsmthreatsagentrulereturnsbadrequestresponse1746184343","updateDate":1746184343494,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"kas-gb6-imd","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1746611611223,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testupdateacsmthreatsagentrulereturnsokresponse1746628447","updateDate":1746628448155,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"lkj-jnb-khe","type":"agent_rule","attributes":{"actions":[{"set":{"name":"imds_v1_usage_services","field":"process.file.name","append":true,"ttl":10000000000},"disabled":false}],"category":"Network - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An - AWS IMDSv1 request was issued","disabled":["CWS_DD"],"enabled":false,"expression":"imds.cloud_provider - == \"aws\" \u0026\u0026 imds.aws.is_imds_v2 == false \u0026\u0026 process.file.name - not in ${imds_v1_usage_services}","filters":["os == 
\"linux\""],"name":"imds_v1_usage","product_tags":["tactic:TA0006-credential-access","technique:T1552-unsecured-credentials","policy:best-practice"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-d1i","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process - memory was dumped using the minidump function from comsvcs.dll","enabled":true,"expression":"exec.cmdline - =~ \"*MiniDump*\" \u0026\u0026 exec.cmdline =~ \"*comsvcs*\"","filters":["os - == \"windows\""],"monitoring":["CWS_DD"],"name":"minidump_usage","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"4ov-ang-2gx","type":"agent_rule","attributes":{"category":"Network - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - DNS lookup was done for a IP check service","enabled":true,"expression":"dns.question.name - in [\"icanhazip.com\", \"ip-api.com\", \"myip.opendns.com\", \"checkip.amazonaws.com\", - \"whatismyip.akamai.com\"] \u0026\u0026 process.file.name != \"\"","filters":["os - == \"linux\""],"monitoring":["CWS_DD"],"name":"ip_check_domain","product_tags":["tactic:TA0007-discovery","technique:T1016-system-network-configuration-discovery","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"hcr-3py-6it","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1736807340000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testupdateacsmthreatsagentrulereturnsbadrequestresponse1746611610","updateDate":1746611611223,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"900-1sj-xhs","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM + may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path + in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\", ~\"/lib/security/*\", ~\"/usr/lib/security/*\", + ~\"/lib64/security/*\", ~\"/usr/lib64/security/*\" ])\n)","filters":["os == + \"linux\""],"monitoring":["compliance.policy"],"name":"pam_modification_unlink","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"wzz-ni8-56v","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1733963824000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1736807340","updateDate":1736807342000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"igb-n2l-mh4","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746635706008,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1733963824","updateDate":1733963824000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"1ys-tf8-u32","type":"agent_rule","attributes":{"category":"Process + 
Activity","creationDate":1735562224000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testdeleteacsmthreatsagentrulereturnsokresponse1746635705","updateDate":1746635706008,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"def-000-y7j","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical - system binaries may have been modified","enabled":true,"expression":"(\n open.flags - \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.path - in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", - ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n \u0026\u0026 process.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \u0026\u0026 - process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) - \u0026\u0026 container.id != \"\" \u0026\u0026 container.created_at \u003e - 90s","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"pci_11_5_critical_binaries_open_v2","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"kax-qcg-qu0","type":"agent_rule","attributes":{"category":"Process - 
Activity","creationDate":1714581423000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1735562224","updateDate":1735562224000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"ou7-vxd-f9m","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1746611594063,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714581423","updateDate":1714581424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"y0s-toi-yyk","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746097927076,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testcreateacsmthreatsagentrulereturnsokresponse1746611593","updateDate":1746611594063,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"9wz-mgt-zkp","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1715546226000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptupdateacsmthreatsagentrulereturnsokresponse1746097926","updateDate":1746097927076,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"gfp-rvz-fcq","type":"agent_rule","attributes":{"category":"Process - 
Activity","creationDate":1746633537526,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1715546226","updateDate":1715546226000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"sfj-gky-roy","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1732869424000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testupdateacsmthreatsagentrulereturnsbadrequestresponse1746633537","updateDate":1746633537526,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"j8a-wic-bvi","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The - LD_PRELOAD variable is populated by a link to a suspicious file directory","enabled":true,"expression":"exec.envs - in [~\"LD_PRELOAD=*/tmp/*\", ~\"LD_PRELOAD=/dev/shm/*\"]","filters":["os == - \"linux\""],"monitoring":["CWS_DD"],"name":"ld_preload_unusual_library_path","product_tags":["tactic:TA0004-privilege-escalation","technique:T1574-hijack-execution-flow","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"fii-ysi-7bu","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715618226000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1732869424","updateDate":1732869424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"ybg-c9d-29b","type":"agent_rule","attributes":{"category":"Process + 
Activity","creationDate":1723034223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1715618224","updateDate":1715618226000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"ceu-3h6-qug","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1740269813000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1723034223","updateDate":1723034224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"a1s-8yo-pst","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1746630365537,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1740269813","updateDate":1740269814000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"8rl-d3i-xyv","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746195378531,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testcreateacsmthreatsagentrulereturnsokresponse1746630365","updateDate":1746630365537,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"def-000-fn2","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Shell + profile was 
modified","enabled":true,"expression":"open.file.path in [~\"/home/*/*profile\", + ~\"/home/*/*rc\"] \u0026\u0026 open.flags \u0026 ((O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)) + \u003e 0","filters":["os == \"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"shell_profile_modification","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:threat-detection","policy:compliance"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-brb","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"regedit + used to export critical registry hive","enabled":true,"expression":"exec.file.name + in [\"reg.exe\", \"regedit.exe\"] \u0026\u0026 exec.cmdline in [~\"*hklm*\", + ~\"*hkey_local_machine*\", ~\"*system*\", ~\"*sam*\", ~\"*security*\"]","filters":["os + == \"windows\""],"monitoring":["threat-detection.policy"],"name":"critical_registry_export","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"gyq-tpv-vvr","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1746195381263,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testcreateacsmthreatsagentrulereturnsokresponse1746195378","updateDate":1746195378531,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"def-000-925","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - shell with a TTY was executed in a 
container","enabled":true,"expression":"exec.file.path - in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" - ] \u0026\u0026 process.tty_name != \"\" \u0026\u0026 process.container.id - != \"\"","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"tty_shell_in_container","product_tags":["tactic:TA0002-execution","technique:T1609-container-administration-command","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"jr3-0m8-jlj","type":"agent_rule","attributes":{"actions":[{"hash":{},"disabled":false}],"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - process launched with arguments associated with cryptominers","enabled":true,"expression":"exec.args_options - in [~\"cpu-priority*\", ~\"donate-level*\"] || exec.args_flags == \"randomx-1gb-pages\" - || exec.args in [~\"*stratum+tcp*\", ~\"*stratum+ssl*\", ~\"*stratum1+tcp*\", - ~\"*stratum1+ssl*\", ~\"*stratum2+tcp*\", ~\"*stratum2+ssl*\", ~\"*nicehash*\", - ~\"*yespower*\"]","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"cryptominer_args","product_tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"3cv-rwp-2t7","type":"agent_rule","attributes":{"category":"Process - 
Activity","creationDate":1724215024000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testdeleteacsmthreatsagentrulereturnsokresponse1746195381","updateDate":1746195381263,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"def-000-fdc","type":"agent_rule","attributes":{"actions":[{"filter":"${process.correlation_key} + != \"\"","set":{"name":"parent_correlation_keys","default_value":"","append":true,"scope":"process","expression":"${process.correlation_key}","inherited":true},"disabled":false},{"set":{"name":"correlation_key","default_value":"","scope":"process","expression":"\"service_${builtins.uuid4}\"","inherited":true},"disabled":false}],"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Track + execution context from service","enabled":true,"expression":"(exec.envs in + [\"DD_SERVICE\", \"OTEL_SERVICE_NAME\"] || \"tags.datadoghq.com/service\" + in container.tags) \u0026\u0026 ${process.correlation_key} in [\"\", ~\"cgroup_*\", + ~\"auid_*\"]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"execution_context_service","product_tags":["policy:threat-detection"],"silent":true,"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"4mc-0xr-vlw","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1714264624000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1724215024","updateDate":1724215024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"245-ynt-xcy","type":"agent_rule","attributes":{"category":"Process - 
Activity","creationDate":1714610223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1714264624","updateDate":1714264624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"4qm-ikt-fpr","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1721954224000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714610223","updateDate":1714610224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"9of-ebc-ypn","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1733143023000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1721954223","updateDate":1721954224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"bcc-gqn-ty6","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1746443531257,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1733143022","updateDate":1733143023000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"def-000-juz","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - privileged container was 
created","enabled":true,"expression":"exec.file.name - != \"\" \u0026\u0026 container.id != \"\" \u0026\u0026 container.created_at - \u003c 1s \u0026\u0026 process.cap_permitted \u0026 CAP_SYS_ADMIN \u003e 0","filters":["os - == \"linux\""],"monitoring":["CWS_DD"],"name":"deploy_priv_container","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection","policy:best-practice"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"5b4-k0v-rzw","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1734424624000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptgetacsmthreatsagentrulereturnsokresponse1746443531","updateDate":1746443531257,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"p4n-ijm-zeu","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1714155721000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1734424623","updateDate":1734424624000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"6w8-3xn-j4c","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1736066223000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1714155721","updateDate":1714155721000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"xx5-jk7-v7j","type":"agent_rule","attributes":{"category":"Process + 
Activity","creationDate":1746631365451,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1736066222","updateDate":1736066224000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"def-000-t06","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"find - command searching for sensitive files","enabled":true,"expression":"exec.comm - == \"find\" \u0026\u0026 exec.args in [~\"*credentials*\"]","filters":["os - == \"linux\""],"monitoring":["CWS_DD"],"name":"find_credentials","product_tags":["tactic:TA0006-credential-access","technique:T1552-unsecured-credentials","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"3i1-zpd-ycj","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - new kernel module was added","enabled":true,"expression":"(\n (rename.file.path - in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || rename.file.destination.path - in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testgetacsmthreatsagentrulereturnsokresponse1746631365","updateDate":1746631365451,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"def-000-2k6","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Suspicious + usage of ntdsutil","enabled":true,"expression":"exec.file.name == \"ntdsutil.exe\" + \u0026\u0026 exec.cmdline in 
[~\"*ntds*\", ~\"*create*\"]","filters":["os + == \"windows\""],"monitoring":["threat-detection.policy"],"name":"suspicious_ntdsutil_usage","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-oil","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The + unshare utility was executed in a container","enabled":true,"expression":"exec.comm + == \"unshare\" \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"unshare_in_container","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"td2-31c-ln4","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive + credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (chown.file.path + in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path + not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", + \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", + \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 
process.ancestors.file.path + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid + != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os + == \"linux\""],"monitoring":["compliance.policy"],"name":"credential_modified_chown","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"mqh-lgo-brj","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch + may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path + in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 chmod.file.destination.mode + != chmod.file.mode \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"nsswitch_conf_mod_chmod","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"9y1-cbb-p03","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL + certificates may have been tampered with","enabled":true,"expression":"(\n (unlink.file.path + in [ ~\"/etc/ssl/certs/**\" ])\n \u0026\u0026 process.file.path not in + [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", 
\"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 process.file.path + != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path + != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path - != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"kernel_module_rename","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"hk2-qrd-3jt","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714667824000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ + \"runc*\"","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"ssl_certificate_tampering_unlink","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-mpd","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + process connected to a cryptocurrency mining pool","enabled":true,"expression":"connect.addr.hostname + in [~\"*.minexmr.com\", \"minexmr.com\", ~\"*.nanopool.org\", \"nanopool.org\", + ~\"*.supportxmr.com\", \"supportxmr.com\", ~\"*.c3pool.com\", \"c3pool.com\", + ~\"*.p2pool.io\", \"p2pool.io\", ~\"*.ethermine.org\", \"ethermine.org\", + ~\"*.f2pool.com\", \"f2pool.com\", ~\"*.poolin.me\", \"poolin.me\", ~\"*.rplant.xyz\", + 
\"rplant.xyz\", ~\"*.miningocean.org\", \"miningocean.org\"]","filters":["os + == \"linux\""],"monitoring":["threat-detection.policy"],"name":"mining_pool_domain","product_tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"kpm-7kh-xz5","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + process attempted to inject code into another process","enabled":true,"expression":"ptrace.request + == PTRACE_POKETEXT || ptrace.request == PTRACE_POKEDATA || ptrace.request + == PTRACE_POKEUSR","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"ptrace_injection","product_tags":["tactic:TA0005-defense-evasion","technique:T1055-process-injection","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-dar","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + shell made an outbound network connection","enabled":true,"expression":"(connect.addr.family + == AF_INET || connect.addr.family == AF_INET6) \u0026\u0026 process.file.name + in [\"dash\",\"sh\",\"static-sh\",\"sh\",\"bash\",\"bash\",\"bash-static\",\"zsh\",\"ash\",\"csh\",\"ksh\",\"tcsh\",\"busybox\",\"busybox\",\"fish\",\"ksh93\",\"rksh\",\"rksh93\",\"lksh\",\"mksh\",\"mksh-static\",\"csharp\",\"posh\",\"rc\",\"sash\",\"yash\",\"zsh5\",\"zsh5-static\"] + \u0026\u0026 connect.addr.is_public == true","filters":["os == 
\"linux\""],"monitoring":["threat-detection.policy"],"name":"shell_net_connection","product_tags":["tactic:TA0002-execution","technique:T1059-command-and-scripting-interpreter","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-krr","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + process removed itself from the filesystem","enabled":true,"expression":"unlink.file.path + == process.file.path","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"unlink_self","product_tags":["tactic:TA0005-defense-evasion","technique:T1564-hide-artifacts","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"hhl-9nk-8ls","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1715819826000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1714667824","updateDate":1714667824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"fog-8k1-fzi","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1733704624000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1715819824","updateDate":1715819826000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"shf-bur-1id","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1735288624000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent 
rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1733704624","updateDate":1733704624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"vma-z5w-bi9","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1734179823000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1735288624","updateDate":1735288624000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"qk2-gkn-517","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1730162223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1734179822","updateDate":1734179825000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"def-000-4xu","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Kernel - modules were listed using the lsmod command","enabled":true,"expression":"exec.comm - == \"lsmod\"","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"exec_lsmod","product_tags":["tactic:TA0007-discovery","technique:T1082-system-information-discovery","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"c79-8dg-klx","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715445423000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1730162223","updateDate":1730162225000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"v2b-cd3-clr","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch + may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path + in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 (chown.file.destination.uid + != chown.file.uid || chown.file.destination.gid != chown.file.gid) \u0026\u0026 + process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", + \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os + == \"linux\""],"monitoring":["compliance.policy"],"name":"nsswitch_conf_mod_chown","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-dpm","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + process attempted to enable writing to model-specific registers","enabled":true,"expression":"exec.comm + == \"modprobe\" \u0026\u0026 process.args =~ \"*msr*allow_writes*\"","filters":["os + == \"linux\""],"monitoring":["threat-detection.policy"],"name":"kernel_msr_write","product_tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"460-gys-lqp","type":"agent_rule","attributes":{"category":"Network + 
Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + DNS lookup was done for a pastebin-like site","enabled":true,"expression":"dns.question.name + in [\"pastebin.com\", \"ghostbin.com\", \"termbin.com\", \"klgrth.io\", \"rentry.co\", + \"transfer.sh\"] \u0026\u0026 process.file.name != \"\"","filters":["os == + \"linux\""],"monitoring":["threat-detection.policy"],"name":"paste_site","product_tags":["tactic:TA0011-command-and-control","technique:T1105-ingress-tool-transfer","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-vjv","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Command + executed via WMI","enabled":true,"expression":"exec.file.name in [~\"powershell*\",\"cmd.exe\"] + \u0026\u0026 process.parent.file.name == \"WmiPrvSE.exe\"","filters":["os + == \"windows\""],"monitoring":["threat-detection.policy"],"name":"wmi_spawning_shell","product_tags":["tactic:TA0002-execution","technique:T1047-windows-management-instrumentation","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"w60-a8d-qrd","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1734439024000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1715445422","updateDate":1715445424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"y5i-yxn-27t","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL - certificates may 
have been tampered with","enabled":true,"expression":"(\n (chmod.file.path - in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1734439023","updateDate":1734439024000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"i5i-xfz-wxs","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1746195393441,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testupdateacsmthreatsagentrulereturnsbadrequestresponse1746195393","updateDate":1746195393441,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"3i1-zpd-ycj","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + new kernel module was added","enabled":true,"expression":"(\n (rename.file.path + in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || rename.file.destination.path + in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.mode != - chmod.file.destination.mode\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 - process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 - process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", 
\"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 - process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"ssl_certificate_tampering_chmod","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"egv-kvz-h9q","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746529942370,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path + != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"kernel_module_rename","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-do7","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Possible + ransomware note created under common user directories","enabled":true,"expression":"open.flags + \u0026 O_CREAT \u003e 0\n\u0026\u0026 open.file.path in [~\"/home/**\", ~\"/root/**\", + ~\"/bin/**\", ~\"/usr/bin/**\", ~\"/opt/**\", ~\"/etc/**\", ~\"/var/log/**\", + ~\"/var/lib/log/**\", ~\"/var/backup/**\", ~\"/var/www/**\"]\n\u0026\u0026 + (open.file.name in [r\"(?i)(restore|recover|instruction|help|how_to|how\\ + to|ransom).*(your_|recover|crypt|lock|ransom|instruction|files)\"] || open.file.name + in [r\"RECOVER.*\\.txt\"]) 
\u0026\u0026 open.file.name not in [r\"\\.lock$\"]","filters":["os + == \"linux\""],"monitoring":["threat-detection.policy"],"name":"ransomware_note","product_tags":["tactic:TA0040-impact","technique:T1490-inhibit-system-recovery","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"d7t-4i4-tex","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1722659826000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptdeleteacsmthreatsagentrulereturnsokresponse1746529942","updateDate":1746529942370,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"def-000-vjv","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Command - executed via WMI","enabled":true,"expression":"exec.file.name in [~\"powershell*\",\"cmd.exe\"] - \u0026\u0026 process.parent.file.name == \"WmiPrvSE.exe\"","filters":["os - == \"windows\""],"monitoring":["CWS_DD"],"name":"wmi_spawning_shell","product_tags":["tactic:TA0002-execution","technique:T1047-windows-management-instrumentation","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-76q","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows - cryptographic blocking policy modified","enabled":true,"expression":"set.registry.key_path - in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType - 0\\CryptSIPDllRemoveSignedDataMsg*\"]","filters":["os == 
\"windows\""],"monitoring":["CWS_DD"],"name":"windows_cryptographic_blocking_policy_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-zse","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PHP - web application spawning shell","enabled":true,"expression":"exec.file.name - in [~\"powershell*\",\"cmd.exe\"] \u0026\u0026 process.parent.file.name in - [\"php.exe\",\"php-cgi.exe\"]","filters":["os == \"windows\""],"monitoring":["CWS_DD"],"name":"php_spawning_shell","product_tags":["tactic:TA0002-execution","technique:T1210-exploitation-of-remote-services","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"pwu-7u7-iiq","type":"agent_rule","attributes":{"category":"Kernel - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - process uses an anti-debugging technique to block debuggers","enabled":true,"expression":"ptrace.request - == PTRACE_TRACEME \u0026\u0026 process.file.name != \"\"","filters":["os == - \"linux\""],"monitoring":["CWS_DD"],"name":"ptrace_antidebug","product_tags":["tactic:TA0005-defense-evasion","technique:T1622-debugger-evasion","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"nco-423-hiu","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1733531824000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1722659824","updateDate":1722659826000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"3ox-06e-x4c","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1734093424000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1733531824","updateDate":1733531824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"4sz-cc7-ukd","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1733560627000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1734093423","updateDate":1734093424000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"eqx-iiy-wru","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1746195384460,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1733560624","updateDate":1733560627000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"zjt-hio-sx0","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1748011784397,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"initial - description","enabled":true,"expression":"open.file.name == \"etc/shadow/password\"","filters":["os - == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"wgxsdtgtmx","product_tags":["compliance_framework:HIPAA"],"updateDate":1748011784397,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"18r-273-a6u","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1735547824000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testgetacsmthreatsagentrulereturnsokresponse1746195384","updateDate":1746195384460,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"6at-weo-6ya","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1746635720659,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1735547824","updateDate":1735547824000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"def-000-a65","type":"agent_rule","attributes":{"category":"Network - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Web - application requested IMDSv1 credentials","enabled":true,"expression":"imds.aws.is_imds_v2 - == false \u0026\u0026 imds.url =~ \"*/*/meta-data/iam/security-credentials/*\" - \u0026\u0026 (process.ancestors.file.name in [\"apache2\", \"nginx\", ~\"tomcat*\", - \"httpd\"] || process.ancestors.file.name =~ \"php*\" || process.ancestors.file.name - == \"java\")","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"webapp_imds_V1_request","product_tags":["tactic:TA0040-impact","technique:T1531-account-access-removal","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"p4n-ijm-zeu","type":"agent_rule","attributes":{"category":"Process - 
Activity","creationDate":1714155721000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testupdateacsmthreatsagentrulereturnsbadrequestresponse1746635720","updateDate":1746635720659,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"ukn-yjf-h6a","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1719981424000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1714155721","updateDate":1714155721000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"uyv-a9k-8l7","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1734395826000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1719981423","updateDate":1719981424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"def-000-j45","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + process is tracing privileged processes or sshd for possible credential dumping","enabled":true,"expression":"(ptrace.request + == PTRACE_PEEKTEXT || ptrace.request == PTRACE_PEEKDATA || ptrace.request + == PTRACE_PEEKUSR) \u0026\u0026 ptrace.tracee.euid == 0 \u0026\u0026 process.comm + not in [\"dlv\", \"dlv-linux-amd64\", \"strace\", \"gdb\", \"lldb-server\"]","filters":["os + == 
\"linux\""],"monitoring":["threat-detection.policy"],"name":"sensitive_tracing","product_tags":["tactic:TA0004-privilege-escalation","technique:T1055-process-injection","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"7s9-sfq-2km","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1732552624000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1734395824","updateDate":1734395826000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"mtg-s1f-xy5","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1716050223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1732552624","updateDate":1732552624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"def-000-ev8","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The + wrmsr program executed","enabled":true,"expression":"exec.comm == \"wrmsr\"","filters":["os + == \"linux\""],"monitoring":["threat-detection.policy"],"name":"exec_wrmsr","product_tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-fsu","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + process is masquerading as a kernel thread by using bracket notation in its + 
name","enabled":true,"expression":"(exec.comm in [r\"^\\[.*\\]$\"] || exec.argv0 + in [r\"^\\[.*\\]$\"]) \u0026\u0026 (process.parent.ppid !=2 || process.args + != \"\")","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"kernel_process_masquerade","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"rc4-b53-3sj","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1715863024000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1716050222","updateDate":1716050224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"ctc-pux-luh","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737951387000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"Test + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1715863024","updateDate":1715863024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"ssm-zlm-vqh","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1720312626000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptupdateacsmthreatsagentrulereturnsokresponse1737951387","updateDate":1737951389000,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"def-000-fsq","type":"agent_rule","attributes":{"category":"Process - 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - cryptominer was potentially executed","enabled":true,"expression":"exec.cmdline - in [~\"*cpu-priority*\", ~\"*donate-level*\", ~\"*randomx-1gb-pages*\", ~\"*stratum+tcp*\", - ~\"*stratum+ssl*\", ~\"*stratum1+tcp*\", ~\"*stratum1+ssl*\", ~\"*stratum2+tcp*\", - ~\"*stratum2+ssl*\", ~\"*nicehash*\", ~\"*yespower*\"]","filters":["os == - \"windows\""],"monitoring":["CWS_DD"],"name":"windows_cryptominer_process","product_tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-qnj","type":"agent_rule","attributes":{"category":"Kernel - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - process made an outbound IRC connection","enabled":true,"expression":"connect.addr.port - == 6667 \u0026\u0026 connect.addr.is_public == true","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"irc_connection","product_tags":["tactic:TA0011-command-and-control","technique:T1071-application-layer-protocol","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"eue-gqs-59v","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715503024000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1720312624","updateDate":1720312626000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"lrg-avx-x1k","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + kernel module was loaded from 
memory","enabled":true,"expression":"load_module.loaded_from_memory + == true","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"kernel_module_load_from_memory","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"9n1-l1g-u4k","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1721853424000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1715503024","updateDate":1715503024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"ocv-we5-g5y","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715661423000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1721853423","updateDate":1721853424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"w6f-wte-i63","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL + certificates may have been tampered with","enabled":true,"expression":"(\n (link.file.path + in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || link.file.destination.path + in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.file.path + != 
\"/usr/sbin/update-ca-certificates\"\n \u0026\u0026 process.ancestors.file.path + != \"/usr/sbin/update-ca-certificates\"\n \u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.file.name + !~ \"runc*\"\n)","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"ssl_certificate_tampering_link","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"647-nlb-uld","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + network utility (such as nmap) commonly used in intrusion attacks was executed","enabled":true,"expression":"exec.file.name + in [\"nmap\", \"masscan\", \"fping\", \"zmap\", \"zgrab\", \"zgrab2\", \"rustscan\", + \"pnscan\"] \u0026\u0026 exec.args_flags not in [\"V\", \"version\"]","filters":["os + == \"linux\""],"monitoring":["threat-detection.policy"],"name":"common_net_intrusion_util","product_tags":["tactic:TA0007-discovery","technique:T1046-network-service-discovery","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-8j2","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + web application spawned a shell or shell utility","enabled":true,"expression":"(exec.file.path + in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n 
\"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" + ] || exec.comm in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.path + in [\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",
\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\",\"/bin/busybox\"]) + \u0026\u0026\n(process.parent.file.name in [\"apache2\", \"nginx\", ~\"tomcat*\", + \"httpd\"] || process.parent.file.name =~ \"php*\")","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"potential_web_shell_parent","product_tags":["tactic:TA0002-execution","technique:T1210-exploitation-of-remote-services","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-mmo","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers + policy file may have been modified without authorization","enabled":true,"expression":"(open.flags + \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n(open.file.path + in [\"/etc/sudoers\", ~\"/etc/sudoers.d/*\"])) \u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"sudoers_policy_modified_open","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-550","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers + policy file may have been modified without 
authorization","enabled":true,"expression":"(\n (rename.file.path + in [\"/etc/sudoers\", ~\"/etc/sudoers.d/*\"]\n || rename.file.destination.path + in [\"/etc/sudoers\",~\"/etc/sudoers.d/*\"])\n)","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"sudoers_policy_modified_rename","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-mxb","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The + host file system was mounted in a container","enabled":true,"expression":"mount.source.path + == \"/\" \u0026\u0026 mount.fs_type != \"overlay\" \u0026\u0026 container.id + != \"\"","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"mount_host_fs","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-d4i","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"NTDS + file referenced in commandline","enabled":true,"expression":"exec.cmdline + =~ \"*ntds.dit*\"","filters":["os == \"windows\""],"monitoring":["threat-detection.policy"],"name":"ntds_in_commandline","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"afj-5sv-2wb","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + container management utility was executed in a 
container","enabled":true,"expression":"exec.file.name + in [\"docker\", \"kubectl\", \"ctr\"] \u0026\u0026 container.id != \"\"","filters":["os + == \"linux\""],"monitoring":["threat-detection.policy"],"name":"suspicious_container_client","product_tags":["tactic:TA0002-execution","technique:T1609-container-administration-command","technique:T1610-deploy-container","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"4bk-eaa-j5w","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1728664623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1715661422","updateDate":1715661423000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"def-000-0fx","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Shell - process spawned from print server","enabled":true,"expression":"exec.file.name - != \"\" \u0026\u0026 process.parent.file.name == \"foomatic-rip\"","filters":["os - == \"linux\""],"monitoring":["CWS_DD"],"name":"cups_spawned_shell","product_tags":["tactic:TA0001-initial-access","technique:T1190-exploit-public-facing-application","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"2s5-ipa-ooo","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - process wrote to a dynamic linker config file","enabled":true,"expression":"open.file.path - in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", ~\"/etc/ld.so.conf.d/*.conf\"] - \u0026\u0026 open.flags \u0026 
(O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) - \u003e 0 \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", - \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - ~\"/usr/local/bin/pip*\"] \u0026\u0026 process.ancestors.file.path not in - [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", - \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", - \"/opt/datadog-agent/embedded/bin/trace-agent\", \"/opt/datadog-agent/bin/agent/agent\", - \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", - \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", - \"/opt/datadog-agent/bin/datadog-cluster-agent\", ~\"/opt/datadog-packages/**\", - ~\"/opt/datadog-installer/**\"] \u0026\u0026 process.argv0 not in [\"runc\", - \"/usr/bin/runc\", \"/usr/sbin/runc\"]","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"dynamic_linker_config_write","product_tags":["tactic:TA0004-privilege-escalation","technique:T1574-hijack-execution-flow","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"hgr-nny-7zr","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1720471023000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1728664622","updateDate":1728664623000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"5ok-zd7-gf9","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1748012897594,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"initial + description","enabled":true,"expression":"open.file.name == 
\"etc/shadow/password\"","filters":["os + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"khuiwwlgzk","product_tags":["compliance_framework:HIPAA"],"updateDate":1748012897594,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"n8l-rby-b42","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1735072624000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1720471022","updateDate":1720471024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"91f-pyq-54k","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH - modified keys may have been modified","enabled":true,"expression":"(\n link.file.name - in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (link.file.path - in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ]\n || - link.file.destination.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" - ])\n)","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"ssh_authorized_keys_link","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"0i7-z9o-zed","type":"agent_rule","attributes":{"actions":[{"set":{"name":"processes_accessing","field":"process.file.path","append":true,"ttl":60000000000},"disabled":false}],"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The - Kubernetes pod service account token was accessed","enabled":true,"expression":"open.file.path - in 
[~\"/var/run/secrets/kubernetes.io/serviceaccount/**\", ~\"/run/secrets/kubernetes.io/serviceaccount/**\"]\n\u0026\u0026 - open.file.name == \"token\"\n\u0026\u0026 process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", - \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", - \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/embedded/bin/trace-agent\", - \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", - \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", - \"/opt/datadog-agent/bin/datadog-cluster-agent\", ~\"/opt/datadog-packages/**\", - ~\"/opt/datadog-installer/**\"]\n\u0026\u0026 process.file.path not in [\"/usr/bin/cilium-agent\", - \"/coredns\", \"/usr/bin/cilium-operator\", \"/manager\", \"/fluent-bit/bin/fluent-bit\", - \"/usr/local/bin/cloud-node-manager\", \"/secrets-store-csi\", \"/bin/secrets-store-csi-driver-provider-aws\", - \"/usr/bin/calico-node\", \"/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent\", - \"/nginx-ingress-controller\", \"/cluster-autoscaler\", \"/cluster-proportional-autoscaler\", - \"/haproxy-ingress-controller\", \"/kube-state-metrics\", \"/fluent-bit-gke-exporter\", - \"/bin/external-secrets\", \"/node-termination-handler\", \"/fluent-bit-gke-exporter\", - \"/bin/vault\", \"/usr/local/bin/kubectl\", \"/local-provisioner\", \"/usr/bin/gitlab-runner\", - \"/usr/local/bin/vaultd\", \"/usr/local/bin/trace-driveline-writer\", \"/usr/local/bin/registration-controller\", - \"/usr/local/bin/cluster-autoscaler\"]\n\u0026\u0026 process.file.path not - in ${processes_accessing}\n\u0026\u0026 process.ancestors.file.path not in - [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", - \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", - 
\"/opt/datadog-agent/embedded/bin/trace-agent\", \"/opt/datadog-agent/bin/agent/agent\", - \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", - \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", - \"/opt/datadog-agent/bin/datadog-cluster-agent\", ~\"/opt/datadog-packages/**\", - ~\"/opt/datadog-installer/**\"]","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"k8s_pod_service_account_token_accessed","product_tags":["tactic:TA0006-credential-access","technique:T1552-unsecured-credentials","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-myb","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers - policy file may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path - == \"/etc/sudoers\"\n || link.file.destination.path == \"/etc/sudoers\")\n)","filters":["os - == \"linux\""],"monitoring":["CWS_DD"],"name":"sudoers_policy_modified_link","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"3hj-2t8-ydm","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1729787824000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1735072624","updateDate":1735072624000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"f4p-2wj-hrf","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1715459823000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test Agent rule","enabled":true,"expression":"exec.file.name == 
\"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1729787824","updateDate":1729787824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"ro3-z56-52j","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1732221423000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1715459822","updateDate":1715459824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"uis-h13-41q","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An + unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n open.flags + \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path + in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n \u0026\u0026 + process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 + process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", + \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os + == \"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"cron_at_job_creation_open","product_tags":["tactic:TA0002-execution","technique:T1053-scheduled-task-or-job","policy:threat-detection","policy:compliance"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"9ym-18v-5zi","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical + system binaries may 
have been modified","enabled":true,"expression":"(\n (link.file.path + in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", + ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || link.file.destination.path + in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", + ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \u0026\u0026 + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os + == \"linux\""],"monitoring":["compliance.policy"],"name":"pci_11_5_critical_binaries_link","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-j1b","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Looney + Tunables (CVE-2023-4911) exploit attempted","enabled":true,"expression":"exec.file.mode + \u0026 S_ISUID \u003e 0 \u0026\u0026 exec.file.uid == 0 \u0026\u0026 exec.uid + != 0 \u0026\u0026 exec.envs in [~\"*GLIBC_TUNABLES*\"]","filters":["os == + 
\"linux\""],"monitoring":["threat-detection.policy"],"name":"looney_tunables_exploit","product_tags":["tactic:TA0004-privilege-escalation","technique:T1068-exploitation-for-privilege-escalation","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"50t-g20-n4o","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1710772096000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"","enabled":true,"expression":"open.file.name + == \"etc/shadow/password\"","filters":["os == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"Randomname","updateDate":1710772096000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"rsm-fam-pfp","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1714869424000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1732221423","updateDate":1732221424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"w3d-qp8-3yb","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1716309424000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1714869424","updateDate":1714869424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"def-000-h19","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The + container breakout CVE-2024-21626 was successful","enabled":true,"expression":"chdir.syscall.path + =~ \"/proc/self/fd/*\" \u0026\u0026 chdir.file.path == \"/sys/fs/cgroup\" + 
\u0026\u0026 process.file.name =~ \"runc.*\"","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"runc_leaky_fd","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"35e-29w-qhu","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1715128624000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1715128624","updateDate":1715128624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"sic-1px-69u","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1717418225000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1717418224","updateDate":1717418225000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"vxv-90c-vm4","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1714279023000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714279022","updateDate":1714279024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"m7d-vlh-3yq","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Package + 
management was detected in a container","enabled":true,"expression":"exec.file.path + in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 container.id != \"\"","filters":["os + == \"linux\""],"monitoring":["best-practice.policy","threat-detection.policy"],"name":"package_management_in_container","product_tags":["tactic:TA0002-execution","technique:T1059-command-and-scripting-interpreter","policy:threat-detection","policy:best-practice"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-jm5","type":"agent_rule","attributes":{"actions":[{"set":{"name":"core_pattern_write_container_id","field":"container.id","scope":"container","ttl":1800000000000,"inherited":false},"disabled":false}],"category":"File + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Detect + any attempt to modify /proc/sys/kernel/core_pattern from a container, which + might result to escape to host when a core dump is triggered.","enabled":true,"expression":"open.file.name + == \"core_pattern\" \u0026\u0026\nopen.file.filesystem == \"proc\" \u0026\u0026\nopen.flags + \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 \ncontainer.id + != \"\"","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"core_pattern_write","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"jx5-yfk-osv","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1746789254740,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + Agent 
rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptcreateacsmthreatsagentrulereturnsokresponse1746789254","updateDate":1746789254740,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"dkb-9ud-0ca","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + container loaded a new kernel module","enabled":true,"expression":"load_module.name + != \"\" \u0026\u0026 container.id !=\"\"","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"kernel_module_load_container","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"5jy-8qa-vwx","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1724216976000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1716309424","updateDate":1716309424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"zdz-ued-luw","type":"agent_rule","attributes":{"category":"Process + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testrustupdateacsmthreatsagentrulereturnsbadrequestresponse1724216976","updateDate":1724216976000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"zdz-ued-luw","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1714797424000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os 
- == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1714797424","updateDate":1714797424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"nue-wxi-y3i","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1735720623000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1714797424","updateDate":1714797424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"1m6-dg0-lq9","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1714624623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1735720623","updateDate":1735720626000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"def-000-969","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process - arguments indicating possible netcat shell detected","enabled":true,"expression":"exec.file.name - in [\"netcat\", \"nc\", \"ncat\"] \u0026\u0026 ((exec.args_flags in [\"l\"] - \u0026\u0026 exec.args_flags in [\"p\"]) || (exec.args_flags in [\"n\"] \u0026\u0026 - exec.args_flags in [\"v\"]) || (exec.args in [~\"*/bin/bash*\", ~\"*/bin/sh*\"]))","filters":["os - == 
\"linux\""],"monitoring":["CWS_DD"],"name":"netcat_shell","product_tags":["tactic:TA0001-initial-access","technique:T1190-exploit-public-facing-application","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"bwn-zl7-d0k","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746097915502,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714624623","updateDate":1714624624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"fxe-inc-9zj","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1719938223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptcreateacsmthreatsagentrulereturnsokresponse1746097915","updateDate":1746097915502,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"eor-xnf-mac","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746616279688,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1719938222","updateDate":1719938225000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"orc-g8c-fmh","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1746097919884,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptupdateacsmthreatsagentrulereturnsokresponse1746616279","updateDate":1746616279688,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"h4n-yuq-2mp","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715632623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptgetacsmthreatsagentrulereturnsokresponse1746097919","updateDate":1746097919884,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"43q-0jv-1zb","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1746616279053,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1715632622","updateDate":1715632624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"ylx-z1o-jjd","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746184343494,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptupdateacsmthreatsagentrulereturnsbadrequestresponse1746616279","updateDate":1746616279053,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"qoe-y42-hqp","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1716554224000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptupdateacsmthreatsagentrulereturnsbadrequestresponse1746184343","updateDate":1746184343494,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"ti4-rku-0ke","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746789271799,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1716554224","updateDate":1716554224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"rv8-utm-cs5","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1746702690686,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptupdateacsmthreatsagentrulereturnsbadrequestresponse1746789271","updateDate":1746789271799,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"wri-hx3-4n3","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM - may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path - in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ]\n || rename.file.destination.path - in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == 
\"linux\""],"monitoring":["CWS_DD"],"name":"pam_modification_rename","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-qn0","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsenter - used to breakout of container","enabled":true,"expression":"exec.file.name - == \"nsenter\" \u0026\u0026 exec.args_options in [\"target=1\", \"t=1\"] \u0026\u0026 - container.id != \"\"","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"nsenter_in_container","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"ev9-rxn-om1","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1733272623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptupdateacsmthreatsagentrulereturnsbadrequestresponse1746702690","updateDate":1746702690686,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"tps-9zv-vpp","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1734899823000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1733272622","updateDate":1733272626000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"def-000-dpm","type":"agent_rule","attributes":{"category":"Process - 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - process attempted to enable writing to model-specific registers","enabled":true,"expression":"exec.comm - == \"modprobe\" \u0026\u0026 process.args =~ \"*msr*allow_writes*\"","filters":["os - == \"linux\""],"monitoring":["CWS_DD"],"name":"kernel_msr_write","product_tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-88h","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Egress - traffic allowed using iptables","enabled":true,"expression":"exec.comm == - \"iptables\" \u0026\u0026 process.args in [r\"OUTPUT.*((25[0-5]|(2[0-4]|1\\d|[1-9]|)\\d)\\.?\\b){4}.*ACCEPT\"] - \u0026\u0026 process.args not in [r\"(127\\.)|(10\\.)|(172\\.1[6-9]\\.)|(172\\.2[0-9]\\.)|(^172\\.3[0-1]\\.)|(192\\.168\\.)|(169\\.254\\.)\"]","filters":["os - == \"linux\""],"monitoring":["CWS_DD"],"name":"iptables_egress_allowed","product_tags":["tactic:TA0005-defense-evasion","technique:T1562-impair-defenses","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-d4i","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"NTDS - file referenced in commandline","enabled":true,"expression":"exec.cmdline - =~ \"*ntds.dit*\"","filters":["os == \"windows\""],"monitoring":["CWS_DD"],"name":"ntds_in_commandline","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"syl-o29-0dq","type":"agent_rule","attributes":{"category":"Process - 
Activity","creationDate":1714826223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1734899823","updateDate":1734899825000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"w95-d3h-c3r","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1735864623000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714826223","updateDate":1714826223000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"6ak-6po-dd6","type":"agent_rule","attributes":{"category":"Process + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1735864622","updateDate":1735864625000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"def-000-ehx","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The + auditd rules file was modified without using auditctl","enabled":true,"expression":"open.file.path + in [\"/etc/audit/rules.d/audit.rules\", \"/etc/audit/audit.rules\"] \u0026\u0026 + open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 + process.file.name != \"auditctl\"","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"auditd_rule_file_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1562-impair-defenses","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-18q","type":"agent_rule","attributes":{"category":"Process + 
Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Tar + archive created","enabled":true,"expression":"exec.file.path == \"/usr/bin/tar\" + \u0026\u0026 exec.args_flags in [\"create\",\"c\"]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"tar_execution","product_tags":["tactic:TA0009-collection","technique:T1560-archive-collected-data","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"6ak-6po-dd6","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1716640623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1716640622","updateDate":1716640624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"def-000-bus","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The - executable bit was added to a newly created file","enabled":true,"expression":"chmod.file.in_upper_layer - \u0026\u0026\nchmod.file.change_time \u003c 30s \u0026\u0026\ncontainer.id - != \"\" \u0026\u0026\nchmod.file.destination.mode != chmod.file.mode \u0026\u0026\nchmod.file.destination.mode - \u0026 S_IXUSR|S_IXGRP|S_IXOTH \u003e 0 \u0026\u0026\nprocess.argv in [\"+x\"]","filters":["os - == \"linux\""],"monitoring":["CWS_DD"],"name":"executable_bit_added","product_tags":["tactic:TA0005-defense-evasion","technique:T1222-file-and-directory-permissions-modification","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"pfu-dvh-e5w","type":"agent_rule","attributes":{"category":"File - 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM - may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path - in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) \u0026\u0026 (chown.file.destination.uid - != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os - == \"linux\""],"monitoring":["CWS_DD"],"name":"pam_modification_chown","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-qf8","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"sharpup - tool used for local privilege escalation","enabled":true,"expression":"exec.file.name - == \"sharpup.exe\" \u0026\u0026 exec.cmdline in [~\"*HijackablePaths*\", ~\"*UnquotedServicePath*\", - ~\"*ProcessDLLHijack*\", ~\"*ModifiableServiceBinaries*\", ~\"*ModifiableScheduledTask*\", - ~\"*DomainGPPPassword*\", ~\"*CachedGPPPassword*\"]","filters":["os == \"windows\""],"monitoring":["CWS_DD"],"name":"sharpup_tool_usage","product_tags":["tactic:TA0004-privilege-escalation","technique:T1068-exploitation-for-privilege-escalation","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"k8w-brg-51l","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715445426000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1716640622","updateDate":1716640624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"hcr-3py-6it","type":"agent_rule","attributes":{"category":"Process + 
Activity","creationDate":1736807340000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1715445424","updateDate":1715445426000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"dtv-dxk-3pn","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746616272397,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1736807340","updateDate":1736807342000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"x2p-h4q-sxd","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1746702682078,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptdeleteacsmthreatsagentrulereturnsokresponse1746616272","updateDate":1746616272397,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"qes-e3j-s1d","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746443538639,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptcreateacsmthreatsagentrulereturnsokresponse1746702682","updateDate":1746702682078,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"fyq-x5u-mv1","type":"agent_rule","attributes":{"category":"File + 
Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + new kernel module was added","enabled":true,"expression":"(\n (utimes.file.path + in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path + != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"kernel_module_utimes","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-5wh","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"a + SUID file was executed","enabled":true,"expression":"(setuid.euid == 0 || + setuid.uid == 0) \u0026\u0026 process.file.mode \u0026 S_ISUID \u003e 0 \u0026\u0026 + process.file.uid == 0 \u0026\u0026 process.uid != 0 \u0026\u0026 process.file.path + != \"/usr/bin/sudo\"","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"suid_file_execution","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-eck","type":"agent_rule","attributes":{"category":"File + 
Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Dll + written to a suspicious directory","enabled":true,"expression":"create.file.name + =~ \"*.dll\" \u0026\u0026 create.file.device_path not in [~\"\\Device\\*\\Windows\\System32\\**\", + ~\"\\Device\\*\\ProgramData\\docker\\**\"] \u0026\u0026 process.file.name + != \"dockerd.exe\"","filters":["os == \"windows\""],"monitoring":["threat-detection.policy"],"name":"suspicious_dll_write","product_tags":["tactic:TA0002-execution","technique:T1609-container-administration-command","technique:T1610-deploy-container","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"qo2-qin-6hg","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1714351023000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptupdateacsmthreatsagentrulereturnsokresponse1746443538","updateDate":1746443538639,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"ro4-rju-1vq","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An - GCP IMDS was called via a network utility","enabled":true,"expression":"exec.comm - in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token\", - ~\"*169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token\"]","filters":["os - == 
\"linux\""],"monitoring":["CWS_DD"],"name":"gcp_imds","product_tags":["tactic:TA0006-credential-access","technique:T1552-unsecured-credentials","policy:best-practice","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-u1r","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - process deleted common system log files","enabled":true,"expression":"unlink.file.path - in [\"/var/run/utmp\", \"/var/log/wtmp\", \"/var/log/btmp\", \"/var/log/lastlog\", - \"/var/log/faillog\", \"/var/log/syslog\", \"/var/log/messages\", \"/var/log/secure\", - \"/var/log/auth.log\", \"/var/log/boot.log\", \"/var/log/kern.log\"] \u0026\u0026 - process.comm not in [\"dockerd\", \"containerd\"]","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"delete_system_log","product_tags":["tactic:TA0005-defense-evasion","technique:T1070-indicator-removal","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-vez","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows - winlogon registry key modified","enabled":true,"expression":"set.registry.key_path - in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon*\"]","filters":["os - == \"windows\""],"monitoring":["CWS_DD"],"name":"winlogon_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1112-modify-registry","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"xg0-u09-xir","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1733603824000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714351022","updateDate":1714351024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"mzh-gda-c24","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1715762223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1733603824","updateDate":1733603824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"kv9-026-vhz","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1715762222","updateDate":1715762224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"kv9-026-vhz","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (utimes.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", 
@@ -620,158 +873,109 @@ http_interactions: \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"credential_modified_utimes","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"dmf-a2c-odj","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - symbolic link for shell history was created targeting /dev/null","enabled":true,"expression":"exec.comm - == \"ln\" \u0026\u0026 exec.args in [~\"*.*history*\", \"/dev/null\"]","filters":["os - == \"linux\""],"monitoring":["CWS_DD"],"name":"shell_history_symlink","product_tags":["tactic:TA0005-defense-evasion","technique:T1070-indicator-removal","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"vsk-ewy-s83","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714451823000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714451823","updateDate":1714451824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"def-000-4tl","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Certutil - was executed to 
transmit or decode a potentially malicious file","enabled":true,"expression":"exec.file.name - == \"certutil.exe\" \u0026\u0026 ((exec.cmdline =~ \"*urlcache*\" \u0026\u0026 - exec.cmdline =~ \"*split*\") || exec.cmdline =~ \"*decode*\")","filters":["os - == \"windows\""],"monitoring":["CWS_DD"],"name":"certutil_usage","product_tags":["tactic:TA0011-command-and-control","technique:T1105-ingress-tool-transfer","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"fry-rzn-glo","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1748012434322,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"initial - description","enabled":true,"expression":"open.file.name == \"etc/shadow/password\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"obtppsoxzh","product_tags":["compliance_framework:HIPAA"],"updateDate":1748012434322,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"x2p-h4q-sxd","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746702682078,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptcreateacsmthreatsagentrulereturnsokresponse1746702682","updateDate":1746702682078,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"def-000-m9i","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows - environment variable registry key modified","enabled":true,"expression":"set.registry.key_path - in [~\"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\Environment*\"]","filters":["os - == 
\"windows\""],"monitoring":["CWS_DD"],"name":"windows_system_enviroment_variable_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"w0z-64n-bss","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - network utility was executed in a container","enabled":true,"expression":"(exec.comm - in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] - ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) \u0026\u0026\ncontainer.id - != \"\" \u0026\u0026 exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", - ~\"*motd.ubuntu.com*\" ]","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"net_util_in_container","product_tags":["tactic:TA0011-command-and-control","technique:T1105-ingress-tool-transfer","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"0zl-ilo-guv","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1716050224000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1716050224","updateDate":1716050224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"svl-2s4-jd4","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1730450224000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1730450223","updateDate":1730450224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"nio-59w-ip8","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714927026000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1714927026","updateDate":1714927026000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"qoe-y42-hqp","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1716554224000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"credential_modified_utimes","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"xg2-lum-j2a","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1714783024000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1716554224","updateDate":1716554224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"ges-qo5-4p8","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746635709720,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1714783024","updateDate":1714783024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"sz5-kvy-3kd","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1732927024000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testgetacsmthreatsagentrulereturnsokresponse1746635709","updateDate":1746635709720,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"y0y-3gl-645","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH - modified keys may have been modified","enabled":true,"expression":"(\n unlink.file.name - in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (unlink.file.path - in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os - == \"linux\""],"monitoring":["CWS_DD"],"name":"ssh_authorized_keys_unlink","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-oil","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The - unshare utility was executed in a container","enabled":true,"expression":"exec.comm - == \"unshare\" \u0026\u0026 container.id != \"\"","filters":["os == 
\"linux\""],"monitoring":["CWS_DD"],"name":"unshare_in_container","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-6lj","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"windows - explorer file has been modified","enabled":true,"expression":"write.file.device_path - in [~\"\\Device\\*\\windows\\explorer.exe\"]","filters":["os == \"windows\""],"monitoring":["CWS_DD"],"name":"windows_explorer_executable_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-ab6","type":"agent_rule","attributes":{"category":"Network - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Recently - modified file requested credentials from IMDS","enabled":true,"expression":"imds.url - =~ \"/*/meta-data/iam/security-credentials/*\" \u0026\u0026 (process.parent.file.modification_time - \u003c 120s || process.file.modification_time \u003c 30s)","filters":["os - == \"linux\""],"monitoring":["CWS_DD"],"name":"modified_file_requesting_imds_creds","product_tags":["tactic:TA0006-credential-access","technique:T1552-unsecured-credentials","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-qem","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - user was deleted via an interactive session","enabled":true,"expression":"exec.file.name - in [\"userdel\", \"deluser\"] \u0026\u0026 exec.tty_name !=\"\" \u0026\u0026 - process.ancestors.file.path not in 
[~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os - == \"linux\""],"monitoring":["CWS_DD"],"name":"user_deleted_tty","product_tags":["tactic:TA0040-impact","technique:T1531-account-access-removal","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"xxc-35o-apy","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1729427824000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1732927024","updateDate":1732927024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"mgl-xtg-ctl","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1715027823000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1729427824","updateDate":1729427824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"zkc-kqn-frn","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746616273510,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1715027822","updateDate":1715027824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"mcv-y5o-zg5","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An + 
unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (link.file.path + in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"]\n || + link.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", + ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", + \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"cron_at_job_creation_link","product_tags":["tactic:TA0002-execution","technique:T1053-scheduled-task-or-job","policy:threat-detection","policy:compliance"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"kid-vkk-fj9","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1715603823000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptgetacsmthreatsagentrulereturnsokresponse1746616273","updateDate":1746616273510,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"hsx-x1l-3zb","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746097926103,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1715603822","updateDate":1715603824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"klx-4zm-eg5","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1746184334893,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptupdateacsmthreatsagentrulereturnsbadrequestresponse1746097925","updateDate":1746097926103,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"44y-bei-bqj","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746633539277,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testupdateacsmthreatsagentrulereturnsokresponse1746633538","updateDate":1746633539277,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"def-000-0pf","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - process attempted to overwrite the container entrypoint","enabled":true,"expression":"open.file.path - == \"/proc/self/fd/1\" \u0026\u0026 open.flags \u0026 O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY - \u003e 0 \u0026\u0026 container.id != \"\"","filters":["os == 
\"linux\""],"monitoring":["CWS_DD"],"name":"overwrite_entrypoint","product_tags":["tactic:TA0007-discovery","technique:T1613-container-and-resource-discovery","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"269-p6y-i3p","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742473183000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1742473182","updateDate":1742473183000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"mgl-xtg-ctl","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715027823000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1715027822","updateDate":1715027824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"xjd-huv-ice","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746611612739,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptdeleteacsmthreatsagentrulereturnsokresponse1746184334","updateDate":1746184334893,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"56y-vsb-zqu","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + new kernel module was added","enabled":true,"expression":"(\n open.flags + \u0026 
(O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path + in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path + != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"kernel_module_open","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"jlt-y4v-dax","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + service may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path + in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\", + ~\"/usr/local/lib/systemd/system/**\", ~\"/run/systemd/system/**\"] || unlink.file.path + in [ ~\"/etc/systemd/user/**\", ~\"/usr/lib/systemd/user/**\", ~\"/home/*/.config/systemd/user/**\", + ~\"/home/*/.local/share/systemd/user/**\", ~\"/run/systemd/user/**\"])\n \u0026\u0026 + process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os + == 
\"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"systemd_modification_unlink","product_tags":["tactic:TA0002-execution","technique:T1569-system-services","policy:threat-detection","policy:compliance"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-g5v","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + process connected to an SSH server","enabled":true,"expression":"connect.addr.port + == 22 \u0026\u0026 (connect.addr.family == AF_INET || connect.addr.family + == AF_INET6) \u0026\u0026 connect.addr.ip not in [127.0.0.0/8, 0.0.0.0/32, + ::1/128, ::/128]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"ssh_outbound_connection","product_tags":["tactic:TA0008-lateral-movement","technique:T1563-remote-service-session-hijacking","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"94l-lhd-e33","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + new kernel module was added","enabled":true,"expression":"(\n (chown.file.path + in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path + != \"/usr/bin/kmod\"\n) \u0026\u0026 
(chown.file.destination.uid != chown.file.uid + || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"kernel_module_chown","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-i9x","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch + may have been modified without authorization","enabled":true,"expression":"(\n open.flags + \u0026 ((O_RDWR|O_WRONLY|O_CREAT)) \u003e 0 \u0026\u0026\n (open.file.path + in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 container.id != \"\" \u0026\u0026 + container.created_at \u003e 90s \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"nsswitch_conf_mod_open_v2","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"hgr-nny-7zr","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1720471023000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testupdateacsmthreatsagentrulereturnsokresponse1746611612","updateDate":1746611612739,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"def-000-jl7","type":"agent_rule","attributes":{"category":"Process - 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"openssl - used to establish backdoor","enabled":true,"expression":"exec.comm == \"openssl\" - \u0026\u0026 exec.args =~ \"*s_client*\"","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"openssl_backdoor","product_tags":["tactic:TA0002-execution","technique:T1059-command-and-scripting-interpreter","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"uhw-kuq-ute","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1721119025000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1720471022","updateDate":1720471024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"egv-kvz-h9q","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1746529942370,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1721119024","updateDate":1721119025000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"710-xzg-ays","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714480623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptdeleteacsmthreatsagentrulereturnsokresponse1746529942","updateDate":1746529942370,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"zkc-kqn-frn","type":"agent_rule","attributes":{"category":"Process + 
Activity","creationDate":1746616273510,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714480623","updateDate":1714480624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"434-kuh-g0w","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746184344309,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptgetacsmthreatsagentrulereturnsokresponse1746616273","updateDate":1746616273510,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"def-000-4tl","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Certutil + was executed to transmit or decode a potentially malicious file","enabled":true,"expression":"exec.file.name + == \"certutil.exe\" \u0026\u0026 ((exec.cmdline =~ \"*urlcache*\" \u0026\u0026 + exec.cmdline =~ \"*split*\") || exec.cmdline =~ \"*decode*\")","filters":["os + == \"windows\""],"monitoring":["threat-detection.policy"],"name":"certutil_usage","product_tags":["tactic:TA0011-command-and-control","technique:T1105-ingress-tool-transfer","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-oy4","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + tool used to dump process memory has been executed","enabled":true,"expression":"exec.file.name + in 
[\"procmon.exe\",\"procdump.exe\"]","filters":["os == \"windows\""],"monitoring":["threat-detection.policy"],"name":"procdump_execution","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"ro3-z56-52j","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1732221423000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptupdateacsmthreatsagentrulereturnsokresponse1746184344","updateDate":1746184344309,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"uis-h13-41q","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An - unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n open.flags - \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path - in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n \u0026\u0026 - process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 - process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", - \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", - \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os - == 
\"linux\""],"monitoring":["CWS_DD"],"name":"cron_at_job_creation_open","product_tags":["tactic:TA0002-execution","technique:T1053-scheduled-task-or-job","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"dkb-9ud-0ca","type":"agent_rule","attributes":{"category":"Kernel - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - container loaded a new kernel module","enabled":true,"expression":"load_module.name - != \"\" \u0026\u0026 container.id !=\"\"","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"kernel_module_load_container","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"1ej-lz6-3iy","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1735648624000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1732221423","updateDate":1732221424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"vyd-2vb-tnk","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1738469890000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1735648624","updateDate":1735648624000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"tw0-y2e-9wf","type":"agent_rule","attributes":{"category":"Process + == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1738469890","updateDate":1738469890000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"tw0-y2e-9wf","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1738627773000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testgocreateacsmthreatsagentrulereturnsokresponse1738627773","updateDate":1738627773000,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"qzk-a8h-ikx","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746195394785,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testupdateacsmthreatsagentrulereturnsokresponse1746195394","updateDate":1746195394785,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"v5x-8l4-d6a","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Shell - History was Deleted","enabled":true,"expression":"open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) - \u003e 0 \u0026\u0026 open.file.name in [\".bash_history\", \".zsh_history\", - \".fish_history\", \"fish_history\", \".dash_history\", \".sh_history\"] \u0026\u0026 - open.file.path in [~\"/root/*\", ~\"/home/**\"] \u0026\u0026 process.file.name - == \"truncate\"","filters":["os == 
\"linux\""],"monitoring":["CWS_DD"],"name":"shell_history_truncated","product_tags":["tactic:TA0005-defense-evasion","technique:T1070-indicator-removal","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"td2-31c-ln4","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive - credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (chown.file.path - in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path - not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", - \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", - \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", - \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid - != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os - == \"linux\""],"monitoring":["CWS_DD"],"name":"credential_modified_chown","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"lli-czr-q4y","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive - credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (link.file.path - in 
[ \"/etc/shadow\", \"/etc/gshadow\" ]\n || link.file.destination.path + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"def-000-3b9","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive + credential files were modified using a non-standard tool","enabled":true,"expression":"(\n open.flags + \u0026 ((O_CREAT|O_RDWR|O_WRONLY|O_TRUNC)) \u003e 0 \u0026\u0026\n (open.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", 
@@ -780,731 +984,758 @@ http_interactions: \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"credential_modified_link","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"rc4-b53-3sj","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715863024000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 container.id != \"\" + \u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"credential_modified_open_v2","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-7m7","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The + auditctl command was used to modify auditd","enabled":true,"expression":"exec.file.name + == \"auditctl\" \u0026\u0026 exec.args_flags not in [\"s\", \"l\"]","filters":["os + == \"linux\""],"monitoring":["threat-detection.policy"],"name":"auditctl_usage","product_tags":["tactic:TA0005-defense-evasion","technique:T1562-impair-defenses","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"iyj-haq-dvu","type":"agent_rule","attributes":{"category":"Process + 
Activity","creationDate":1715373426000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1715863024","updateDate":1715863024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"bjk-8om-6ua","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746184333160,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1715373425","updateDate":1715373426000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"912-lu2-2sg","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1731203077000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptcreateacsmthreatsagentrulereturnsokresponse1746184333","updateDate":1746184333160,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"def-000-41f","type":"agent_rule","attributes":{"category":"Kernel - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH - initiated a connection on a nonstandard port","enabled":true,"expression":"connect.addr.port - in [80, 8080, 88, 443, 8443, 4444] \u0026\u0026 process.file.name == \"ssh\"","filters":["os - == 
\"linux\""],"monitoring":["CWS_DD"],"name":"ssh_nonstandard_connection","product_tags":["tactic:TA0008-lateral-movement","technique:T1021-remote-services","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"7vi-w5r-h15","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical - system binaries may have been modified","enabled":true,"expression":"(\n (chmod.file.path - in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", - ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \u0026\u0026 + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testpythoncreateacsmthreatsagentrulereturnsokresponse1731203077","updateDate":1731203077000,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"qba-1qm-uj5","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1721075824000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1721075824","updateDate":1721075824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"981-x7o-izo","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1735749424000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1735749424","updateDate":1735749424000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"ocv-we5-g5y","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1715661423000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1715661422","updateDate":1715661423000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"ya9-48i-611","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1734496623000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1734496623","updateDate":1734496625000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"v5x-8l4-d6a","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Shell + History was Deleted","enabled":true,"expression":"open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) + \u003e 0 \u0026\u0026 open.file.name in [\".bash_history\", \".zsh_history\", + \".fish_history\", \"fish_history\", \".dash_history\", \".sh_history\"] \u0026\u0026 + open.file.path in [~\"/root/*\", ~\"/home/**\"] \u0026\u0026 process.file.name + == \"truncate\"","filters":["os == 
\"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"shell_history_truncated","product_tags":["tactic:TA0005-defense-evasion","technique:T1070-indicator-removal","policy:threat-detection","policy:compliance"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"wwy-h4d-pwm","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + service may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path + in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\", + ~\"/usr/local/lib/systemd/system/**\", ~\"/run/systemd/system/**\"])\n \u0026\u0026 + process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 + (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid + != chown.file.gid)","filters":["os == \"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"systemd_modification_chown","product_tags":["tactic:TA0002-execution","technique:T1569-system-services","policy:threat-detection","policy:compliance"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-qem","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + user was deleted via an interactive session","enabled":true,"expression":"exec.file.name + in [\"userdel\", \"deluser\"] \u0026\u0026 exec.tty_name !=\"\" \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - 
~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) - \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os - == \"linux\""],"monitoring":["CWS_DD"],"name":"pci_11_5_critical_binaries_chmod","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-3b9","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive - credential files were modified using a non-standard tool","enabled":true,"expression":"(\n open.flags - \u0026 ((O_CREAT|O_RDWR|O_WRONLY|O_TRUNC)) \u003e 0 \u0026\u0026\n (open.file.path - in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path - not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", - \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", - \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", - \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 container.id != \"\" - \u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"credential_modified_open_v2","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"piq-bha-m6t","type":"agent_rule","attributes":{"category":"Process - 
Activity","creationDate":1714279024000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os + == \"linux\""],"monitoring":["threat-detection.policy"],"name":"user_deleted_tty","product_tags":["tactic:TA0040-impact","technique:T1531-account-access-removal","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"jf1-ep2-li7","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1745209090000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1714279024","updateDate":1714279024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"fiw-wuv-ueg","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1734914224000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1745209090","updateDate":1745209090000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"1cw-vgz-eaz","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1746628446463,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1734914224","updateDate":1734914224000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"tjr-ib4-gya","type":"agent_rule","attributes":{"category":"Process - 
Activity","creationDate":1714509423000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testupdateacsmthreatsagentrulereturnsbadrequestresponse1746628446","updateDate":1746628446463,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"def-000-qf8","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"sharpup + tool used for local privilege escalation","enabled":true,"expression":"exec.file.name + == \"sharpup.exe\" \u0026\u0026 exec.cmdline in [~\"*HijackablePaths*\", ~\"*UnquotedServicePath*\", + ~\"*ProcessDLLHijack*\", ~\"*ModifiableServiceBinaries*\", ~\"*ModifiableScheduledTask*\", + ~\"*DomainGPPPassword*\", ~\"*CachedGPPPassword*\"]","filters":["os == \"windows\""],"monitoring":["threat-detection.policy"],"name":"sharpup_tool_usage","product_tags":["tactic:TA0004-privilege-escalation","technique:T1068-exploitation-for-privilege-escalation","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"rta-b8v-4uf","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1714322223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714509423","updateDate":1714509424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"z0t-qdd-lkb","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746630384644,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714322222","updateDate":1714322224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"hsg-toh-i57","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1723610223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testupdateacsmthreatsagentrulereturnsbadrequestresponse1746630384","updateDate":1746630384644,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"t5u-qdx-650","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH - modified keys may have been modified","enabled":true,"expression":"(\n rename.file.name - in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (rename.file.path - in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ]\n || - rename.file.destination.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", - ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"ssh_authorized_keys_rename","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-mmo","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers - policy file may have been modified without authorization","enabled":true,"expression":"(open.flags - \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n(open.file.path - == \"/etc/sudoers\")) \u0026\u0026 process.file.path not in 
[~\"/usr/bin/apt*\", - \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", - ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", - \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"sudoers_policy_modified_open","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"yep-euy-ttp","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714552623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1723610223","updateDate":1723610224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"bjk-8om-6ua","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1746184333160,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714552623","updateDate":1714552624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"3xf-404-qez","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714667823000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptcreateacsmthreatsagentrulereturnsokresponse1746184333","updateDate":1746184333160,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"07u-iqk-me5","type":"agent_rule","attributes":{"category":"Process + 
Activity","creationDate":1746631377837,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714667823","updateDate":1714667824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"def-000-7ez","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process - arguments indicating possible php shell detected","enabled":true,"expression":"exec.file.name - == \"php\" \u0026\u0026 exec.args_flags in [\"r\"] \u0026\u0026 ((exec.args - in [~\"*socket_bind*\", ~\"*socket_listen*\", ~\"*socket_accept*\", ~\"*socket_create*\", - ~\"*socket_write*\", ~\"*socket_read*\"]) || (exec.args in [~\"*/bin/bash*\", - ~\"*/bin/sh*\"]))","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"php_shell","product_tags":["tactic:TA0001-initial-access","technique:T1210-exploitation-of-remote-services","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-6ql","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"memfd - object created","enabled":true,"expression":"exec.file.name =~ \"memfd*\" - \u0026\u0026 exec.file.path == \"\" \u0026\u0026 process.parent.file.path - not in [\"/usr/bin/runc\", \"/usr/sbin/runc\", \"/usr/bin/docker-runc\" , - \"/run/docker/runtime-runc/moby/*\", \"/x86_64-bottlerocket-linux-gnu/sys-root/usr/bin/runc\"] - \u0026\u0026 !(process.comm == \"dd-ipc-helper\" \u0026\u0026 exec.file.name - in [\"memfd:spawn_worker_trampoline (deleted)\", \"memfd:spawn_worker_trampoline\"])","filters":["os - == 
\"linux\""],"monitoring":["CWS_DD"],"name":"memfd_create","product_tags":["tactic:TA0005-defense-evasion","technique:T1620-reflective-code-loading","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"mq1-y7n-kf2","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - database application spawned a shell, shell utility, or HTTP utility","enabled":true,"expression":"(exec.file.path + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testupdateacsmthreatsagentrulereturnsokresponse1746631377","updateDate":1746631377837,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"wgv-wsb-pse","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An + AWS IMDS was called via a network utility","enabled":true,"expression":"exec.comm + in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*169.254.169.254/latest/meta-data/iam/security-credentials/*\", + ~\"*169.254.170.2/*/credentials?id=*\"]","filters":["os == \"linux\""],"monitoring":["best-practice.policy","threat-detection.policy"],"name":"aws_imds","product_tags":["tactic:TA0006-credential-access","technique:T1552-unsecured-credentials","policy:best-practice","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-jed","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows + registry hives file location key modified","enabled":true,"expression":"set.registry.key_path + in [~\"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\hivelist*\"]","filters":["os + == 
\"windows\""],"monitoring":["compliance.policy"],"name":"registry_hives_file_path_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1112-modify-registry","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"y0y-3gl-645","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH + modified keys may have been modified","enabled":true,"expression":"(\n unlink.file.name + in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (unlink.file.path + in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os + == \"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"ssh_authorized_keys_unlink","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:threat-detection","policy:compliance"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"48s-46n-g4w","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + service may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path + in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\", + ~\"/usr/local/lib/systemd/system/**\", ~\"/run/systemd/system/**\"])\n \u0026\u0026 + process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 + chmod.file.destination.mode != chmod.file.mode","filters":["os == 
\"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"systemd_modification_chmod","product_tags":["tactic:TA0002-execution","technique:T1569-system-services","policy:threat-detection","policy:compliance"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"qd9-39s-51s","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1721666223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1721666223","updateDate":1721666224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"def-000-xg6","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"a + critical windows file was modified","enabled":true,"expression":"write.file.device_path + in [~\"\\Device\\*\\windows\\system32\\**\"]","filters":["os == \"windows\""],"monitoring":["compliance.policy"],"name":"critical_windows_files_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-zse","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PHP + web application spawning shell","enabled":true,"expression":"exec.file.name + in [~\"powershell*\",\"cmd.exe\"] \u0026\u0026 process.parent.file.name in + [\"php.exe\",\"php-cgi.exe\"]","filters":["os == 
\"windows\""],"monitoring":["threat-detection.policy"],"name":"php_spawning_shell","product_tags":["tactic:TA0002-execution","technique:T1210-exploitation-of-remote-services","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-925","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + shell with a TTY was executed in a container","enabled":true,"expression":"exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" - ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path - in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\",\"/bin/busybox\"]) - \u0026\u0026\nprocess.parent.file.name in [\"mysqld\", \"mongod\", \"postgres\"] - \u0026\u0026\n!(process.parent.file.name == \"initdb\" \u0026\u0026\nexec.args - == 
\"-c locale -a\") \u0026\u0026\n!(process.parent.file.name == \"postgres\" - \u0026\u0026\nexec.args == ~\"*pg_wal*\")","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"database_shell_execution","product_tags":["tactic:TA0001-initial-access","technique:T1190-exploit-public-facing-application","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"rjm-biu-bqq","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715272623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + ] \u0026\u0026 process.tty_name != \"\" \u0026\u0026 process.container.id + != \"\"","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"tty_shell_in_container","product_tags":["tactic:TA0002-execution","technique:T1609-container-administration-command","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"dtv-dxk-3pn","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1746616272397,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1715272622","updateDate":1715272624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"qk2-gkn-517","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1730162223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptdeleteacsmthreatsagentrulereturnsokresponse1746616272","updateDate":1746616272397,"updater":{"name":"CI + 
Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"ehh-ypb-9pl","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + compiler was executed inside of a container","enabled":true,"expression":"(exec.comm + in [\"javac\", \"clang\", \"gcc\", \"bcc\"] || exec.file.name in [\"javac\", + \"clang\", \"gcc\", \"bcc\"] || (exec.file.name == \"go\" \u0026\u0026 exec.args + in [~\"*build*\", ~\"*run*\"])) \u0026\u0026 container.id !=\"\" \u0026\u0026 + process.ancestors.file.path != \"/usr/bin/cilium-agent\"","filters":["os == + \"linux\""],"monitoring":["best-practice.policy","threat-detection.policy"],"name":"compiler_in_container","product_tags":["tactic:TA0005-defense-evasion","technique:T1027-obfuscated-files-or-information","policy:best-practice","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"lkj-jnb-khe","type":"agent_rule","attributes":{"actions":[{"set":{"name":"imds_v1_usage_services","field":"process.file.name","append":true,"ttl":10000000000,"inherited":false},"disabled":false}],"category":"Network + Activity","creationDate":1752506673000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An + AWS IMDSv1 request was issued","disabled":["best-practice.policy"],"enabled":false,"expression":"imds.cloud_provider + == \"aws\" \u0026\u0026 imds.aws.is_imds_v2 == false \u0026\u0026 process.file.name + not in ${imds_v1_usage_services}","filters":["os == \"linux\""],"name":"imds_v1_usage","product_tags":["tactic:TA0006-credential-access","technique:T1552-unsecured-credentials","policy:best-practice"],"updateDate":1752506673000,"updater":{"name":"Datadog","handle":""}}},{"id":"zt8-od0-yxu","type":"agent_rule","attributes":{"category":"Process + 
Activity","creationDate":1730205424000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1730162223","updateDate":1730162225000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"szu-tkm-xvx","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746443529377,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1730205423","updateDate":1730205424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"def-000-n3u","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows + shell folders registry key modified","enabled":true,"expression":"set.registry.key_path + in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell + Folders*\", ~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User + Shell Folders*\"]","filters":["os == \"windows\""],"monitoring":["compliance.policy"],"name":"windows_shell_folders_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"caz-yrk-14e","type":"agent_rule","attributes":{"category":"Network + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + process resolved a DNS name associated with cryptomining activity","enabled":true,"expression":"dns.question.name + in [~\"*.minexmr.com\", \"minexmr.com\", 
~\"*.nanopool.org\", \"nanopool.org\", + ~\"*.supportxmr.com\", \"supportxmr.com\", ~\"*.c3pool.com\", \"c3pool.com\", + ~\"*.p2pool.io\", \"p2pool.io\", ~\"*.ethermine.org\", \"ethermine.org\", + ~\"*.f2pool.com\", \"f2pool.com\", ~\"*.poolin.me\", \"poolin.me\", ~\"*.rplant.xyz\", + \"rplant.xyz\", ~\"*.miningocean.org\", \"miningocean.org\"] \u0026\u0026 + process.file.name != \"\"","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"mining_pool_lookup","product_tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-hbr","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"process + arguments match sliver c2 implant","enabled":true,"expression":"exec.cmdline + =~ \"*NoExit *\" \u0026\u0026 exec.cmdline =~ \"*Command *\" \u0026\u0026 + exec.cmdline =~ \"*[Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8*\"","filters":["os + == \"windows\""],"monitoring":["threat-detection.policy"],"name":"sliver_c2_implant_execution","product_tags":["tactic:TA0011-command-and-control","technique:T1071-application-layer-protocol","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-76q","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows + cryptographic blocking policy modified","enabled":true,"expression":"set.registry.key_path + in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType + 0\\CryptSIPDllRemoveSignedDataMsg*\"]","filters":["os == 
\"windows\""],"monitoring":["threat-detection.policy"],"name":"windows_cryptographic_blocking_policy_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"ycc-lv0-6oj","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1730939824000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptdeleteacsmthreatsagentrulereturnsokresponse1746443529","updateDate":1746443529377,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"def-000-uv8","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"systemctl - used to stop a service","enabled":true,"expression":"exec.file.name == \"systemctl\" - \u0026\u0026 exec.args in [~\"*stop*\"]","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"service_stop","product_tags":["tactic:TA0040-impact","technique:T1489-service-stop","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-oi1","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process - arguments indicating possible socat shell detected","enabled":true,"expression":"((exec.file.name - == \"socat\") || (exec.comm == \"socat\")) \u0026\u0026 exec.args in [~\"*/bin/bash*\", - ~\"*/bin/sh*\", ~\"*exec*\", ~\"*pty*\", ~\"*setsid*\", ~\"*stderr*\"]","filters":["os - == 
\"linux\""],"monitoring":["CWS_DD"],"name":"socat_shell","product_tags":["tactic:TA0002-execution","technique:T1059-command-and-scripting-interpreter","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-qwm","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The - kubeconfig file was accessed","enabled":true,"expression":"open.file.path - in [~\"/home/*/.kube/config\", \"/root/.kube/config\"]","filters":["os == - \"linux\""],"monitoring":["CWS_DD"],"name":"read_kubeconfig","product_tags":["tactic:TA0007-discovery","technique:T1613-container-and-resource-discovery","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"vyd-2vb-tnk","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1738469890000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1730939824","updateDate":1730939824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"v14-hvg-0fd","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1735216626000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1738469890","updateDate":1738469890000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"00d-kfn-fwm","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1740025013000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1735216624","updateDate":1735216626000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"aij-phz-7iz","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1746630373819,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1740025013","updateDate":1740025019000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"912-lu2-2sg","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1731203077000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testgetacsmthreatsagentrulereturnsokresponse1746630373","updateDate":1746630373819,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"qzk-a8h-ikx","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1746195394785,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testpythoncreateacsmthreatsagentrulereturnsokresponse1731203077","updateDate":1731203077000,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"qfa-phf-txa","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746529940327,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testupdateacsmthreatsagentrulereturnsokresponse1746195394","updateDate":1746195394785,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"44y-bei-bqj","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1746633539277,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptcreateacsmthreatsagentrulereturnsokresponse1746529940","updateDate":1746529940327,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"07y-k18-cih","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - user was created via an interactive session","enabled":true,"expression":"exec.file.name - in [\"useradd\", \"newusers\", \"adduser\"] \u0026\u0026 exec.tty_name !=\"\" - \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] - \u0026\u0026 exec.args_flags not in [\"D\"]","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"user_created_tty","product_tags":["tactic:TA0003-persistence","technique:T1136-create-account","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"7zw-qbm-y6d","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - service may have been modified without authorization","enabled":true,"expression":"(\n open.flags - \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 
\u0026\u0026\n (open.file.path - in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" - ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testupdateacsmthreatsagentrulereturnsokresponse1746633538","updateDate":1746633539277,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"2rq-drz-11u","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + process unlinked a dynamic linker config file","enabled":true,"expression":"unlink.file.path + in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", ~\"/etc/ld.so.conf.d/*.conf\"] + \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os - == \"linux\""],"monitoring":["CWS_DD"],"name":"systemd_modification_open","product_tags":["tactic:TA0002-execution","technique:T1569-system-services","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"ucb-5zb-rmj","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - new kernel module was added","enabled":true,"expression":"(\n (link.file.path - in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || link.file.destination.path - in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os + == 
\"linux\""],"monitoring":["threat-detection.policy"],"name":"dynamic_linker_config_unlink","product_tags":["tactic:TA0004-privilege-escalation","technique:T1574-hijack-execution-flow","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"fmr-do0-8np","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1748003540353,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"initial + description","enabled":true,"expression":"open.file.name == \"etc/shadow/password\"","filters":["os + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"fcggsfqidc","product_tags":["compliance_framework:HIPAA"],"updateDate":1748003540353,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"8rl-d3i-xyv","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1746195378531,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testcreateacsmthreatsagentrulereturnsokresponse1746195378","updateDate":1746195378531,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"o5t-b08-86p","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL + certificates may have been tampered with","enabled":true,"expression":"(\n (rename.file.path + in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || rename.file.destination.path + in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 
process.ancestors.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 process.file.path + != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path + != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path - != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"kernel_module_link","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"ag7-847-gm6","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746529951029,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptupdateacsmthreatsagentrulereturnsbadrequestresponse1746529950","updateDate":1746529951029,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"v64-qmf-tal","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1740543488000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ + \"runc*\"","filters":["os == 
\"linux\""],"monitoring":["compliance.policy"],"name":"ssl_certificate_tampering_rename","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-xv7","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Kernel + modules were listed using the kmod command","enabled":true,"expression":"exec.comm + == \"kmod\" \u0026\u0026 exec.args in [~\"*list*\"]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"kmod_list","product_tags":["tactic:TA0007-discovery","technique:T1082-system-information-discovery","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"hlp-8dr-0i3","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1725467825000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptupdateacsmthreatsagentrulereturnsokresponse1740543488","updateDate":1740543488000,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"wt2-84b-uy6","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737433133000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1725467823","updateDate":1725467825000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"ps4-63s-bzc","type":"agent_rule","attributes":{"category":"Process + 
Activity","creationDate":1714567023000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1737433133","updateDate":1737433133000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"kvo-o7f-pgu","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746789257870,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714567023","updateDate":1714567024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"l9m-5ce-g9i","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1734525423000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptdeleteacsmthreatsagentrulereturnsokresponse1746789257","updateDate":1746789257870,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"def-000-h1x","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The - Docker socket was referenced in a cURL command","enabled":true,"expression":"exec.file.name - == \"curl\" \u0026\u0026 exec.args_flags in [\"unix-socket\"] \u0026\u0026 - exec.args in [~\"*docker.sock*\"] \u0026\u0026 container.id != \"\"","filters":["os - == 
\"linux\""],"monitoring":["CWS_DD"],"name":"curl_docker_socket","product_tags":["tactic:TA0007-discovery","technique:T1613-container-and-resource-discovery","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"kpm-7kh-xz5","type":"agent_rule","attributes":{"category":"Kernel - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - process attempted to inject code into another process","enabled":true,"expression":"ptrace.request - == PTRACE_POKETEXT || ptrace.request == PTRACE_POKEDATA || ptrace.request - == PTRACE_POKEUSR","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"ptrace_injection","product_tags":["tactic:TA0005-defense-evasion","technique:T1055-process-injection","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"jlt-y4v-dax","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - service may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path - in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" - ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1734525422","updateDate":1734525423000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"def-000-qwu","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH + modified keys may have been modified","enabled":true,"expression":"(\n open.flags + \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.name + in [ \"authorized_keys\", 
\"authorized_keys2\" ] \u0026\u0026 (open.file.path + in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) + \u0026\u0026 container.id != \"\" \u0026\u0026 container.created_at \u003e + 90s","filters":["os == \"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"ssh_authorized_keys_open_v2","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:threat-detection","policy:compliance"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"07y-k18-cih","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + user was created via an interactive session","enabled":true,"expression":"exec.file.name + in [\"useradd\", \"newusers\", \"adduser\"] \u0026\u0026 exec.tty_name !=\"\" + \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os - == \"linux\""],"monitoring":["CWS_DD"],"name":"systemd_modification_unlink","product_tags":["tactic:TA0002-execution","technique:T1569-system-services","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"dou-40j-cpw","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1721378223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] + \u0026\u0026 exec.args_flags not in [\"D\"]","filters":["os == 
\"linux\""],"monitoring":["threat-detection.policy"],"name":"user_created_tty","product_tags":["tactic:TA0003-persistence","technique:T1136-create-account","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"4mx-n6o-mmb","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An + unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (utimes.file.path + in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n \u0026\u0026 + process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 + process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", + \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os + == \"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"cron_at_job_creation_utimes","product_tags":["tactic:TA0002-execution","technique:T1053-scheduled-task-or-job","policy:threat-detection","policy:compliance"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"sej-11b-ey6","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Potential + Dirty pipe exploitation attempt","enabled":true,"expression":"(splice.pipe_entry_flag + \u0026 PIPE_BUF_FLAG_CAN_MERGE) != 0 \u0026\u0026 (splice.pipe_exit_flag \u0026 + PIPE_BUF_FLAG_CAN_MERGE) == 0 \u0026\u0026 (process.uid != 0 \u0026\u0026 + process.gid != 0)","filters":["os == 
\"linux\""],"monitoring":["threat-detection.policy"],"name":"dirty_pipe_attempt","product_tags":["tactic:TA0004-privilege-escalation","technique:T1068-exploitation-for-privilege-escalation","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-qnj","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + process made an outbound IRC connection","enabled":true,"expression":"connect.addr.port + == 6667 \u0026\u0026 connect.addr.is_public == true","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"irc_connection","product_tags":["tactic:TA0011-command-and-control","technique:T1071-application-layer-protocol","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-bv2","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process + matches known relay attack tool","enabled":true,"expression":"exec.file.name + in [~\"*PetitPotam*\", ~\"*RottenPotato*\", ~\"*HotPotato*\", ~\"*JuicyPotato*\", + ~\"*just_dce_*\", ~\"*Juicy Potato*\", \"rot.exe\", \"Potato.exe\", \"SpoolSample.exe\", + \"Responder.exe\", ~\"*smbrelayx*\", ~\"*smbrelayx*\", ~\"*ntlmrelayx*\", + ~\"*LocalPotato*\"] || exec.cmdline in [~\"*Invoke-Tater*\", ~\"*smbrelay*\", + ~\"*ntlmrelay*\", ~\"*cme smb*\", ~\"*ntlm:NTLMhash*\", ~\"*Invoke-PetitPotam*\"]","filters":["os + == \"windows\""],"monitoring":["threat-detection.policy"],"name":"relay_attack_tool_execution","product_tags":["tactic:TA0006-credential-access","technique:T1555-credentials-from-password-stores","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"aoo-snu-t5u","type":"agent_rule","attributes":{"category":"Process + 
Activity","creationDate":1714423023000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1721378223","updateDate":1721378224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"eqx-iiy-wru","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746195384460,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714423023","updateDate":1714423024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"710-xzg-ays","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1714480623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testgetacsmthreatsagentrulereturnsokresponse1746195384","updateDate":1746195384460,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"pz7-rvb-ckm","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1734692969000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"Test + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714480623","updateDate":1714480624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"oed-ka8-syl","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1711550899000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My Agent 
rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptupdateacsmthreatsagentrulereturnsokresponse1734692969","updateDate":1734692970000,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"rsm-fam-pfp","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714869424000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"my_agent_rule","updateDate":1711550899000,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"vca-vvl-m7a","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1746631358513,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1714869424","updateDate":1714869424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"0t6-uce-ee0","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1734899824000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testcreateacsmthreatsagentrulereturnsokresponse1746631358","updateDate":1746631358513,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"pxk-42u-fga","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM + may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path + in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\", ~\"/lib/security/*\", ~\"/usr/lib/security/*\", + 
~\"/lib64/security/*\", ~\"/usr/lib64/security/*\" ])\n) \u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os + == \"linux\""],"monitoring":["compliance.policy"],"name":"pam_modification_utimes","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"5zt-j5u-aqm","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1715287024000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1734899824","updateDate":1734899824000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"voe-mel-8yq","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746611600937,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1715287024","updateDate":1715287024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"uhw-kuq-ute","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1721119025000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testgetacsmthreatsagentrulereturnsokresponse1746611600","updateDate":1746611600937,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"def-000-fn2","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Shell - profile was modified","enabled":true,"expression":"open.file.path in [~\"/home/*/*profile\", - ~\"/home/*/*rc\"] \u0026\u0026 open.flags \u0026 ((O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)) - \u003e 0","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"shell_profile_modification","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-x51","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Safeboot - registry modified","enabled":true,"expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SafeBoot\"]","filters":["os - == \"windows\""],"monitoring":["CWS_DD"],"name":"safeboot_modification","product_tags":["tactic:TA0005-defense-evasion","technique:T1562-impair-defenses","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"xh4-cv2-cfa","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1719031023000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1721119024","updateDate":1721119025000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"xw4-uw8-mmx","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1725885424000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1719031022","updateDate":1719031024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"fyp-i9k-cv7","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746630386239,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1725885424","updateDate":1725885424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"m77-qgu-c48","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1717677423000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testupdateacsmthreatsagentrulereturnsokresponse1746630385","updateDate":1746630386239,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"def-000-49j","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - known kubernetes pentesting tool has been executed","enabled":true,"expression":"(exec.file.name - in [ ~\"python*\" ] \u0026\u0026 (\"KubiScan.py\" in exec.argv || \"kubestriker\" - in exec.argv ) ) || exec.file.name 
in [ \"kubiscan\",\"kdigger\",\"kube-hunter\",\"rakkess\",\"peirates\",\"kubescape\",\"kubeaudit\",\"kube-linter\",\"stratus\",~\"botb-*\"]","filters":["os - == \"linux\""],"monitoring":["CWS_DD"],"name":"offensive_k8s_tool","product_tags":["tactic:TA0007-discovery","technique:T1613-container-and-resource-discovery","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"mqh-lgo-brj","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch - may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path - in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 chmod.file.destination.mode - != chmod.file.mode \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", - \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", - \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"nsswitch_conf_mod_chmod","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"k95-kl4-jxt","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714696623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1717677422","updateDate":1717677424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"yel-n8d-fhc","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1746443527243,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My 
Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714696623","updateDate":1714696627000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"5rb-4q9-p5g","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1716813423000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptcreateacsmthreatsagentrulereturnsokresponse1746443527","updateDate":1746443527243,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"w7o-w48-j34","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM + may have been modified without authorization","enabled":true,"expression":"(\n open.flags + \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path + in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\", ~\"/lib/security/*\", ~\"/usr/lib/security/*\", + ~\"/lib64/security/*\", ~\"/usr/lib64/security/*\" ])\n)","filters":["os == + \"linux\""],"monitoring":["compliance.policy"],"name":"pam_modification_open","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-bnt","type":"agent_rule","attributes":{"actions":[{"filter":"${process.correlation_key} + != \"\"","set":{"name":"parent_correlation_keys","default_value":"","append":true,"scope":"process","expression":"${process.correlation_key}","inherited":true},"disabled":false},{"set":{"name":"correlation_key","default_value":"","scope":"process","expression":"\"cgroup_${builtins.uuid4}\"","inherited":true},"disabled":false}],"category":"Process + 
Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Track + execution context from cgroup","enabled":true,"expression":"exec.cgroup.id + != process.parent.cgroup.id \u0026\u0026 ${process.correlation_key} in [\"\", + ~\"cgroup_*\"]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"execution_context_cgroup","product_tags":["policy:threat-detection"],"silent":true,"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-kjt","type":"agent_rule","attributes":{"actions":[{"filter":"${process.correlation_key} + != \"\"","set":{"name":"parent_correlation_keys","default_value":"","append":true,"scope":"process","expression":"${process.correlation_key}","inherited":true},"disabled":false},{"set":{"name":"correlation_key","default_value":"","scope":"process","expression":"\"service_new_cgroup_${builtins.uuid4}\"","inherited":true},"disabled":false}],"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Track + execution context from new service cgroup write","enabled":true,"expression":"cgroup_write.pid + \u003e 0 \u0026\u0026 (process.envs in [\"DD_SERVICE\", \"OTEL_SERVICE_NAME\"] + || \"tags.datadoghq.com/service\" in container.tags) \u0026\u0026 ${process.correlation_key} + in [~\"service_*\"]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"execution_context_service_new_cgroup_write","product_tags":["policy:threat-detection"],"silent":true,"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-psd","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + process connected to a paste site","enabled":true,"expression":"connect.addr.hostname + in [\"pastebin.com\", \"ghostbin.com\", \"termbin.com\", 
\"klgrth.io\", \"rentry.co\", + \"transfer.sh\"]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"paste_site_domain","product_tags":["tactic:TA0011-command-and-control","technique:T1105-ingress-tool-transfer","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-uv8","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"systemctl + used to stop a service","enabled":true,"expression":"exec.file.name == \"systemctl\" + \u0026\u0026 exec.args in [~\"*stop*\"]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"service_stop","product_tags":["tactic:TA0040-impact","technique:T1489-service-stop","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"3kk-4rm-qug","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1718426224000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1716813422","updateDate":1716813424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"b79-xcg-63p","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1719059824000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1718426224","updateDate":1718426224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"l57-d8u-edg","type":"agent_rule","attributes":{"category":"Process + 
Activity","creationDate":1733546224000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1719059824","updateDate":1719059824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"k1r-tva-i6e","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1727829423000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1733546224","updateDate":1733546224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"wwv-c72-w2g","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1745986689000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1727829422","updateDate":1727829425000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"cx8-x1r-vs8","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746630369591,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptgetacsmthreatsagentrulereturnsokresponse1745986689","updateDate":1745986689000,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"htc-275-0wt","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH + modified keys may have 
been modified","enabled":true,"expression":"(\n chmod.file.name + in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (chmod.file.path + in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) + \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os + == \"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"ssh_authorized_keys_chmod","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:threat-detection","policy:compliance"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"7y2-ihu-hm2","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + network utility was executed","enabled":true,"expression":"(exec.comm in [\"socat\", + \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm + in [\"wget\", \"curl\", \"lwp-download\"]) \u0026\u0026\ncontainer.id == \"\" + \u0026\u0026 exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" + ]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"net_util","product_tags":["tactic:TA0011-command-and-control","technique:T1105-ingress-tool-transfer","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"wgq-lg4-tas","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SELinux + enforcement status was disabled","enabled":true,"expression":"selinux.enforce.status + in [\"permissive\", \"disabled\"] \u0026\u0026 process.ancestors.args != ~\"*BECOME-SUCCESS*\"","filters":["os + == 
\"linux\""],"monitoring":["threat-detection.policy"],"name":"selinux_disable_enforcement","product_tags":["tactic:TA0005-defense-evasion","technique:T1562-impair-defenses","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-hlr","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Tunneling + or port forwarding tool used","enabled":true,"expression":"((exec.comm == + \"pivotnacci\" || exec.comm == \"gost\") \u0026\u0026 process.args_flags in + [\"L\", \"C\", \"R\"]) || (exec.comm in [\"ssh\", \"sshd\"] \u0026\u0026 process.args_flags + in [\"R\", \"L\", \"D\", \"w\"] \u0026\u0026 process.args in [r\"((25[0-5]|(2[0-4]|1\\d|[1-9])\\d)\\.?\\b){4}\"] + ) || (exec.comm == \"sshuttle\" \u0026\u0026 process.args_flags in [\"r\", + \"remote\", \"l\", \"listen\"]) || (exec.comm == \"socat\" \u0026\u0026 process.args + in [r\"(TCP4-LISTEN:|SOCKS)\"]) || (exec.comm in [\"iodine\", \"iodined\", + \"dnscat\", \"hans\", \"hans-ubuntu\", \"ptunnel-ng\", \"ssf\", \"3proxy\", + \"ngrok\"] \u0026\u0026 process.parent.comm in [\"bash\", \"dash\", \"ash\", + \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"])","filters":["os == + \"linux\""],"monitoring":["threat-detection.policy"],"name":"tunnel_traffic","product_tags":["tactic:TA0011-command-and-control","technique:T1572-protocol-tunneling","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"ges-qo5-4p8","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1746635709720,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testdeleteacsmthreatsagentrulereturnsokresponse1746630369","updateDate":1746630369591,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"9l7-am7-hy6","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1736986169000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testgetacsmthreatsagentrulereturnsokresponse1746635709","updateDate":1746635709720,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"rno-53m-mf3","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1714538225000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testgocreateacsmthreatsagentrulereturnsokresponse1736986169","updateDate":1736986169000,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"8tp-dmg-o8w","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746702691437,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1714538225","updateDate":1714538225000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"5b4-k0v-rzw","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1734424624000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptupdateacsmthreatsagentrulereturnsokresponse1746702691","updateDate":1746702691437,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"e5h-onu-f7l","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch - may have been modified without authorization","enabled":true,"expression":"(\n open.flags - \u0026 ((O_RDWR|O_WRONLY|O_CREAT)) \u003e 0 \u0026\u0026\n (open.file.path - in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", - \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", - \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"nsswitch_conf_mod_open","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"xgw-28i-480","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - container executed a new binary not found in the container image","enabled":true,"expression":"container.id - != \"\" \u0026\u0026 process.file.in_upper_layer \u0026\u0026 process.file.modification_time - \u003c 30s \u0026\u0026 exec.file.name != \"\"","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"new_binary_execution_in_container","product_tags":["tactic:TA0011-command-and-control","technique:T1105-ingress-tool-transfer","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"sfj-gky-roy","type":"agent_rule","attributes":{"category":"Process - 
Activity","creationDate":1732869424000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1734424623","updateDate":1734424624000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"def-000-y7j","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical + system binaries may have been modified","enabled":true,"expression":"(\n open.flags + \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.path + in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", + ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n \u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \u0026\u0026 + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) + \u0026\u0026 container.id != \"\" \u0026\u0026 container.created_at \u003e + 90s","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"pci_11_5_critical_binaries_open_v2","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-lc2","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Remote + access was created using a terminal-sharing 
service","enabled":true,"expression":"connect.addr.hostname + in [\"ssh.tmate.io\"]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"tmate_usage","product_tags":["tactic:TA0011-command-and-control","technique:T1219-remote-access-tools","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"ulx-voj-zk3","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1714883824000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1732869424","updateDate":1732869424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"o9g-ptk-2zv","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1733575024000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1714883824","updateDate":1714883824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"e6l-qo1-y2e","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1714682223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1733575024","updateDate":1733575024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"shf-bur-1id","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1735288624000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714682223","updateDate":1714682224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"uqg-z0t-83n","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1715575023000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1735288624","updateDate":1735288624000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"isj-kzv-ebz","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746633518640,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1715575022","updateDate":1715575024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"6w8-3xn-j4c","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1736066223000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testcreateacsmthreatsagentrulereturnsokresponse1746633518","updateDate":1746633518640,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"def-000-dnj","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The - AWS CLI utility was executed","enabled":true,"expression":"exec.file.name - == \"aws\"","filters":["os == 
\"linux\""],"monitoring":["CWS_DD"],"name":"aws_cli_usage","product_tags":["tactic:TA0002-execution","technique:T1651-cloud-administration-command","policy:best-practice","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-tp8","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - process opened a model-specific register (MSR) configuration file","enabled":true,"expression":"open.file.path - == \"/sys/module/msr/parameters/allow_writes\" \u0026\u0026 open.flags \u0026 - O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY \u003e 0","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"open_msr_writes","product_tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"wgq-lg4-tas","type":"agent_rule","attributes":{"category":"Kernel - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SELinux - enforcement status was disabled","enabled":true,"expression":"selinux.enforce.status - in [\"permissive\", \"disabled\"] \u0026\u0026 process.ancestors.args != ~\"*BECOME-SUCCESS*\"","filters":["os - == \"linux\""],"monitoring":["CWS_DD"],"name":"selinux_disable_enforcement","product_tags":["tactic:TA0005-defense-evasion","technique:T1562-impair-defenses","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"ukn-yjf-h6a","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1719981424000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1736066222","updateDate":1736066224000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"def-000-pnt","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + process connected to a penetration testing domain","enabled":true,"expression":"connect.addr.hostname + in [~\"*.interact.sh\", ~\"*.oast.pro\", ~\"*.oast.live\", ~\"*.oast.fun\", + ~\"*.oast.me\", ~\"*.burpcollaborator.net\", ~\"*.oastify.com\", ~\"*canarytokens.com\", + ~\"*.requestbin.net\", ~\"*.dnslog.cn\"]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"pentest_domain","product_tags":["tactic:TA0001-initial-access","technique:T1190-exploit-public-facing-application","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"vvb-sfk-jn1","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1724647024000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1719981423","updateDate":1719981424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"f5p-men-xz3","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1735994224000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1724647024","updateDate":1724647024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"uyv-a9k-8l7","type":"agent_rule","attributes":{"category":"Process + 
Activity","creationDate":1734395826000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1735994224","updateDate":1735994224000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"64n-p6m-uq1","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - service may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path - in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" - ]\n || link.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", - ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in - [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"systemd_modification_link","product_tags":["tactic:TA0002-execution","technique:T1569-system-services","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-o13","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The - configuration directory for an ssh worm","enabled":true,"expression":"open.file.path - in [~\"/root/.prng/*\", ~\"/home/*/.prng/*\", ~\"/root/.config/prng/*\", ~\"/home/*/.config/prng/*\"] - \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) - \u003e 0","filters":["os == 
\"linux\""],"monitoring":["CWS_DD"],"name":"ssh_it_tool_config_write","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"e6l-qo1-y2e","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714682223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1734395824","updateDate":1734395826000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"6bp-g7f-vgp","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1746789261585,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714682223","updateDate":1714682224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"def-000-ly8","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The - auditd configuration file was modified without using auditctl","enabled":true,"expression":"open.file.path - == \"/etc/audit/auditd.conf\" \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) - \u003e 0 \u0026\u0026 process.file.name != \"auditctl\"","filters":["os == - \"linux\""],"monitoring":["CWS_DD"],"name":"auditd_config_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1562-impair-defenses","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"qt9-i99-q9p","type":"agent_rule","attributes":{"category":"File - 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch - may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path - in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"nsswitch_conf_mod_utimes","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"4yt-ize-avz","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Omiagent - spawns a privileged child process","enabled":true,"expression":"exec.uid \u003e= - 0 \u0026\u0026 process.ancestors.file.name == \"omiagent\"","filters":["os - == \"linux\""],"monitoring":["CWS_DD"],"name":"omigod","product_tags":["tactic:TA0002-execution","technique:T1203-exploitation-for-client-execution","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-npv","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Detects - CVE-2022-0543","enabled":true,"expression":"(open.file.path =~ \"/usr/lib/x86_64-linux-gnu/*\" - \u0026\u0026 open.file.name in [\"libc-2.29.so\", \"libc-2.30.so\", \"libc-2.31.so\", - \"libc-2.32.so\", \"libc-2.33.so\", \"libc-2.34.so\", \"libc-2.35.so\", \"libc-2.36.so\", - \"libc-2.37.so\"]) \u0026\u0026 process.ancestors.comm in [\"redis-check-rdb\", - \"redis-server\"]","filters":["os == 
\"linux\""],"monitoring":["CWS_DD"],"name":"redis_sandbox_escape","product_tags":["tactic:TA0001-initial-access","technique:T1190-exploit-public-facing-application","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"jeh-18e-m9h","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An - interactive shell was started inside of a container","enabled":true,"expression":"exec.file.path - in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" - ] \u0026\u0026 exec.args_flags in [\"i\"] \u0026\u0026 container.id !=\"\"","filters":["os - == \"linux\""],"monitoring":["CWS_DD"],"name":"interactive_shell_in_container","product_tags":["tactic:TA0002-execution","technique:T1609-container-administration-command","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"qba-1qm-uj5","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1721075824000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptgetacsmthreatsagentrulereturnsokresponse1746789261","updateDate":1746789261585,"updater":{"name":"CI + 
Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"8tp-dmg-o8w","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1746702691437,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1721075824","updateDate":1721075824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"2dz-kyt-nme","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - new kernel module was added","enabled":true,"expression":"(\n (chmod.file.path - in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path - != \"/usr/bin/kmod\"\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os - == \"linux\""],"monitoring":["CWS_DD"],"name":"kernel_module_chmod","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-ibc","type":"agent_rule","attributes":{"category":"Process - 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The - mount utility was executed in a container","enabled":true,"expression":"exec.comm - == \"mount\" \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"mount_in_container","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"ogb-clp-hot","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An - unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (chmod.file.path - in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n \u0026\u0026 - process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n) \u0026\u0026 - chmod.file.destination.mode != chmod.file.mode\n\u0026\u0026 process.file.path + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptupdateacsmthreatsagentrulereturnsokresponse1746702691","updateDate":1746702691437,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"q0u-s8m-8pd","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical + system binaries may have been modified","enabled":true,"expression":"(\n (utimes.file.path + in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", + ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", 
~\"/usr/local/bin/pip*\"]","filters":["os - == \"linux\""],"monitoring":["CWS_DD"],"name":"cron_at_job_creation_chmod","product_tags":["tactic:TA0002-execution","technique:T1053-scheduled-task-or-job","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-zo8","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Recently - written or modified suid file has been executed","enabled":true,"expression":"((process.file.mode - \u0026 S_ISUID \u003e 0) \u0026\u0026 process.file.modification_time \u003c - 30s) \u0026\u0026 exec.file.name != \"\" \u0026\u0026 process.ancestors.file.path - not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", - \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", - \"/opt/datadog-agent/embedded/bin/trace-agent\", \"/opt/datadog-agent/bin/agent/agent\", - \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", - \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", - \"/opt/datadog-agent/bin/datadog-cluster-agent\", ~\"/opt/datadog-packages/**\", - ~\"/opt/datadog-installer/**\"]","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"suspicious_suid_execution","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"tr5-g9p-4jx","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1734799023000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \u0026\u0026 + process.ancestors.file.path not in [~\"/usr/bin/apt*\", 
\"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os + == \"linux\""],"monitoring":["compliance.policy"],"name":"pci_11_5_critical_binaries_utimes","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"ftd-d3e-byt","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1721666224000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1734799023","updateDate":1734799025000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"pix-a2q-opu","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746633525563,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1721666224","updateDate":1721666224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"xxc-35o-apy","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1729427824000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testgetacsmthreatsagentrulereturnsokresponse1746633525","updateDate":1746633525563,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"5c8-aij-182","type":"agent_rule","attributes":{"category":"Process - 
Activity","creationDate":1720156180000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1729427824","updateDate":1729427824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"v8l-tbq-nkc","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1746611597548,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testrustgetacsmthreatsagentrulereturnsokresponse1720156180","updateDate":1720156180000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"sqi-q1z-onu","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Network - utility executed with suspicious URI","enabled":true,"expression":"exec.comm - in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*.php*\", - ~\"*.jpg*\"] ","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"net_unusual_request","product_tags":["tactic:TA0011-command-and-control","technique:T1105-ingress-tool-transfer","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"jf1-ep2-li7","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1745209090000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testdeleteacsmthreatsagentrulereturnsokresponse1746611597","updateDate":1746611597548,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"m23-qb9-9s8","type":"agent_rule","attributes":{"category":"File + 
Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An + unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (unlink.file.path + in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n \u0026\u0026 + process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 + process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", + \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os + == \"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"cron_at_job_creation_unlink","product_tags":["tactic:TA0002-execution","technique:T1053-scheduled-task-or-job","policy:threat-detection","policy:compliance"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-vqm","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + scheduled task was created","enabled":true,"expression":"exec.cmdline in [~\"*at.exe\",~\"*schtasks*\"] + \u0026\u0026 exec.cmdline =~ \"*create*\"","filters":["os == \"windows\""],"monitoring":["threat-detection.policy"],"name":"scheduled_task_creation","product_tags":["tactic:TA0003-persistence","technique:T1053-scheduled-task-or-job","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"3xf-404-qez","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1714667823000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1745209090","updateDate":1745209090000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"9n1-l1g-u4k","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1721853424000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714667823","updateDate":1714667824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"g9j-hhf-7at","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1722703023000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1721853423","updateDate":1721853424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"1l2-7qh-mfa","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1717432623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1722703023","updateDate":1722703024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"o9g-ptk-2zv","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1733575024000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1717432622","updateDate":1717432626000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"def-000-nip","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Browser - WebDriver spawned shell","enabled":true,"expression":"process.parent.file.name - in [~\"chromedriver*\", \"geckodriver\"] \u0026\u0026 exec.file.name not in - [\"chrome\", \"google-chrome\", \"chromium\", \"firefox\"]","filters":["os - == \"linux\""],"monitoring":["CWS_DD"],"name":"webdriver_spawned_shell","product_tags":["tactic:TA0001-initial-access","technique:T1190-exploit-public-facing-application","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"rpc-ji0-zfu","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH - modified keys may have been modified","enabled":true,"expression":"(\n open.flags - \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.name - in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (open.file.path - in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os - == \"linux\""],"monitoring":["CWS_DD"],"name":"ssh_authorized_keys_open","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-j1p","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows - Known DLLs location registry key 
modified","enabled":true,"expression":"set.registry.key_path - in [~\"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\KnownDLLs*\"]","filters":["os - == \"windows\""],"monitoring":["CWS_DD"],"name":"known_dll_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1574-hijack-execution-flow","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"bou-hvm-24h","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715474223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1733575024","updateDate":1733575024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"def-000-ly8","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The + auditd configuration file was modified without using auditctl","enabled":true,"expression":"open.file.path + == \"/etc/audit/auditd.conf\" \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) + \u003e 0 \u0026\u0026 process.file.name != \"auditctl\"","filters":["os == + \"linux\""],"monitoring":["threat-detection.policy"],"name":"auditd_config_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1562-impair-defenses","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"k1r-tva-i6e","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1727829423000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1715474222","updateDate":1715474224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"lhe-ksz-xyj","type":"agent_rule","attributes":{"category":"Process + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1727829422","updateDate":1727829425000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"lhe-ksz-xyj","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1711595493000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testjavagetacsmthreatsagentrulereturnsokresponse1711595493","updateDate":1711595493000,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"def-000-zp4","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"microsoft - security essentials executable modified","enabled":true,"expression":"write.file.device_path - in [~\"\\Device\\*\\Program Files\\Microsoft Security Client\\msseces.exe\"]","filters":["os - == \"windows\""],"monitoring":["CWS_DD"],"name":"windows_security_essentials_executable_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"50t-g20-n4o","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1710772096000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"","enabled":true,"expression":"open.file.name - == \"etc/shadow/password\"","filters":["os == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"Randomname","updateDate":1710772096000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"veg-qf4-lgr","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1719967025000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1719967024","updateDate":1719967025000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"1cw-vgz-eaz","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746628446463,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testupdateacsmthreatsagentrulereturnsbadrequestresponse1746628446","updateDate":1746628446463,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"def-000-g5v","type":"agent_rule","attributes":{"category":"Kernel - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - process connected to an SSH server","enabled":true,"expression":"connect.addr.port - == 22 \u0026\u0026 connect.addr.family \u0026 (AF_INET|AF_INET6) \u003e 0 - \u0026\u0026 connect.addr.ip not in [127.0.0.0/8, 0.0.0.0/32, ::1/128, ::/128]","filters":["os - == \"linux\""],"monitoring":["CWS_DD"],"name":"ssh_outbound_connection","product_tags":["tactic:TA0008-lateral-movement","technique:T1563-remote-service-session-hijacking","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-dar","type":"agent_rule","attributes":{"category":"Kernel - 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - shell made an outbound network connection","enabled":true,"expression":"connect.addr.family - \u0026 (AF_INET|AF_INET6) \u003e 0 \u0026\u0026 process.file.name in [\"dash\",\"sh\",\"static-sh\",\"sh\",\"bash\",\"bash\",\"bash-static\",\"zsh\",\"ash\",\"csh\",\"ksh\",\"tcsh\",\"busybox\",\"busybox\",\"fish\",\"ksh93\",\"rksh\",\"rksh93\",\"lksh\",\"mksh\",\"mksh-static\",\"csharp\",\"posh\",\"rc\",\"sash\",\"yash\",\"zsh5\",\"zsh5-static\"] - \u0026\u0026 connect.addr.is_public == true","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"shell_net_connection","product_tags":["tactic:TA0002-execution","technique:T1059-command-and-scripting-interpreter","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-do7","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Possible - ransomware note created under common user directories","enabled":true,"expression":"open.flags - \u0026 O_CREAT \u003e 0\n\u0026\u0026 open.file.path in [~\"/home/**\", ~\"/root/**\", - ~\"/bin/**\", ~\"/usr/bin/**\", ~\"/opt/**\", ~\"/etc/**\", ~\"/var/log/**\", - ~\"/var/lib/log/**\", ~\"/var/backup/**\", ~\"/var/www/**\"]\n\u0026\u0026 - open.file.name in [r\"(?i)(restore|recover|read|instruction|how_to|ransom|lock).*(your_|crypt|lock|file|ransom)\"] - \u0026\u0026 open.file.name not in [r\"\\.lock$\"]","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"ransomware_note","product_tags":["tactic:TA0040-impact","technique:T1490-inhibit-system-recovery","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"aij-phz-7iz","type":"agent_rule","attributes":{"category":"Process - 
Activity","creationDate":1746630373819,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testgetacsmthreatsagentrulereturnsokresponse1746630373","updateDate":1746630373819,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"lrg-avx-x1k","type":"agent_rule","attributes":{"category":"Kernel - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - kernel module was loaded from memory","enabled":true,"expression":"load_module.loaded_from_memory - == true","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"kernel_module_load_from_memory","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-wqf","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows - update registry key modified","enabled":true,"expression":"set.registry.key_path - in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\WindowsUpdate*\"]","filters":["os - == \"windows\""],"monitoring":["CWS_DD"],"name":"windows_update_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1112-modify-registry","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"wgv-wsb-pse","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An - AWS IMDS was called via a network utility","enabled":true,"expression":"exec.comm - in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in 
[~\"*169.254.169.254/latest/meta-data/iam/security-credentials/*\", - ~\"*169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\", ~\"*169.254.170.2/*/credentials?id=*\"]","filters":["os - == \"linux\""],"monitoring":["CWS_DD"],"name":"aws_imds","product_tags":["tactic:TA0006-credential-access","technique:T1552-unsecured-credentials","policy:best-practice","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"mda-uab-xow","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1723178226000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1723178224","updateDate":1723178226000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"b7w-xgg-ocq","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1717130223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"97d-p9d-x1d","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1714941423000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1717130222","updateDate":1717130226000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"fxe-inc-9zj","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1719938223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714941422","updateDate":1714941424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"a9f-o95-atg","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1715128623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1719938222","updateDate":1719938225000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"0rc-s4t-d0f","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1735562223000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1715128622","updateDate":1715128624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"hsx-x1l-3zb","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1746097926103,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1735562223","updateDate":1735562225000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"9ws-qol-qpn","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746529951975,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptupdateacsmthreatsagentrulereturnsbadrequestresponse1746097925","updateDate":1746097926103,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"pz7-rvb-ckm","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1734692969000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"Test Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptupdateacsmthreatsagentrulereturnsokresponse1746529951","updateDate":1746529951975,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"xg2-lum-j2a","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714783024000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptupdateacsmthreatsagentrulereturnsokresponse1734692969","updateDate":1734692970000,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"pfu-dvh-e5w","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM + may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path + in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\", ~\"/lib/security/*\", ~\"/usr/lib/security/*\", + ~\"/lib64/security/*\", ~\"/usr/lib64/security/*\" ])\n) \u0026\u0026 (chown.file.destination.uid + != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os + == 
\"linux\""],"monitoring":["compliance.policy"],"name":"pam_modification_chown","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"2s5-ipa-ooo","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + process wrote to a dynamic linker config file","enabled":true,"expression":"open.file.path + in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", ~\"/etc/ld.so.conf.d/*.conf\"] + \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) + \u003e 0 \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\"] \u0026\u0026 process.ancestors.file.path not in + [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", + \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", + \"/opt/datadog-agent/embedded/bin/trace-agent\", \"/opt/datadog-agent/bin/agent/agent\", + \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", + \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", + \"/opt/datadog-agent/bin/datadog-cluster-agent\", ~\"/opt/datadog-packages/**\", + ~\"/opt/datadog-installer/**\"] \u0026\u0026 process.argv0 not in [\"runc\", + \"/usr/bin/runc\", \"/usr/sbin/runc\"]","filters":["os == 
\"linux\""],"monitoring":["threat-detection.policy"],"name":"dynamic_linker_config_write","product_tags":["tactic:TA0004-privilege-escalation","technique:T1574-hijack-execution-flow","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"jbe-827-tq7","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1732768624000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1714783024","updateDate":1714783024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"uqg-z0t-83n","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715575023000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampledeleteacsmthreatsagentrulereturnsokresponse1732768624","updateDate":1732768624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"rgf-wo7-4fj","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1715402226000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1715575022","updateDate":1715575024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"def-000-guo","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - process was executed matching arguments for a UAC bypass technique common - in powershell 
empire","enabled":true,"expression":"exec.cmdline in [~\"*-NoP - -NonI -w Hidden -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update)*\", - ~\"*-NoP -NonI -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update);*\"]","filters":["os - == \"windows\""],"monitoring":["CWS_DD"],"name":"powershell_empire_uac_bypass","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-h19","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The - container breakout CVE-2024-21626 was successful","enabled":true,"expression":"chdir.syscall.path - =~ \"/proc/self/fd/*\" \u0026\u0026 chdir.file.path == \"/sys/fs/cgroup\" - \u0026\u0026 process.file.name =~ \"runc.*\"","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"runc_leaky_fd","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-j1b","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Looney - Tunables (CVE-2023-4911) exploit attempted","enabled":true,"expression":"exec.file.mode - \u0026 S_ISUID \u003e 0 \u0026\u0026 exec.file.uid == 0 \u0026\u0026 exec.uid - != 0 \u0026\u0026 exec.envs in [~\"*GLIBC_TUNABLES*\"]","filters":["os == - \"linux\""],"monitoring":["CWS_DD"],"name":"looney_tunables_exploit","product_tags":["tactic:TA0004-privilege-escalation","technique:T1068-exploitation-for-privilege-escalation","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"2rq-drz-11u","type":"agent_rule","attributes":{"category":"File - 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - process unlinked a dynamic linker config file","enabled":true,"expression":"unlink.file.path - in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", ~\"/etc/ld.so.conf.d/*.conf\"] - \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os - == \"linux\""],"monitoring":["CWS_DD"],"name":"dynamic_linker_config_unlink","product_tags":["tactic:TA0004-privilege-escalation","technique:T1574-hijack-execution-flow","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"1gj-w3o-5qw","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1746013904000,"creator":{"name":"Thibault Viennot","handle":"thibault.viennot@datadoghq.com"},"defaultRule":false,"description":"im - a rule","disabled":["CWS_CUSTOM-canary"],"enabled":false,"expression":"open.file.name - == \"etc/shadow/password\"","filters":["os == \"linux\""],"name":"ssotlbqrax","updateDate":1746013904000,"updater":{"name":"Thibault - Viennot","handle":"thibault.viennot@datadoghq.com"}}},{"id":"orc-g8c-fmh","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746097919884,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1715402224","updateDate":1715402226000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"nor-y5a-3sn","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1715373423000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test Agent 
rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptgetacsmthreatsagentrulereturnsokresponse1746097919","updateDate":1746097919884,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"g7f-kfr-tdb","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Python - code was provided on the command line","enabled":true,"expression":"exec.file.name - == ~\"python*\" \u0026\u0026 exec.args_flags in [\"c\"] \u0026\u0026 exec.args - in [~\"*-c*SOCK_STREAM*\", ~\"*-c*subprocess*\", ~\"*-c*/bash*\", ~\"*-c*/bin/sh*\", - ~\"*-c*pty.spawn*\"] \u0026\u0026 exec.args !~ \"*setuptools*\"","filters":["os - == \"linux\""],"monitoring":["CWS_DD"],"name":"python_cli_code","product_tags":["tactic:TA0002-execution","technique:T1059-command-and-scripting-interpreter","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-mxb","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The - host file system was mounted in a container","enabled":true,"expression":"mount.source.path - == \"/\" \u0026\u0026 mount.fs_type != \"overlay\" \u0026\u0026 container.id - != \"\"","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"mount_host_fs","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"cvn-qsw-ibn","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1716410225000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1715373422","updateDate":1715373424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"nue-wxi-y3i","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1735720623000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1716410224","updateDate":1716410225000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"4qm-ikt-fpr","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1721954224000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1735720623","updateDate":1735720626000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"91f-pyq-54k","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH + modified keys may have been modified","enabled":true,"expression":"(\n link.file.name + in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (link.file.path + in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ]\n || + link.file.destination.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" + ])\n)","filters":["os == 
\"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"ssh_authorized_keys_link","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:threat-detection","policy:compliance"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"7zw-qbm-y6d","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + service may have been modified without authorization","enabled":true,"expression":"(\n open.flags + \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path + in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\", + ~\"/usr/local/lib/systemd/system/**\", ~\"/run/systemd/system/**\"] || open.file.path + in [ ~\"/etc/systemd/user/**\", ~\"/usr/lib/systemd/user/**\", ~\"/home/*/.config/systemd/user/**\", + ~\"/home/*/.local/share/systemd/user/**\", ~\"/run/systemd/user/**\"])\n \u0026\u0026 + process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os + == \"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"systemd_modification_open","product_tags":["tactic:TA0002-execution","technique:T1569-system-services","policy:threat-detection","policy:compliance"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-o1o","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + process made a connection to a port associated with P2PInfect malware","enabled":true,"expression":"(connect.addr.family + == AF_INET || connect.addr.family == AF_INET6) \u0026\u0026 
connect.addr.is_public + == true \u0026\u0026 connect.addr.port \u003e= 60100 \u0026\u0026 connect.addr.port + \u003c= 60150","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"p2pinfect_connection","product_tags":["tactic:TA0011-command-and-control","technique:T1071-application-layer-protocol","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-wv3","type":"agent_rule","attributes":{"actions":[{"hash":{},"disabled":false}],"category":"File + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Redis + module has been created","enabled":true,"expression":"(open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) + \u003e 0 \u0026\u0026 open.file.path =~ \"/tmp/**\" \u0026\u0026 open.file.name + in [~\"*.rdb\", ~\"*.aof\", ~\"*.so\"]) \u0026\u0026 process.file.name in + [\"redis-check-rdb\", \"redis-server\"]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"redis_save_module","product_tags":["tactic:TA0002-execution","technique:T1129-shared-modules","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"7zf-mmz-56y","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1746616270272,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1721954223","updateDate":1721954224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"4bk-eaa-j5w","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1728664623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptcreateacsmthreatsagentrulereturnsokresponse1746616270","updateDate":1746616270272,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"e5h-onu-f7l","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch + may have been modified without authorization","enabled":true,"expression":"(\n open.flags + \u0026 ((O_RDWR|O_WRONLY|O_CREAT)) \u003e 0 \u0026\u0026\n (open.file.path + in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"nsswitch_conf_mod_open","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-o13","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The + configuration directory for an ssh worm","enabled":true,"expression":"open.file.path + in [~\"/root/.prng/*\", ~\"/home/*/.prng/*\", ~\"/root/.config/prng/*\", ~\"/home/*/.config/prng/*\"] + \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) + \u003e 0","filters":["os == 
\"linux\""],"monitoring":["threat-detection.policy"],"name":"ssh_it_tool_config_write","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"prk-6q1-g0m","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + service may have been modified without authorization","enabled":true,"expression":"(\n ( rename.file.path + in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\", + ~\"/usr/local/lib/systemd/system/**\", ~\"/run/systemd/system/**\"] \n || + rename.file.path in [ ~\"/etc/systemd/user/**\", ~\"/usr/lib/systemd/user/**\", + ~\"/home/*/.config/systemd/user/**\", ~\"/home/*/.local/share/systemd/user/**\", + ~\"/run/systemd/user/**\"]\n || rename.file.destination.path in [ ~\"/lib/systemd/system/**\", + ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\", ~\"/usr/local/lib/systemd/system/**\", + ~\"/run/systemd/system/**\"] \n || rename.file.destination.path in [ ~\"/etc/systemd/user/**\", + ~\"/usr/lib/systemd/user/**\", ~\"/home/*/.config/systemd/user/**\", ~\"/home/*/.local/share/systemd/user/**\", + ~\"/run/systemd/user/**\"])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", + ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", + \"/usr/lib/snapd/snapd\"]\n)","filters":["os == 
\"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"systemd_modification_rename","product_tags":["tactic:TA0002-execution","technique:T1569-system-services","policy:threat-detection","policy:compliance"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-fbb","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Library + libpam.so hooked using eBPF","enabled":true,"expression":"bpf.cmd == BPF_MAP_CREATE + \u0026\u0026 process.args in [r\"libpam\\.so\"]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"libpam_ebpf_hook","product_tags":["tactic:TA0006-credential-access","technique:T1056-input-capture","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"w3d-qp8-3yb","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1716309424000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1728664622","updateDate":1728664623000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"v8l-tbq-nkc","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746611597548,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1716309424","updateDate":1716309424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"ulc-hn1-cz5","type":"agent_rule","attributes":{"category":"Process + 
Activity","creationDate":1725295024000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testdeleteacsmthreatsagentrulereturnsokresponse1746611597","updateDate":1746611597548,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"def-000-beh","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Dotnet_dump - was used to dump a process memory","enabled":true,"expression":"exec.cmdline - =~ \"*dotnet-dump*\" \u0026\u0026 exec.cmdline =~ \"*collect*\"","filters":["os - == \"windows\""],"monitoring":["CWS_DD"],"name":"dotnet_dump_execution","product_tags":["tactic:TA0009-collection","technique:T1005-data-from-local-system","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-a41","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The - base64 command was used to decode information","enabled":true,"expression":"exec.file.name - == \"base64\" \u0026\u0026 exec.args_flags in [\"d\"]","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"base64_decode","product_tags":["tactic:TA0005-defense-evasion","technique:T1140-deobfuscate-or-decode-files-or-information","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"ps4-63s-bzc","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714567023000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampledeleteacsmthreatsagentrulereturnsokresponse1725295023","updateDate":1725295024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"3cv-rwp-2t7","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1724215024000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714567023","updateDate":1714567024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"7ts-208-rn4","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An - AppArmor profile was modified in an interactive session","enabled":true,"expression":"exec.file.name - in [\"aa-disable\", \"aa-complain\", \"aa-audit\"] \u0026\u0026 exec.tty_name - !=\"\"","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"apparmor_modified_tty","product_tags":["tactic:TA0005-defense-evasion","technique:T1562-impair-defenses","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"e7g-3t1-hpu","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1716352624000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1724215024","updateDate":1724215024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"3ht-mqm-ybx","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1746628432905,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent 
rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1716352624","updateDate":1716352624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"ftd-d3e-byt","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1721666224000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testdeleteacsmthreatsagentrulereturnsokresponse1746628432","updateDate":1746628432905,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"kvo-o7f-pgu","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1746789257870,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1721666224","updateDate":1721666224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"7s9-sfq-2km","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1732552624000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptdeleteacsmthreatsagentrulereturnsokresponse1746789257","updateDate":1746789257870,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"fyp-i9k-cv7","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1746630386239,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1732552624","updateDate":1732552624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"rta-b8v-4uf","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714322223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testupdateacsmthreatsagentrulereturnsokresponse1746630385","updateDate":1746630386239,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"hba-kfe-1xr","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH + modified keys may have been modified","enabled":true,"expression":"(\n utimes.file.name + in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (utimes.file.path + in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os + == \"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"ssh_authorized_keys_utimes","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:threat-detection","policy:compliance"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"1gj-w3o-5qw","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1746013904000,"creator":{"name":"Thibault Viennot","handle":"thibault.viennot@datadoghq.com"},"defaultRule":false,"description":"im + a rule","disabled":["CWS_CUSTOM-canary"],"enabled":false,"expression":"open.file.name + == \"etc/shadow/password\"","filters":["os == \"linux\""],"name":"ssotlbqrax","updateDate":1746013904000,"updater":{"name":"Thibault + Viennot","handle":"thibault.viennot@datadoghq.com"}}},{"id":"tth-j42-vc4","type":"agent_rule","attributes":{"category":"Process + 
Activity","creationDate":1732591470000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714322222","updateDate":1714322224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"wpz-bim-6rb","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - process was spawned with indicators of exploitation of CVE-2021-4034","enabled":true,"expression":"(exec.file.path - == \"/usr/bin/pkexec\" \u0026\u0026 exec.envs in [~\"*SHELL*\", ~\"*PATH*\"] - \u0026\u0026 exec.envs not in [~\"*DISPLAY*\", ~\"*DESKTOP_SESSION*\"] \u0026\u0026 - exec.uid != 0)","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"pwnkit_privilege_escalation","product_tags":["tactic:TA0004-privilege-escalation","technique:T1068-exploitation-for-privilege-escalation","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"o5t-b08-86p","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL - certificates may have been tampered with","enabled":true,"expression":"(\n (rename.file.path - in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || rename.file.destination.path + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testjavacreateacsmthreatsagentrulereturnsokresponse1732591469","updateDate":1732591470000,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"y5i-yxn-27t","type":"agent_rule","attributes":{"category":"File + 
Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL + certificates may have been tampered with","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 process.file.path - != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path - != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ - \"runc*\"","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"ssl_certificate_tampering_rename","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"48s-46n-g4w","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - service may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path - in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" - ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.mode != + chmod.file.destination.mode\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 + process.ancestors.file.path != 
\"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) - \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os - == \"linux\""],"monitoring":["CWS_DD"],"name":"systemd_modification_chmod","product_tags":["tactic:TA0002-execution","technique:T1569-system-services","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"li0-j5t-0hv","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1724848624000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 + process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"ssl_certificate_tampering_chmod","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-npv","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Detects + CVE-2022-0543","enabled":true,"expression":"(open.file.path =~ \"/usr/lib/x86_64-linux-gnu/*\" + \u0026\u0026 open.file.name in [\"libc-2.29.so\", \"libc-2.30.so\", \"libc-2.31.so\", + \"libc-2.32.so\", \"libc-2.33.so\", \"libc-2.34.so\", \"libc-2.35.so\", \"libc-2.36.so\", + \"libc-2.37.so\"]) \u0026\u0026 process.ancestors.comm in [\"redis-check-rdb\", + \"redis-server\"]","filters":["os == 
\"linux\""],"monitoring":["threat-detection.policy"],"name":"redis_sandbox_escape","product_tags":["tactic:TA0001-initial-access","technique:T1190-exploit-public-facing-application","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"b79-xcg-63p","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1719059824000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1724848624","updateDate":1724848624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"m7d-vlh-3yq","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Package - management was detected in a container","enabled":true,"expression":"exec.file.path - in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 container.id != \"\"","filters":["os - == \"linux\""],"monitoring":["CWS_DD"],"name":"package_management_in_container","product_tags":["tactic:TA0002-execution","technique:T1059-command-and-scripting-interpreter","policy:threat-detection","policy:best-practice"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"wwy-h4d-pwm","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - service may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path - in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", 
~\"/etc/systemd/system/**\" - ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) - \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid - != chown.file.gid)","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"systemd_modification_chown","product_tags":["tactic:TA0002-execution","technique:T1569-system-services","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"v2b-cd3-clr","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch - may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path - in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 (chown.file.destination.uid - != chown.file.uid || chown.file.destination.gid != chown.file.gid) \u0026\u0026 - process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", - \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", - \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os - == \"linux\""],"monitoring":["CWS_DD"],"name":"nsswitch_conf_mod_chown","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"wvg-hbj-6o2","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1720600623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1719059824","updateDate":1719059824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"kbx-ylg-k86","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1734597423000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1720600622","updateDate":1720600624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"rec-v3q-e1c","type":"agent_rule","attributes":{"category":"Process + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1734597422","updateDate":1734597424000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"rec-v3q-e1c","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1734770223000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1734770223","updateDate":1734770227000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"ekr-3xj-8yj","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1735619823000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1735619823","updateDate":1735619825000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"kas-gb6-imd","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746611611223,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testupdateacsmthreatsagentrulereturnsbadrequestresponse1746611610","updateDate":1746611611223,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"xa1-b6v-n2l","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An - unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (rename.file.path - in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"]\n || - rename.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", - ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", - \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", - \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", - \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"cron_at_job_creation_rename","product_tags":["tactic:TA0002-execution","technique:T1053-scheduled-task-or-job","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"rgf-wo7-4fj","type":"agent_rule","attributes":{"category":"Process - 
Activity","creationDate":1715402226000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1734770223","updateDate":1734770227000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"34t-hic-8cn","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM + may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path + in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\", ~\"/lib/security/*\", ~\"/usr/lib/security/*\", + ~\"/lib64/security/*\", ~\"/usr/lib64/security/*\"])\n) \u0026\u0026 chmod.file.destination.mode + != chmod.file.mode","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"pam_modification_chmod","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-a41","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The + base64 command was used to decode information","enabled":true,"expression":"exec.file.name + == \"base64\" \u0026\u0026 exec.args_flags in [\"d\"]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"base64_decode","product_tags":["tactic:TA0005-defense-evasion","technique:T1140-deobfuscate-or-decode-files-or-information","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"f2b-qds-3f4","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1718815023000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test Agent 
rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1715402224","updateDate":1715402226000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"d2g-d0v-w1l","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1732019824000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1718815022","updateDate":1718815024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"gds-0mc-sle","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1733330223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1732019824","updateDate":1732019824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"1m6-dg0-lq9","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714624623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1733330222","updateDate":1733330225000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"j8a-wic-bvi","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The + LD_PRELOAD variable is populated by a link to a suspicious file directory","enabled":true,"expression":"exec.envs + in [~\"LD_PRELOAD=*/tmp/*\", ~\"LD_PRELOAD=/dev/shm/*\"]","filters":["os == + 
\"linux\""],"monitoring":["threat-detection.policy"],"name":"ld_preload_unusual_library_path","product_tags":["tactic:TA0004-privilege-escalation","technique:T1574-hijack-execution-flow","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"stq-uwx-efd","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1715531824000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714624623","updateDate":1714624624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"7sd-d1r-ts5","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714840623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1715531824","updateDate":1715531824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"qsg-ezg-tyb","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1746628429225,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714840622","updateDate":1714840624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"def-000-ev8","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The - wrmsr program executed","enabled":true,"expression":"exec.comm == \"wrmsr\"","filters":["os - == 
\"linux\""],"monitoring":["CWS_DD"],"name":"exec_wrmsr","product_tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"hhl-9nk-8ls","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715819826000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testcreateacsmthreatsagentrulereturnsokresponse1746628428","updateDate":1746628429225,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"def-000-lel","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Perl + executed with suspicious argument","enabled":true,"expression":"exec.file.name + == ~\"perl*\" \u0026\u0026 exec.args_flags in [\"e\"] \u0026\u0026 (exec.args + in [~\"*SOCK_STREAM*\", ~\"*sockaddr_in*\"])","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"perl_shell","product_tags":["tactic:TA0001-initial-access","technique:T1210-exploitation-of-remote-services","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-wqf","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows + update registry key modified","enabled":true,"expression":"set.registry.key_path + in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\WindowsUpdate*\"]","filters":["os + == 
\"windows\""],"monitoring":["threat-detection.policy"],"name":"windows_update_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1112-modify-registry","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"b7w-xgg-ocq","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1717130223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1715819824","updateDate":1715819826000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"3ox-06e-x4c","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1734093424000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1717130222","updateDate":1717130226000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"def-000-oag","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"systemd + spawned shell","enabled":true,"expression":"exec.file.path in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n 
\"/bin/zsh5\",\n \"/bin/zsh5-static\" + ] \u0026\u0026 process.ancestors.file.path == \"/usr/lib/systemd/systemd-executor\" + \u0026\u0026 process.parent.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os + == \"linux\""],"monitoring":["threat-detection.policy"],"name":"systemd_spawned_shell","product_tags":["tactic:TA0002-execution","technique:T1053-scheduled-task","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"vma-z5w-bi9","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1734179823000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1734093423","updateDate":1734093424000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"def-000-bgf","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1734179822","updateDate":1734179825000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"fpa-r6g-2em","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical + system binaries may have been modified","enabled":true,"expression":"(\n open.flags + \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.path + in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", 
~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", + ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n \u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \u0026\u0026 + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os + == \"linux\""],"monitoring":["compliance.policy"],"name":"pci_11_5_critical_binaries_open","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-bgf","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A hidden file was executed in a suspicious folder","enabled":true,"expression":"exec.file.name =~ \".*\" \u0026\u0026 exec.file.path in [~\"/home/**\", ~\"/tmp/**\", ~\"/var/tmp/**\", - ~\"/dev/shm/**\"]","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"hidden_file_executed","product_tags":["tactic:TA0005-defense-evasion","technique:T1564-hide-artifacts","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"wwc-6it-t7i","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch - may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path - in [ \"/etc/nsswitch.conf\" ]\n || link.file.destination.path in [ \"/etc/nsswitch.conf\" - ])\n)","filters":["os == 
\"linux\""],"monitoring":["CWS_DD"],"name":"nsswitch_conf_mod_link","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-l8e","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers - policy file may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path - == \"/etc/sudoers\")\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid - || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"sudoers_policy_modified_chown","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"qd9-39s-51s","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1721666223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1721666223","updateDate":1721666224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"ya9-48i-611","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1734496623000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1734496623","updateDate":1734496625000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"cdy-cvp-oqz","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1728617680000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testjavacreateacsmthreatsagentrulereturnsokresponse1728617679","updateDate":1728617680000,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"def-000-u7b","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Known - offensive tool crackmap exec executed","enabled":true,"expression":"exec.cmdline - in [~\"*crackmapexec*\", ~\"*cme.exe*\", ~\"*cme.py*\"]","filters":["os == - \"windows\""],"monitoring":["CWS_DD"],"name":"crackmap_exec_executed","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-hbr","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"process - arguments match sliver c2 implant","enabled":true,"expression":"exec.cmdline - =~ \"*NoExit *\" \u0026\u0026 exec.cmdline =~ \"*Command *\" \u0026\u0026 - exec.cmdline =~ \"*[Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8*\"","filters":["os - == 
\"windows\""],"monitoring":["CWS_DD"],"name":"sliver_c2_implant_execution","product_tags":["tactic:TA0011-command-and-control","technique:T1071-application-layer-protocol","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"hlp-8dr-0i3","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1725467825000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + ~\"/dev/shm/**\"]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"hidden_file_executed","product_tags":["tactic:TA0005-defense-evasion","technique:T1564-hide-artifacts","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"4ov-ang-2gx","type":"agent_rule","attributes":{"category":"Network + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + DNS lookup was done for a IP check service","enabled":true,"expression":"dns.question.name + in [\"icanhazip.com\", \"ip-api.com\", \"myip.opendns.com\", \"checkip.amazonaws.com\", + \"whatismyip.akamai.com\"] \u0026\u0026 process.file.name != \"\"","filters":["os + == \"linux\""],"monitoring":["threat-detection.policy"],"name":"ip_check_domain","product_tags":["tactic:TA0007-discovery","technique:T1016-system-network-configuration-discovery","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-vez","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows + winlogon registry key modified","enabled":true,"expression":"set.registry.key_path + in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon*\"]","filters":["os + == 
\"windows\""],"monitoring":["threat-detection.policy"],"name":"winlogon_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1112-modify-registry","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"24l-rs9-d0x","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1710500975000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1725467823","updateDate":1725467825000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"a1s-8yo-pst","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746630365537,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptgetacsmthreatsagentrulereturnsokresponse1710500975","updateDate":1710500975000,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"sen-ldk-nvs","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1746635722158,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testcreateacsmthreatsagentrulereturnsokresponse1746630365","updateDate":1746630365537,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"73h-yo0-427","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1725240870000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testupdateacsmthreatsagentrulereturnsokresponse1746635721","updateDate":1746635722158,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"def-000-myb","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers + policy file may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path + in [\"/etc/sudoers\", ~\"/etc/sudoers.d/*\"]\n || link.file.destination.path + in [\"/etc/sudoers\", ~\"/etc/sudoers.d/*\"])\n)","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"sudoers_policy_modified_link","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"4sz-cc7-ukd","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1733560627000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testpythoncreateacsmthreatsagentrulereturnsokresponse1725240869","updateDate":1725240870000,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"def-000-wv3","type":"agent_rule","attributes":{"actions":[{"hash":{},"disabled":false}],"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Redis - module has been created","enabled":true,"expression":"(open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) - \u003e 0 \u0026\u0026 open.file.path =~ \"/tmp/**\" \u0026\u0026 open.file.name - in [~\"*.rdb\", ~\"*.aof\", ~\"*.so\"]) \u0026\u0026 process.file.name in - [\"redis-check-rdb\", 
\"redis-server\"]","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"redis_save_module","product_tags":["tactic:TA0002-execution","technique:T1129-shared-modules","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"n8l-rby-b42","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1735072624000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1733560624","updateDate":1733560627000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"xg0-u09-xir","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1733603824000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1735072624","updateDate":1735072624000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"vca-vvl-m7a","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746631358513,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1733603824","updateDate":1733603824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"7rw-grx-l7u","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1726331823000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testcreateacsmthreatsagentrulereturnsokresponse1746631358","updateDate":1746631358513,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"def-000-5wh","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"a - SUID file was executed","enabled":true,"expression":"(setuid.euid == 0 || - setuid.uid == 0) \u0026\u0026 process.file.mode \u0026 S_ISUID \u003e 0 \u0026\u0026 - process.file.uid == 0 \u0026\u0026 process.uid != 0 \u0026\u0026 process.file.path - != \"/usr/bin/sudo\"","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"suid_file_execution","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"7q3-6aa-pix","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH - modified keys may have been modified","enabled":true,"expression":"(\n chown.file.name - in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (chown.file.path - in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) - \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid - != chown.file.gid)","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"ssh_authorized_keys_chown","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"v14-hvg-0fd","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1735216626000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + 
== \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1726331822","updateDate":1726331823000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"kfi-eog-4ml","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1746631376325,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1735216624","updateDate":1735216626000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"rwf-5af-jaw","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1733618223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testupdateacsmthreatsagentrulereturnsbadrequestresponse1746631375","updateDate":1746631376325,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"20v-gdb-0ha","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + new kernel module was added","enabled":true,"expression":"(\n (unlink.file.path + in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 
process.ancestors.file.path + != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"kernel_module_unlink","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"7vi-w5r-h15","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical + system binaries may have been modified","enabled":true,"expression":"(\n (chmod.file.path + in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", + ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \u0026\u0026 + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) + \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os + == \"linux\""],"monitoring":["compliance.policy"],"name":"pci_11_5_critical_binaries_chmod","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"dmf-a2c-odj","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + symbolic link for shell history was created targeting /dev/null","enabled":true,"expression":"exec.comm + == \"ln\" \u0026\u0026 exec.args in 
[~\"*.*history*\", \"/dev/null\"]","filters":["os + == \"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"shell_history_symlink","product_tags":["tactic:TA0005-defense-evasion","technique:T1070-indicator-removal","policy:threat-detection","policy:compliance"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-2wg","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"find + command searching for container management socket","enabled":true,"expression":"exec.comm + == \"find\" \u0026\u0026 exec.args in [~\"*.sock*\"]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"find_mgmt_socket","product_tags":["tactic:TA0007-discovery","technique:T1613-container-and-resource-discovery","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"vax-ch9-i9h","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1746529944308,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1733618222","updateDate":1733618223000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"gyo-ajy-16h","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746633521705,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptgetacsmthreatsagentrulereturnsokresponse1746529944","updateDate":1746529944308,"updater":{"name":"CI + 
Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"7ts-208-rn4","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An + AppArmor profile was modified in an interactive session","enabled":true,"expression":"exec.file.name + in [\"aa-disable\", \"aa-complain\", \"aa-audit\"] \u0026\u0026 exec.tty_name + !=\"\"","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"apparmor_modified_tty","product_tags":["tactic:TA0005-defense-evasion","technique:T1562-impair-defenses","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"y0s-toi-yyk","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1746097927076,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testdeleteacsmthreatsagentrulereturnsokresponse1746633521","updateDate":1746633521705,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"def-000-2k6","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Suspicious - usage of ntdsutil","enabled":true,"expression":"exec.file.name == \"ntdsutil.exe\" - \u0026\u0026 exec.cmdline in [~\"*ntds*\", ~\"*create*\"]","filters":["os - == \"windows\""],"monitoring":["CWS_DD"],"name":"suspicious_ntdsutil_usage","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"s9m-foq-qqz","type":"agent_rule","attributes":{"category":"File - 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive - credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (chmod.file.path + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptupdateacsmthreatsagentrulereturnsokresponse1746097926","updateDate":1746097927076,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"c2g-31u-jpk","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An + Azure IMDS was called via a network utility","enabled":true,"expression":"exec.comm + in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*169.254.169.254/metadata/identity/oauth2/token?api-version=*\"]","filters":["os + == \"linux\""],"monitoring":["best-practice.policy","threat-detection.policy"],"name":"azure_imds","product_tags":["tactic:TA0006-credential-access","technique:T1552-unsecured-credentials","policy:best-practice","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"q08-c9l-rsp","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive + credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (unlink.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", 
@@ -1513,402 +1744,188 @@ http_interactions: \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.destination.mode - != chmod.file.mode","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"credential_modified_chmod","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-eck","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Dll - written to a suspicious directory","enabled":true,"expression":"create.file.name - =~ \"*.dll\" \u0026\u0026 create.file.device_path not in [~\"\\Device\\*\\Windows\\System32\\**\", - ~\"\\Device\\*\\ProgramData\\docker\\**\"] \u0026\u0026 process.file.name - != \"dockerd.exe\"","filters":["os == \"windows\""],"monitoring":["CWS_DD"],"name":"suspicious_dll_write","product_tags":["tactic:TA0002-execution","technique:T1609-container-administration-command","technique:T1610-deploy-container","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-s07","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers - policy file may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path - == \"/etc/sudoers\")\n) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", - \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", - \"/usr/local/bin/containerd\", 
\"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"sudoers_policy_modified_utimes","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"ulx-voj-zk3","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714883824000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1714883824","updateDate":1714883824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"07u-iqk-me5","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746631377837,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testupdateacsmthreatsagentrulereturnsokresponse1746631377","updateDate":1746631377837,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"sen-ldk-nvs","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746635722158,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testupdateacsmthreatsagentrulereturnsokresponse1746635721","updateDate":1746635722158,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"2vn-l1s-b0y","type":"agent_rule","attributes":{"category":"Process - 
Activity","creationDate":1733013424000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1733013424","updateDate":1733013424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"981-x7o-izo","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1735749424000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"credential_modified_unlink","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"sif-d9p-wzg","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch + may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path + in [ \"/etc/nsswitch.conf\" ]\n || rename.file.destination.path in [ \"/etc/nsswitch.conf\" + ])\n)","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"nsswitch_conf_mod_rename","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"wri-hx3-4n3","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM + may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path + in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\", ~\"/lib/security/*\", 
~\"/usr/lib/security/*\", + ~\"/lib64/security/*\", ~\"/usr/lib64/security/*\" ]\n || rename.file.destination.path + in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\", ~\"/lib/security/*\", ~\"/usr/lib/security/*\", + ~\"/lib64/security/*\", ~\"/usr/lib64/security/*\" ])\n)","filters":["os == + \"linux\""],"monitoring":["compliance.policy"],"name":"pam_modification_rename","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-ngk","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + process established a connection to ngrok","enabled":true,"expression":"connect.addr.hostname + in [~\"*.tunnel*.ngrok.com\"]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"ngrok_domain","product_tags":["tactic:TA0011-command-and-control","technique:T1102-web-service","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-tp8","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + process opened a model-specific register (MSR) configuration file","enabled":true,"expression":"open.file.path + == \"/sys/module/msr/parameters/allow_writes\" \u0026\u0026 open.flags \u0026 + O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY \u003e 0","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"open_msr_writes","product_tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"d2g-d0v-w1l","type":"agent_rule","attributes":{"category":"Process + 
Activity","creationDate":1732019824000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1735749424","updateDate":1735749424000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"clk-fln-75d","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746443537713,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1732019824","updateDate":1732019824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"bwn-zl7-d0k","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1746097915502,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptupdateacsmthreatsagentrulereturnsbadrequestresponse1746443537","updateDate":1746443537713,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"def-000-n3u","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows - shell folders registry key modified","enabled":true,"expression":"set.registry.key_path - in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell - Folders*\", ~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User - Shell Folders*\"]","filters":["os == 
\"windows\""],"monitoring":["CWS_DD"],"name":"windows_shell_folders_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"klx-4zm-eg5","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746184334893,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptcreateacsmthreatsagentrulereturnsokresponse1746097915","updateDate":1746097915502,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"yv4-twv-nsx","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1746184336905,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptdeleteacsmthreatsagentrulereturnsokresponse1746184334","updateDate":1746184334893,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"def-000-tlf","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"the - windows hosts file was modified","enabled":true,"expression":"write.file.device_path - in [~\"\\Device\\*\\windows\\system32\\Drivers\\etc\\hosts\"]","filters":["os - == \"windows\""],"monitoring":["CWS_DD"],"name":"windows_hosts_file_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"9y1-cbb-p03","type":"agent_rule","attributes":{"category":"File - 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL - certificates may have been tampered with","enabled":true,"expression":"(\n (unlink.file.path - in [ ~\"/etc/ssl/certs/**\" ])\n \u0026\u0026 process.file.path not in - [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 process.file.path - != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path - != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ - \"runc*\"","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"ssl_certificate_tampering_unlink","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"7rw-grx-l7u","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1726331823000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptgetacsmthreatsagentrulereturnsokresponse1746184336","updateDate":1746184336905,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"z0t-qdd-lkb","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1746630384644,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1726331822","updateDate":1726331823000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"3gy-keh-bpb","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746635700702,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testupdateacsmthreatsagentrulereturnsbadrequestresponse1746630384","updateDate":1746630384644,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"def-000-6jw","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process + environment variables match cryptocurrency miner","enabled":true,"expression":"exec.envs + in [\"POOL_USER\", \"POOL_URL\", \"POOL_PASS\", \"DONATE_LEVEL\"]","filters":["os + == \"linux\""],"monitoring":["threat-detection.policy"],"name":"cryptominer_envs","product_tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"yep-euy-ttp","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1714552623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testcreateacsmthreatsagentrulereturnsokresponse1746635700","updateDate":1746635700702,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"pxk-42u-fga","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM - may have been modified without 
authorization","enabled":true,"expression":"(\n (utimes.file.path - in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) \u0026\u0026 process.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os - == \"linux\""],"monitoring":["CWS_DD"],"name":"pam_modification_utimes","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-8j2","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - web application spawned a shell or shell utility","enabled":true,"expression":"(exec.file.path - in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" - ] || exec.comm in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.path - in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\",\"/bin/busybox\"]) - \u0026\u0026\n(process.parent.file.name in [\"apache2\", \"nginx\", ~\"tomcat*\", - \"httpd\"] || process.parent.file.name =~ \"php*\")","filters":["os == 
\"linux\""],"monitoring":["CWS_DD"],"name":"potential_web_shell_parent","product_tags":["tactic:TA0002-execution","technique:T1210-exploitation-of-remote-services","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-x7z","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process - executed with arguments common with Inveigh tool usage","enabled":true,"expression":"exec.cmdline - in [~\"*SpooferIP*\", ~\"*ReplyToIPs*\", ~\"*ReplyToDomains*\", ~\"*ReplyToMACs*\", - ~\"*SnifferIP*\"]","filters":["os == \"windows\""],"monitoring":["CWS_DD"],"name":"inveigh_tool_usage","product_tags":["tactic:TA0009-collection","technique:T1557-adversary-in-the-middle","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"dfr-by9-sx8","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Shell - History was Deleted","enabled":true,"expression":"unlink.file.name in [\".bash_history\", - \".zsh_history\", \".fish_history\", \"fish_history\", \".dash_history\", - \".sh_history\"] \u0026\u0026 unlink.file.path in [~\"/root/**\", ~\"/home/**\"] - \u0026\u0026 process.comm not in [\"dockerd\", \"containerd\"]","filters":["os - == \"linux\""],"monitoring":["CWS_DD"],"name":"shell_history_deleted","product_tags":["tactic:TA0005-defense-evasion","technique:T1070-indicator-removal","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-d4w","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - file executed from /dev/shm/ 
directory","enabled":true,"expression":"exec.file.path - == \"/dev/shm/**\"","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"devshm_execution","product_tags":["tactic:TA0005-defense-evasion","technique:T1564-hide-artifacts","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-mr5","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process - hidden using mount","enabled":true,"expression":"mount.mountpoint.path in - [~\"/proc/1*\", ~\"/proc/2*\", ~\"/proc/3*\", ~\"/proc/4*\", ~\"/proc/5*\", - ~\"/proc/6*\", ~\"/proc/7*\", ~\"/proc/8*\", ~\"/proc/9*\"]","filters":["os - == \"linux\""],"monitoring":["CWS_DD"],"name":"mount_proc_hide","product_tags":["tactic:TA0005-defense-evasion","technique:T1564-hide-artifacts","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"sic-1px-69u","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1717418225000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714552623","updateDate":1714552624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"7sd-d1r-ts5","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1714840623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1717418224","updateDate":1717418225000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"f4p-2wj-hrf","type":"agent_rule","attributes":{"category":"Process - 
Activity","creationDate":1715459823000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714840622","updateDate":1714840624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"bec-cnc-wlz","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1746631362067,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1715459822","updateDate":1715459824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"460-gys-lqp","type":"agent_rule","attributes":{"category":"Network - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - DNS lookup was done for a pastebin-like site","enabled":true,"expression":"dns.question.name - in [\"pastebin.com\", \"ghostbin.com\", \"termbin.com\", \"klgrth.io\", \"rentry.co\", - \"transfer.sh\"] \u0026\u0026 process.file.name != \"\"","filters":["os == - \"linux\""],"monitoring":["CWS_DD"],"name":"paste_site","product_tags":["tactic:TA0011-command-and-control","technique:T1105-ingress-tool-transfer","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-4y4","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - suspicious bitsadmin command has been executed","enabled":true,"expression":"exec.file.name - == \"bitsadmin.exe\" \u0026\u0026 exec.cmdline in [~\"*addfile*\", ~\"*create*\", - ~\"*resume*\"]","filters":["os == 
\"windows\""],"monitoring":["CWS_DD"],"name":"suspicious_bitsadmin_usage","product_tags":["tactic:TA0011-command-and-control","technique:T1105-ingress-tool-transfer","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"pb3-26n-452","type":"agent_rule","attributes":{"category":"Process + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testdeleteacsmthreatsagentrulereturnsokresponse1746631361","updateDate":1746631362067,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"def-000-3v0","type":"agent_rule","attributes":{"actions":[{"set":{"name":"chain_exec_unlink","field":"exec.file.path","append":true,"scope":"cgroup","ttl":30000000000,"inherited":false},"disabled":false},{"set":{"name":"exec_new_file_in_cgroup","field":"exec.file.path","append":true,"scope":"cgroup","size":10000,"ttl":1800000000000,"inherited":false},"disabled":false},{"set":{"name":"correlation_key_file_path","field":"exec.file.path","scope":"cgroup","inherited":false},"disabled":false}],"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + recently modified file was executed","enabled":true,"expression":"exec.file.change_time + \u003c 30s \u0026\u0026 cgroup.file.inode != 0 \u0026\u0026 exec.file.path + not in ${cgroup.exec_new_file_in_cgroup}","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"exec_new_file","product_tags":["policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-d1i","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process + memory was dumped using the minidump function from comsvcs.dll","enabled":true,"expression":"exec.cmdline + =~ \"*MiniDump*\" \u0026\u0026 exec.cmdline =~ \"*comsvcs*\"","filters":["os + == 
\"windows\""],"monitoring":["threat-detection.policy"],"name":"minidump_usage","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-qn0","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsenter + used to breakout of container","enabled":true,"expression":"exec.file.name + == \"nsenter\" \u0026\u0026 exec.args_options in [\"target=1\", \"t=1\"] \u0026\u0026 + container.id != \"\"","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"nsenter_in_container","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"pb3-26n-452","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1719981423000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1719981422","updateDate":1719981424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"l9m-5ce-g9i","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1734525423000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1734525422","updateDate":1734525423000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"tlu-qlm-1ow","type":"agent_rule","attributes":{"category":"File - 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The - runc binary was modified in a non-standard way","enabled":true,"expression":"open.file.path - in [\"/usr/bin/runc\", \"/usr/sbin/runc\", \"/usr/bin/docker-runc\"]\n\u0026\u0026 - open.flags \u0026 O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY \u003e 0\n\u0026\u0026 - process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", - \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", - \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n\u0026\u0026 - process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os - == \"linux\""],"monitoring":["CWS_DD"],"name":"runc_modification","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-oy4","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - tool used to dump process memory has been executed","enabled":true,"expression":"exec.file.name - in [\"procmon.exe\",\"procdump.exe\"]","filters":["os == \"windows\""],"monitoring":["CWS_DD"],"name":"procdump_execution","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-qt6","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL - certificates may have 
been tampered with","enabled":true,"expression":"(\n open.flags - \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path - in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n)\n\u0026\u0026 process.file.path - != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path - != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ - \"runc*\"\n\u0026\u0026 container.id != \"\"\n\u0026\u0026 container.created_at - \u003e 90s","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"ssl_certificate_tampering_open_v2","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"ycc-lv0-6oj","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1730939824000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1730939824","updateDate":1730939824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"5jy-8qa-vwx","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1724216976000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testrustupdateacsmthreatsagentrulereturnsbadrequestresponse1724216976","updateDate":1724216976000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"xw4-uw8-mmx","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1725885424000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1725885424","updateDate":1725885424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"wwv-c72-w2g","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1745986689000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptgetacsmthreatsagentrulereturnsokresponse1745986689","updateDate":1745986689000,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"def-000-b5z","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"process - arguments match rubeus credential theft tool","enabled":true,"expression":"exec.cmdline - in [~\"*asreproast*\", ~\"*/service:krbtgt*\", ~\"*dump /luid:0x*\", ~\"*kerberoast*\", - ~\"*createonly /program*\", ~\"*ptt /ticket*\", ~\"*impersonateuser*\", ~\"*renew - /ticket*\", ~\"*asktgt /user*\", ~\"*harvest /interval*\", ~\"*s4u /user*\", - ~\"*hash /password*\", ~\"*golden /aes256*\", ~\"*silver /user*\", \"*rubeus*\"]","filters":["os - == 
\"windows\""],"monitoring":["CWS_DD"],"name":"rubeus_execution","product_tags":["tactic:TA0006-credential-access","technique:T1558-steal-or-forge-kerberos-tickets","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"htc-275-0wt","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH - modified keys may have been modified","enabled":true,"expression":"(\n chmod.file.name - in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (chmod.file.path - in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) - \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os - == \"linux\""],"monitoring":["CWS_DD"],"name":"ssh_authorized_keys_chmod","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"a52-req-ghm","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Exfiltration - attempt via network utility","enabled":true,"expression":"exec.comm in [\"wget\", - \"curl\", \"lwp-download\"] \u0026\u0026\nexec.args_options in [ ~\"post-file=*\", - ~\"post-data=*\", ~\"T=*\", ~\"d=@*\", ~\"upload-file=*\", ~\"F=file*\"] \u0026\u0026\nexec.args - not in [~\"*localhost*\", ~\"*127.0.0.1*\"]","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"net_util_exfiltration","product_tags":["tactic:TA0010-exfiltration","technique:T1048-exfiltration-over-alternative-protocol","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-b7s","type":"agent_rule","attributes":{"category":"Network - 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Kubernetes - DNS enumeration","enabled":true,"expression":"dns.question.name == \"any.any.svc.cluster.local\" - \u0026\u0026 dns.question.type == SRV \u0026\u0026 container.id != \"\"","filters":["os - == \"linux\""],"monitoring":["CWS_DD"],"name":"kubernetes_dns_enumeration","product_tags":["tactic:TA0007-discovery","technique:T1046-network-service-discovery","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"l57-d8u-edg","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1733546224000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1733546224","updateDate":1733546224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"def-000-hlr","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Tunneling - or port forwarding tool used","enabled":true,"expression":"((exec.comm == - \"pivotnacci\" || exec.comm == \"gost\") \u0026\u0026 process.args_flags in - [\"L\", \"C\", \"R\"]) || (exec.comm in [\"ssh\", \"sshd\"] \u0026\u0026 process.args_flags - in [\"R\", \"L\", \"D\", \"w\"] \u0026\u0026 process.args in [r\"((25[0-5]|(2[0-4]|1\\d|[1-9])\\d)\\.?\\b){4}\"] - ) || (exec.comm == \"sshuttle\" \u0026\u0026 process.args_flags in [\"r\", - \"remote\", \"l\", \"listen\"]) || (exec.comm == \"socat\" \u0026\u0026 process.args - in [r\"(TCP4-LISTEN:|SOCKS)\"]) || (exec.comm in [\"iodine\", \"iodined\", - \"dnscat\", \"hans\", \"hans-ubuntu\", \"ptunnel-ng\", \"ssf\", \"3proxy\", - \"ngrok\"] \u0026\u0026 process.parent.comm in 
[\"bash\", \"dash\", \"ash\", - \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"])","filters":["os == - \"linux\""],"monitoring":["CWS_DD"],"name":"tunnel_traffic","product_tags":["tactic:TA0011-command-and-control","technique:T1572-protocol-tunneling","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-6x2","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Service - registry runkey modified","enabled":true,"expression":"set.registry.key_path - in [~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\", - ~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\CurrentVersion\\RunServices\"]","filters":["os - == \"windows\""],"monitoring":["CWS_DD"],"name":"registry_service_runkey_modified","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-mfu","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - Jupyter notebook executed a shell","enabled":true,"expression":"(exec.file.name - in 
[\"cat\",\"chgrp\",\"chmod\",\"chown\",\"cp\",\"date\",\"dd\",\"df\",\"dir\",\"echo\",\"ln\",\"ls\",\"mkdir\",\"mknod\",\"mktemp\",\"mv\",\"pwd\",\"readlink\",\"rm\",\"rmdir\",\"sleep\",\"stty\",\"sync\",\"touch\",\"uname\",\"vdir\",\"arch\",\"b2sum\",\"base32\",\"base64\",\"basename\",\"chcon\",\"cksum\",\"comm\",\"csplit\",\"cut\",\"dircolors\",\"dirname\",\"du\",\"env\",\"expand\",\"expr\",\"factor\",\"fmt\",\"fold\",\"groups\",\"head\",\"hostid\",\"id\",\"install\",\"join\",\"link\",\"logname\",\"md5sum\",\"textutils\",\"mkfifo\",\"nice\",\"nl\",\"nohup\",\"nproc\",\"numfmt\",\"od\",\"paste\",\"pathchk\",\"pinky\",\"pr\",\"printenv\",\"printf\",\"ptx\",\"realpath\",\"runcon\",\"seq\",\"sha1sum\",\"sha224sum\",\"sha256sum\",\"sha384sum\",\"sha512sum\",\"shred\",\"shuf\",\"sort\",\"split\",\"stat\",\"stdbuf\",\"sum\",\"tac\",\"tail\",\"tee\",\"test\",\"timeout\",\"tr\",\"truncate\",\"tsort\",\"tty\",\"unexpand\",\"uniq\",\"unlink\",\"users\",\"wc\",\"who\",\"whoami\",\"chroot\"] - || exec.file.name in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.name - in [\"dash\",\"sh\",\"static-sh\",\"sh\",\"bash\",\"bash\",\"bash-static\",\"zsh\",\"ash\",\"csh\",\"ksh\",\"tcsh\",\"busybox\",\"busybox\",\"fish\",\"ksh93\",\"rksh\",\"rksh93\",\"lksh\",\"mksh\",\"mksh-static\",\"csharp\",\"posh\",\"rc\",\"sash\",\"yash\",\"zsh5\",\"zsh5-static\"]) - \u0026\u0026 process.ancestors.comm in [\"jupyter-noteboo\", \"jupyter-lab\"]","filters":["os - == \"linux\""],"monitoring":["CWS_DD"],"name":"jupyter_shell_execution","product_tags":["tactic:TA0001-initial-access","technique:T1190-exploit-public-facing-application","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"tf1-bgq-7bb","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714883824000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == 
\"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1714883824","updateDate":1714883824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"nor-y5a-3sn","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715373423000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1715373422","updateDate":1715373424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"mzh-gda-c24","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715762223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1715762222","updateDate":1715762224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"zvy-zhs-mba","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746628436281,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testgetacsmthreatsagentrulereturnsokresponse1746628435","updateDate":1746628436281,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"def-000-qwu","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH - modified keys may have been modified","enabled":true,"expression":"(\n open.flags - \u0026 
(O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.name - in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (open.file.path - in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) - \u0026\u0026 container.id != \"\" \u0026\u0026 container.created_at \u003e - 90s","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"ssh_authorized_keys_open_v2","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"191-ty1-ede","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL - certificates may have been tampered with","enabled":true,"expression":"(\n open.flags - \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path - in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n)\n\u0026\u0026 process.file.path - != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path - != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ - \"runc*\"","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"ssl_certificate_tampering_open","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-ehx","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The - auditd rules file was modified 
without using auditctl","enabled":true,"expression":"open.file.path - in [\"/etc/audit/rules.d/audit.rules\", \"/etc/audit/audit.rules\"] \u0026\u0026 - open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 - process.file.name != \"auditctl\"","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"auditd_rule_file_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1562-impair-defenses","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"kyr-sg6-us9","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL - certificates may have been tampered with","enabled":true,"expression":"(\n (chown.file.path - in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid - != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n\u0026\u0026 - process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path - != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ - \"runc*\"","filters":["os == 
\"linux\""],"monitoring":["CWS_DD"],"name":"ssl_certificate_tampering_chown","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"tb2-3ij-eep","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1732667824000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1732667824","updateDate":1732667824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"vxv-90c-vm4","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714279023000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714279022","updateDate":1714279024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"43q-0jv-1zb","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746616279053,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptupdateacsmthreatsagentrulereturnsbadrequestresponse1746616279","updateDate":1746616279053,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"zfb-ixo-o4w","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - 
suspicious file was written by a network utility","enabled":true,"expression":"open.flags - \u0026 O_CREAT \u003e 0 \u0026\u0026 process.comm in [\"wget\", \"curl\", - \"lwp-download\"]\n\u0026\u0026 (\n (open.file.path =~ \"/tmp/**\" \u0026\u0026 - open.file.name in [~\"*.sh\", ~\"*.c\", ~\"*.so\", ~\"*.ko\"])\n || open.file.path - in [~\"/usr/**\", ~\"/lib/**\", ~\"/etc/**\", ~\"/var/tmp/**\", ~\"/dev/shm/**\"]\n)","filters":["os - == \"linux\""],"monitoring":["CWS_DD"],"name":"net_file_download","product_tags":["tactic:TA0011-command-and-control","technique:T1105-ingress-tool-transfer","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"7y2-ihu-hm2","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - network utility was executed","enabled":true,"expression":"(exec.comm in [\"socat\", - \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm - in [\"wget\", \"curl\", \"lwp-download\"]) \u0026\u0026\ncontainer.id == \"\" - \u0026\u0026 exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" - ]","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"net_util","product_tags":["tactic:TA0011-command-and-control","technique:T1105-ingress-tool-transfer","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"5t3-iiv-rv5","type":"agent_rule","attributes":{"category":"Kernel - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - kernel module was loaded","enabled":true,"expression":"load_module.loaded_from_memory - == false \u0026\u0026 load_module.name not in [\"nf_tables\", \"iptable_filter\", - \"ip6table_filter\", \"bpfilter\", \"ip6_tables\", \"ip6table_nat\", \"nf_reject_ipv4\", - \"ipt_REJECT\", \"iptable_raw\", \"udp_diag\", 
\"inet_diag\"] \u0026\u0026 - process.ancestors.file.name not in [~\"falcon*\", \"unattended-upgrade\", - \"apt.systemd.daily\", \"xtables-legacy-multi\", \"ssm-agent-worker\"]","filters":["os - == \"linux\""],"monitoring":["CWS_DD"],"name":"kernel_module_load","product_tags":["tactic:TA0003-persistence","tactic:TA0040-impact","tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","technique:T1496-resource-hijacking","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"yel-n8d-fhc","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746443527243,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1719981422","updateDate":1719981424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"isj-kzv-ebz","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1746633518640,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptcreateacsmthreatsagentrulereturnsokresponse1746443527","updateDate":1746443527243,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"def-000-wok","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Device - rule created","enabled":true,"expression":"open.file.path in [~\"/etc/udev/rules.d/*\", - ~\"/lib/udev/rules.d/*\", ~\"/usr/lib/udev/rules.d/*\", ~\"/usr/local/lib/udev/rules.d/*\", - ~\"/run/udev/rules.d/*\"] \u0026\u0026 open.flags \u0026 O_CREAT \u003e 0","filters":["os - == 
\"linux\""],"monitoring":["CWS_DD"],"name":"udev_modification","product_tags":["tactic:TA0003-persistence","technique:T1546-event-triggered-execution","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"w60-a8d-qrd","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1734439024000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testcreateacsmthreatsagentrulereturnsokresponse1746633518","updateDate":1746633518640,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"def-000-cyz","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + shell spawned from a git clone which could be exploitation of CVE-2025-48384","enabled":true,"expression":"exec.comm + in [\"dash\",\"sh\",\"static-sh\",\"sh\",\"bash\",\"bash\",\"bash-static\",\"zsh\",\"ash\",\"csh\",\"ksh\",\"tcsh\",\"busybox\",\"busybox\",\"fish\",\"ksh93\",\"rksh\",\"rksh93\",\"lksh\",\"mksh\",\"mksh-static\",\"csharp\",\"posh\",\"rc\",\"sash\",\"yash\",\"zsh5\",\"zsh5-static\"] + \u0026\u0026 process.ancestors[A].comm == \"git\" \u0026\u0026 process.ancestors[A].argv + in [\"clone\"] \u0026\u0026 process.ancestors[A].args_flags in [\"recursive\"]","filters":["os + == \"linux\""],"monitoring":["threat-detection.policy"],"name":"git_cve_2025_48384","product_tags":["tactic:TA0002-execution","technique:T1203-exploitation-for-client-execution","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-ibc","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The + mount utility was executed in a 
container","enabled":true,"expression":"exec.comm + == \"mount\" \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"mount_in_container","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-6x2","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Service + registry runkey modified","enabled":true,"expression":"set.registry.key_path + in [~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\", + ~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\CurrentVersion\\RunServices\"]","filters":["os + == \"windows\""],"monitoring":["threat-detection.policy"],"name":"registry_service_runkey_modified","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"ybl-tp8-aab","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1730263023000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1734439023","updateDate":1734439024000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"a9f-o95-atg","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715128623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1730263022","updateDate":1730263025000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"a66-2qy-xwe","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1733128623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1715128622","updateDate":1715128624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"kid-vkk-fj9","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715603823000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1733128622","updateDate":1733128625000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"mq1-y7n-kf2","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + database application spawned a shell, shell utility, or HTTP utility","enabled":true,"expression":"(exec.file.path + in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n 
\"/bin/zsh5-static\" + ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path + in [\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\",\"/bin/busybox\"]) + \u0026\u0026\nprocess.parent.file.name in [\"mysqld\", 
\"mongod\", \"postgres\"] + \u0026\u0026\n!(process.parent.file.name == \"initdb\" \u0026\u0026\nexec.args + == \"-c locale -a\") \u0026\u0026\n!(process.parent.file.name == \"postgres\" + \u0026\u0026\nexec.args == ~\"*pg_wal*\")","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"database_shell_execution","product_tags":["tactic:TA0001-initial-access","technique:T1190-exploit-public-facing-application","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-x9u","type":"agent_rule","attributes":{"actions":[{"filter":"${process.correlation_key} + != \"\"","set":{"name":"parent_correlation_keys","default_value":"","append":true,"scope":"process","expression":"${process.correlation_key}","inherited":true},"disabled":false},{"set":{"name":"correlation_key","default_value":"","scope":"process","expression":"\"interactive_shell_${builtins.uuid4}\"","inherited":true},"disabled":false}],"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Track + execution context from interactive shell","enabled":true,"expression":"exec.file.path + in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" + ] \u0026\u0026 (process.tty_name != \"\" || exec.args_flags in [\"i\"]) \u0026\u0026 + ${process.correlation_key} in [\"\", ~\"cgroup_*\", ~\"auid_*\", ~\"service_*\", + 
~\"service_new_cgroup_*\"]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"execution_context_interactive_shell","product_tags":["policy:threat-detection"],"silent":true,"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-juz","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + privileged container was created","enabled":true,"expression":"exec.file.name + != \"\" \u0026\u0026 container.id != \"\" \u0026\u0026 container.created_at + \u003c 1s \u0026\u0026 process.cap_permitted \u0026 CAP_SYS_ADMIN \u003e 0","filters":["os + == \"linux\""],"monitoring":["best-practice.policy","threat-detection.policy"],"name":"deploy_priv_container","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection","policy:best-practice"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-0fx","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Shell + process spawned from print server","enabled":true,"expression":"exec.file.name + != \"\" \u0026\u0026 process.parent.file.name == \"foomatic-rip\"","filters":["os + == \"linux\""],"monitoring":["threat-detection.policy"],"name":"cups_spawned_shell","product_tags":["tactic:TA0001-initial-access","technique:T1190-exploit-public-facing-application","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-u7b","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Known + offensive tool crackmap exec executed","enabled":true,"expression":"exec.cmdline + in [~\"*crackmapexec*\", ~\"*cme.exe*\", 
~\"*cme.py*\"]","filters":["os == + \"windows\""],"monitoring":["threat-detection.policy"],"name":"crackmap_exec_executed","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"897-56j-4uj","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1735907824000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1715603822","updateDate":1715603824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"3ay-9ve-3i3","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1732451823000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1735907823","updateDate":1735907824000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"269-p6y-i3p","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742473183000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1732451822","updateDate":1732451823000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"v9x-9ib-tr7","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737288363000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"im - a rule","enabled":true,"expression":"open.file.name == 
\"etc/shadow/password\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"qljifimbbh","updateDate":1737288363000,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"sim-wjp-rxz","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1748011504465,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"initial - description","enabled":true,"expression":"open.file.name == \"etc/shadow/password\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"rawfdmzxlc","product_tags":["compliance_framework:HIPAA"],"updateDate":1748011504465,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"rv8-utm-cs5","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746702690686,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1742473182","updateDate":1742473183000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"lf1-s8g-yf7","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1715503023000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptupdateacsmthreatsagentrulereturnsbadrequestresponse1746702690","updateDate":1746702690686,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"ssp-47a-p20","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical - system binaries may have been modified","enabled":true,"expression":"(\n 
(unlink.file.path - in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", - ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1715503022","updateDate":1715503024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"def-000-s07","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers + policy file may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path + in [\"/etc/sudoers\", ~\"/etc/sudoers.d/*\"])\n) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \u0026\u0026 - process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os - == \"linux\""],"monitoring":["CWS_DD"],"name":"pci_11_5_critical_binaries_unlink","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-6oh","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - Registry runkey has been modified","enabled":true,"expression":"set.registry.key_path - in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\", - 
~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Runonce\", - ~\"HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\", - ~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal - Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\", ~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows - NT\\CurrentVersion\\Terminal Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\Runonce\", - ~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal - Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\RunonceEx\"]","filters":["os - == \"windows\""],"monitoring":["CWS_DD"],"name":"registry_runkey_modified","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"ulc-hn1-cz5","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1725295024000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os + == \"linux\""],"monitoring":["compliance.policy"],"name":"sudoers_policy_modified_utimes","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"t5u-qdx-650","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH + modified keys may have been modified","enabled":true,"expression":"(\n rename.file.name + in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (rename.file.path + in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ]\n || + rename.file.destination.path in [ ~\"/root/.ssh/*\", 
~\"/home/*/.ssh/*\", + ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"ssh_authorized_keys_rename","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:threat-detection","policy:compliance"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-tlf","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"the + windows hosts file was modified","enabled":true,"expression":"write.file.device_path + in [~\"\\Device\\*\\windows\\system32\\Drivers\\etc\\hosts\"]","filters":["os + == \"windows\""],"monitoring":["compliance.policy"],"name":"windows_hosts_file_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-beh","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Dotnet_dump + was used to dump a process memory","enabled":true,"expression":"exec.cmdline + =~ \"*dotnet-dump*\" \u0026\u0026 exec.cmdline =~ \"*collect*\"","filters":["os + == \"windows\""],"monitoring":["threat-detection.policy"],"name":"dotnet_dump_execution","product_tags":["tactic:TA0009-collection","technique:T1005-data-from-local-system","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"4yt-ize-avz","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Omiagent + spawns a privileged child process","enabled":true,"expression":"exec.uid \u003e= + 0 \u0026\u0026 process.ancestors.file.name == \"omiagent\"","filters":["os + == 
\"linux\""],"monitoring":["threat-detection.policy"],"name":"omigod","product_tags":["tactic:TA0002-execution","technique:T1203-exploitation-for-client-execution","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"nio-59w-ip8","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1714927026000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampledeleteacsmthreatsagentrulereturnsokresponse1725295023","updateDate":1725295024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"caz-yrk-14e","type":"agent_rule","attributes":{"category":"Network - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - process resolved a DNS name associated with cryptomining activity","enabled":true,"expression":"dns.question.name - in [~\"*.minexmr.com\", \"minexmr.com\", ~\"*.nanopool.org\", \"nanopool.org\", - ~\"*.supportxmr.com\", \"supportxmr.com\", ~\"*.c3pool.com\", \"c3pool.com\", - ~\"*.p2pool.io\", \"p2pool.io\", ~\"*.ethermine.org\", \"ethermine.org\", - ~\"*.f2pool.com\", \"f2pool.com\", ~\"*.poolin.me\", \"poolin.me\", ~\"*.rplant.xyz\", - \"rplant.xyz\", ~\"*.miningocean.org\", \"miningocean.org\"] \u0026\u0026 - process.file.name != \"\"","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"mining_pool_lookup","product_tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-7m7","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The - auditctl command was used to modify 
auditd","enabled":true,"expression":"exec.file.name - == \"auditctl\" \u0026\u0026 exec.args_flags not in [\"s\", \"l\"]","filters":["os - == \"linux\""],"monitoring":["CWS_DD"],"name":"auditctl_usage","product_tags":["tactic:TA0005-defense-evasion","technique:T1562-impair-defenses","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"4mx-n6o-mmb","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An - unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (utimes.file.path - in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n \u0026\u0026 - process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 - process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", - \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", - \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os - == \"linux\""],"monitoring":["CWS_DD"],"name":"cron_at_job_creation_utimes","product_tags":["tactic:TA0002-execution","technique:T1053-scheduled-task-or-job","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-550","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers - policy file may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path - == \"/etc/sudoers\"\n || rename.file.destination.path == \"/etc/sudoers\")\n)","filters":["os - == 
\"linux\""],"monitoring":["CWS_DD"],"name":"sudoers_policy_modified_rename","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"l2e-aka-bw6","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The - passwd or chpasswd utility was used to modify an account password","enabled":true,"expression":"exec.file.path - in [\"/usr/bin/passwd\", \"/usr/sbin/chpasswd\"] \u0026\u0026 exec.args_flags - not in [\"S\", \"status\"]","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"passwd_execution","product_tags":["tactic:TA0003-persistence","tactic:TA0040-impact","technique:T1098-account-manipulation","technique:T1531-account-access-removal","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-xg6","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"a - critical windows file was modified","enabled":true,"expression":"write.file.device_path - in [~\"\\Device\\*\\windows\\system32\\**\"]","filters":["os == \"windows\""],"monitoring":["CWS_DD"],"name":"critical_windows_files_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"zu3-7yi-3w0","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714696626000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1714927026","updateDate":1714927026000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"cvn-qsw-ibn","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1716410225000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1714696624","updateDate":1714696626000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"f2b-qds-3f4","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1718815023000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1716410224","updateDate":1716410225000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"mda-uab-xow","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1723178226000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1718815022","updateDate":1718815024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"qsg-ezg-tyb","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746628429225,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1723178224","updateDate":1723178226000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"wt2-84b-uy6","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737433133000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testcreateacsmthreatsagentrulereturnsokresponse1746628428","updateDate":1746628429225,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"yv4-twv-nsx","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746184336905,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1737433133","updateDate":1737433133000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"tjr-ib4-gya","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1714509423000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptgetacsmthreatsagentrulereturnsokresponse1746184336","updateDate":1746184336905,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"def-000-0en","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The - debugfs was executed in a container","enabled":true,"expression":"exec.comm - == \"debugfs\" \u0026\u0026 container.id != \"\"","filters":["os == 
\"linux\""],"monitoring":["CWS_DD"],"name":"debugfs_in_container","product_tags":["tactic:TA0007-discovery","technique:T1613-container-and-resource-discovery","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"20v-gdb-0ha","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - new kernel module was added","enabled":true,"expression":"(\n (unlink.file.path - in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path - != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"kernel_module_unlink","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"9f3-haw-91q","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714509423","updateDate":1714509424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"jr3-0m8-jlj","type":"agent_rule","attributes":{"actions":[{"hash":{},"disabled":false}],"category":"Process + 
Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + process launched with arguments associated with cryptominers","enabled":true,"expression":"exec.args_options + in [~\"cpu-priority*\", ~\"donate-level*\", ~\"wallet-address*\"] || exec.args_flags + == \"randomx-1gb-pages\" || exec.args in [~\"*stratum+tcp*\", ~\"*stratum+ssl*\", + ~\"*stratum1+tcp*\", ~\"*stratum1+ssl*\", ~\"*stratum2+tcp*\", ~\"*stratum2+ssl*\", + ~\"*nicehash*\", ~\"*yespower*\"]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"cryptominer_args","product_tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-r6p","type":"agent_rule","attributes":{"actions":[{"set":{"name":"correlation_key_file_path","field":"unlink.file.path","scope":"cgroup","inherited":false},"disabled":false}],"category":"File + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + file was deleted shortly after it was executed","enabled":true,"expression":"unlink.file.path + in ${cgroup.chain_exec_unlink}","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"delete_new_process","product_tags":["tactic:TA0005-defense-evasion","technique:T1564-hide-artifacts","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-5ew","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + container management utility listed images","enabled":true,"expression":"exec.file.name + in [\"docker\", \"kubectl\", \"ctr\"] \u0026\u0026 exec.args in [\"image list\"]","filters":["os + == 
\"linux\""],"monitoring":["threat-detection.policy"],"name":"enum_images","product_tags":["tactic:TA0007-discovery","technique:T1613-container-and-resource-discovery","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"ujx-skx-369","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1744258690000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1744258690","updateDate":1744258690000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"3hj-2t8-ydm","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1729787824000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1729787824","updateDate":1729787824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"9f3-haw-91q","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The AWS EKS service account token was accessed","enabled":true,"expression":"open.file.path =~ \"/var/run/secrets/eks.amazonaws.com/serviceaccount/**\" \u0026\u0026 open.file.name == \"token\" \u0026\u0026 process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", 
@@ -1917,71 +1934,48 @@ http_interactions: \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\", ~\"/opt/datadog-packages/**\", - ~\"/opt/datadog-installer/**\"]","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"aws_eks_service_account_token_accessed","product_tags":["tactic:TA0006-credential-access","technique:T1552-unsecured-credentials","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"gds-0mc-sle","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1733330223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1733330222","updateDate":1733330225000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"def-000-wnn","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows - firewall configuration registry key modified","enabled":true,"expression":"set.registry.key_path - in [~\"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\*\"]","filters":["os - == \"windows\""],"monitoring":["CWS_DD"],"name":"windows_firewall_configuration_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1112-modify-registry","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"34t-hic-8cn","type":"agent_rule","attributes":{"category":"File - 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM - may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path - in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) \u0026\u0026 chmod.file.destination.mode - != chmod.file.mode","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"pam_modification_chmod","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"sif-d9p-wzg","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch - may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path - in [ \"/etc/nsswitch.conf\" ]\n || rename.file.destination.path in [ \"/etc/nsswitch.conf\" - ])\n)","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"nsswitch_conf_mod_rename","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-i9x","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch - may have been modified without authorization","enabled":true,"expression":"(\n open.flags - \u0026 ((O_RDWR|O_WRONLY|O_CREAT)) \u003e 0 \u0026\u0026\n (open.file.path - in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 container.id != \"\" \u0026\u0026 - container.created_at \u003e 90s \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", - \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", - \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", 
- ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"nsswitch_conf_mod_open_v2","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"hba-kfe-1xr","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH - modified keys may have been modified","enabled":true,"expression":"(\n utimes.file.name - in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (utimes.file.path - in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os - == \"linux\""],"monitoring":["CWS_DD"],"name":"ssh_authorized_keys_utimes","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"d7t-4i4-tex","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1722659826000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1722659824","updateDate":1722659826000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"sz5-kvy-3kd","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1732927024000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1732927024","updateDate":1732927024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"g9j-hhf-7at","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1722703023000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1722703023","updateDate":1722703024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"ayv-hqe-lx8","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL - certificates may have been tampered with","enabled":true,"expression":"(\n (utimes.file.path - in [ ~\"/etc/ssl/certs/**\" ])\n \u0026\u0026 process.file.path not in - [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 process.file.path - != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path - != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ - \"runc*\"","filters":["os == 
\"linux\""],"monitoring":["CWS_DD"],"name":"ssl_certificate_tampering_utimes","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"bwj-n0m-ut5","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714653425000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1714653424","updateDate":1714653425000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"ssm-zlm-vqh","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1720312626000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1720312624","updateDate":1720312626000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"zsr-y94-6u2","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1734482226000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1734482224","updateDate":1734482226000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"o4r-6tp-yk0","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714466223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + ~\"/opt/datadog-installer/**\"]","filters":["os == 
\"linux\""],"monitoring":["threat-detection.policy"],"name":"aws_eks_service_account_token_accessed","product_tags":["tactic:TA0006-credential-access","technique:T1552-unsecured-credentials","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-9rk","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Local + account groups were enumerated after container start up","enabled":true,"expression":"exec.file.name + in [\"tcpdump\", \"tshark\"]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"network_sniffing_tool","product_tags":["tactic:TA0007-discovery","technique:T1040-network-sniffing","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"wpz-bim-6rb","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + process was spawned with indicators of exploitation of CVE-2021-4034","enabled":true,"expression":"(exec.file.path + == \"/usr/bin/pkexec\" \u0026\u0026 exec.envs in [~\"*SHELL*\", ~\"*PATH*\"] + \u0026\u0026 exec.envs not in [~\"*DISPLAY*\", ~\"*DESKTOP_SESSION*\"] \u0026\u0026 + exec.uid != 0)","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"pwnkit_privilege_escalation","product_tags":["tactic:TA0004-privilege-escalation","technique:T1068-exploitation-for-privilege-escalation","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"vsk-ewy-s83","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1714451823000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714466223","updateDate":1714466224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"56y-vsb-zqu","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - new kernel module was added","enabled":true,"expression":"(\n open.flags - \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714451823","updateDate":1714451824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"yjj-o5q-x00","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + service may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path + in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\", + ~\"/usr/local/lib/systemd/system/**\", ~\"/run/systemd/system/**\"] || utimes.file.path + in [ ~\"/etc/systemd/user/**\", ~\"/usr/lib/systemd/user/**\", ~\"/home/*/.config/systemd/user/**\", + ~\"/home/*/.local/share/systemd/user/**\", ~\"/run/systemd/user/**\"])\n \u0026\u0026 + process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", + \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os + == 
\"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"systemd_modification_utimes","product_tags":["tactic:TA0002-execution","technique:T1569-system-services","policy:threat-detection","policy:compliance"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-nin","type":"agent_rule","attributes":{"category":"Network + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + DNS request was made for a chatroom domain","enabled":true,"expression":"dns.question.name + in [\"discord.com\", \"api.telegram.org\", \"cdn.discordapp.com\"]","filters":["os + == \"linux\""],"monitoring":["threat-detection.policy"],"name":"chatroom_request","product_tags":["tactic:TA0011-command-and-control","technique:T1572-protocol-tunneling","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-x7z","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process + executed with arguments common with Inveigh tool usage","enabled":true,"expression":"exec.cmdline + in [~\"*SpooferIP*\", ~\"*ReplyToIPs*\", ~\"*ReplyToDomains*\", ~\"*ReplyToMACs*\", + ~\"*SnifferIP*\"]","filters":["os == \"windows\""],"monitoring":["threat-detection.policy"],"name":"inveigh_tool_usage","product_tags":["tactic:TA0009-collection","technique:T1557-adversary-in-the-middle","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-tig","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + user was added to the sudo group","enabled":true,"expression":"exec.file.name + == \"usermod\" \u0026\u0026 (exec.args_flags in [\"aG\"] || exec.args_flags + in [\"G\"]) 
\u0026\u0026 exec.args_flags not in [\"r\"] \u0026\u0026 (exec.argv + == \"sudo\" || exec.argv == \"wheel\")","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"usermod_privileged_group","product_tags":["tactic:TA0004-privilege-escalation","technique:T1098-account-manipulation","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"ro4-rju-1vq","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An + GCP IMDS was called via a network utility","enabled":true,"expression":"exec.comm + in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token\", + ~\"*169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token\"]","filters":["os + == \"linux\""],"monitoring":["best-practice.policy","threat-detection.policy"],"name":"gcp_imds","product_tags":["tactic:TA0006-credential-access","technique:T1552-unsecured-credentials","policy:best-practice","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"2dz-kyt-nme","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + new kernel module was added","enabled":true,"expression":"(\n (chmod.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", 
@@ -1989,67 +1983,83 @@ http_interactions: not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path - != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"kernel_module_open","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"1ys-tf8-u32","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1735562224000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + != \"/usr/bin/kmod\"\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os + == \"linux\""],"monitoring":["compliance.policy"],"name":"kernel_module_chmod","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"1ej-lz6-3iy","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1735648624000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1735562224","updateDate":1735562224000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"vax-ch9-i9h","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746529944308,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1735648624","updateDate":1735648624000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"def-000-zp4","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"microsoft + security essentials executable modified","enabled":true,"expression":"write.file.device_path + in [~\"\\Device\\*\\Program Files\\Microsoft Security Client\\msseces.exe\"]","filters":["os + == \"windows\""],"monitoring":["compliance.policy"],"name":"windows_security_essentials_executable_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"3gy-keh-bpb","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1746635700702,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptgetacsmthreatsagentrulereturnsokresponse1746529944","updateDate":1746529944308,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"q08-c9l-rsp","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive - credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (unlink.file.path - in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path - not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", - \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", 
\"/usr/sbin/useradd\", - \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", - \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"credential_modified_unlink","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"vvb-sfk-jn1","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1724647024000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testcreateacsmthreatsagentrulereturnsokresponse1746635700","updateDate":1746635700702,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"zvy-zhs-mba","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1746628436281,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1724647024","updateDate":1724647024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"qo2-qin-6hg","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714351023000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testgetacsmthreatsagentrulereturnsokresponse1746628435","updateDate":1746628436281,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"tb2-3ij-eep","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1732667824000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714351022","updateDate":1714351024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"3ht-mqm-ybx","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746628432905,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1732667824","updateDate":1732667824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"es7-rhv-nra","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1714797423000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testdeleteacsmthreatsagentrulereturnsokresponse1746628432","updateDate":1746628432905,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"jx5-yfk-osv","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746789254740,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714797422","updateDate":1714797424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"9ji-2p2-v00","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1721248623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptcreateacsmthreatsagentrulereturnsokresponse1746789254","updateDate":1746789254740,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"def-000-y27","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"RC - scripts modified","enabled":true,"expression":"(open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) - \u003e 0 \u0026\u0026 (open.file.path in [\"/etc/rc.common\", \"/etc/rc.local\"])) - \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1721248623","updateDate":1721248625000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"xiu-ghq-4zi","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical + system binaries may have been modified","enabled":true,"expression":"(\n (chown.file.path + in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", + ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/containerd\", 
\"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \u0026\u0026 + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os - == \"linux\""],"monitoring":["CWS_DD"],"name":"rc_scripts_modified","product_tags":["tactic:TA0003-persistence","technique:T1037-boot-or-logon-initialization-scripts","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"afj-5sv-2wb","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - container management utility was executed in a container","enabled":true,"expression":"exec.file.name - in [\"docker\", \"kubectl\"] \u0026\u0026 container.id != \"\"","filters":["os - == \"linux\""],"monitoring":["CWS_DD"],"name":"suspicious_container_client","product_tags":["tactic:TA0002-execution","technique:T1609-container-administration-command","technique:T1610-deploy-container","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-brb","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"regedit - used to export critical registry hive","enabled":true,"expression":"exec.file.name - in [\"reg.exe\", \"regedit.exe\"] \u0026\u0026 exec.cmdline in [~\"*hklm*\", - ~\"*hkey_local_machine*\", ~\"*system*\", ~\"*sam*\", ~\"*security*\"]","filters":["os - == 
\"windows\""],"monitoring":["CWS_DD"],"name":"critical_registry_export","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"6bp-g7f-vgp","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746789261585,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) + \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid + != chown.file.gid)","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"pci_11_5_critical_binaries_chown","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-88h","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Egress + traffic allowed using iptables","enabled":true,"expression":"exec.comm == + \"iptables\" \u0026\u0026 process.args in [r\"OUTPUT.*((25[0-5]|(2[0-4]|1\\d|[1-9]|)\\d)\\.?\\b){4}.*ACCEPT\"] + \u0026\u0026 process.args not in [r\"(127\\.)|(10\\.)|(172\\.1[6-9]\\.)|(172\\.2[0-9]\\.)|(^172\\.3[0-1]\\.)|(192\\.168\\.)|(169\\.254\\.)\"]","filters":["os + == \"linux\""],"monitoring":["threat-detection.policy"],"name":"iptables_egress_allowed","product_tags":["tactic:TA0005-defense-evasion","technique:T1562-impair-defenses","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"mdn-0hh-uw1","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1734050226000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My 
Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptgetacsmthreatsagentrulereturnsokresponse1746789261","updateDate":1746789261585,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"647-nlb-uld","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - network utility (such as nmap) commonly used in intrusion attacks was executed","enabled":true,"expression":"exec.file.name - in [\"nmap\", \"masscan\", \"fping\", \"zgrab\", \"zgrab2\", \"rustscan\", - \"pnscan\"] \u0026\u0026 exec.args_flags not in [\"V\", \"version\"]","filters":["os - == \"linux\""],"monitoring":["CWS_DD"],"name":"common_net_intrusion_util","product_tags":["tactic:TA0007-discovery","technique:T1046-network-service-discovery","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-fbb","type":"agent_rule","attributes":{"category":"Kernel - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Library - libpam.so hooked using eBPF","enabled":true,"expression":"bpf.cmd == BPF_MAP_CREATE - \u0026\u0026 process.args in [r\"libpam\\.so\"]","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"libpam_ebpf_hook","product_tags":["tactic:TA0006-credential-access","technique:T1056-input-capture","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"smg-le8-msf","type":"agent_rule","attributes":{"actions":[{"hash":{},"disabled":false}],"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1734050223","updateDate":1734050226000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"krx-co0-pz2","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1715531823000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1715531822","updateDate":1715531824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"wwc-6it-t7i","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch + may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path + in [ \"/etc/nsswitch.conf\" ]\n || link.file.destination.path in [ \"/etc/nsswitch.conf\" + ])\n)","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"nsswitch_conf_mod_link","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"9l7-am7-hy6","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1736986169000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testgocreateacsmthreatsagentrulereturnsokresponse1736986169","updateDate":1736986169000,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"def-000-6ql","type":"agent_rule","attributes":{"category":"Process + 
Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"memfd + object created","enabled":true,"expression":"exec.file.name =~ \"memfd*\" + \u0026\u0026 exec.file.path == \"\" \u0026\u0026 process.parent.file.path + not in [\"/usr/bin/runc\", \"/usr/sbin/runc\", \"/usr/bin/docker-runc\" , + \"/run/docker/runtime-runc/moby/*\", \"/x86_64-bottlerocket-linux-gnu/sys-root/usr/bin/runc\"] + \u0026\u0026 !(process.comm == \"dd-ipc-helper\" \u0026\u0026 exec.file.name + in [\"memfd:spawn_worker_trampoline (deleted)\", \"memfd:spawn_worker_trampoline\"])","filters":["os + == \"linux\""],"monitoring":["threat-detection.policy"],"name":"memfd_create","product_tags":["tactic:TA0005-defense-evasion","technique:T1620-reflective-code-loading","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-jl7","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"openssl + used to establish backdoor","enabled":true,"expression":"exec.comm == \"openssl\" + \u0026\u0026 exec.args =~ \"*s_client*\"","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"openssl_backdoor","product_tags":["tactic:TA0002-execution","technique:T1059-command-and-scripting-interpreter","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"pwu-7u7-iiq","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + process uses an anti-debugging technique to block debuggers","enabled":true,"expression":"ptrace.request + == PTRACE_TRACEME \u0026\u0026 process.file.name != \"\"","filters":["os == + 
\"linux\""],"monitoring":["threat-detection.policy"],"name":"ptrace_antidebug","product_tags":["tactic:TA0005-defense-evasion","technique:T1622-debugger-evasion","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"tf1-bgq-7bb","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1714883824000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1714883824","updateDate":1714883824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"rjm-biu-bqq","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1715272623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1715272622","updateDate":1715272624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"smg-le8-msf","type":"agent_rule","attributes":{"actions":[{"hash":{},"disabled":false}],"category":"File + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A compiler wrote a suspicious file in a container","enabled":true,"expression":"open.flags \u0026 O_CREAT \u003e 0\n\u0026\u0026 (\n (open.file.path =~ \"/tmp/**\" \u0026\u0026 open.file.name in [~\"*.ko\", ~\".*\"])\n || open.file.path 
@@ -2058,23 +2068,58 @@ http_interactions: in [\"javac\", \"clang\", \"gcc\", \"bcc\"] || process.file.name in [\"javac\", \"clang\", \"gcc\", \"bcc\"] || process.ancestors.file.name in [\"javac\", \"clang\", \"gcc\", \"bcc\"])\n\u0026\u0026 process.file.name not in [\"pip\", - ~\"python*\"]\n\u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"compile_after_delivery","product_tags":["tactic:TA0005-defense-evasion","tactic:TA0004-privilege-escalation","technique:T1027-obfuscated-files-or-information","technique:T1574-hijack-execution-flow","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"c2g-31u-jpk","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An - Azure IMDS was called via a network utility","enabled":true,"expression":"exec.comm - in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*169.254.169.254/metadata/identity/oauth2/token?api-version=*\"]","filters":["os - == \"linux\""],"monitoring":["CWS_DD"],"name":"azure_imds","product_tags":["tactic:TA0006-credential-access","technique:T1552-unsecured-credentials","policy:best-practice","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"ybg-c9d-29b","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1723034223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + ~\"python*\"]\n\u0026\u0026 container.id != \"\"","filters":["os == 
\"linux\""],"monitoring":["threat-detection.policy"],"name":"compile_after_delivery","product_tags":["tactic:TA0005-defense-evasion","tactic:TA0004-privilege-escalation","technique:T1027-obfuscated-files-or-information","technique:T1574-hijack-execution-flow","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"422-svi-03v","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Potential + Dirty pipe exploitation","enabled":true,"expression":"(splice.pipe_exit_flag + \u0026 PIPE_BUF_FLAG_CAN_MERGE) \u003e 0 \u0026\u0026 (process.uid != 0 \u0026\u0026 + process.gid != 0)","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"dirty_pipe_exploitation","product_tags":["tactic:TA0004-privilege-escalation","technique:T1068-exploitation-for-privilege-escalation","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"9of-ebc-ypn","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1733143023000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1723034223","updateDate":1723034224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"bec-cnc-wlz","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746631362067,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1733143022","updateDate":1733143023000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"ceu-3h6-qug","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1740269813000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testdeleteacsmthreatsagentrulereturnsokresponse1746631361","updateDate":1746631362067,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"xx5-jk7-v7j","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746631365451,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1740269813","updateDate":1740269814000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"def-000-mr5","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process + hidden using mount","enabled":true,"expression":"mount.mountpoint.path in + [~\"/proc/1*\", ~\"/proc/2*\", ~\"/proc/3*\", ~\"/proc/4*\", ~\"/proc/5*\", + ~\"/proc/6*\", ~\"/proc/7*\", ~\"/proc/8*\", ~\"/proc/9*\"]","filters":["os + == \"linux\""],"monitoring":["threat-detection.policy"],"name":"mount_proc_hide","product_tags":["tactic:TA0005-defense-evasion","technique:T1564-hide-artifacts","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"fii-ysi-7bu","type":"agent_rule","attributes":{"category":"Process + 
Activity","creationDate":1715618226000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1715618224","updateDate":1715618226000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"2vn-l1s-b0y","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1733013424000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1733013424","updateDate":1733013424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"3ay-9ve-3i3","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1732451823000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1732451822","updateDate":1732451823000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"clk-fln-75d","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1746443537713,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptupdateacsmthreatsagentrulereturnsbadrequestresponse1746443537","updateDate":1746443537713,"updater":{"name":"CI + 
Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"def-000-tat","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows + RPC COM debugging registry key modified","enabled":true,"expression":"set.registry.key_path + in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows*\"]","filters":["os + == \"windows\""],"monitoring":["compliance.policy"],"name":"windows_com_rpc_debugging_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1112-modify-registry","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-hc1","type":"agent_rule","attributes":{"actions":[{"filter":"${process.correlation_key} + != \"\"","set":{"name":"parent_correlation_keys","default_value":"","append":true,"scope":"process","expression":"${process.correlation_key}","inherited":true},"disabled":false},{"set":{"name":"correlation_key","default_value":"","scope":"process","expression":"\"auid_${builtins.uuid4}\"","inherited":true},"disabled":false}],"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Track + execution context from auid","enabled":true,"expression":"exec.auid \u003e= + 0 \u0026\u0026 exec.auid != AUDIT_AUID_UNSET \u0026\u0026 ${process.correlation_key} + in [\"\", ~\"cgroup_*\"]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"execution_context_auid","product_tags":["policy:threat-detection"],"silent":true,"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-y27","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"RC + scripts modified","enabled":true,"expression":"(open.flags \u0026 
(O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) + \u003e 0 \u0026\u0026 (open.file.path in [\"/etc/rc.common\", \"/etc/rc.local\"])) + \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os + == \"linux\""],"monitoring":["threat-detection.policy"],"name":"rc_scripts_modified","product_tags":["tactic:TA0003-persistence","technique:T1037-boot-or-logon-initialization-scripts","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"qes-e3j-s1d","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1746443538639,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testgetacsmthreatsagentrulereturnsokresponse1746631365","updateDate":1746631365451,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"0yj-grp-cmx","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive - credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (rename.file.path - in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || rename.file.destination.path + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptupdateacsmthreatsagentrulereturnsokresponse1746443538","updateDate":1746443538639,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"lli-czr-q4y","type":"agent_rule","attributes":{"category":"File + 
Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive + credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (link.file.path + in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || link.file.destination.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", 
@@ -2083,206 +2128,305 @@ http_interactions: \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"credential_modified_rename","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-o1o","type":"agent_rule","attributes":{"category":"Kernel - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - process made a connection to a port associated with P2PInfect malware","enabled":true,"expression":"connect.addr.family - \u0026 (AF_INET|AF_INET6) \u003e 0 \u0026\u0026 connect.addr.is_public == - true \u0026\u0026 connect.addr.port \u003e= 60100 \u0026\u0026 connect.addr.port - \u003c= 60150","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"p2pinfect_connection","product_tags":["tactic:TA0011-command-and-control","technique:T1071-application-layer-protocol","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"gx3-4a5-w9a","type":"agent_rule","attributes":{"category":"Kernel - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - kernel module was loaded from memory inside a container","enabled":true,"expression":"load_module.loaded_from_memory - == true \u0026\u0026 container.id !=\"\"","filters":["os == 
\"linux\""],"monitoring":["CWS_DD"],"name":"kernel_module_load_from_memory_container","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"4fo-giq-5f8","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715416623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1715416622","updateDate":1715416624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"tps-9zv-vpp","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1734899823000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"credential_modified_link","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"rpc-ji0-zfu","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH + modified keys may have been modified","enabled":true,"expression":"(\n open.flags + \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.name + in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (open.file.path + in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os + == 
\"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"ssh_authorized_keys_open","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:threat-detection","policy:compliance"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-qt6","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL + certificates may have been tampered with","enabled":true,"expression":"(\n open.flags + \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path + in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n)\n\u0026\u0026 process.file.path + != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path + != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ + \"runc*\"\n\u0026\u0026 container.id != \"\"\n\u0026\u0026 container.created_at + \u003e 90s","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"ssl_certificate_tampering_open_v2","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"szu-tkm-xvx","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1746443529377,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1734899823","updateDate":1734899825000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"def-000-nin","type":"agent_rule","attributes":{"category":"Network - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - DNS request was made for a chatroom domain","enabled":true,"expression":"dns.question.name - in [\"discord.com\", \"api.telegram.org\", \"cdn.discordapp.com\"]","filters":["os - == \"linux\""],"monitoring":["CWS_DD"],"name":"chatroom_request","product_tags":["tactic:TA0011-command-and-control","technique:T1572-protocol-tunneling","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"iyj-haq-dvu","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715373426000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptdeleteacsmthreatsagentrulereturnsokresponse1746443529","updateDate":1746443529377,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"aw7-tup-sy0","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1746628448155,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1715373425","updateDate":1715373426000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"def-000-nv0","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The - rclone utility was 
executed","enabled":true,"expression":"exec.file.name in - [\"rclone\", \"rsync\", \"sftp\", \"ftp\", \"scp\", \"dcp\", \"rcp\"]","filters":["os - == \"linux\""],"monitoring":["CWS_DD"],"name":"file_sync_exfil","product_tags":["tactic:TA0010-exfiltration","technique:T1048-exfiltration-over-alternative-protocol","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"prk-6q1-g0m","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - service may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path - in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" - ]\n || rename.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", - ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testupdateacsmthreatsagentrulereturnsokresponse1746628447","updateDate":1746628448155,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"ayv-hqe-lx8","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL + certificates may have been tampered with","enabled":true,"expression":"(\n (utimes.file.path + in [ ~\"/etc/ssl/certs/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == 
\"linux\""],"monitoring":["CWS_DD"],"name":"systemd_modification_rename","product_tags":["tactic:TA0002-execution","technique:T1569-system-services","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"4mu-d2x-fyk","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch - may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path - in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"nsswitch_conf_mod_unlink","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"ezw-7rm-wca","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1735634224000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampledeleteacsmthreatsagentrulereturnsokresponse1735634224","updateDate":1735634224000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"mdn-0hh-uw1","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1734050226000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 process.file.path + != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path + != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", 
\"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ + \"runc*\"","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"ssl_certificate_tampering_utimes","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-5xt","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Detect + attempts to trigger a coredump after modifying /proc/sys/kernel/core_pattern.","enabled":true,"expression":"exit.cause + == COREDUMPED \u0026\u0026 container.id == ${container.core_pattern_write_container_id}","filters":["os + == \"linux\""],"monitoring":["threat-detection.policy"],"name":"coredump_triggered","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-fqm","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The + whoami command was executed","enabled":true,"expression":"exec.comm == \"whoami\"","filters":["os + == \"linux\""],"monitoring":["threat-detection.policy"],"name":"exec_whoami","product_tags":["tactic:TA0007-discovery","technique:T1033-system-owner-or-user-discovery","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"l2e-aka-bw6","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The + passwd or chpasswd utility was used to modify an account password","enabled":true,"expression":"exec.file.path + in [\"/usr/bin/passwd\", 
\"/usr/sbin/chpasswd\"] \u0026\u0026 exec.args_flags + not in [\"S\", \"status\"]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"passwd_execution","product_tags":["tactic:TA0003-persistence","tactic:TA0040-impact","technique:T1098-account-manipulation","technique:T1531-account-access-removal","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-oi1","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process + arguments indicating possible socat shell detected","enabled":true,"expression":"((exec.file.name + == \"socat\") || (exec.comm == \"socat\")) \u0026\u0026 exec.args in [~\"*/bin/bash*\", + ~\"*/bin/sh*\", ~\"*exec*\", ~\"*pty*\", ~\"*setsid*\", ~\"*stderr*\"]","filters":["os + == \"linux\""],"monitoring":["threat-detection.policy"],"name":"socat_shell","product_tags":["tactic:TA0002-execution","technique:T1059-command-and-scripting-interpreter","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-gqa","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows + boot registry key modified","enabled":true,"expression":"set.registry.key_path + in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\IniFileMapping\\SYSTEM.ini\\boot*\"]","filters":["os + == \"windows\""],"monitoring":["threat-detection.policy"],"name":"windows_boot_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1112-modify-registry","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"veg-qf4-lgr","type":"agent_rule","attributes":{"category":"Process + 
Activity","creationDate":1719967025000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1734050223","updateDate":1734050226000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"897-56j-4uj","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1735907824000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1719967024","updateDate":1719967025000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"li0-j5t-0hv","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1724848624000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1735907823","updateDate":1735907824000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"lf1-s8g-yf7","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715503023000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1724848624","updateDate":1724848624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"o4r-6tp-yk0","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1714466223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test Agent rule","enabled":true,"expression":"exec.file.name == 
\"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1715503022","updateDate":1715503024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"d5b-olo-ecr","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746789273109,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714466223","updateDate":1714466224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"kax-qcg-qu0","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1714581423000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptupdateacsmthreatsagentrulereturnsokresponse1746789272","updateDate":1746789273109,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"35e-29w-qhu","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715128624000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714581423","updateDate":1714581424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"wnk-nli-nbp","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An + unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (chown.file.path + in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n \u0026\u0026 
+ process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n) \u0026\u0026 + (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid + != chown.file.gid)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"cron_at_job_creation_chown","product_tags":["tactic:TA0002-execution","technique:T1053-scheduled-task-or-job","policy:threat-detection","policy:compliance"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-m7t","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The + LD_AUDIT variable is populated by a link to a suspicious file directory","enabled":true,"expression":"process.envs + in [\"LD_AUDIT\"] \u0026\u0026 \n(\n mmap.file.path in [~\"/home/*\", ~\"/tmp/*\", + ~\"/dev/shm/*\"] || \n mmap.file.in_upper_layer == true\n) \u0026\u0026\nmmap.protection + \u0026 (PROT_EXEC) \u003e 0 ","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"ld_audit_unusual_library_path","product_tags":["tactic:TA0004-privilege-escalation","technique:T1574-hijack-execution-flow","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-0pf","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + process attempted to overwrite the container entrypoint","enabled":true,"expression":"open.file.path + == \"/proc/self/fd/1\" \u0026\u0026 open.flags \u0026 O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY + 
\u003e 0 \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"overwrite_entrypoint","product_tags":["tactic:TA0007-discovery","technique:T1613-container-and-resource-discovery","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"pix-a2q-opu","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1746633525563,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1715128624","updateDate":1715128624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"3kk-4rm-qug","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1718426224000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testgetacsmthreatsagentrulereturnsokresponse1746633525","updateDate":1746633525563,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"73h-yo0-427","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1725240870000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1718426224","updateDate":1718426224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"w95-d3h-c3r","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1735864623000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testpythoncreateacsmthreatsagentrulereturnsokresponse1725240869","updateDate":1725240870000,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"def-000-u1r","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + process deleted common system log files","enabled":true,"expression":"unlink.file.path + in [\"/var/run/utmp\", \"/var/log/wtmp\", \"/var/log/btmp\", \"/var/log/lastlog\", + \"/var/log/faillog\", \"/var/log/syslog\", \"/var/log/messages\", \"/var/log/secure\", + \"/var/log/auth.log\", \"/var/log/boot.log\", \"/var/log/kern.log\"] \u0026\u0026 + process.comm not in [\"dockerd\", \"containerd\"]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"delete_system_log","product_tags":["tactic:TA0005-defense-evasion","technique:T1070-indicator-removal","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"qt9-i99-q9p","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch + may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path + in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"nsswitch_conf_mod_utimes","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"ev9-rxn-om1","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1733272623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test Agent rule","enabled":true,"expression":"exec.file.name == 
\"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1735864622","updateDate":1735864625000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"ohq-oxe-jb4","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1726883002000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1733272622","updateDate":1733272626000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"5c8-aij-182","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1720156180000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testpythoncreateacsmthreatsagentrulereturnsokresponse1726883002","updateDate":1726883002000,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"gyq-tpv-vvr","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746195381263,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testrustgetacsmthreatsagentrulereturnsokresponse1720156180","updateDate":1720156180000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"krq-ced-idm","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1746702684947,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testdeleteacsmthreatsagentrulereturnsokresponse1746195381","updateDate":1746195381263,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"422-svi-03v","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Potential - Dirty pipe exploitation","enabled":true,"expression":"(splice.pipe_exit_flag - \u0026 PIPE_BUF_FLAG_CAN_MERGE) \u003e 0 \u0026\u0026 (process.uid != 0 \u0026\u0026 - process.gid != 0)","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"dirty_pipe_exploitation","product_tags":["tactic:TA0004-privilege-escalation","technique:T1068-exploitation-for-privilege-escalation","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"stq-uwx-efd","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715531824000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptgetacsmthreatsagentrulereturnsokresponse1746702684","updateDate":1746702684947,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"def-000-cjm","type":"agent_rule","attributes":{"actions":[{"filter":"${process.correlation_key} + != \"\"","set":{"name":"parent_correlation_keys","default_value":"","append":true,"scope":"process","expression":"${process.correlation_key}","inherited":true},"disabled":false},{"set":{"name":"correlation_key","default_value":"","scope":"process","expression":"\"cgroup_${builtins.uuid4}\"","inherited":true},"disabled":false}],"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Track + execution context from cgroup write","enabled":true,"expression":"cgroup_write.pid + \u003e 0 
\u0026\u0026 ${process.correlation_key} in [\"\", ~\"cgroup_*\"]","filters":["os + == \"linux\""],"monitoring":["threat-detection.policy"],"name":"execution_context_cgroup_write","product_tags":["policy:threat-detection"],"silent":true,"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-7ez","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process + arguments indicating possible php shell detected","enabled":true,"expression":"exec.file.name + == \"php\" \u0026\u0026 exec.args_flags in [\"r\"] \u0026\u0026 ((exec.args + in [~\"*socket_bind*\", ~\"*socket_listen*\", ~\"*socket_accept*\", ~\"*socket_create*\", + ~\"*socket_write*\", ~\"*socket_read*\"]) || (exec.args in [~\"*/bin/bash*\", + ~\"*/bin/sh*\"]))","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"php_shell","product_tags":["tactic:TA0001-initial-access","technique:T1210-exploitation-of-remote-services","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"gfp-rvz-fcq","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1746633537526,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1715531824","updateDate":1715531824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"9ji-2p2-v00","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1721248623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testupdateacsmthreatsagentrulereturnsbadrequestresponse1746633537","updateDate":1746633537526,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"def-000-dnj","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The + AWS CLI utility was executed","enabled":true,"expression":"exec.file.name + == \"aws\"","filters":["os == \"linux\""],"monitoring":["best-practice.policy","threat-detection.policy"],"name":"aws_cli_usage","product_tags":["tactic:TA0002-execution","technique:T1651-cloud-administration-command","policy:best-practice","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-ipl","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + process checked the public IP address of the host","enabled":true,"expression":"connect.addr.hostname + in [\"icanhazip.com\", \"ip-api.com\", \"myip.opendns.com\", \"checkip.amazonaws.com\", + \"whatismyip.akamai.com\"]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"ip_lookup_domain","product_tags":["tactic:TA0007-discovery","technique:T1016-system-network-configuration-discovery","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-b7s","type":"agent_rule","attributes":{"category":"Network + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Kubernetes + DNS enumeration","enabled":true,"expression":"dns.question.name == \"any.any.svc.cluster.local\" + \u0026\u0026 dns.question.type == SRV \u0026\u0026 container.id != \"\"","filters":["os + == 
\"linux\""],"monitoring":["threat-detection.policy"],"name":"kubernetes_dns_enumeration","product_tags":["tactic:TA0007-discovery","technique:T1046-network-service-discovery","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"b68-yq9-x3q","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1733200623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1721248623","updateDate":1721248625000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"q0u-s8m-8pd","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical - system binaries may have been modified","enabled":true,"expression":"(\n (utimes.file.path - in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", - ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1733200622","updateDate":1733200625000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"kyr-sg6-us9","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL + certificates may have been tampered with","enabled":true,"expression":"(\n (chown.file.path + in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/bin/npm\", 
~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \u0026\u0026 - process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os - == \"linux\""],"monitoring":["CWS_DD"],"name":"pci_11_5_critical_binaries_utimes","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-j45","type":"agent_rule","attributes":{"category":"Kernel - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - process is tracing privileged processes or sshd for possible credential dumping","enabled":true,"expression":"(ptrace.request - == PTRACE_PEEKTEXT || ptrace.request == PTRACE_PEEKDATA || ptrace.request - == PTRACE_PEEKUSR) \u0026\u0026 ptrace.tracee.euid == 0 \u0026\u0026 process.comm - not in [\"dlv\", \"dlv-linux-amd64\", \"strace\", \"gdb\", \"lldb-server\"]","filters":["os - == \"linux\""],"monitoring":["CWS_DD"],"name":"sensitive_tracing","product_tags":["tactic:TA0004-privilege-escalation","technique:T1055-process-injection","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-tat","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows - RPC COM debugging registry key modified","enabled":true,"expression":"set.registry.key_path - in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows*\"]","filters":["os - == 
\"windows\""],"monitoring":["CWS_DD"],"name":"windows_com_rpc_debugging_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1112-modify-registry","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"rno-53m-mf3","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714538225000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid + != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n\u0026\u0026 + process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path + != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ + \"runc*\"","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"ssl_certificate_tampering_chown","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-6lj","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"windows + explorer file has been modified","enabled":true,"expression":"write.file.device_path + in [~\"\\Device\\*\\windows\\explorer.exe\"]","filters":["os == 
\"windows\""],"monitoring":["compliance.policy"],"name":"windows_explorer_executable_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-d4w","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + file executed from /dev/shm/ directory","enabled":true,"expression":"exec.file.path + == ~\"/dev/shm/**\"","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"devshm_execution","product_tags":["tactic:TA0005-defense-evasion","technique:T1564-hide-artifacts","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-t06","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"find + command searching for sensitive files","enabled":true,"expression":"exec.comm + == \"find\" \u0026\u0026 exec.args in [~\"*credentials*\"]","filters":["os + == \"linux\""],"monitoring":["threat-detection.policy"],"name":"find_credentials","product_tags":["tactic:TA0006-credential-access","technique:T1552-unsecured-credentials","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"z2v-n54-g9a","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1733661423000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1714538225","updateDate":1714538225000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"zt8-od0-yxu","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1730205424000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1733661422","updateDate":1733661424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"tr5-g9p-4jx","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1734799023000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1730205423","updateDate":1730205424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"97d-p9d-x1d","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714941423000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1734799023","updateDate":1734799025000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"cdy-cvp-oqz","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1728617680000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714941422","updateDate":1714941424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"5ok-zd7-gf9","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1748012897594,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"initial - description","enabled":true,"expression":"open.file.name == \"etc/shadow/password\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"khuiwwlgzk","product_tags":["compliance_framework:HIPAA"],"updateDate":1748012897594,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"tth-j42-vc4","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1732591470000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testjavacreateacsmthreatsagentrulereturnsokresponse1728617679","updateDate":1728617680000,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"ohq-oxe-jb4","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1726883002000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testjavacreateacsmthreatsagentrulereturnsokresponse1732591469","updateDate":1732591470000,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"900-1sj-xhs","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM - may have been modified without 
authorization","enabled":true,"expression":"(\n (unlink.file.path - in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"pam_modification_unlink","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"jbe-827-tq7","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1732768624000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testpythoncreateacsmthreatsagentrulereturnsokresponse1726883002","updateDate":1726883002000,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"uor-lfz-jrm","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1746097917859,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptdeleteacsmthreatsagentrulereturnsokresponse1746097917","updateDate":1746097917859,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"j7w-ifp-raw","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1746702683438,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptdeleteacsmthreatsagentrulereturnsokresponse1746702683","updateDate":1746702683438,"updater":{"name":"CI + 
Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"0yj-grp-cmx","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive + credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (rename.file.path + in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || rename.file.destination.path + in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path + not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", + \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", + \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"monitoring":["compliance.policy"],"name":"credential_modified_rename","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"ogb-clp-hot","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An + unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (chmod.file.path + in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n \u0026\u0026 + process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n) \u0026\u0026 + chmod.file.destination.mode != 
chmod.file.mode\n\u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os + == \"linux\""],"monitoring":["compliance.policy","threat-detection.policy"],"name":"cron_at_job_creation_chmod","product_tags":["tactic:TA0002-execution","technique:T1053-scheduled-task-or-job","policy:threat-detection","policy:compliance"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"zu3-7yi-3w0","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1714696626000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampledeleteacsmthreatsagentrulereturnsokresponse1732768624","updateDate":1732768624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"3xd-vam-hd2","type":"agent_rule","attributes":{"category":"Process + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1714696624","updateDate":1714696626000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"3xd-vam-hd2","type":"agent_rule","attributes":{"category":"Process Activity","creationDate":1730479023000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1730479022","updateDate":1730479024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"def-000-fqm","type":"agent_rule","attributes":{"category":"Process - 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The - whoami command was executed","enabled":true,"expression":"exec.comm == \"whoami\"","filters":["os - == \"linux\""],"monitoring":["CWS_DD"],"name":"exec_whoami","product_tags":["tactic:TA0007-discovery","technique:T1033-system-owner-or-user-discovery","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"b68-yq9-x3q","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1733200623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1730479022","updateDate":1730479024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"def-000-mfu","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + Jupyter notebook executed a shell","enabled":true,"expression":"(exec.file.name + in 
[\"cat\",\"chgrp\",\"chmod\",\"chown\",\"cp\",\"date\",\"dd\",\"df\",\"dir\",\"echo\",\"ln\",\"ls\",\"mkdir\",\"mknod\",\"mktemp\",\"mv\",\"pwd\",\"readlink\",\"rm\",\"rmdir\",\"sleep\",\"stty\",\"sync\",\"touch\",\"uname\",\"vdir\",\"arch\",\"b2sum\",\"base32\",\"base64\",\"basename\",\"chcon\",\"cksum\",\"comm\",\"csplit\",\"cut\",\"dircolors\",\"dirname\",\"du\",\"env\",\"expand\",\"expr\",\"factor\",\"fmt\",\"fold\",\"groups\",\"head\",\"hostid\",\"id\",\"install\",\"join\",\"link\",\"logname\",\"md5sum\",\"textutils\",\"mkfifo\",\"nice\",\"nl\",\"nohup\",\"nproc\",\"numfmt\",\"od\",\"paste\",\"pathchk\",\"pinky\",\"pr\",\"printenv\",\"printf\",\"ptx\",\"realpath\",\"runcon\",\"seq\",\"sha1sum\",\"sha224sum\",\"sha256sum\",\"sha384sum\",\"sha512sum\",\"shred\",\"shuf\",\"sort\",\"split\",\"stat\",\"stdbuf\",\"sum\",\"tac\",\"tail\",\"tee\",\"test\",\"timeout\",\"tr\",\"truncate\",\"tsort\",\"tty\",\"unexpand\",\"uniq\",\"unlink\",\"users\",\"wc\",\"who\",\"whoami\",\"chroot\"] + || exec.file.name in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.name + in [\"dash\",\"sh\",\"static-sh\",\"sh\",\"bash\",\"bash\",\"bash-static\",\"zsh\",\"ash\",\"csh\",\"ksh\",\"tcsh\",\"busybox\",\"busybox\",\"fish\",\"ksh93\",\"rksh\",\"rksh93\",\"lksh\",\"mksh\",\"mksh-static\",\"csharp\",\"posh\",\"rc\",\"sash\",\"yash\",\"zsh5\",\"zsh5-static\"]) + \u0026\u0026 process.ancestors.comm in [\"jupyter-noteboo\", \"jupyter-lab\"]","filters":["os + == \"linux\""],"monitoring":["threat-detection.policy"],"name":"jupyter_shell_execution","product_tags":["tactic:TA0001-initial-access","technique:T1190-exploit-public-facing-application","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-49j","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + known kubernetes pentesting tool has been 
executed","enabled":true,"expression":"(exec.file.name + in [ ~\"python*\" ] \u0026\u0026 (\"KubiScan.py\" in exec.argv || \"kubestriker\" + in exec.argv ) ) || exec.file.name in [ \"kubiscan\",\"kdigger\",\"kube-hunter\",\"rakkess\",\"peirates\",\"kubescape\",\"kubeaudit\",\"kube-linter\",\"stratus\",~\"botb-*\"]","filters":["os + == \"linux\""],"monitoring":["threat-detection.policy"],"name":"offensive_k8s_tool","product_tags":["tactic:TA0007-discovery","technique:T1613-container-and-resource-discovery","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-4y4","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + suspicious bitsadmin command has been executed","enabled":true,"expression":"exec.file.name + == \"bitsadmin.exe\" \u0026\u0026 exec.cmdline in [~\"*addfile*\", ~\"*create*\", + ~\"*resume*\"]","filters":["os == \"windows\""],"monitoring":["threat-detection.policy"],"name":"suspicious_bitsadmin_usage","product_tags":["tactic:TA0011-command-and-control","technique:T1105-ingress-tool-transfer","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"e7g-3t1-hpu","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1716352624000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1733200622","updateDate":1733200625000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"bcc-gqn-ty6","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746443531257,"creator":{"name":"CI 
Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1716352624","updateDate":1716352624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"def-000-m9i","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1753453274000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows + environment variable registry key modified","enabled":true,"expression":"set.registry.key_path + in [~\"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\Environment*\"]","filters":["os + == \"windows\""],"monitoring":["compliance.policy"],"name":"windows_system_enviroment_variable_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-nv0","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The + rclone utility was executed","enabled":true,"expression":"exec.file.name in + [\"rclone\", \"rsync\", \"sftp\", \"ftp\", \"scp\", \"dcp\", \"rcp\"]","filters":["os + == \"linux\""],"monitoring":["threat-detection.policy"],"name":"file_sync_exfil","product_tags":["tactic:TA0010-exfiltration","technique:T1048-exfiltration-over-alternative-protocol","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"f5p-men-xz3","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1735994224000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptgetacsmthreatsagentrulereturnsokresponse1746443531","updateDate":1746443531257,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"sej-11b-ey6","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Potential - Dirty pipe exploitation attempt","enabled":true,"expression":"(splice.pipe_entry_flag - \u0026 PIPE_BUF_FLAG_CAN_MERGE) != 0 \u0026\u0026 (splice.pipe_exit_flag \u0026 - PIPE_BUF_FLAG_CAN_MERGE) == 0 \u0026\u0026 (process.uid != 0 \u0026\u0026 - process.gid != 0)","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"dirty_pipe_attempt","product_tags":["tactic:TA0004-privilege-escalation","technique:T1068-exploitation-for-privilege-escalation","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-9rk","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Local - account groups were enumerated after container start up","enabled":true,"expression":"exec.file.name - in [\"tcpdump\", \"tshark\"]","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"network_sniffing_tool","product_tags":["tactic:TA0007-discovery","technique:T1040-network-sniffing","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"4mc-0xr-vlw","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714264624000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1735994224","updateDate":1735994224000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"xjd-huv-ice","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1746611612739,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1714264624","updateDate":1714264624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"9wz-mgt-zkp","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715546226000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testupdateacsmthreatsagentrulereturnsokresponse1746611612","updateDate":1746611612739,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"5t3-iiv-rv5","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + kernel module was loaded","enabled":true,"expression":"load_module.loaded_from_memory + == false \u0026\u0026 load_module.name not in [\"nf_tables\", \"iptable_filter\", + \"ip6table_filter\", \"bpfilter\", \"ip6_tables\", \"ip6table_nat\", \"nf_reject_ipv4\", + \"ipt_REJECT\", \"iptable_raw\", \"udp_diag\", \"inet_diag\"] \u0026\u0026 + process.ancestors.file.name not in [~\"falcon*\", \"unattended-upgrade\", + \"apt.systemd.daily\", \"xtables-legacy-multi\", \"ssm-agent-worker\"]","filters":["os + == 
\"linux\""],"monitoring":["threat-detection.policy"],"name":"kernel_module_load","product_tags":["tactic:TA0003-persistence","tactic:TA0040-impact","tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","technique:T1496-resource-hijacking","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"a52-req-ghm","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Exfiltration + attempt via network utility","enabled":true,"expression":"exec.comm in [\"wget\", + \"curl\", \"lwp-download\"] \u0026\u0026\nexec.args_options in [ ~\"post-file=*\", + ~\"post-data=*\", ~\"T=*\", ~\"d=@*\", ~\"upload-file=*\", ~\"F=file*\"] \u0026\u0026\nexec.args + not in [~\"*localhost*\", ~\"*127.0.0.1*\"]","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"net_util_exfiltration","product_tags":["tactic:TA0010-exfiltration","technique:T1048-exfiltration-over-alternative-protocol","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"bwj-n0m-ut5","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1714653425000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1715546226","updateDate":1715546226000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"j7w-ifp-raw","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1746702683438,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1714653424","updateDate":1714653425000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"xh4-cv2-cfa","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1719031023000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptdeleteacsmthreatsagentrulereturnsokresponse1746702683","updateDate":1746702683438,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"def-000-6jw","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process - environment variables match cryptocurrency miner","enabled":true,"expression":"exec.envs - in [\"POOL_USER\", \"POOL_URL\", \"POOL_PASS\", \"DONATE_LEVEL\"]","filters":["os - == \"linux\""],"monitoring":["CWS_DD"],"name":"cryptominer_envs","product_tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"mcv-y5o-zg5","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An - unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (link.file.path - in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"]\n || - link.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", - ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", - \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", - \"/usr/bin/dpkg\", 
\"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", - \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"cron_at_job_creation_link","product_tags":["tactic:TA0002-execution","technique:T1053-scheduled-task-or-job","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-gqa","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows - boot registry key modified","enabled":true,"expression":"set.registry.key_path - in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\IniFileMapping\\SYSTEM.ini\\boot*\"]","filters":["os - == \"windows\""],"monitoring":["CWS_DD"],"name":"windows_boot_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1112-modify-registry","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-jed","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows - registry hives file location key modified","enabled":true,"expression":"set.registry.key_path - in [~\"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\hivelist*\"]","filters":["os - == \"windows\""],"monitoring":["CWS_DD"],"name":"registry_hives_file_path_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1112-modify-registry","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-18q","type":"agent_rule","attributes":{"category":"Process - 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Tar - archive created","enabled":true,"expression":"exec.file.path == \"/usr/bin/tar\" - \u0026\u0026 exec.args_flags in [\"create\",\"c\"]","filters":["os == \"linux\""],"monitoring":["CWS_DD"],"name":"tar_execution","product_tags":["tactic:TA0009-collection","technique:T1560-archive-collected-data","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"kbx-ylg-k86","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1734597423000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1719031022","updateDate":1719031024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"fry-rzn-glo","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1748012434322,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"initial + description","enabled":true,"expression":"open.file.name == \"etc/shadow/password\"","filters":["os + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"obtppsoxzh","product_tags":["compliance_framework:HIPAA"],"updateDate":1748012434322,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"ctc-pux-luh","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1737951387000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"Test Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1734597422","updateDate":1734597424000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"def-000-vqm","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - scheduled task was created","enabled":true,"expression":"exec.cmdline in [~\"*at.exe\",~\"*schtasks*\"] - \u0026\u0026 exec.cmdline =~ \"*create*\"","filters":["os == \"windows\""],"monitoring":["CWS_DD"],"name":"scheduled_task_creation","product_tags":["tactic:TA0003-persistence","technique:T1053-scheduled-task-or-job","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"ehh-ypb-9pl","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - compiler was executed inside of a container","enabled":true,"expression":"(exec.comm - in [\"javac\", \"clang\", \"gcc\", \"bcc\"] || exec.file.name in [\"javac\", - \"clang\", \"gcc\", \"bcc\"] || (exec.file.name == \"go\" \u0026\u0026 exec.args - in [~\"*build*\", ~\"*run*\"])) \u0026\u0026 container.id !=\"\" \u0026\u0026 - process.ancestors.file.path != \"/usr/bin/cilium-agent\"","filters":["os == - \"linux\""],"monitoring":["CWS_DD"],"name":"compiler_in_container","product_tags":["tactic:TA0005-defense-evasion","technique:T1027-obfuscated-files-or-information","policy:best-practice","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"a66-2qy-xwe","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1733128623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test + == 
\"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"testtypescriptupdateacsmthreatsagentrulereturnsokresponse1737951387","updateDate":1737951389000,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"def-000-h1x","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + container management socket was referenced in a cURL command","enabled":true,"expression":"exec.file.name + == \"curl\" \u0026\u0026 exec.args_flags in [\"unix-socket\"] \u0026\u0026 + exec.args in [~\"*docker.sock*\", ~\"*dockershim.sock*\", ~\"*containerd.sock*\", + ~\"*crio.sock*\", ~\"*frakti.sock*\", ~\"*rktlet.sock*\"] \u0026\u0026 container.id + != \"\"","filters":["os == \"linux\""],"monitoring":["threat-detection.policy"],"name":"curl_mgmt_socket","product_tags":["tactic:TA0007-discovery","technique:T1613-container-and-resource-discovery","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"w0z-64n-bss","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + network utility was executed in a container","enabled":true,"expression":"(exec.comm + in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] + ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) \u0026\u0026\ncontainer.id + != \"\" \u0026\u0026 exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", + ~\"*motd.ubuntu.com*\" ]","filters":["os == 
\"linux\""],"monitoring":["threat-detection.policy"],"name":"net_util_in_container","product_tags":["tactic:TA0011-command-and-control","technique:T1105-ingress-tool-transfer","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-fsq","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + cryptominer was potentially executed","enabled":true,"expression":"exec.cmdline + in [~\"*cpu-priority*\", ~\"*donate-level*\", ~\"*randomx-1gb-pages*\", ~\"*stratum+tcp*\", + ~\"*stratum+ssl*\", ~\"*stratum1+tcp*\", ~\"*stratum1+ssl*\", ~\"*stratum2+tcp*\", + ~\"*stratum2+ssl*\", ~\"*nicehash*\", ~\"*yespower*\"]","filters":["os == + \"windows\""],"monitoring":["threat-detection.policy"],"name":"windows_cryptominer_process","product_tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}},{"id":"nco-423-hiu","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1733531824000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1733128622","updateDate":1733128625000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"yjj-o5q-x00","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - service may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path - in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" - ])\n \u0026\u0026 process.file.path not in 
[~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os - == \"linux\""],"monitoring":["CWS_DD"],"name":"systemd_modification_utimes","product_tags":["tactic:TA0002-execution","technique:T1569-system-services","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}}]}' + == \"linux\""],"monitoring":["CWS_CUSTOM-canary"],"name":"examplegetacsmthreatsagentrulereturnsokresponse1733531824","updateDate":1733531824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"def-000-bus","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1754579371000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The + executable bit was added to a newly created file","enabled":true,"expression":"chmod.file.in_upper_layer + \u0026\u0026\nchmod.file.change_time \u003c 30s \u0026\u0026\ncontainer.id + != \"\" \u0026\u0026\nchmod.file.destination.mode != chmod.file.mode \u0026\u0026\nchmod.file.destination.mode + \u0026 S_IXUSR|S_IXGRP|S_IXOTH \u003e 0 \u0026\u0026\nprocess.argv in [\"+x\"]","filters":["os + == \"linux\""],"monitoring":["threat-detection.policy"],"name":"executable_bit_added","product_tags":["tactic:TA0005-defense-evasion","technique:T1222-file-and-directory-permissions-modification","policy:threat-detection"],"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""}}}]}' headers: Content-Type: - application/json diff --git a/cassettes/features/v2/csm_threats/Get-all-Workload-Protection-policies-returns-OK-response.frozen b/cassettes/features/v2/csm_threats/Get-all-Workload-Protection-policies-returns-OK-response.frozen index ceabe116efcd..c74022f8cce6 100644 --- a/cassettes/features/v2/csm_threats/Get-all-Workload-Protection-policies-returns-OK-response.frozen 
+++ b/cassettes/features/v2/csm_threats/Get-all-Workload-Protection-policies-returns-OK-response.frozen
@@ -1 +1 @@
-2025-05-27T10:25:16.741Z
\ No newline at end of file
+2025-10-10T15:21:24.672Z
\ No newline at end of file
diff --git a/cassettes/features/v2/csm_threats/Get-all-Workload-Protection-policies-returns-OK-response.yml b/cassettes/features/v2/csm_threats/Get-all-Workload-Protection-policies-returns-OK-response.yml
index 5728fc1b7f36..2dbd7b2bff93 100644
--- a/cassettes/features/v2/csm_threats/Get-all-Workload-Protection-policies-returns-OK-response.yml
+++ b/cassettes/features/v2/csm_threats/Get-all-Workload-Protection-policies-returns-OK-response.yml
@@ -1,5 +1,5 @@
 http_interactions:
-- recorded_at: Tue, 27 May 2025 10:25:16 GMT
+- recorded_at: Fri, 10 Oct 2025 15:21:24 GMT
 request:
 body: null
 headers:
@@ -10,17 +10,167 @@ http_interactions: response: body: encoding: UTF-8 - string: '{"data":[{"id":"tq0-tji-i5m","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"exampledeleteacsmthreatsagentrulereturnsokresponse1747597121","policyVersion":"3","priority":1000000010,"ruleCount":226,"updateDate":1747597121931,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"flw-lrk-xzo","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"exampledeleteacsmthreatsagentrulereturnsokresponse1747539521","policyVersion":"3","priority":1000000009,"ruleCount":226,"updateDate":1747539521946,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"bod-mnz-hk1","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"exampledeleteacsmthreatsagentrulereturnsokresponse1747525121","policyVersion":"3","priority":1000000008,"ruleCount":226,"updateDate":1747525122007,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"hxv-ezx-44x","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"exampledeleteacsmthreatsagentrulereturnsokresponse1747481921","policyVersion":"3","priority":1000000007,"ruleCount":226,"updateDate":1747481921965,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"ahl-zxe-fbg","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent 
policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"exampledeleteacsmthreatsagentrulereturnsokresponse1747467521","policyVersion":"3","priority":1000000006,"ruleCount":226,"updateDate":1747467521937,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"d1j-pkc-rhm","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"exampledeleteacsmthreatsagentrulereturnsokresponse1747453121","policyVersion":"3","priority":1000000005,"ruleCount":226,"updateDate":1747453121950,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"qve-9uc-uih","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"exampledeleteacsmthreatsagentrulereturnsokresponse1747438721","policyVersion":"3","priority":1000000004,"ruleCount":226,"updateDate":1747438721983,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"gwd-neb-qml","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"exampledeleteacsmthreatsagentrulereturnsokresponse1747424321","policyVersion":"3","priority":1000000003,"ruleCount":226,"updateDate":1747424321971,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"CWS_CUSTOM-canary","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"disabledRulesCount":2,"enabled":false,"monitoringRulesCount":496,"name":"Canary - Custom 
Policy","policyVersion":"58298","priority":1000000002,"ruleCount":498,"updateDate":1748012897594,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"CWS_DD","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":true,"disabledRulesCount":1,"enabled":true,"monitoringRulesCount":225,"name":"Datadog - Managed Policy","policyVersion":"1.43.0-rc80","priority":0,"ruleCount":226,"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}}]}' + string: '{"data":[{"id":"0qm-ldp-cdh","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptcreateaworkloadprotectionagentrulewithsetactionreturnsokresponse1759403557","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759403557986,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"1fg-gur-iug","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptcreateaworkloadprotectionagentrulewithsetactionreturnsokresponse1759921987","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759921988117,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"1ur-zhi-a34","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptupdateaworkloadprotectionpolicyreturnsokresponse1759922005","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759922005241,"updater":{"name":"CI + 
Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"2gb-saj-ohv","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptgetaworkloadprotectionpolicyreturnsokresponse1760008346","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1760008346802,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"3fz-wlp-u1m","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptupdateaworkloadprotectionagentrulereturnsbadrequestresponse1760094706","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1760094706697,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"4ul-ae4-a5f","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptupdateaworkloadprotectionagentrulereturnsnotfoundresponse1759403571","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759403572006,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"5eu-zrh-6qz","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptupdateaworkloadprotectionpolicyreturnsbadrequestresponse1759490000","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759490000789,"updater":{"name":"CI + 
Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"5mk-9fs-vob","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptupdateaworkloadprotectionpolicyreturnsbadrequestresponse1760008353","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1760008353149,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"61r-pdn-owk","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptcreateaworkloadprotectionagentrulereturnsokresponse1760094693","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1760094693430,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"7af-oqj-hw9","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptupdateaworkloadprotectionagentrulereturnsnotfoundresponse1760008352","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1760008352502,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"8dd-bbq-42y","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptupdateaworkloadprotectionpolicyreturnsbadrequestresponse1759749059","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759749059897,"updater":{"name":"CI + 
Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"8hx-gox-gxc","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:test"]],"monitoringRulesCount":0,"name":"my_agent_policy","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1760094695038,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"8ne-d1b-bqa","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptupdateaworkloadprotectionagentrulereturnsbadrequestresponse1759489998","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759489999185,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"8pd-3pm-ozt","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptgetaworkloadprotectionpolicyreturnsokresponse1760094701","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1760094702060,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"9id-zf7-nsz","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptgetaworkloadprotectionagentrulereturnsokresponse1760008345","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1760008345581,"updater":{"name":"CI + 
Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"CWS_CUSTOM-canary","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"disabledRulesCount":1,"enabled":false,"monitoringRulesCount":271,"name":"Canary + Custom Policy","pinned":false,"policyVersion":"58422","ruleCount":272,"updateDate":1748012897594,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"afj-civ-fqh","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptdeleteaworkloadprotectionpolicyreturnsokresponse1759489986","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759489986782,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"aor-qrj-scv","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptdeleteaworkloadprotectionagentrulereturnsokresponse1760008341","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1760008341344,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"b4s-j9s-ox7","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptdeleteaworkloadprotectionagentrulereturnsokresponse1760094695","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1760094696071,"updater":{"name":"CI + 
Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"best-practice.policy","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":true,"disabledRulesCount":1,"enabled":true,"monitoringRulesCount":7,"name":"Best-practice + Policy","pinned":false,"policyVersion":"1.51.0-rc3","ruleCount":8,"updateDate":1752506673000,"updater":{"name":"Datadog","handle":""},"versions":[{"Name":"1.47.0-rc2","Date":"2025-06-03T15:29:24Z"},{"Name":"1.51.0-rc3","Date":"2025-07-14T15:24:33Z"}]}},{"id":"bos-hym-c0i","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptdeleteaworkloadprotectionpolicyreturnsokresponse1760094697","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1760094697533,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"bqw-jt8-7kf","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptcreateaworkloadprotectionagentrulewithsetactionreturnsokresponse1759835455","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759835455739,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"bzv-8ti-3kq","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptdeleteaworkloadprotectionagentrulereturnsokresponse1759835457","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759835457099,"updater":{"name":"CI + 
Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"compliance.policy","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":true,"disabledRulesCount":0,"enabled":true,"monitoringRulesCount":90,"name":"Compliance + Policy","pinned":false,"policyVersion":"1.53.0-rc4","ruleCount":90,"updateDate":1753453274000,"updater":{"name":"Datadog","handle":""},"versions":[{"Name":"1.47.0-rc2","Date":"2025-06-03T15:29:24Z"},{"Name":"1.53.0-rc4","Date":"2025-07-25T14:21:14Z"}]}},{"id":"coq-c5l-xug","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptupdateaworkloadprotectionpolicyreturnsbadrequestresponse1760094708","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1760094708291,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"ctp-dsz-se5","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptcreateaworkloadprotectionagentrulereturnsokresponse1759489982","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759489982758,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"dkv-ks4-cf0","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptdeleteaworkloadprotectionpolicyreturnsokresponse1759403561","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759403561834,"updater":{"name":"CI + 
Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"dlo-tpx-c6i","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptcreateaworkloadprotectionagentrulereturnsbadrequestresponse1759403556","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759403556615,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"drb-olr-ypa","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptupdateaworkloadprotectionagentrulereturnsnotfoundresponse1759489999","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759490000070,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"dzg-8nn-q5y","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptupdateaworkloadprotectionpolicyreturnsokresponse1759749060","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759749060698,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"eki-ric-rep","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptgetaworkloadprotectionpolicyreturnsokresponse1759921996","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759921996722,"updater":{"name":"CI + 
Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"eti-zze-wf9","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptcreateaworkloadprotectionagentrulereturnsokresponse1759921987","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759921987345,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"exd-abb-4ag","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptgetaworkloadprotectionpolicyreturnsokresponse1759489993","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759489993978,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"fuu-xha-kon","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptgetaworkloadprotectionagentrulereturnsokresponse1759835460","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759835460627,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"fw7-twr-i4q","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptdeleteaworkloadprotectionpolicyreturnsokresponse1759749051","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759749051417,"updater":{"name":"CI + 
Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"gpd-fh3-lx9","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptupdateaworkloadprotectionagentrulereturnsbadrequestresponse1759403571","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759403571251,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"gsv-uce-7tb","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptcreateaworkloadprotectionagentrulewithsetactionreturnsokresponse1760094694","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1760094694204,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"h4c-iqu-bmb","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptupdateaworkloadprotectionagentrulereturnsbadrequestresponse1759749058","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759749058798,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"hav-jsh-x4g","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptcreateaworkloadprotectionagentrulereturnsbadrequestresponse1759489981","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759489982035,"updater":{"name":"CI + 
Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"hc6-pw9-vyl","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptcreateaworkloadprotectionagentrulereturnsokresponse1759835455","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759835455277,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"hdv-v2h-b57","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptdeleteaworkloadprotectionagentrulereturnsokresponse1759921990","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759921990318,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"ic4-3pt-11g","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptdeleteaworkloadprotectionagentrulereturnsokresponse1759403560","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759403560298,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"ieh-pvl-oao","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptcreateaworkloadprotectionagentrulereturnsokresponse1759403557","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759403557227,"updater":{"name":"CI + 
Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"j2v-vgf-aso","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptupdateaworkloadprotectionagentrulereturnsnotfoundresponse1759922003","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759922003235,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"j8d-3z6-sij","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptupdateaworkloadprotectionpolicyreturnsokresponse1759403573","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759403573915,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"jmy-eqd-9pe","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptdeleteaworkloadprotectionagentrulereturnsokresponse1759489985","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759489985611,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"kjg-r0g-o0o","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptupdateaworkloadprotectionagentrulereturnsbadrequestresponse1759922002","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759922002498,"updater":{"name":"CI + 
Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"kvl-3dk-tdr","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptgetaworkloadprotectionagentrulereturnsokresponse1759403565","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759403565216,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"lav-guj-ax5","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptgetaworkloadprotectionpolicyreturnsokresponse1759835461","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759835461422,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"m4e-nsj-ebv","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptupdateaworkloadprotectionagentrulereturnsnotfoundresponse1759749059","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759749059418,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"m9x-wbv-8zz","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptdeleteaworkloadprotectionpolicyreturnsokresponse1760008342","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1760008342470,"updater":{"name":"CI + 
Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"mf0-fhj-cdf","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptupdateaworkloadprotectionagentrulereturnsnotfoundresponse1760094707","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1760094707394,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"nck-dsm-imm","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptcreateaworkloadprotectionagentrulewithsetactionreturnsokresponse1760008339","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1760008339556,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"nzs-doa-1ky","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptgetaworkloadprotectionagentrulereturnsokresponse1759921995","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759921995444,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"oo1-wfe-kb4","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptcreateaworkloadprotectionagentrulereturnsbadrequestresponse1760008337","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1760008337724,"updater":{"name":"CI + 
Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"p6w-rwc-iwd","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptupdateaworkloadprotectionpolicyreturnsokresponse1759490001","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759490002034,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"pgt-jx3-wnu","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptupdateaworkloadprotectionpolicyreturnsbadrequestresponse1759835466","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759835466538,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"plv-krt-ysp","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptdeleteaworkloadprotectionpolicyreturnsokresponse1759921991","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759921991797,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"py6-pbq-w5x","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptgetaworkloadprotectionagentrulereturnsokresponse1760094700","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1760094700657,"updater":{"name":"CI + 
Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"quf-26f-nei","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptupdateaworkloadprotectionpolicyreturnsokresponse1759835467","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759835467806,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"qv0-gwh-t0d","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptgetaworkloadprotectionagentrulereturnsokresponse1759489992","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759489992557,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"rdz-vx2-obu","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptupdateaworkloadprotectionpolicyreturnsbadrequestresponse1759403572","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759403572677,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"rig-pjz-aas","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptdeleteaworkloadprotectionagentrulereturnsokresponse1759749050","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759749050580,"updater":{"name":"CI + 
Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"rl9-j23-rlg","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptgetaworkloadprotectionagentrulereturnsokresponse1759749053","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759749053515,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"ruo-9zv-ciy","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptdeleteaworkloadprotectionpolicyreturnsokresponse1759835457","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759835457860,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"s6u-r7b-aux","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptcreateaworkloadprotectionagentrulereturnsokresponse1759749048","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759749048821,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"ss5-mzk-2y7","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptgetaworkloadprotectionpolicyreturnsokresponse1759749054","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759749054295,"updater":{"name":"CI + 
Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"swe-pri-c1b","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptupdateaworkloadprotectionagentrulereturnsnotfoundresponse1759835465","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759835465933,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"t3p-mv9-ph6","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptcreateaworkloadprotectionagentrulereturnsbadrequestresponse1760094692","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1760094692801,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"threat-detection.policy","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":true,"disabledRulesCount":0,"enabled":true,"monitoringRulesCount":188,"name":"Threat-detection + Policy","pinned":false,"policyVersion":"1.54.0-rc9","ruleCount":188,"updateDate":1754579371000,"updater":{"name":"Datadog","handle":""},"versions":[{"Name":"1.47.1-rc3","Date":"2025-06-11T18:19:50Z"},{"Name":"1.53.0-rc8","Date":"2025-07-25T14:21:14Z"},{"Name":"1.54.0-rc9","Date":"2025-08-07T15:09:31Z"}]}},{"id":"tv4-pid-5av","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptupdateaworkloadprotectionpolicyreturnsokresponse1760008354","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1760008354262,"updater":{"name":"CI + 
Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"u44-skd-fga","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptcreateaworkloadprotectionagentrulewithsetactionreturnsokresponse1759489983","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759489983520,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"vh0-exp-zlb","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptcreateaworkloadprotectionagentrulewithsetactionreturnsokresponse1759749049","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759749049301,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"w0q-xbc-gfe","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptupdateaworkloadprotectionagentrulereturnsbadrequestresponse1759835465","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759835465396,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"wbs-o5r-jsf","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptcreateaworkloadprotectionagentrulereturnsokresponse1760008338","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1760008338651,"updater":{"name":"CI + 
Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"wpz-e8h-wft","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptcreateaworkloadprotectionagentrulereturnsbadrequestresponse1759921986","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759921986620,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"wq9-liw-r3n","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptupdateaworkloadprotectionpolicyreturnsbadrequestresponse1759922003","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759922003973,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"xjb-scd-ssk","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptupdateaworkloadprotectionagentrulereturnsbadrequestresponse1760008351","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1760008351818,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"yid-2ax-jdx","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptcreateaworkloadprotectionagentrulereturnsbadrequestresponse1759749048","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759749048149,"updater":{"name":"CI + 
Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"yx3-nvm-0sf","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptcreateaworkloadprotectionagentrulereturnsbadrequestresponse1759835454","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759835454464,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"z2g-22x-8fl","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptupdateaworkloadprotectionpolicyreturnsokresponse1760094709","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1760094709498,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"zal-0mi-lzp","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":0,"name":"testtypescriptgetaworkloadprotectionpolicyreturnsokresponse1759403566","pinned":false,"policyVersion":"1","ruleCount":0,"updateDate":1759403566325,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}}]}' headers: Content-Type: - application/json diff --git a/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-agent-rule-returns-Bad-Request-response.frozen b/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-agent-rule-returns-Bad-Request-response.frozen index 682f302b0fec..c3b0e27af6e1 100644 --- a/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-agent-rule-returns-Bad-Request-response.frozen 
+++ b/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-agent-rule-returns-Bad-Request-response.frozen
@@ -1 +1 @@
-2025-06-13T15:16:28.583Z
\ No newline at end of file
+2025-10-10T15:21:25.356Z
\ No newline at end of file
diff --git a/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-agent-rule-returns-Bad-Request-response.yml b/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-agent-rule-returns-Bad-Request-response.yml
index 61a45ee8194e..ae70a191ef22 100644
--- a/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-agent-rule-returns-Bad-Request-response.yml
+++ b/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-agent-rule-returns-Bad-Request-response.yml
@@ -1,9 +1,9 @@
http_interactions:
-- recorded_at: Fri, 13 Jun 2025 15:16:28 GMT
+- recorded_at: Fri, 10 Oct 2025 15:21:25 GMT
request:
body:
encoding: UTF-8
- string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testupdateaworkloadprotectionagentrulereturnsbadrequestresponse1749827788"},"type":"policy"}}'
+ string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testupdateaworkloadprotectionagentrulereturnsbadrequestresponse1760109685"},"type":"policy"}}'
headers:
Accept:
- application/json
@@ -14,20 +14,20 @@ http_interactions: response: body: encoding: UTF-8 - string: '{"data":{"id":"fuv-zyk-wli","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"testupdateaworkloadprotectionagentrulereturnsbadrequestresponse1749827788","policyVersion":"1","priority":1000000013,"ruleCount":226,"updateDate":1749827789001,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' + string: '{"data":{"id":"ipm-pga-f7v","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":1,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":7,"name":"testupdateaworkloadprotectionagentrulereturnsbadrequestresponse1760109685","pinned":false,"policyVersion":"1","ruleCount":8,"updateDate":1760109685700,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' headers: Content-Type: - application/json status: code: 200 message: OK -- recorded_at: Fri, 13 Jun 2025 15:16:28 GMT +- recorded_at: Fri, 10 Oct 2025 15:21:25 GMT request: body: encoding: UTF-8 string: '{"data":{"attributes":{"actions":[{"set":{"name":"test_set","scope":"process","value":"test_value"}},{"hash":{}}],"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","name":"testupdateaworkloadprotectionagentrulereturnsbadrequestresponse1749827788","policy_id":"fuv-zyk-wli","product_tags":["security:attack","technique:T1059"]},"type":"agent_rule"}}' + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","name":"testupdateaworkloadprotectionagentrulereturnsbadrequestresponse1760109685","policy_id":"ipm-pga-f7v","product_tags":["security:attack","technique:T1059"]},"type":"agent_rule"}}' headers: Accept: - application/json 
@@ -38,29 +38,29 @@ http_interactions: response: body: encoding: UTF-8 - string: '{"data":{"id":"f8u-th8-0er","type":"agent_rule","attributes":{"actions":[{"set":{"name":"test_set","value":"test_value","scope":"process"},"disabled":false},{"hash":{},"disabled":false}],"category":"Process - Activity","creationDate":1749827789457,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My + string: '{"data":{"id":"eqm-2k6-tav","type":"agent_rule","attributes":{"actions":[{"set":{"name":"test_set","value":"test_value","scope":"process","inherited":false},"disabled":false},{"hash":{},"disabled":false}],"category":"Process + Activity","creationDate":1760109686541,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"monitoring":["fuv-zyk-wli"],"name":"testupdateaworkloadprotectionagentrulereturnsbadrequestresponse1749827788","product_tags":["security:attack","technique:T1059"],"updateDate":1749827789457,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' + == \"linux\""],"monitoring":["ipm-pga-f7v"],"name":"testupdateaworkloadprotectionagentrulereturnsbadrequestresponse1760109685","product_tags":["security:attack","technique:T1059"],"updateDate":1760109686541,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' headers: Content-Type: - application/json status: code: 200 message: OK -- recorded_at: Fri, 13 Jun 2025 15:16:28 GMT +- recorded_at: Fri, 10 Oct 2025 15:21:25 GMT request: body: encoding: UTF-8 string: '{"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name - == \"sh\"","policy_id":"fuv-zyk-wli","product_tags":[]},"id":"invalid-agent-rule-id","type":"agent_rule"}}' + == \"sh\"","policy_id":"ipm-pga-f7v","product_tags":[]},"id":"invalid-agent-rule-id","type":"agent_rule"}}' headers: Accept: - application/json Content-Type: - 
application/json method: PATCH - uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/f8u-th8-0er + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/eqm-2k6-tav response: body: encoding: UTF-8 @@ -73,14 +73,14 @@ http_interactions: status: code: 400 message: Bad Request -- recorded_at: Fri, 13 Jun 2025 15:16:28 GMT +- recorded_at: Fri, 10 Oct 2025 15:21:25 GMT request: body: null headers: Accept: - '*/*' method: DELETE - uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/f8u-th8-0er + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/eqm-2k6-tav response: body: encoding: UTF-8 @@ -91,14 +91,14 @@ http_interactions: status: code: 204 message: No Content -- recorded_at: Fri, 13 Jun 2025 15:16:28 GMT +- recorded_at: Fri, 10 Oct 2025 15:21:25 GMT request: body: null headers: Accept: - '*/*' method: DELETE - uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/fuv-zyk-wli + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/ipm-pga-f7v response: body: encoding: UTF-8 diff --git a/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-agent-rule-returns-Not-Found-response.frozen b/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-agent-rule-returns-Not-Found-response.frozen index 449fb397a29e..3b744c66e827 100644 --- a/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-agent-rule-returns-Not-Found-response.frozen +++ b/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-agent-rule-returns-Not-Found-response.frozen @@ -1 +1 @@ -2025-05-27T10:25:20.364Z \ No newline at end of file +2025-10-10T15:21:29.350Z \ No newline at end of file 
diff --git a/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-agent-rule-returns-Not-Found-response.yml b/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-agent-rule-returns-Not-Found-response.yml index 51f241d32278..e7ddbd57878d 100644 --- a/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-agent-rule-returns-Not-Found-response.yml +++ b/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-agent-rule-returns-Not-Found-response.yml @@ -1,9 +1,9 @@ http_interactions: -- recorded_at: Tue, 27 May 2025 10:25:20 GMT +- recorded_at: Fri, 10 Oct 2025 15:21:29 GMT request: body: encoding: UTF-8 - string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testupdateaworkloadprotectionagentrulereturnsnotfoundresponse1748341520"},"type":"policy"}}' + string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testupdateaworkloadprotectionagentrulereturnsnotfoundresponse1760109689"},"type":"policy"}}' headers: Accept: - application/json 
@@ -14,20 +14,20 @@ http_interactions: response: body: encoding: UTF-8 - string: '{"data":{"id":"tox-zep-tvj","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"testupdateaworkloadprotectionagentrulereturnsnotfoundresponse1748341520","policyVersion":"1","priority":1000000011,"ruleCount":226,"updateDate":1748341520649,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' + string: '{"data":{"id":"o6h-d6x-6ed","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":1,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":7,"name":"testupdateaworkloadprotectionagentrulereturnsnotfoundresponse1760109689","pinned":false,"policyVersion":"1","ruleCount":8,"updateDate":1760109689734,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' headers: Content-Type: - application/json status: code: 200 message: OK -- recorded_at: Tue, 27 May 2025 10:25:20 GMT +- recorded_at: Fri, 10 Oct 2025 15:21:29 GMT request: body: encoding: UTF-8 string: '{"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name - == \"sh\"","policy_id":"tox-zep-tvj","product_tags":[]},"id":"non-existent-rule-id","type":"agent_rule"}}' + == \"sh\"","policy_id":"o6h-d6x-6ed","product_tags":[]},"id":"non-existent-rule-id","type":"agent_rule"}}' headers: Accept: - application/json @@ -47,14 +47,14 @@ http_interactions: status: code: 404 message: Not Found -- recorded_at: Tue, 27 May 2025 10:25:20 GMT +- recorded_at: Fri, 10 Oct 2025 15:21:29 GMT request: body: null headers: Accept: - '*/*' method: DELETE - uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/tox-zep-tvj + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/o6h-d6x-6ed response: body: encoding: UTF-8 
diff --git a/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-policy-returns-Bad-Request-response.frozen b/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-policy-returns-Bad-Request-response.frozen index 3fc8d9474e70..3eeac850d22c 100644 --- a/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-policy-returns-Bad-Request-response.frozen +++ b/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-policy-returns-Bad-Request-response.frozen @@ -1 +1 @@ -2025-05-27T10:25:22.099Z \ No newline at end of file +2025-10-10T15:21:31.894Z \ No newline at end of file diff --git a/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-policy-returns-Bad-Request-response.yml b/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-policy-returns-Bad-Request-response.yml index dde272b81f66..57ef1e0abb43 100644 --- a/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-policy-returns-Bad-Request-response.yml +++ b/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-policy-returns-Bad-Request-response.yml @@ -1,9 +1,9 @@ http_interactions: -- recorded_at: Tue, 27 May 2025 10:25:22 GMT +- recorded_at: Fri, 10 Oct 2025 15:21:31 GMT request: body: encoding: UTF-8 - string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testupdateaworkloadprotectionpolicyreturnsbadrequestresponse1748341522"},"type":"policy"}}' + string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testupdateaworkloadprotectionpolicyreturnsbadrequestresponse1760109691"},"type":"policy"}}' headers: Accept: - application/json 
@@ -14,26 +14,26 @@ http_interactions: response: body: encoding: UTF-8 - string: '{"data":{"id":"ihh-rif-yh3","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"testupdateaworkloadprotectionpolicyreturnsbadrequestresponse1748341522","policyVersion":"1","priority":1000000011,"ruleCount":226,"updateDate":1748341522393,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' + string: '{"data":{"id":"wun-ynf-q3m","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":1,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":7,"name":"testupdateaworkloadprotectionpolicyreturnsbadrequestresponse1760109691","pinned":false,"policyVersion":"1","ruleCount":8,"updateDate":1760109692276,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' headers: Content-Type: - application/json status: code: 200 message: OK -- recorded_at: Tue, 27 May 2025 10:25:22 GMT +- recorded_at: Fri, 10 Oct 2025 15:21:31 GMT request: body: encoding: UTF-8 - string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:test"],"hostTagsLists":[["env:test"]],"name":""},"id":"ihh-rif-yh3","type":"policy"}}' + string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:test"],"hostTagsLists":[["env:test"]],"name":""},"id":"wun-ynf-q3m","type":"policy"}}' headers: Accept: - application/json Content-Type: - application/json method: PATCH - uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/ihh-rif-yh3 + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/wun-ynf-q3m response: body: encoding: UTF-8 
@@ -45,14 +45,14 @@ http_interactions: status: code: 400 message: Bad Request -- recorded_at: Tue, 27 May 2025 10:25:22 GMT +- recorded_at: Fri, 10 Oct 2025 15:21:31 GMT request: body: null headers: Accept: - '*/*' method: DELETE - uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/ihh-rif-yh3 + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/wun-ynf-q3m response: body: encoding: UTF-8 diff --git a/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-policy-returns-Not-Found-response.frozen b/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-policy-returns-Not-Found-response.frozen index f01fbde9f203..95841c391b77 100644 --- a/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-policy-returns-Not-Found-response.frozen +++ b/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-policy-returns-Not-Found-response.frozen @@ -1 +1 @@ -2025-05-27T10:25:23.729Z \ No newline at end of file +2025-10-10T15:21:34.620Z \ No newline at end of file diff --git a/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-policy-returns-Not-Found-response.yml b/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-policy-returns-Not-Found-response.yml index 707ef1358881..d8ce8ee1c78f 100644 --- a/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-policy-returns-Not-Found-response.yml +++ b/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-policy-returns-Not-Found-response.yml @@ -1,5 +1,5 @@ http_interactions: -- recorded_at: Tue, 27 May 2025 10:25:23 GMT +- recorded_at: Fri, 10 Oct 2025 15:21:34 GMT request: body: encoding: UTF-8 diff --git a/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-policy-returns-OK-response.frozen b/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-policy-returns-OK-response.frozen index e2c575ad1f91..e3979f2e798f 100644 
--- a/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-policy-returns-OK-response.frozen +++ b/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-policy-returns-OK-response.frozen @@ -1 +1 @@ -2025-05-27T10:25:24.176Z \ No newline at end of file +2025-10-10T15:21:35.321Z \ No newline at end of file diff --git a/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-policy-returns-OK-response.yml b/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-policy-returns-OK-response.yml index 9998aee19387..9855d7062187 100644 --- a/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-policy-returns-OK-response.yml +++ b/cassettes/features/v2/csm_threats/Update-a-Workload-Protection-policy-returns-OK-response.yml @@ -1,9 +1,9 @@ http_interactions: -- recorded_at: Tue, 27 May 2025 10:25:24 GMT +- recorded_at: Fri, 10 Oct 2025 15:21:35 GMT request: body: encoding: UTF-8 - string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testupdateaworkloadprotectionpolicyreturnsokresponse1748341524"},"type":"policy"}}' + string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testupdateaworkloadprotectionpolicyreturnsokresponse1760109695"},"type":"policy"}}' headers: Accept: - application/json 
@@ -14,45 +14,45 @@ http_interactions: response: body: encoding: UTF-8 - string: '{"data":{"id":"qn1-4by-5zr","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"testupdateaworkloadprotectionpolicyreturnsokresponse1748341524","policyVersion":"1","priority":1000000011,"ruleCount":226,"updateDate":1748341524459,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' + string: '{"data":{"id":"cqp-anw-jba","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":1,"enabled":true,"hostTagsLists":[["env:staging"]],"monitoringRulesCount":7,"name":"testupdateaworkloadprotectionpolicyreturnsokresponse1760109695","pinned":false,"policyVersion":"1","ruleCount":8,"updateDate":1760109695685,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' headers: Content-Type: - application/json status: code: 200 message: OK -- recorded_at: Tue, 27 May 2025 10:25:24 GMT +- recorded_at: Fri, 10 Oct 2025 15:21:35 GMT request: body: encoding: UTF-8 - string: '{"data":{"attributes":{"description":"Updated agent policy","enabled":true,"hostTagsLists":[["env:test"]],"name":"updated_agent_policy"},"id":"qn1-4by-5zr","type":"policy"}}' + string: '{"data":{"attributes":{"description":"Updated agent policy","enabled":true,"hostTagsLists":[["env:test"]],"name":"updated_agent_policy"},"id":"cqp-anw-jba","type":"policy"}}' headers: Accept: - application/json Content-Type: - application/json method: PATCH - uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/qn1-4by-5zr + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/cqp-anw-jba response: body: encoding: UTF-8 - string: '{"data":{"id":"qn1-4by-5zr","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"Updated - agent 
policy","disabledRulesCount":1,"enabled":true,"hostTagsLists":[["env:test"]],"monitoringRulesCount":225,"name":"updated_agent_policy","policyVersion":"2","priority":1000000011,"ruleCount":226,"updateDate":1748341525121,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' + string: '{"data":{"id":"cqp-anw-jba","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"Updated + agent policy","disabledRulesCount":0,"enabled":true,"hostTagsLists":[["env:test"]],"monitoringRulesCount":0,"name":"updated_agent_policy","pinned":false,"policyVersion":"2","ruleCount":0,"updateDate":1760109696865,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}}}' headers: Content-Type: - application/json status: code: 200 message: OK -- recorded_at: Tue, 27 May 2025 10:25:24 GMT +- recorded_at: Fri, 10 Oct 2025 15:21:35 GMT request: body: null headers: Accept: - '*/*' method: DELETE - uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/qn1-4by-5zr + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/cqp-anw-jba response: body: encoding: UTF-8 diff --git a/examples/v2/csm-threats/CreateCSMThreatsAgentPolicy.rb b/examples/v2/csm-threats/CreateCSMThreatsAgentPolicy.rb index 4ccb8725dd35..8687d59637e1 100644 --- a/examples/v2/csm-threats/CreateCSMThreatsAgentPolicy.rb +++ b/examples/v2/csm-threats/CreateCSMThreatsAgentPolicy.rb @@ -13,7 +13,7 @@ "env:test", ], ], - name: "my_agent_policy", + name: "my_agent_policy_2", }), type: DatadogAPIClient::V2::CloudWorkloadSecurityAgentPolicyType::POLICY, }), diff --git a/examples/v2/csm-threats/CreateCSMThreatsAgentRule.rb b/examples/v2/csm-threats/CreateCSMThreatsAgentRule.rb index ab0b7930f713..b5f7661acc48 100644 --- a/examples/v2/csm-threats/CreateCSMThreatsAgentRule.rb +++ b/examples/v2/csm-threats/CreateCSMThreatsAgentRule.rb 
@@ -12,6 +12,7 @@ description: "My Agent rule", enabled: true, expression: 'exec.file.name == "sh"', + agent_version: "> 7.60", filters: [], name: "examplecsmthreat", policy_id: POLICY_DATA_ID, diff --git a/examples/v2/csm-threats/CreateCSMThreatsAgentRule_1295653933.rb b/examples/v2/csm-threats/CreateCSMThreatsAgentRule_1295653933.rb index 0d18f4c7649c..e2b348a45dfb 100644 --- a/examples/v2/csm-threats/CreateCSMThreatsAgentRule_1295653933.rb +++ b/examples/v2/csm-threats/CreateCSMThreatsAgentRule_1295653933.rb @@ -22,6 +22,7 @@ name: "test_set", value: "test_value", scope: "process", + inherited: true, }), }), DatadogAPIClient::V2::CloudWorkloadSecurityAgentRuleAction.new({ diff --git a/examples/v2/csm-threats/CreateCSMThreatsAgentRule_1363354233.rb b/examples/v2/csm-threats/CreateCSMThreatsAgentRule_1363354233.rb new file mode 100644 index 000000000000..944833e9ecdc --- /dev/null +++ b/examples/v2/csm-threats/CreateCSMThreatsAgentRule_1363354233.rb 
@@ -0,0 +1,33 @@ +# Create a Workload Protection agent rule with set action with expression returns "OK" response + +require "datadog_api_client" +api_instance = DatadogAPIClient::V2::CSMThreatsAPI.new + +# there is a valid "policy_rc" in the system +POLICY_DATA_ID = ENV["POLICY_DATA_ID"] + +body = DatadogAPIClient::V2::CloudWorkloadSecurityAgentRuleCreateRequest.new({ + data: DatadogAPIClient::V2::CloudWorkloadSecurityAgentRuleCreateData.new({ + attributes: DatadogAPIClient::V2::CloudWorkloadSecurityAgentRuleCreateAttributes.new({ + description: "My Agent rule with set action with expression", + enabled: true, + expression: 'exec.file.name == "sh"', + filters: [], + name: "examplecsmthreat", + policy_id: POLICY_DATA_ID, + product_tags: [], + actions: [ + DatadogAPIClient::V2::CloudWorkloadSecurityAgentRuleAction.new({ + set: DatadogAPIClient::V2::CloudWorkloadSecurityAgentRuleActionSet.new({ + name: "test_set", + expression: "open.file.path", + default_value: "/dev/null", + scope: "process", + }), + }), + ], + }), + type: DatadogAPIClient::V2::CloudWorkloadSecurityAgentRuleType::AGENT_RULE, + }), +}) +p api_instance.create_csm_threats_agent_rule(body) diff --git a/features/v2/csm_threats.feature b/features/v2/csm_threats.feature index 4783aea35e11..be43d01881d8 100644 --- a/features/v2/csm_threats.feature +++ b/features/v2/csm_threats.feature 
@@ -57,7 +57,7 @@ Feature: CSM Threats
   Scenario: Create a Workload Protection agent rule returns "OK" response
     Given there is a valid "policy_rc" in the system
     And new "CreateCSMThreatsAgentRule" request
-    And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\"", "filters": [], "name": "{{ unique_lower_alnum }}", "policy_id": "{{ policy.data.id }}", "product_tags": []}, "type": "agent_rule"}}
+    And body with value {"data": {"attributes": {"description": "My Agent rule", "enabled": true, "expression": "exec.file.name == \"sh\"", "agent_version": "> 7.60", "filters": [], "name": "{{ unique_lower_alnum }}", "policy_id": "{{ policy.data.id }}", "product_tags": []}, "type": "agent_rule"}}
     When the request is sent
     Then the response status is 200 OK
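Review bot: The scenario only checks for a 200 after adding `"agent_version": "> 7.60"`, so a backend that ignores or mis-parses the constraint still passes; the rule attributes model in this same diff exposes the persisted value as `agent_constraint`, not `agent_version`, which is exactly the request/response naming split a round-trip assertion would catch. Add a response check such as `And the response "data.attributes.agent_constraint" is equal to "> 7.60"` (confirm the exact response field name and the step wording against the other scenarios in this file). Because the constraint decides which Agents enforce the rule, an unverified value can silently leave hosts uncovered.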
@@ -65,7 +65,15 @@ Feature: CSM Threats
   Scenario: Create a Workload Protection agent rule with set action returns "OK" response
     Given there is a valid "policy_rc" in the system
     And new "CreateCSMThreatsAgentRule" request
-    And body with value {"data": {"attributes": {"description": "My Agent rule with set action", "enabled": true, "expression": "exec.file.name == \"sh\"", "filters": [], "name": "{{ unique_lower_alnum }}", "policy_id": "{{ policy.data.id }}", "product_tags": [], "actions": [{"set": {"name": "test_set", "value": "test_value", "scope": "process"}}, {"hash": {}}]}, "type": "agent_rule"}}
+    And body with value {"data": {"attributes": {"description": "My Agent rule with set action", "enabled": true, "expression": "exec.file.name == \"sh\"", "filters": [], "name": "{{ unique_lower_alnum }}", "policy_id": "{{ policy.data.id }}", "product_tags": [], "actions": [{"set": {"name": "test_set", "value": "test_value", "scope": "process", "inherited": true}}, {"hash": {}}]}, "type": "agent_rule"}}
+    When the request is sent
+    Then the response status is 200 OK
+
+  @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
+  Scenario: Create a Workload Protection agent rule with set action with expression returns "OK" response
+    Given there is a valid "policy_rc" in the system
+    And new "CreateCSMThreatsAgentRule" request
+    And body with value {"data": {"attributes": {"description": "My Agent rule with set action with expression", "enabled": true, "expression": "exec.file.name == \"sh\"", "filters": [], "name": "{{ unique_lower_alnum }}", "policy_id": "{{ policy.data.id }}", "product_tags": [], "actions": [{"set": {"name": "test_set", "expression": "open.file.path", "default_value": "/dev/null", "scope": "process"}}]}, "type": "agent_rule"}}
     When the request is sent
     Then the response status is 200 OK
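Review bot: The new set-action-with-expression scenario asserts only the status code, so it does not prove that `expression` and `default_value` are persisted rather than dropped by the server; the set-action scenario above it has the same gap for the new `inherited` flag. Assert the echoed action, e.g. `And the response "data.attributes.actions[0].set.expression" is equal to "open.file.path"` and the same for `default_value`, if the response step in this suite supports that path. Separately, the rule expression matches exec events while the set expression reads `open.file.path`, so the variable presumably always takes the `/dev/null` fallback in this scenario; either use a field from the matched event type or add a step comment saying the fallback path is what is being exercised — to be confirmed against SECL's event-scoped fields.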
@@ -86,7 +94,7 @@ Feature: CSM Threats
   @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
   Scenario: Create a Workload Protection policy returns "OK" response
     Given new "CreateCSMThreatsAgentPolicy" request
-    And body with value {"data": {"attributes": {"description": "My agent policy", "enabled": true, "hostTagsLists": [["env:test"]], "name": "my_agent_policy"}, "type": "policy"}}
+    And body with value {"data": {"attributes": {"description": "My agent policy", "enabled": true, "hostTagsLists": [["env:test"]], "name": "my_agent_policy_2"}, "type": "policy"}}
     When the request is sent
     Then the response status is 200 OK
@@ -152,7 +160,7 @@ Feature: CSM Threats
   @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
   Scenario: Get a Workload Protection agent rule (US1-FED) returns "Not Found" response
     Given new "GetCloudWorkloadSecurityAgentRule" request
-    And request contains "agent_rule_id" parameter with value "non-existent-rule-id"
+    And request contains "agent_rule_id" parameter with value "abc-def-ghi"
     When the request is sent
     Then the response status is 404 Not Found
@@ -167,7 +175,7 @@ Feature: CSM Threats
   @team:DataDog/k9-cloud-security-platform @team:DataDog/k9-cws-backend
   Scenario: Get a Workload Protection agent rule returns "Not Found" response
     Given new "GetCSMThreatsAgentRule" request
-    And request contains "agent_rule_id" parameter with value "non-existent-rule-id"
+    And request contains "agent_rule_id" parameter with value "abc-def-ghi"
     When the request is sent
     Then the response status is 404 Not Found
diff --git a/lib/datadog_api_client/inflector.rb b/lib/datadog_api_client/inflector.rb
index c52769e3632c..cdc8b1b5d87c 100644
--- a/lib/datadog_api_client/inflector.rb
+++ b/lib/datadog_api_client/inflector.rb
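Review bot: Replacing `non-existent-rule-id` with the well-formed `abc-def-ghi` changes what the two Not Found scenarios cover: presumably the server now rejects a malformed ID with 400 before lookup (the matching cassettes are not in view, so this is inferred), and that malformed-ID path is no longer exercised anywhere in the file. If so, keep a sibling `returns "Bad Request" response` scenario with the old value so input validation on `agent_rule_id` stays tested rather than silently dropped. The fixed ID also assumes `abc-def-ghi` never exists in the recording org; a short comment on the step saying so would help whoever re-records the cassettes.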
@@ -1481,6 +1481,7 @@ def overrides "v2.cloud_workload_security_agent_policy_update_data" => "CloudWorkloadSecurityAgentPolicyUpdateData", "v2.cloud_workload_security_agent_policy_updater_attributes" => "CloudWorkloadSecurityAgentPolicyUpdaterAttributes", "v2.cloud_workload_security_agent_policy_update_request" => "CloudWorkloadSecurityAgentPolicyUpdateRequest", + "v2.cloud_workload_security_agent_policy_version" => "CloudWorkloadSecurityAgentPolicyVersion", "v2.cloud_workload_security_agent_rule_action" => "CloudWorkloadSecurityAgentRuleAction", "v2.cloud_workload_security_agent_rule_action_metadata" => "CloudWorkloadSecurityAgentRuleActionMetadata", "v2.cloud_workload_security_agent_rule_action_set" => "CloudWorkloadSecurityAgentRuleActionSet", diff --git a/lib/datadog_api_client/v2/models/cloud_workload_security_agent_policy_attributes.rb b/lib/datadog_api_client/v2/models/cloud_workload_security_agent_policy_attributes.rb index a18ec2c2dc69..9ee61a7c7b1b 100644 --- a/lib/datadog_api_client/v2/models/cloud_workload_security_agent_policy_attributes.rb +++ b/lib/datadog_api_client/v2/models/cloud_workload_security_agent_policy_attributes.rb @@ -48,6 +48,9 @@ class CloudWorkloadSecurityAgentPolicyAttributes # The name of the policy attr_accessor :name + # Whether the policy is pinned + attr_accessor :pinned + # The version of the policy attr_accessor :policy_version @@ -66,6 +69,9 @@ class CloudWorkloadSecurityAgentPolicyAttributes # The attributes of the user who last updated the policy attr_accessor :updater + # The versions of the policy + attr_accessor :versions + attr_accessor :additional_properties # Attribute mapping from ruby-style variable name to JSON key. 
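Review bot: `# Whether the policy is pinned` and `# The versions of the policy` restate the attribute names and leave the operator-relevant meaning undocumented: whether a pinned policy keeps serving a fixed revision instead of following updates, and whether `versions` is the policy's own revision history or the set of Agent versions it was built for. Neither can be confirmed from this diff, so a hedged comment such as `# Whether the policy is pinned to a fixed version rather than following updates — confirm against the API docs` on `pinned`, and one on `versions` stating which interpretation holds, would stop readers from guessing. Since this model is generated from the OpenAPI description, the fix belongs in the schema `description` rather than in this file; the `CloudWorkloadSecurityAgentPolicyAttributes` class starts outside this hunk.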
@@ -81,12 +87,14 @@ def self.attribute_map :'host_tags_lists' => :'hostTagsLists', :'monitoring_rules_count' => :'monitoringRulesCount', :'name' => :'name', + :'pinned' => :'pinned', :'policy_version' => :'policyVersion', :'priority' => :'priority', :'rule_count' => :'ruleCount', :'update_date' => :'updateDate', :'updated_at' => :'updatedAt', - :'updater' => :'updater' + :'updater' => :'updater', + :'versions' => :'versions' } end @@ -103,12 +111,14 @@ def self.openapi_types :'host_tags_lists' => :'Array>', :'monitoring_rules_count' => :'Integer', :'name' => :'String', + :'pinned' => :'Boolean', :'policy_version' => :'String', :'priority' => :'Integer', :'rule_count' => :'Integer', :'update_date' => :'Integer', :'updated_at' => :'Integer', - :'updater' => :'CloudWorkloadSecurityAgentPolicyUpdaterAttributes' + :'updater' => :'CloudWorkloadSecurityAgentPolicyUpdaterAttributes', + :'versions' => :'Array' } end @@ -170,6 +180,10 @@ def initialize(attributes = {}) self.name = attributes[:'name'] end + if attributes.key?(:'pinned') + self.pinned = attributes[:'pinned'] + end + if attributes.key?(:'policy_version') self.policy_version = attributes[:'policy_version'] end @@ -193,6 +207,12 @@ def initialize(attributes = {}) if attributes.key?(:'updater') self.updater = attributes[:'updater'] end + + if attributes.key?(:'versions') + if (value = attributes[:'versions']).is_a?(Array) + self.versions = value + end + end end # Check to see if the all the properties in the model are valid @@ -281,12 +301,14 @@ def ==(o) host_tags_lists == o.host_tags_lists && monitoring_rules_count == o.monitoring_rules_count && name == o.name && + pinned == o.pinned && policy_version == o.policy_version && priority == o.priority && rule_count == o.rule_count && update_date == o.update_date && updated_at == o.updated_at && updater == o.updater && + versions == o.versions && additional_properties == o.additional_properties end 
@@ -294,7 +316,7 @@ def ==(o) # @return [Integer] Hash code # @!visibility private def hash - [blocking_rules_count, datadog_managed, description, disabled_rules_count, enabled, host_tags, host_tags_lists, monitoring_rules_count, name, policy_version, priority, rule_count, update_date, updated_at, updater, additional_properties].hash + [blocking_rules_count, datadog_managed, description, disabled_rules_count, enabled, host_tags, host_tags_lists, monitoring_rules_count, name, pinned, policy_version, priority, rule_count, update_date, updated_at, updater, versions, additional_properties].hash end end end diff --git a/lib/datadog_api_client/v2/models/cloud_workload_security_agent_policy_version.rb b/lib/datadog_api_client/v2/models/cloud_workload_security_agent_policy_version.rb new file mode 100644 index 000000000000..849f7e5e8278 --- /dev/null +++ b/lib/datadog_api_client/v2/models/cloud_workload_security_agent_policy_version.rb 
@@ -0,0 +1,123 @@ +=begin +#Datadog API V2 Collection + +#Collection of all Datadog Public endpoints. + +The version of the OpenAPI document: 1.0 +Contact: support@datadoghq.com +Generated by: https://github.com/DataDog/datadog-api-client-ruby/tree/master/.generator + + Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License. + This product includes software developed at Datadog (https://www.datadoghq.com/). + Copyright 2020-Present Datadog, Inc. + +=end + +require 'date' +require 'time' + +module DatadogAPIClient::V2 + # The versions of the policy + class CloudWorkloadSecurityAgentPolicyVersion + include BaseGenericModel + + # The date and time the version was created + attr_accessor :date + + # The version of the policy + attr_accessor :name + + attr_accessor :additional_properties + + # Attribute mapping from ruby-style variable name to JSON key. + # @!visibility private + def self.attribute_map + { + :'date' => :'Date', + :'name' => :'Name' + } + end + + # Attribute type mapping. 
+ # @!visibility private + def self.openapi_types + { + :'date' => :'String', + :'name' => :'String' + } + end + + # List of attributes with nullable: true + # @!visibility private + def self.openapi_nullable + Set.new([ + :'date', + ]) + end + + # Initializes the object + # @param attributes [Hash] Model attributes in the form of hash + # @!visibility private + def initialize(attributes = {}) + if (!attributes.is_a?(Hash)) + fail ArgumentError, "The input argument (attributes) must be a hash in `DatadogAPIClient::V2::CloudWorkloadSecurityAgentPolicyVersion` initialize method" + end + + self.additional_properties = {} + # check to see if the attribute exists and convert string to symbol for hash key + attributes = attributes.each_with_object({}) { |(k, v), h| + if (!self.class.attribute_map.key?(k.to_sym)) + self.additional_properties[k.to_sym] = v + else + h[k.to_sym] = v + end + } + + if attributes.key?(:'date') + self.date = attributes[:'date'] + end + + if attributes.key?(:'name') + self.name = attributes[:'name'] + end + end + + # Returns the object in the form of hash, with additionalProperties support. + # @return [Hash] Returns the object in the form of hash + # @!visibility private + def to_hash + hash = {} + self.class.attribute_map.each_pair do |attr, param| + value = self.send(attr) + if value.nil? + is_nullable = self.class.openapi_nullable.include?(attr) + next if !is_nullable || (is_nullable && !instance_variable_defined?(:"@#{attr}")) + end + + hash[param] = _to_hash(value) + end + self.additional_properties.each_pair do |attr, value| + hash[attr] = value + end + hash + end + + # Checks equality by comparing each attribute. + # @param o [Object] Object to be compared + # @!visibility private + def ==(o) + return true if self.equal?(o) + self.class == o.class && + date == o.date && + name == o.name && + additional_properties == o.additional_properties + end + + # Calculates hash code according to all attributes. 
+ # @return [Integer] Hash code + # @!visibility private + def hash + [date, name, additional_properties].hash + end + end +end diff --git a/lib/datadog_api_client/v2/models/cloud_workload_security_agent_rule_action_set.rb b/lib/datadog_api_client/v2/models/cloud_workload_security_agent_rule_action_set.rb index a423168281d5..f351203acc94 100644 --- a/lib/datadog_api_client/v2/models/cloud_workload_security_agent_rule_action_set.rb +++ b/lib/datadog_api_client/v2/models/cloud_workload_security_agent_rule_action_set.rb @@ -21,22 +21,31 @@ module DatadogAPIClient::V2 class CloudWorkloadSecurityAgentRuleActionSet include BaseGenericModel - # Whether the value should be appended to the field + # Whether the value should be appended to the field. attr_accessor :append + # The default value of the set action + attr_accessor :default_value + + # The expression of the set action. + attr_accessor :expression + # The field of the set action attr_accessor :field + # Whether the value should be inherited. + attr_accessor :inherited + # The name of the set action attr_accessor :name - # The scope of the set action + # The scope of the set action. attr_accessor :scope - # The size of the set action + # The size of the set action. attr_accessor :size - # The time to live of the set action + # The time to live of the set action. attr_accessor :ttl # The value of the set action @@ -49,7 +58,10 @@ class CloudWorkloadSecurityAgentRuleActionSet def self.attribute_map { :'append' => :'append', + :'default_value' => :'default_value', + :'expression' => :'expression', :'field' => :'field', + :'inherited' => :'inherited', :'name' => :'name', :'scope' => :'scope', :'size' => :'size', @@ -63,7 +75,10 @@ def self.attribute_map def self.openapi_types { :'append' => :'Boolean', + :'default_value' => :'String', + :'expression' => :'String', :'field' => :'String', + :'inherited' => :'Boolean', :'name' => :'String', :'scope' => :'String', :'size' => :'Integer', 
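Review bot: The JSON keys `Date` and `Name` in `attribute_map` are PascalCase while every other model touched by this diff maps to camelCase (`policyVersion`, `updateDate`) or snake_case (`default_value`), so either the API really serialises these two with capitals or the schema was transcribed from a Go struct; because unknown keys fall into `additional_properties`, a lowercase `date`/`name` from the server would land in the untyped bag instead of on the accessors, which is worth a confirming deserialization test before release. `date` is also a bare nullable `String` with no declared format, unlike the epoch-millisecond integers used for `updateDate` elsewhere; add `# Timestamp string as returned by the API (format not declared in the schema) — parse before comparing, never compare lexically` above the accessor so callers do not order versions by string.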
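Review bot: The new accessor comments `# The expression of the set action.` and `# The default value of the set action` do not tell a rule author what is evaluated or when the fallback applies, which matters because `expression` is evaluated by the Agent on the host rather than being a constant. I would write `# Event-field expression evaluated by the Agent on the matching event to derive the value (e.g. "open.file.path"); presumably an alternative to +value+/+field+ — confirm precedence when both are set`, state on `default_value` that it is presumably the value used when the expression cannot be resolved on the event, and on `inherited` whether the variable is propagated to child processes in the process scope — all three to be confirmed against the backend docs and then fixed in the schema since this file is generated. The trailing-period edits on `append`/`scope`/`size`/`ttl` leave `field`, `name`, `value` and `default_value` without one; pick one convention. The `CloudWorkloadSecurityAgentRuleActionSet` class continues outside this hunk.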
@@ -94,10 +109,22 @@ def initialize(attributes = {}) self.append = attributes[:'append'] end + if attributes.key?(:'default_value') + self.default_value = attributes[:'default_value'] + end + + if attributes.key?(:'expression') + self.expression = attributes[:'expression'] + end + if attributes.key?(:'field') self.field = attributes[:'field'] end + if attributes.key?(:'inherited') + self.inherited = attributes[:'inherited'] + end + if attributes.key?(:'name') self.name = attributes[:'name'] end @@ -146,7 +173,10 @@ def ==(o) return true if self.equal?(o) self.class == o.class && append == o.append && + default_value == o.default_value && + expression == o.expression && field == o.field && + inherited == o.inherited && name == o.name && scope == o.scope && size == o.size && @@ -159,7 +189,7 @@ def ==(o) # @return [Integer] Hash code # @!visibility private def hash - [append, field, name, scope, size, ttl, value, additional_properties].hash + [append, default_value, expression, field, inherited, name, scope, size, ttl, value, additional_properties].hash end end end diff --git a/lib/datadog_api_client/v2/models/cloud_workload_security_agent_rule_attributes.rb b/lib/datadog_api_client/v2/models/cloud_workload_security_agent_rule_attributes.rb index 3f143cc94c10..1a70d6b89ea1 100644 --- a/lib/datadog_api_client/v2/models/cloud_workload_security_agent_rule_attributes.rb +++ b/lib/datadog_api_client/v2/models/cloud_workload_security_agent_rule_attributes.rb @@ -69,6 +69,9 @@ class CloudWorkloadSecurityAgentRuleAttributes # The list of product tags associated with the rule attr_accessor :product_tags + # Whether the rule is silent. + attr_accessor :silent + # The ID of the user who updated the rule attr_accessor :update_author_uu_id 
@@ -106,6 +109,7 @@ def self.attribute_map :'monitoring' => :'monitoring', :'name' => :'name', :'product_tags' => :'product_tags', + :'silent' => :'silent', :'update_author_uu_id' => :'updateAuthorUuId', :'update_date' => :'updateDate', :'updated_at' => :'updatedAt', @@ -134,6 +138,7 @@ def self.openapi_types :'monitoring' => :'Array', :'name' => :'String', :'product_tags' => :'Array', + :'silent' => :'Boolean', :'update_author_uu_id' => :'String', :'update_date' => :'Integer', :'updated_at' => :'Integer', @@ -244,6 +249,10 @@ def initialize(attributes = {}) end end + if attributes.key?(:'silent') + self.silent = attributes[:'silent'] + end + if attributes.key?(:'update_author_uu_id') self.update_author_uu_id = attributes[:'update_author_uu_id'] end @@ -307,6 +316,7 @@ def ==(o) monitoring == o.monitoring && name == o.name && product_tags == o.product_tags && + silent == o.silent && update_author_uu_id == o.update_author_uu_id && update_date == o.update_date && updated_at == o.updated_at && @@ -319,7 +329,7 @@ def ==(o) # @return [Integer] Hash code # @!visibility private def hash - [actions, agent_constraint, blocking, category, creation_author_uu_id, creation_date, creator, default_rule, description, disabled, enabled, expression, filters, monitoring, name, product_tags, update_author_uu_id, update_date, updated_at, updater, version, additional_properties].hash + [actions, agent_constraint, blocking, category, creation_author_uu_id, creation_date, creator, default_rule, description, disabled, enabled, expression, filters, monitoring, name, product_tags, silent, update_author_uu_id, update_date, updated_at, updater, version, additional_properties].hash end end end diff --git a/lib/datadog_api_client/v2/models/cloud_workload_security_agent_rule_create_attributes.rb b/lib/datadog_api_client/v2/models/cloud_workload_security_agent_rule_create_attributes.rb index a3f84955a5e4..359d417ca9a9 100644 
--- a/lib/datadog_api_client/v2/models/cloud_workload_security_agent_rule_create_attributes.rb +++ b/lib/datadog_api_client/v2/models/cloud_workload_security_agent_rule_create_attributes.rb @@ -24,36 +24,42 @@ class CloudWorkloadSecurityAgentRuleCreateAttributes # The array of actions the rule can perform if triggered attr_accessor :actions - # The blocking policies that the rule belongs to + # Constrain the rule to specific versions of the Datadog Agent. + attr_accessor :agent_version + + # The blocking policies that the rule belongs to. attr_accessor :blocking # The description of the Agent rule. attr_accessor :description - # The disabled policies that the rule belongs to + # The disabled policies that the rule belongs to. attr_accessor :disabled - # Whether the Agent rule is enabled + # Whether the Agent rule is enabled. attr_accessor :enabled # The SECL expression of the Agent rule. attr_reader :expression - # The platforms the Agent rule is supported on + # The platforms the Agent rule is supported on. attr_accessor :filters - # The monitoring policies that the rule belongs to + # The monitoring policies that the rule belongs to. attr_accessor :monitoring # The name of the Agent rule. attr_reader :name - # The ID of the policy where the Agent rule is saved + # The ID of the policy where the Agent rule is saved. attr_accessor :policy_id - # The list of product tags associated with the rule + # The list of product tags associated with the rule. attr_accessor :product_tags + # Whether the rule is silent. + attr_accessor :silent + attr_accessor :additional_properties # Attribute mapping from ruby-style variable name to JSON key. @@ -61,6 +67,7 @@ class CloudWorkloadSecurityAgentRuleCreateAttributes def self.attribute_map { :'actions' => :'actions', + :'agent_version' => :'agent_version', :'blocking' => :'blocking', :'description' => :'description', :'disabled' => :'disabled', 
@@ -70,7 +77,8 @@ def self.attribute_map :'monitoring' => :'monitoring', :'name' => :'name', :'policy_id' => :'policy_id', - :'product_tags' => :'product_tags' + :'product_tags' => :'product_tags', + :'silent' => :'silent' } end @@ -79,6 +87,7 @@ def self.attribute_map def self.openapi_types { :'actions' => :'Array', + :'agent_version' => :'String', :'blocking' => :'Array', :'description' => :'String', :'disabled' => :'Array', @@ -88,7 +97,8 @@ def self.openapi_types :'monitoring' => :'Array', :'name' => :'String', :'policy_id' => :'String', - :'product_tags' => :'Array' + :'product_tags' => :'Array', + :'silent' => :'Boolean' } end @@ -124,6 +134,10 @@ def initialize(attributes = {}) end end + if attributes.key?(:'agent_version') + self.agent_version = attributes[:'agent_version'] + end + if attributes.key?(:'blocking') if (value = attributes[:'blocking']).is_a?(Array) self.blocking = value @@ -173,6 +187,10 @@ def initialize(attributes = {}) self.product_tags = value end end + + if attributes.key?(:'silent') + self.silent = attributes[:'silent'] + end end # Check to see if the all the properties in the model are valid @@ -231,6 +249,7 @@ def ==(o) return true if self.equal?(o) self.class == o.class && actions == o.actions && + agent_version == o.agent_version && blocking == o.blocking && description == o.description && disabled == o.disabled && @@ -241,6 +260,7 @@ def ==(o) name == o.name && policy_id == o.policy_id && product_tags == o.product_tags && + silent == o.silent && additional_properties == o.additional_properties end @@ -248,7 +268,7 @@ def ==(o) # @return [Integer] Hash code # @!visibility private def hash - [actions, blocking, description, disabled, enabled, expression, filters, monitoring, name, policy_id, product_tags, additional_properties].hash + [actions, agent_version, blocking, description, disabled, enabled, expression, filters, monitoring, name, policy_id, product_tags, silent, additional_properties].hash end end end 
diff --git a/lib/datadog_api_client/v2/models/cloud_workload_security_agent_rule_update_attributes.rb b/lib/datadog_api_client/v2/models/cloud_workload_security_agent_rule_update_attributes.rb index a88c87eb04be..9129282a1615 100644 --- a/lib/datadog_api_client/v2/models/cloud_workload_security_agent_rule_update_attributes.rb +++ b/lib/datadog_api_client/v2/models/cloud_workload_security_agent_rule_update_attributes.rb @@ -24,6 +24,9 @@ class CloudWorkloadSecurityAgentRuleUpdateAttributes # The array of actions the rule can perform if triggered attr_accessor :actions + # Constrain the rule to specific versions of the Datadog Agent + attr_accessor :agent_version + # The blocking policies that the rule belongs to attr_accessor :blocking @@ -48,6 +51,9 @@ class CloudWorkloadSecurityAgentRuleUpdateAttributes # The list of product tags associated with the rule attr_accessor :product_tags + # Whether the rule is silent. + attr_accessor :silent + attr_accessor :additional_properties # Attribute mapping from ruby-style variable name to JSON key. @@ -55,6 +61,7 @@ class CloudWorkloadSecurityAgentRuleUpdateAttributes def self.attribute_map { :'actions' => :'actions', + :'agent_version' => :'agent_version', :'blocking' => :'blocking', :'description' => :'description', :'disabled' => :'disabled', @@ -62,7 +69,8 @@ def self.attribute_map :'expression' => :'expression', :'monitoring' => :'monitoring', :'policy_id' => :'policy_id', - :'product_tags' => :'product_tags' + :'product_tags' => :'product_tags', + :'silent' => :'silent' } end @@ -71,6 +79,7 @@ def self.attribute_map def self.openapi_types { :'actions' => :'Array', + :'agent_version' => :'String', :'blocking' => :'Array', :'description' => :'String', :'disabled' => :'Array', @@ -78,7 +87,8 @@ def self.openapi_types :'expression' => :'String', :'monitoring' => :'Array', :'policy_id' => :'String', - :'product_tags' => :'Array' + :'product_tags' => :'Array', + :'silent' => :'Boolean' } end 
@@ -114,6 +124,10 @@ def initialize(attributes = {}) end end + if attributes.key?(:'agent_version') + self.agent_version = attributes[:'agent_version'] + end + if attributes.key?(:'blocking') if (value = attributes[:'blocking']).is_a?(Array) self.blocking = value @@ -153,6 +167,10 @@ def initialize(attributes = {}) self.product_tags = value end end + + if attributes.key?(:'silent') + self.silent = attributes[:'silent'] + end end # Returns the object in the form of hash, with additionalProperties support. @@ -182,6 +200,7 @@ def ==(o) return true if self.equal?(o) self.class == o.class && actions == o.actions && + agent_version == o.agent_version && blocking == o.blocking && description == o.description && disabled == o.disabled && @@ -190,6 +209,7 @@ def ==(o) monitoring == o.monitoring && policy_id == o.policy_id && product_tags == o.product_tags && + silent == o.silent && additional_properties == o.additional_properties end @@ -197,7 +217,7 @@ def ==(o) # @return [Integer] Hash code # @!visibility private def hash - [actions, blocking, description, disabled, enabled, expression, monitoring, policy_id, product_tags, additional_properties].hash + [actions, agent_version, blocking, description, disabled, enabled, expression, monitoring, policy_id, product_tags, silent, additional_properties].hash end end end