diff --git a/.apigentools-info b/.apigentools-info
index afae103b436..eadb203a792 100644
--- a/.apigentools-info
+++ b/.apigentools-info
@@ -4,13 +4,13 @@
 "spec_versions": {
 "v1": {
 "apigentools_version": "1.6.6",
- "regenerated": "2025-05-14 15:44:21.910071",
- "spec_repo_commit": "64f5e7ee"
+ "regenerated": "2025-05-15 12:25:30.145904",
+ "spec_repo_commit": "7d24e85a"
 },
 "v2": {
 "apigentools_version": "1.6.6",
- "regenerated": "2025-05-14 15:44:21.925869",
- "spec_repo_commit": "64f5e7ee"
+ "regenerated": "2025-05-15 12:25:30.167772",
+ "spec_repo_commit": "7d24e85a"
 }
 }
 }
\ No newline at end of file
diff --git a/.generator/schemas/v2/openapi.yaml b/.generator/schemas/v2/openapi.yaml
index 094dc6eb79f..fb8c8481bd0 100644
--- a/.generator/schemas/v2/openapi.yaml
+++ b/.generator/schemas/v2/openapi.yaml
@@ -7469,6 +7469,50 @@ components:
 type: string
 kill:
 $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleKill'
+ metadata:
+ $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleActionMetadata'
+ set:
+ $ref: '#/components/schemas/CloudWorkloadSecurityAgentRuleActionSet'
+ type: object
+ CloudWorkloadSecurityAgentRuleActionMetadata:
+ description: The metadata action applied on the scope matching the rule
+ properties:
+ image_tag:
+ description: The image tag of the metadata action
+ type: string
+ service:
+ description: The service of the metadata action
+ type: string
+ short_image:
+ description: The short image of the metadata action
+ type: string
+ type: object
+ CloudWorkloadSecurityAgentRuleActionSet:
+ description: The set action applied on the scope matching the rule
+ properties:
+ append:
+ description: Whether the value should be appended to the field
+ type: boolean
+ field:
+ description: The field of the set action
+ type: string
+ name:
+ description: The name of the set action
+ type: string
+ scope:
+ description: The scope of the set action
+ type: string
+ size:
+ description: The size of the set action
+ format: int64
+ type: integer
+ ttl:
+ description: The time to live of the set action
+ format: int64
+ type: integer
+ value:
+ description: The value of the set action
+ type: string
 type: object
 CloudWorkloadSecurityAgentRuleActions:
 description: The array of actions the rule can perform if triggered
@@ -7484,6 +7528,11 @@ components:
 agentConstraint:
 description: The version of the Agent
 type: string
+ blocking:
+ description: The blocking policies that the rule belongs to
+ items:
+ type: string
+ type: array
 category:
 description: The category of the Agent rule
 example: Process Activity
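Review bot: The property descriptions added for `CloudWorkloadSecurityAgentRuleActionSet` only restate the property names and give no value domain, and that text is all a generated client will show for an action the agent executes when a rule matches: `scope`, `field`, `size` and `ttl` say nothing about accepted values or units. `ttl` carries `format: int64` but not the unit it is expressed in, and `size` does not say what it bounds; both should state it, e.g. `description: The time to live of the set action, in seconds` if seconds is what the backend uses. If the accepted `scope` values are a fixed list, an `enum` would be better than a free string; the recorded cassette on this page only shows `process`, so at minimum `description: The scope of the set action (for example process)` plus an `example:` like the neighbouring schemas carry would help. The schema these `metadata` and `set` properties are added to begins outside the hunk.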
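Review bot: The `blocking` list added to the Agent rule attributes is described only as `The blocking policies that the rule belongs to` with `items: type: string`, which leaves callers guessing whether the strings are policy IDs or policy names; the recorded response on this page returns `"monitoring":["nto-1nm-yyn"]`, which looks like a policy ID, so the description should say so, e.g. `description: The IDs of the blocking policies that the rule belongs to`, with an `example:` as the sibling properties have. The same undocumented item type applies to the `disabled` and `monitoring` lists added by hunks -7507, -7520, -7554, -7571, -7661 and -7673. On the create and update attributes these three lists sit next to `policy_id`, and nothing states whether one policy ID may appear in more than one list or how the lists relate to `policy_id`; presumably they are mutually exclusive, and a sentence in the descriptions saying so would make the contract checkable by clients and by the server-side validation.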
@@ -7507,6 +7556,11 @@ components:
 description: The description of the Agent rule
 example: My Agent rule
 type: string
+ disabled:
+ description: The disabled policies that the rule belongs to
+ items:
+ type: string
+ type: array
 enabled:
 description: Whether the Agent rule is enabled
 example: true
@@ -7520,6 +7574,11 @@ components:
 items:
 type: string
 type: array
+ monitoring:
+ description: The monitoring policies that the rule belongs to
+ items:
+ type: string
+ type: array
 name:
 description: The name of the Agent rule
 example: my_agent_rule
@@ -7554,10 +7613,20 @@ components:
 CloudWorkloadSecurityAgentRuleCreateAttributes:
 description: Create a new Cloud Workload Security Agent rule.
 properties:
+ blocking:
+ description: The blocking policies that the rule belongs to
+ items:
+ type: string
+ type: array
 description:
 description: The description of the Agent rule.
 example: My Agent rule
 type: string
+ disabled:
+ description: The disabled policies that the rule belongs to
+ items:
+ type: string
+ type: array
 enabled:
 description: Whether the Agent rule is enabled
 example: true
@@ -7571,6 +7640,11 @@ components:
 items:
 type: string
 type: array
+ monitoring:
+ description: The monitoring policies that the rule belongs to
+ items:
+ type: string
+ type: array
 name:
 description: The name of the Agent rule.
 example: my_agent_rule
@@ -7661,10 +7735,20 @@ components:
 CloudWorkloadSecurityAgentRuleUpdateAttributes:
 description: Update an existing Cloud Workload Security Agent rule
 properties:
+ blocking:
+ description: The blocking policies that the rule belongs to
+ items:
+ type: string
+ type: array
 description:
 description: The description of the Agent rule
 example: My Agent rule
 type: string
+ disabled:
+ description: The disabled policies that the rule belongs to
+ items:
+ type: string
+ type: array
 enabled:
 description: Whether the Agent rule is enabled
 example: true
@@ -7673,6 +7757,11 @@ components:
 description: The SECL expression of the Agent rule
 example: exec.file.name == "sh"
 type: string
+ monitoring:
+ description: The monitoring policies that the rule belongs to
+ items:
+ type: string
+ type: array
 policy_id:
 description: The ID of the policy where the Agent rule is saved
 example: a8c8e364-6556-434d-b798-a4c23de29c0b
diff --git a/cassettes/features/v2/csm_threats/Create-a-CSM-Threats-Agent-policy-returns-Bad-Request-response.frozen b/cassettes/features/v2/csm_threats/Create-a-CSM-Threats-Agent-policy-returns-Bad-Request-response.frozen
index c290cdbad60..0ea50fe83ac 100644
--- a/cassettes/features/v2/csm_threats/Create-a-CSM-Threats-Agent-policy-returns-Bad-Request-response.frozen
+++ b/cassettes/features/v2/csm_threats/Create-a-CSM-Threats-Agent-policy-returns-Bad-Request-response.frozen
@@ -1 +1 @@
-2025-04-15T09:10:06.353Z
\ No newline at end of file
+2025-05-15T11:49:04.463Z
\ No newline at end of file
diff --git a/cassettes/features/v2/csm_threats/Create-a-CSM-Threats-Agent-policy-returns-Bad-Request-response.yml b/cassettes/features/v2/csm_threats/Create-a-CSM-Threats-Agent-policy-returns-Bad-Request-response.yml
index a4b964a58d8..42efbd8db41 100644
--- a/cassettes/features/v2/csm_threats/Create-a-CSM-Threats-Agent-policy-returns-Bad-Request-response.yml
+++ b/cassettes/features/v2/csm_threats/Create-a-CSM-Threats-Agent-policy-returns-Bad-Request-response.yml
@@ -1,5 +1,5 @@
 http_interactions:
-- recorded_at: Tue, 15 Apr 2025 09:10:06 GMT
+- recorded_at: Thu, 15 May 2025 11:49:04 GMT
 request:
 body:
 encoding: UTF-8
@@ -14,9 +14,8 @@ http_interactions:
 response:
 body:
 encoding: UTF-8
- string: '{"errors":[{"title":"failed to create policy"}]}
-
- '
+ string: '{"errors":["input_validation_error(Field ''tags'' is invalid: cannot
+ have both the new and the legacy field populated)"]}'
 headers:
 Content-Type:
 - application/json
diff --git a/cassettes/features/v2/csm_threats/Create-a-CSM-Threats-Agent-policy-returns-OK-response.frozen b/cassettes/features/v2/csm_threats/Create-a-CSM-Threats-Agent-policy-returns-OK-response.frozen index 3eef66a9c7a..1047e7a0891 100644 --- a/cassettes/features/v2/csm_threats/Create-a-CSM-Threats-Agent-policy-returns-OK-response.frozen +++ b/cassettes/features/v2/csm_threats/Create-a-CSM-Threats-Agent-policy-returns-OK-response.frozen @@ -1 +1 @@ -2025-04-15T09:10:06.769Z \ No newline at end of file +2025-05-15T11:49:04.847Z \ No newline at end of file diff --git a/cassettes/features/v2/csm_threats/Create-a-CSM-Threats-Agent-policy-returns-OK-response.yml b/cassettes/features/v2/csm_threats/Create-a-CSM-Threats-Agent-policy-returns-OK-response.yml index 6db607d1542..b258c19a55f 100644 --- a/cassettes/features/v2/csm_threats/Create-a-CSM-Threats-Agent-policy-returns-OK-response.yml +++ b/cassettes/features/v2/csm_threats/Create-a-CSM-Threats-Agent-policy-returns-OK-response.yml @@ -1,5 +1,5 @@ http_interactions: -- recorded_at: Tue, 15 Apr 2025 09:10:06 GMT +- recorded_at: Thu, 15 May 2025 11:49:04 GMT request: body: encoding: UTF-8 
@@ -14,8 +14,8 @@ http_interactions: response: body: encoding: UTF-8 - string: '{"data":{"id":"4op-0bb-yom","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":1,"enabled":true,"hostTagsLists":[["env:test"]],"monitoringRulesCount":225,"name":"my_agent_policy","policyVersion":"1","priority":1000000001,"ruleCount":226,"updateDate":1744708206895,"updater":{"name":"CI + string: '{"data":{"id":"oem-itj-6yc","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":1,"enabled":true,"hostTagsLists":[["env:test"]],"monitoringRulesCount":225,"name":"my_agent_policy","policyVersion":"1","priority":1000000070,"ruleCount":226,"updateDate":1747309744898,"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}}}' headers: Content-Type: @@ -23,14 +23,14 @@ http_interactions: status: code: 200 message: OK -- recorded_at: Tue, 15 Apr 2025 09:10:06 GMT +- recorded_at: Thu, 15 May 2025 11:49:04 GMT request: body: null headers: Accept: - '*/*' method: DELETE - uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/4op-0bb-yom + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/oem-itj-6yc response: body: encoding: UTF-8 diff --git a/cassettes/features/v2/csm_threats/Create-a-CSM-Threats-Agent-rule-returns-Bad-Request-response.frozen b/cassettes/features/v2/csm_threats/Create-a-CSM-Threats-Agent-rule-returns-Bad-Request-response.frozen index f989accc05d..f6fa6b7c064 100644 --- a/cassettes/features/v2/csm_threats/Create-a-CSM-Threats-Agent-rule-returns-Bad-Request-response.frozen +++ b/cassettes/features/v2/csm_threats/Create-a-CSM-Threats-Agent-rule-returns-Bad-Request-response.frozen @@ -1 +1 @@ -2025-04-01T14:30:45.280Z \ No newline at end of file +2025-05-15T11:49:06.272Z \ No newline at end of file 
diff --git a/cassettes/features/v2/csm_threats/Create-a-CSM-Threats-Agent-rule-returns-Bad-Request-response.yml b/cassettes/features/v2/csm_threats/Create-a-CSM-Threats-Agent-rule-returns-Bad-Request-response.yml index 0bc80b8d020..2858bc8d2a8 100644 --- a/cassettes/features/v2/csm_threats/Create-a-CSM-Threats-Agent-rule-returns-Bad-Request-response.yml +++ b/cassettes/features/v2/csm_threats/Create-a-CSM-Threats-Agent-rule-returns-Bad-Request-response.yml @@ -1,9 +1,9 @@ http_interactions: -- recorded_at: Tue, 01 Apr 2025 14:30:45 GMT +- recorded_at: Thu, 15 May 2025 11:49:06 GMT request: body: encoding: UTF-8 - string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testcreateacsmthreatsagentrulereturnsbadrequestresponse1743517845"},"type":"policy"}}' + string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testcreateacsmthreatsagentrulereturnsbadrequestresponse1747309746"},"type":"policy"}}' headers: Accept: - application/json 
@@ -14,8 +14,8 @@ http_interactions: response: body: encoding: UTF-8 - string: '{"data":{"id":"mrs-qdn-jq8","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"testcreateacsmthreatsagentrulereturnsbadrequestresponse1743517845","policyVersion":"1","priority":1000000001,"ruleCount":226,"updateDate":1743517845323,"updater":{"name":"CI + string: '{"data":{"id":"bdb-fa5-mym","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"testcreateacsmthreatsagentrulereturnsbadrequestresponse1747309746","policyVersion":"1","priority":1000000070,"ruleCount":226,"updateDate":1747309746340,"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}}}' headers: Content-Type: @@ -23,11 +23,11 @@ http_interactions: status: code: 200 message: OK -- recorded_at: Tue, 01 Apr 2025 14:30:45 GMT +- recorded_at: Thu, 15 May 2025 11:49:06 GMT request: body: encoding: UTF-8 - string: '{"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name","filters":[],"name":"my_agent_rule","policy_id":"mrs-qdn-jq8","product_tags":[]},"type":"agent_rule"}}' + string: '{"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name","filters":[],"name":"my_agent_rule","policy_id":"bdb-fa5-mym","product_tags":[]},"type":"agent_rule"}}' headers: Accept: - application/json 
@@ -38,22 +38,22 @@ http_interactions: response: body: encoding: UTF-8 - string: '{"errors":["input_validation_error(Field ''name'' is invalid: rule - `my_agent_rule` error: multiple definition with the same ID)"]}' + string: '{"errors":["input_validation_error(Field ''expression'' is invalid: + rule `my_agent_rule` error: rule syntax error: bool expected: 1:1: exec.file.name\n^)"]}' headers: Content-Type: - application/json status: code: 400 message: Bad Request -- recorded_at: Tue, 01 Apr 2025 14:30:45 GMT +- recorded_at: Thu, 15 May 2025 11:49:06 GMT request: body: null headers: Accept: - '*/*' method: DELETE - uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/mrs-qdn-jq8 + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/bdb-fa5-mym response: body: encoding: UTF-8 diff --git a/cassettes/features/v2/csm_threats/Create-a-CSM-Threats-Agent-rule-returns-OK-response.frozen b/cassettes/features/v2/csm_threats/Create-a-CSM-Threats-Agent-rule-returns-OK-response.frozen index d00c1e7e923..ff7237615fb 100644 --- a/cassettes/features/v2/csm_threats/Create-a-CSM-Threats-Agent-rule-returns-OK-response.frozen +++ b/cassettes/features/v2/csm_threats/Create-a-CSM-Threats-Agent-rule-returns-OK-response.frozen @@ -1 +1 @@ -2025-04-01T14:30:46.809Z \ No newline at end of file +2025-05-15T11:49:07.692Z \ No newline at end of file diff --git a/cassettes/features/v2/csm_threats/Create-a-CSM-Threats-Agent-rule-returns-OK-response.yml b/cassettes/features/v2/csm_threats/Create-a-CSM-Threats-Agent-rule-returns-OK-response.yml index 2a09a491380..588a19029a8 100644 --- a/cassettes/features/v2/csm_threats/Create-a-CSM-Threats-Agent-rule-returns-OK-response.yml +++ b/cassettes/features/v2/csm_threats/Create-a-CSM-Threats-Agent-rule-returns-OK-response.yml 
@@ -1,9 +1,9 @@ http_interactions: -- recorded_at: Tue, 01 Apr 2025 14:30:46 GMT +- recorded_at: Thu, 15 May 2025 11:49:07 GMT request: body: encoding: UTF-8 - string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testcreateacsmthreatsagentrulereturnsokresponse1743517846"},"type":"policy"}}' + string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testcreateacsmthreatsagentrulereturnsokresponse1747309747"},"type":"policy"}}' headers: Accept: - application/json @@ -14,8 +14,8 @@ http_interactions: response: body: encoding: UTF-8 - string: '{"data":{"id":"eeq-02h-jhh","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"testcreateacsmthreatsagentrulereturnsokresponse1743517846","policyVersion":"1","priority":1000000001,"ruleCount":226,"updateDate":1743517846856,"updater":{"name":"CI + string: '{"data":{"id":"nto-1nm-yyn","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"testcreateacsmthreatsagentrulereturnsokresponse1747309747","policyVersion":"1","priority":1000000070,"ruleCount":226,"updateDate":1747309747726,"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}}}' headers: Content-Type: 
@@ -23,12 +23,12 @@ http_interactions: status: code: 200 message: OK -- recorded_at: Tue, 01 Apr 2025 14:30:46 GMT +- recorded_at: Thu, 15 May 2025 11:49:07 GMT request: body: encoding: UTF-8 string: '{"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name - == \"sh\"","filters":[],"name":"testcreateacsmthreatsagentrulereturnsokresponse1743517846","policy_id":"eeq-02h-jhh","product_tags":[]},"type":"agent_rule"}}' + == \"sh\"","filters":[],"name":"testcreateacsmthreatsagentrulereturnsokresponse1747309747","policy_id":"nto-1nm-yyn","product_tags":[]},"type":"agent_rule"}}' headers: Accept: - application/json @@ -39,10 +39,10 @@ http_interactions: response: body: encoding: UTF-8 - string: '{"data":{"id":"ree-4gw-dk6","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1743517847344,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + string: '{"data":{"id":"uqt-hyg-2ve","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1747309748100,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"testcreateacsmthreatsagentrulereturnsokresponse1743517846","updateDate":1743517847344,"updater":{"name":"CI + == \"linux\""],"monitoring":["nto-1nm-yyn"],"name":"testcreateacsmthreatsagentrulereturnsokresponse1747309747","product_tags":[],"updateDate":1747309748100,"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}}}' headers: Content-Type: 
@@ -50,14 +50,14 @@ http_interactions: status: code: 200 message: OK -- recorded_at: Tue, 01 Apr 2025 14:30:46 GMT +- recorded_at: Thu, 15 May 2025 11:49:07 GMT request: body: null headers: Accept: - '*/*' method: DELETE - uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/ree-4gw-dk6 + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/uqt-hyg-2ve response: body: encoding: UTF-8 @@ -68,14 +68,14 @@ http_interactions: status: code: 204 message: No Content -- recorded_at: Tue, 01 Apr 2025 14:30:46 GMT +- recorded_at: Thu, 15 May 2025 11:49:07 GMT request: body: null headers: Accept: - '*/*' method: DELETE - uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/eeq-02h-jhh + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/nto-1nm-yyn response: body: encoding: UTF-8 diff --git a/cassettes/features/v2/csm_threats/Create-a-CSM-Threats-Agent-rule-with-set-action-returns-OK-response.frozen b/cassettes/features/v2/csm_threats/Create-a-CSM-Threats-Agent-rule-with-set-action-returns-OK-response.frozen new file mode 100644 index 00000000000..222e6fcb256 --- /dev/null +++ b/cassettes/features/v2/csm_threats/Create-a-CSM-Threats-Agent-rule-with-set-action-returns-OK-response.frozen @@ -0,0 +1 @@ +2025-05-15T11:49:10.442Z \ No newline at end of file diff --git a/cassettes/features/v2/csm_threats/Create-a-CSM-Threats-Agent-rule-with-set-action-returns-OK-response.yml b/cassettes/features/v2/csm_threats/Create-a-CSM-Threats-Agent-rule-with-set-action-returns-OK-response.yml new file mode 100644 index 00000000000..3d80d940107 --- /dev/null +++ b/cassettes/features/v2/csm_threats/Create-a-CSM-Threats-Agent-rule-with-set-action-returns-OK-response.yml 
@@ -0,0 +1,90 @@ +http_interactions: +- recorded_at: Thu, 15 May 2025 11:49:10 GMT + request: + body: + encoding: UTF-8 + string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testcreateacsmthreatsagentrulewithsetactionreturnsokresponse1747309750"},"type":"policy"}}' + headers: + Accept: + - application/json + Content-Type: + - application/json + method: POST + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy + response: + body: + encoding: UTF-8 + string: '{"data":{"id":"xyq-ard-uy3","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"testcreateacsmthreatsagentrulewithsetactionreturnsokresponse1747309750","policyVersion":"1","priority":1000000070,"ruleCount":226,"updateDate":1747309750488,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}}}' + headers: + Content-Type: + - application/json + status: + code: 200 + message: OK +- recorded_at: Thu, 15 May 2025 11:49:10 GMT + request: + body: + encoding: UTF-8 + string: '{"data":{"attributes":{"actions":[{"set":{"name":"test_set","scope":"process","value":"test_value"}}],"description":"My + Agent rule with set action","enabled":true,"expression":"exec.file.name == + \"sh\"","filters":[],"name":"testcreateacsmthreatsagentrulewithsetactionreturnsokresponse1747309750","policy_id":"xyq-ard-uy3","product_tags":[]},"type":"agent_rule"}}' + headers: + Accept: + - application/json + Content-Type: + - application/json + method: POST + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules + response: + body: + encoding: UTF-8 + string: '{"data":{"id":"0xd-0i0-cnc","type":"agent_rule","attributes":{"actions":[{"set":{"name":"test_set","value":"test_value","scope":"process"},"disabled":false}],"category":"Process + 
Activity","creationDate":1747309750900,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + Agent rule with set action","enabled":true,"expression":"exec.file.name == + \"sh\"","filters":["os == \"linux\""],"monitoring":["xyq-ard-uy3"],"name":"testcreateacsmthreatsagentrulewithsetactionreturnsokresponse1747309750","product_tags":[],"updateDate":1747309750900,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}}}' + headers: + Content-Type: + - application/json + status: + code: 200 + message: OK +- recorded_at: Thu, 15 May 2025 11:49:10 GMT + request: + body: null + headers: + Accept: + - '*/*' + method: DELETE + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/0xd-0i0-cnc + response: + body: + encoding: UTF-8 + string: '' + headers: + Content-Type: + - application/json + status: + code: 204 + message: No Content +- recorded_at: Thu, 15 May 2025 11:49:10 GMT + request: + body: null + headers: + Accept: + - '*/*' + method: DELETE + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/xyq-ard-uy3 + response: + body: + encoding: UTF-8 + string: '' + headers: + Content-Type: + - application/json + status: + code: 204 + message: No Content +recorded_with: VCR 6.0.0 diff --git a/cassettes/features/v2/csm_threats/Create-a-Cloud-Workload-Security-Agent-rule-returns-Bad-Request-response.frozen b/cassettes/features/v2/csm_threats/Create-a-Cloud-Workload-Security-Agent-rule-returns-Bad-Request-response.frozen index 569f1f18978..aa54f5c7d26 100644 --- a/cassettes/features/v2/csm_threats/Create-a-Cloud-Workload-Security-Agent-rule-returns-Bad-Request-response.frozen +++ b/cassettes/features/v2/csm_threats/Create-a-Cloud-Workload-Security-Agent-rule-returns-Bad-Request-response.frozen @@ -1 +1 @@ -2025-04-18T09:10:11.610Z \ No newline at end of file +2025-05-15T11:49:13.094Z \ No newline at end of file 
diff --git a/cassettes/features/v2/csm_threats/Create-a-Cloud-Workload-Security-Agent-rule-returns-Bad-Request-response.yml b/cassettes/features/v2/csm_threats/Create-a-Cloud-Workload-Security-Agent-rule-returns-Bad-Request-response.yml index 87b53a9a31c..77cb8e5de7f 100644 --- a/cassettes/features/v2/csm_threats/Create-a-Cloud-Workload-Security-Agent-rule-returns-Bad-Request-response.yml +++ b/cassettes/features/v2/csm_threats/Create-a-Cloud-Workload-Security-Agent-rule-returns-Bad-Request-response.yml @@ -1,9 +1,9 @@ http_interactions: -- recorded_at: Fri, 18 Apr 2025 09:10:11 GMT +- recorded_at: Thu, 15 May 2025 11:49:13 GMT request: body: encoding: UTF-8 - string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testcreateacloudworkloadsecurityagentrulereturnsbadrequestresponse1744967411"},"type":"policy"}}' + string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testcreateacloudworkloadsecurityagentrulereturnsbadrequestresponse1747309753"},"type":"policy"}}' headers: Accept: - application/json 
@@ -14,8 +14,8 @@ http_interactions: response: body: encoding: UTF-8 - string: '{"data":{"id":"byc-7rh-p5l","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"testcreateacloudworkloadsecurityagentrulereturnsbadrequestresponse1744967411","policyVersion":"1","priority":1000000002,"ruleCount":226,"updateDate":1744967411964,"updater":{"name":"CI + string: '{"data":{"id":"ouu-6xr-bab","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"testcreateacloudworkloadsecurityagentrulereturnsbadrequestresponse1747309753","policyVersion":"1","priority":1000000070,"ruleCount":226,"updateDate":1747309753145,"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}}}' headers: Content-Type: @@ -23,7 +23,7 @@ http_interactions: status: code: 200 message: OK -- recorded_at: Fri, 18 Apr 2025 09:10:11 GMT +- recorded_at: Thu, 15 May 2025 11:49:13 GMT request: body: encoding: UTF-8 @@ -48,14 +48,14 @@ http_interactions: status: code: 400 message: Bad Request -- recorded_at: Fri, 18 Apr 2025 09:10:11 GMT +- recorded_at: Thu, 15 May 2025 11:49:13 GMT request: body: null headers: Accept: - '*/*' method: DELETE - uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/byc-7rh-p5l + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/ouu-6xr-bab response: body: encoding: UTF-8 diff --git a/cassettes/features/v2/csm_threats/Create-a-Cloud-Workload-Security-Agent-rule-returns-OK-response.frozen b/cassettes/features/v2/csm_threats/Create-a-Cloud-Workload-Security-Agent-rule-returns-OK-response.frozen index 8ad981fd20f..9d74bc8607f 100644 
--- a/cassettes/features/v2/csm_threats/Create-a-Cloud-Workload-Security-Agent-rule-returns-OK-response.frozen +++ b/cassettes/features/v2/csm_threats/Create-a-Cloud-Workload-Security-Agent-rule-returns-OK-response.frozen @@ -1 +1 @@ -2025-04-01T14:30:49.909Z \ No newline at end of file +2025-05-15T11:49:14.223Z \ No newline at end of file diff --git a/cassettes/features/v2/csm_threats/Create-a-Cloud-Workload-Security-Agent-rule-returns-OK-response.yml b/cassettes/features/v2/csm_threats/Create-a-Cloud-Workload-Security-Agent-rule-returns-OK-response.yml index 87ccef5f5ba..6405608d87b 100644 --- a/cassettes/features/v2/csm_threats/Create-a-Cloud-Workload-Security-Agent-rule-returns-OK-response.yml +++ b/cassettes/features/v2/csm_threats/Create-a-Cloud-Workload-Security-Agent-rule-returns-OK-response.yml @@ -1,9 +1,9 @@ http_interactions: -- recorded_at: Tue, 01 Apr 2025 14:30:49 GMT +- recorded_at: Thu, 15 May 2025 11:49:14 GMT request: body: encoding: UTF-8 - string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testcreateacloudworkloadsecurityagentrulereturnsokresponse1743517849"},"type":"policy"}}' + string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testcreateacloudworkloadsecurityagentrulereturnsokresponse1747309754"},"type":"policy"}}' headers: Accept: - application/json 
@@ -14,8 +14,8 @@ http_interactions: response: body: encoding: UTF-8 - string: '{"data":{"id":"4o4-2ha-t4b","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"testcreateacloudworkloadsecurityagentrulereturnsokresponse1743517849","policyVersion":"1","priority":1000000001,"ruleCount":226,"updateDate":1743517849954,"updater":{"name":"CI + string: '{"data":{"id":"ub7-nwt-ghr","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"testcreateacloudworkloadsecurityagentrulereturnsokresponse1747309754","policyVersion":"1","priority":1000000070,"ruleCount":226,"updateDate":1747309754274,"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}}}' headers: Content-Type: @@ -23,12 +23,12 @@ http_interactions: status: code: 200 message: OK -- recorded_at: Tue, 01 Apr 2025 14:30:49 GMT +- recorded_at: Thu, 15 May 2025 11:49:14 GMT request: body: encoding: UTF-8 string: '{"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name - == \"sh\"","filters":[],"name":"testcreateacloudworkloadsecurityagentrulereturnsokresponse1743517849"},"type":"agent_rule"}}' + == \"sh\"","filters":[],"name":"testcreateacloudworkloadsecurityagentrulereturnsokresponse1747309754"},"type":"agent_rule"}}' headers: Accept: - application/json 
@@ -39,8 +39,8 @@ http_interactions: response: body: encoding: UTF-8 - string: '{"data":{"id":"amk-lsa-s1q","attributes":{"version":1,"name":"testcreateacloudworkloadsecurityagentrulereturnsokresponse1743517849","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1743517850483,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1743517850483,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"CI + string: '{"data":{"id":"sgv-vge-luo","attributes":{"version":1,"name":"testcreateacloudworkloadsecurityagentrulereturnsokresponse1747309754","description":"My + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1747309755217,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1747309755217,"filters":[],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"}} @@ -51,14 +51,14 @@ http_interactions: status: code: 200 message: OK -- recorded_at: Tue, 01 Apr 2025 14:30:49 GMT +- recorded_at: Thu, 15 May 2025 11:49:14 GMT request: body: null headers: Accept: - '*/*' method: DELETE - uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/amk-lsa-s1q + uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/sgv-vge-luo response: body: encoding: UTF-8 
@@ -67,14 +67,14 @@ http_interactions:
 status:
 code: 204
 message: No Content
-- recorded_at: Tue, 01 Apr 2025 14:30:49 GMT
+- recorded_at: Thu, 15 May 2025 11:49:14 GMT
 request:
 body: null
 headers:
 Accept:
 - '*/*'
 method: DELETE
- uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/4o4-2ha-t4b
+ uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/ub7-nwt-ghr
 response:
 body:
 encoding: UTF-8
diff --git a/cassettes/features/v2/csm_threats/Delete-a-CSM-Threats-Agent-policy-returns-Not-Found-response.frozen b/cassettes/features/v2/csm_threats/Delete-a-CSM-Threats-Agent-policy-returns-Not-Found-response.frozen
index 2907715a1f0..862ea739747 100644
--- a/cassettes/features/v2/csm_threats/Delete-a-CSM-Threats-Agent-policy-returns-Not-Found-response.frozen
+++ b/cassettes/features/v2/csm_threats/Delete-a-CSM-Threats-Agent-policy-returns-Not-Found-response.frozen
@@ -1 +1 @@
-2025-04-01T14:30:50.953Z
\ No newline at end of file
+2025-05-15T11:49:15.782Z
\ No newline at end of file
diff --git a/cassettes/features/v2/csm_threats/Delete-a-CSM-Threats-Agent-policy-returns-Not-Found-response.yml b/cassettes/features/v2/csm_threats/Delete-a-CSM-Threats-Agent-policy-returns-Not-Found-response.yml
index 78dfd189fab..ac7dccbf4bd 100644
--- a/cassettes/features/v2/csm_threats/Delete-a-CSM-Threats-Agent-policy-returns-Not-Found-response.yml
+++ b/cassettes/features/v2/csm_threats/Delete-a-CSM-Threats-Agent-policy-returns-Not-Found-response.yml
@@ -1,5 +1,5 @@
 http_interactions:
-- recorded_at: Tue, 01 Apr 2025 14:30:50 GMT
+- recorded_at: Thu, 15 May 2025 11:49:15 GMT
 request:
 body: null
 headers:
diff --git a/cassettes/features/v2/csm_threats/Delete-a-CSM-Threats-Agent-policy-returns-OK-response.frozen b/cassettes/features/v2/csm_threats/Delete-a-CSM-Threats-Agent-policy-returns-OK-response.frozen
index b90ca64b48f..528c29f5261 100644
--- a/cassettes/features/v2/csm_threats/Delete-a-CSM-Threats-Agent-policy-returns-OK-response.frozen
+++ b/cassettes/features/v2/csm_threats/Delete-a-CSM-Threats-Agent-policy-returns-OK-response.frozen
@@ -1 +1 @@
-2025-04-01T14:30:51.116Z
\ No newline at end of file
+2025-05-15T11:49:15.901Z
\ No newline at end of file
diff --git a/cassettes/features/v2/csm_threats/Delete-a-CSM-Threats-Agent-policy-returns-OK-response.yml b/cassettes/features/v2/csm_threats/Delete-a-CSM-Threats-Agent-policy-returns-OK-response.yml
index b84ce7dcb05..5425c3b4324 100644
--- a/cassettes/features/v2/csm_threats/Delete-a-CSM-Threats-Agent-policy-returns-OK-response.yml
+++ b/cassettes/features/v2/csm_threats/Delete-a-CSM-Threats-Agent-policy-returns-OK-response.yml
@@ -1,9 +1,9 @@
 http_interactions:
-- recorded_at: Tue, 01 Apr 2025 14:30:51 GMT
+- recorded_at: Thu, 15 May 2025 11:49:15 GMT
 request:
 body:
 encoding: UTF-8
- string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testdeleteacsmthreatsagentpolicyreturnsokresponse1743517851"},"type":"policy"}}'
+ string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testdeleteacsmthreatsagentpolicyreturnsokresponse1747309755"},"type":"policy"}}'
 headers:
 Accept:
 - application/json
@@ -14,8 +14,8 @@ http_interactions:
 response:
 body:
 encoding: UTF-8
- string: '{"data":{"id":"794-4tf-osj","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My
- agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"testdeleteacsmthreatsagentpolicyreturnsokresponse1743517851","policyVersion":"1","priority":1000000001,"ruleCount":226,"updateDate":1743517851168,"updater":{"name":"CI
+ string: '{"data":{"id":"sqz-yz1-wkv","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My
+ agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"testdeleteacsmthreatsagentpolicyreturnsokresponse1747309755","policyVersion":"1","priority":1000000070,"ruleCount":226,"updateDate":1747309755933,"updater":{"name":"CI
 Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}}}'
 headers:
 Content-Type:
@@ -23,14 +23,14 @@ http_interactions:
 status:
 code: 200
 message: OK
-- recorded_at: Tue, 01 Apr 2025 14:30:51 GMT
+- recorded_at: Thu, 15 May 2025 11:49:15 GMT
 request:
 body: null
 headers:
 Accept:
 - '*/*'
 method: DELETE
- uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/794-4tf-osj
+ uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/sqz-yz1-wkv
 response:
 body:
 encoding: UTF-8
@@ -41,14 +41,14 @@ http_interactions:
 status:
 code: 204
 message: No Content
-- recorded_at: Tue, 01 Apr 2025 14:30:51 GMT
+- recorded_at: Thu, 15 May 2025 11:49:15 GMT
 request:
 body: null
 headers:
 Accept:
 - '*/*'
 method: DELETE
- uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/794-4tf-osj
+ uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/sqz-yz1-wkv
 response:
 body:
 encoding: UTF-8
diff --git a/cassettes/features/v2/csm_threats/Delete-a-CSM-Threats-Agent-rule-returns-Not-Found-response.frozen b/cassettes/features/v2/csm_threats/Delete-a-CSM-Threats-Agent-rule-returns-Not-Found-response.frozen
index 9c683d57fe5..e66ea7c85b1 100644
--- a/cassettes/features/v2/csm_threats/Delete-a-CSM-Threats-Agent-rule-returns-Not-Found-response.frozen
+++ b/cassettes/features/v2/csm_threats/Delete-a-CSM-Threats-Agent-rule-returns-Not-Found-response.frozen
@@ -1 +1 @@
-2025-04-01T14:30:52.038Z
\ No newline at end of file
+2025-05-15T11:49:16.718Z
\ No newline at end of file
diff --git a/cassettes/features/v2/csm_threats/Delete-a-CSM-Threats-Agent-rule-returns-Not-Found-response.yml b/cassettes/features/v2/csm_threats/Delete-a-CSM-Threats-Agent-rule-returns-Not-Found-response.yml
index bfdf3dd4750..825e8947b00 100644
--- a/cassettes/features/v2/csm_threats/Delete-a-CSM-Threats-Agent-rule-returns-Not-Found-response.yml
+++ b/cassettes/features/v2/csm_threats/Delete-a-CSM-Threats-Agent-rule-returns-Not-Found-response.yml
@@ -1,5 +1,5 @@
 http_interactions:
-- recorded_at: Tue, 01 Apr 2025 14:30:52 GMT
+- recorded_at: Thu, 15 May 2025 11:49:16 GMT
 request:
 body: null
 headers:
diff --git a/cassettes/features/v2/csm_threats/Delete-a-CSM-Threats-Agent-rule-returns-OK-response.frozen b/cassettes/features/v2/csm_threats/Delete-a-CSM-Threats-Agent-rule-returns-OK-response.frozen
index 369e24ad10b..5fb76505247 100644
--- a/cassettes/features/v2/csm_threats/Delete-a-CSM-Threats-Agent-rule-returns-OK-response.frozen
+++ b/cassettes/features/v2/csm_threats/Delete-a-CSM-Threats-Agent-rule-returns-OK-response.frozen
@@ -1 +1 @@
-2025-04-01T14:30:52.133Z
\ No newline at end of file
+2025-05-15T11:49:17.005Z
\ No newline at end of file
diff --git a/cassettes/features/v2/csm_threats/Delete-a-CSM-Threats-Agent-rule-returns-OK-response.yml b/cassettes/features/v2/csm_threats/Delete-a-CSM-Threats-Agent-rule-returns-OK-response.yml
index e0c8bf312a6..4821f6fee03 100644
--- a/cassettes/features/v2/csm_threats/Delete-a-CSM-Threats-Agent-rule-returns-OK-response.yml
+++ b/cassettes/features/v2/csm_threats/Delete-a-CSM-Threats-Agent-rule-returns-OK-response.yml
@@ -1,9 +1,9 @@
 http_interactions:
-- recorded_at: Tue, 01 Apr 2025 14:30:52 GMT
+- recorded_at: Thu, 15 May 2025 11:49:17 GMT
 request:
 body:
 encoding: UTF-8
- string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testdeleteacsmthreatsagentrulereturnsokresponse1743517852"},"type":"policy"}}'
+ string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testdeleteacsmthreatsagentrulereturnsokresponse1747309757"},"type":"policy"}}'
 headers:
 Accept:
 - application/json
@@ -14,8 +14,8 @@ http_interactions:
 response:
 body:
 encoding: UTF-8
- string: '{"data":{"id":"kqm-fhb-eay","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My
- agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"testdeleteacsmthreatsagentrulereturnsokresponse1743517852","policyVersion":"1","priority":1000000001,"ruleCount":226,"updateDate":1743517852178,"updater":{"name":"CI
+ string: '{"data":{"id":"esf-fbh-ofa","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My
+ agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"testdeleteacsmthreatsagentrulereturnsokresponse1747309757","policyVersion":"1","priority":1000000070,"ruleCount":226,"updateDate":1747309757037,"updater":{"name":"CI
 Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}}}'
 headers:
 Content-Type:
@@ -23,12 +23,12 @@ http_interactions:
 status:
 code: 200
 message: OK
-- recorded_at: Tue, 01 Apr 2025 14:30:52 GMT
+- recorded_at: Thu, 15 May 2025 11:49:17 GMT
 request:
 body:
 encoding: UTF-8
- string: '{"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name
- == \"sh\"","name":"testdeleteacsmthreatsagentrulereturnsokresponse1743517852","policy_id":"kqm-fhb-eay","product_tags":["security:attack","technique:T1059"]},"type":"agent_rule"}}'
+ string: '{"data":{"attributes":{"actions":[{"set":{"name":"test_set","scope":"process","value":"test_value"}}],"description":"My
+ Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","name":"testdeleteacsmthreatsagentrulereturnsokresponse1747309757","policy_id":"esf-fbh-ofa","product_tags":["security:attack","technique:T1059"]},"type":"agent_rule"}}'
 headers:
 Accept:
 - application/json
@@ -39,10 +39,10 @@ http_interactions:
 response:
 body:
 encoding: UTF-8
- string: '{"data":{"id":"pjy-nkm-0wb","type":"agent_rule","attributes":{"category":"Process
- Activity","creationDate":1743517852458,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My
+ string: '{"data":{"id":"pdb-88d-vs4","type":"agent_rule","attributes":{"actions":[{"set":{"name":"test_set","value":"test_value","scope":"process"},"disabled":false}],"category":"Process
+ Activity","creationDate":1747309757421,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My
 Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os
- == \"linux\""],"name":"testdeleteacsmthreatsagentrulereturnsokresponse1743517852","updateDate":1743517852458,"updater":{"name":"CI
+ == \"linux\""],"monitoring":["esf-fbh-ofa"],"name":"testdeleteacsmthreatsagentrulereturnsokresponse1747309757","product_tags":["security:attack","technique:T1059"],"updateDate":1747309757421,"updater":{"name":"CI
 Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}}}'
 headers:
 Content-Type:
@@ -50,14 +50,14 @@ http_interactions:
 status:
 code: 200
 message: OK
-- recorded_at: Tue, 01 Apr 2025 14:30:52 GMT
+- recorded_at: Thu, 15 May 2025 11:49:17 GMT
 request:
 body: null
 headers:
 Accept:
 - '*/*'
 method: DELETE
- uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/pjy-nkm-0wb?policy_id=kqm-fhb-eay
+ uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/pdb-88d-vs4?policy_id=esf-fbh-ofa
 response:
 body:
 encoding: UTF-8
@@ -68,14 +68,14 @@ http_interactions:
 status:
 code: 204
 message: No Content
-- recorded_at: Tue, 01 Apr 2025 14:30:52 GMT
+- recorded_at: Thu, 15 May 2025 11:49:17 GMT
 request:
 body: null
 headers:
 Accept:
 - '*/*'
 method: DELETE
- uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/pjy-nkm-0wb
+ uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/pdb-88d-vs4
 response:
 body:
 encoding: UTF-8
@@ -88,14 +88,14 @@ http_interactions:
 status:
 code: 404
 message: Not Found
-- recorded_at: Tue, 01 Apr 2025 14:30:52 GMT
+- recorded_at: Thu, 15 May 2025 11:49:17 GMT
 request:
 body: null
 headers:
 Accept:
 - '*/*'
 method: DELETE
- uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/kqm-fhb-eay
+ uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/esf-fbh-ofa
 response:
 body:
 encoding: UTF-8
diff --git a/cassettes/features/v2/csm_threats/Delete-a-Cloud-Workload-Security-Agent-rule-returns-Not-Found-response.frozen b/cassettes/features/v2/csm_threats/Delete-a-Cloud-Workload-Security-Agent-rule-returns-Not-Found-response.frozen
index c943cdfcd91..73c521ff2be 100644
--- a/cassettes/features/v2/csm_threats/Delete-a-Cloud-Workload-Security-Agent-rule-returns-Not-Found-response.frozen
+++ b/cassettes/features/v2/csm_threats/Delete-a-Cloud-Workload-Security-Agent-rule-returns-Not-Found-response.frozen
@@ -1 +1 @@
-2025-04-01T14:30:54.389Z
\ No newline at end of file
+2025-05-15T11:49:19.503Z
\ No newline at end of file
diff --git a/cassettes/features/v2/csm_threats/Delete-a-Cloud-Workload-Security-Agent-rule-returns-Not-Found-response.yml b/cassettes/features/v2/csm_threats/Delete-a-Cloud-Workload-Security-Agent-rule-returns-Not-Found-response.yml
index 84da024449d..9157297ddca 100644
--- a/cassettes/features/v2/csm_threats/Delete-a-Cloud-Workload-Security-Agent-rule-returns-Not-Found-response.yml
+++ b/cassettes/features/v2/csm_threats/Delete-a-Cloud-Workload-Security-Agent-rule-returns-Not-Found-response.yml
@@ -1,5 +1,5 @@
 http_interactions:
-- recorded_at: Tue, 01 Apr 2025 14:30:54 GMT
+- recorded_at: Thu, 15 May 2025 11:49:19 GMT
 request:
 body: null
 headers:
diff --git a/cassettes/features/v2/csm_threats/Delete-a-Cloud-Workload-Security-Agent-rule-returns-OK-response.frozen b/cassettes/features/v2/csm_threats/Delete-a-Cloud-Workload-Security-Agent-rule-returns-OK-response.frozen
index 5d92123426a..4acf4fd12cb 100644
--- a/cassettes/features/v2/csm_threats/Delete-a-Cloud-Workload-Security-Agent-rule-returns-OK-response.frozen
+++ b/cassettes/features/v2/csm_threats/Delete-a-Cloud-Workload-Security-Agent-rule-returns-OK-response.frozen
@@ -1 +1 @@
-2025-04-18T09:10:13.237Z
\ No newline at end of file
+2025-05-15T11:49:19.551Z
\ No newline at end of file
diff --git a/cassettes/features/v2/csm_threats/Delete-a-Cloud-Workload-Security-Agent-rule-returns-OK-response.yml b/cassettes/features/v2/csm_threats/Delete-a-Cloud-Workload-Security-Agent-rule-returns-OK-response.yml
index fda2cde2a96..7f776bbfe26 100644
--- a/cassettes/features/v2/csm_threats/Delete-a-Cloud-Workload-Security-Agent-rule-returns-OK-response.yml
+++ b/cassettes/features/v2/csm_threats/Delete-a-Cloud-Workload-Security-Agent-rule-returns-OK-response.yml
@@ -1,10 +1,10 @@
 http_interactions:
-- recorded_at: Fri, 18 Apr 2025 09:10:13 GMT
+- recorded_at: Thu, 15 May 2025 11:49:19 GMT
 request:
 body:
 encoding: UTF-8
 string: '{"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name
- == \"sh\"","name":"testdeleteacloudworkloadsecurityagentrulereturnsokresponse1744967413"},"type":"agent_rule"}}'
+ == \"sh\"","name":"testdeleteacloudworkloadsecurityagentrulereturnsokresponse1747309759"},"type":"agent_rule"}}'
 headers:
 Accept:
 - application/json
@@ -15,8 +15,8 @@ http_interactions:
 response:
 body:
 encoding: UTF-8
- string: '{"data":{"id":"ghk-tsf-neq","attributes":{"version":1,"name":"testdeleteacloudworkloadsecurityagentrulereturnsokresponse1744967413","description":"My
- Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1744967413434,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1744967413434,"filters":["os
+ string: '{"data":{"id":"mdm-2ki-w2c","attributes":{"version":1,"name":"testdeleteacloudworkloadsecurityagentrulereturnsokresponse1747309759","description":"My
+ Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1747309759860,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1747309759860,"filters":["os
 == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"}}
@@ -27,14 +27,14 @@ http_interactions:
 status:
 code: 200
 message: OK
-- recorded_at: Fri, 18 Apr 2025 09:10:13 GMT
+- recorded_at: Thu, 15 May 2025 11:49:19 GMT
 request:
 body: null
 headers:
 Accept:
 - '*/*'
 method: DELETE
- uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/ghk-tsf-neq
+ uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/mdm-2ki-w2c
 response:
 body:
 encoding: UTF-8
@@ -43,18 +43,18 @@ http_interactions:
 status:
 code: 204
 message: No Content
-- recorded_at: Fri, 18 Apr 2025 09:10:13 GMT
+- recorded_at: Thu, 15 May 2025 11:49:19 GMT
 request:
 body: null
 headers:
 Accept:
 - '*/*'
 method: DELETE
- uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/ghk-tsf-neq
+ uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/mdm-2ki-w2c
 response:
 body:
 encoding: UTF-8
- string: '{"errors":["not_found(Agent rule not found: agentRuleId=ghk-tsf-neq)"]}
+ string: '{"errors":["not_found(Agent rule not found: agentRuleId=mdm-2ki-w2c)"]}
 '
 headers:
diff --git a/cassettes/features/v2/csm_threats/Get-a-CSM-Threats-Agent-policy-returns-Not-Found-response.frozen b/cassettes/features/v2/csm_threats/Get-a-CSM-Threats-Agent-policy-returns-Not-Found-response.frozen
index 24a790d0a6e..42e197266d6 100644
--- a/cassettes/features/v2/csm_threats/Get-a-CSM-Threats-Agent-policy-returns-Not-Found-response.frozen
+++ b/cassettes/features/v2/csm_threats/Get-a-CSM-Threats-Agent-policy-returns-Not-Found-response.frozen
@@ -1 +1 @@
-2025-04-01T14:30:54.462Z
\ No newline at end of file
+2025-05-15T11:49:20.081Z
\ No newline at end of file
diff --git a/cassettes/features/v2/csm_threats/Get-a-CSM-Threats-Agent-policy-returns-Not-Found-response.yml b/cassettes/features/v2/csm_threats/Get-a-CSM-Threats-Agent-policy-returns-Not-Found-response.yml
index 6763c03a707..37c6072c2bd 100644
--- a/cassettes/features/v2/csm_threats/Get-a-CSM-Threats-Agent-policy-returns-Not-Found-response.yml
+++ b/cassettes/features/v2/csm_threats/Get-a-CSM-Threats-Agent-policy-returns-Not-Found-response.yml
@@ -1,5 +1,5 @@
 http_interactions:
-- recorded_at: Tue, 01 Apr 2025 14:30:54 GMT
+- recorded_at: Thu, 15 May 2025 11:49:20 GMT
 request:
 body: null
 headers:
diff --git a/cassettes/features/v2/csm_threats/Get-a-CSM-Threats-Agent-policy-returns-OK-response.frozen b/cassettes/features/v2/csm_threats/Get-a-CSM-Threats-Agent-policy-returns-OK-response.frozen
index 76a83128373..f6298625d2a 100644
--- a/cassettes/features/v2/csm_threats/Get-a-CSM-Threats-Agent-policy-returns-OK-response.frozen
+++ b/cassettes/features/v2/csm_threats/Get-a-CSM-Threats-Agent-policy-returns-OK-response.frozen
@@ -1 +1 @@
-2025-04-01T14:30:54.711Z
\ No newline at end of file
+2025-05-15T11:49:20.203Z
\ No newline at end of file
diff --git a/cassettes/features/v2/csm_threats/Get-a-CSM-Threats-Agent-policy-returns-OK-response.yml b/cassettes/features/v2/csm_threats/Get-a-CSM-Threats-Agent-policy-returns-OK-response.yml
index 1c1c37fe413..9e5f7f7525f 100644
--- a/cassettes/features/v2/csm_threats/Get-a-CSM-Threats-Agent-policy-returns-OK-response.yml
+++ b/cassettes/features/v2/csm_threats/Get-a-CSM-Threats-Agent-policy-returns-OK-response.yml
@@ -1,9 +1,9 @@
 http_interactions:
-- recorded_at: Tue, 01 Apr 2025 14:30:54 GMT
+- recorded_at: Thu, 15 May 2025 11:49:20 GMT
 request:
 body:
 encoding: UTF-8
- string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testgetacsmthreatsagentpolicyreturnsokresponse1743517854"},"type":"policy"}}'
+ string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testgetacsmthreatsagentpolicyreturnsokresponse1747309760"},"type":"policy"}}'
 headers:
 Accept:
 - application/json
@@ -14,8 +14,8 @@ http_interactions:
 response:
 body:
 encoding: UTF-8
- string: '{"data":{"id":"egv-qkr-ihb","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My
- agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"testgetacsmthreatsagentpolicyreturnsokresponse1743517854","policyVersion":"1","priority":1000000001,"ruleCount":226,"updateDate":1743517854753,"updater":{"name":"CI
+ string: '{"data":{"id":"6v0-ufi-yxu","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My
+ agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"testgetacsmthreatsagentpolicyreturnsokresponse1747309760","policyVersion":"1","priority":1000000070,"ruleCount":226,"updateDate":1747309760242,"updater":{"name":"CI
 Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}}}'
 headers:
 Content-Type:
@@ -23,19 +23,19 @@ http_interactions:
 status:
 code: 200
 message: OK
-- recorded_at: Tue, 01 Apr 2025 14:30:54 GMT
+- recorded_at: Thu, 15 May 2025 11:49:20 GMT
 request:
 body: null
 headers:
 Accept:
 - application/json
 method: GET
- uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/egv-qkr-ihb
+ uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/6v0-ufi-yxu
 response:
 body:
 encoding: UTF-8
- string: '{"data":{"id":"egv-qkr-ihb","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My
- agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"testgetacsmthreatsagentpolicyreturnsokresponse1743517854","policyVersion":"1","priority":1000000001,"ruleCount":226,"updateDate":1743517854753,"updater":{"name":"CI
+ string: '{"data":{"id":"6v0-ufi-yxu","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My
+ agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"testgetacsmthreatsagentpolicyreturnsokresponse1747309760","policyVersion":"1","priority":1000000070,"ruleCount":226,"updateDate":1747309760242,"updater":{"name":"CI
 Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}}}'
 headers:
 Content-Type:
@@ -43,14 +43,14 @@ http_interactions:
 status:
 code: 200
 message: OK
-- recorded_at: Tue, 01 Apr 2025 14:30:54 GMT
+- recorded_at: Thu, 15 May 2025 11:49:20 GMT
 request:
 body: null
 headers:
 Accept:
 - '*/*'
 method: DELETE
- uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/egv-qkr-ihb
+ uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/6v0-ufi-yxu
 response:
 body:
 encoding: UTF-8
diff --git a/cassettes/features/v2/csm_threats/Get-a-CSM-Threats-Agent-rule-returns-Not-Found-response.frozen b/cassettes/features/v2/csm_threats/Get-a-CSM-Threats-Agent-rule-returns-Not-Found-response.frozen
index a6328571453..d33c6da2e2a 100644
--- a/cassettes/features/v2/csm_threats/Get-a-CSM-Threats-Agent-rule-returns-Not-Found-response.frozen
+++ b/cassettes/features/v2/csm_threats/Get-a-CSM-Threats-Agent-rule-returns-Not-Found-response.frozen
@@ -1 +1 @@
-2025-04-01T14:30:55.749Z
\ No newline at end of file
+2025-05-15T11:49:21.248Z
\ No newline at end of file
diff --git a/cassettes/features/v2/csm_threats/Get-a-CSM-Threats-Agent-rule-returns-Not-Found-response.yml b/cassettes/features/v2/csm_threats/Get-a-CSM-Threats-Agent-rule-returns-Not-Found-response.yml
index 7995b90d745..e1b75625d62 100644
--- a/cassettes/features/v2/csm_threats/Get-a-CSM-Threats-Agent-rule-returns-Not-Found-response.yml
+++ b/cassettes/features/v2/csm_threats/Get-a-CSM-Threats-Agent-rule-returns-Not-Found-response.yml
@@ -1,5 +1,5 @@
 http_interactions:
-- recorded_at: Tue, 01 Apr 2025 14:30:55 GMT
+- recorded_at: Thu, 15 May 2025 11:49:21 GMT
 request:
 body: null
 headers:
diff --git a/cassettes/features/v2/csm_threats/Get-a-CSM-Threats-Agent-rule-returns-OK-response.frozen b/cassettes/features/v2/csm_threats/Get-a-CSM-Threats-Agent-rule-returns-OK-response.frozen
index 5c69286972a..e8cd8cf20a6 100644
--- a/cassettes/features/v2/csm_threats/Get-a-CSM-Threats-Agent-rule-returns-OK-response.frozen
+++ b/cassettes/features/v2/csm_threats/Get-a-CSM-Threats-Agent-rule-returns-OK-response.frozen
@@ -1 +1 @@
-2025-04-01T14:30:56.067Z
\ No newline at end of file
+2025-05-15T11:49:21.436Z
\ No newline at end of file
diff --git a/cassettes/features/v2/csm_threats/Get-a-CSM-Threats-Agent-rule-returns-OK-response.yml b/cassettes/features/v2/csm_threats/Get-a-CSM-Threats-Agent-rule-returns-OK-response.yml
index 365d2d4b1a2..c0ad21946a3 100644
--- a/cassettes/features/v2/csm_threats/Get-a-CSM-Threats-Agent-rule-returns-OK-response.yml
+++ b/cassettes/features/v2/csm_threats/Get-a-CSM-Threats-Agent-rule-returns-OK-response.yml
@@ -1,9 +1,9 @@
 http_interactions:
-- recorded_at: Tue, 01 Apr 2025 14:30:56 GMT
+- recorded_at: Thu, 15 May 2025 11:49:21 GMT
 request:
 body:
 encoding: UTF-8
- string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testgetacsmthreatsagentrulereturnsokresponse1743517856"},"type":"policy"}}'
+ string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testgetacsmthreatsagentrulereturnsokresponse1747309761"},"type":"policy"}}'
 headers:
 Accept:
 - application/json
@@ -14,8 +14,8 @@ http_interactions:
 response:
 body:
 encoding: UTF-8
- string: '{"data":{"id":"lxh-tyq-n9u","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My
- agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"testgetacsmthreatsagentrulereturnsokresponse1743517856","policyVersion":"1","priority":1000000001,"ruleCount":226,"updateDate":1743517856115,"updater":{"name":"CI
+ string: '{"data":{"id":"1jz-taz-md3","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My
+ agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"testgetacsmthreatsagentrulereturnsokresponse1747309761","policyVersion":"1","priority":1000000070,"ruleCount":226,"updateDate":1747309761485,"updater":{"name":"CI
 Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}}}'
 headers:
 Content-Type:
@@ -23,12 +23,12 @@ http_interactions:
 status:
 code: 200
 message: OK
-- recorded_at: Tue, 01 Apr 2025 14:30:56 GMT
+- recorded_at: Thu, 15 May 2025 11:49:21 GMT
 request:
 body:
 encoding: UTF-8
- string: '{"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name
- == \"sh\"","name":"testgetacsmthreatsagentrulereturnsokresponse1743517856","policy_id":"lxh-tyq-n9u","product_tags":["security:attack","technique:T1059"]},"type":"agent_rule"}}'
+ string: '{"data":{"attributes":{"actions":[{"set":{"name":"test_set","scope":"process","value":"test_value"}}],"description":"My
+ Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","name":"testgetacsmthreatsagentrulereturnsokresponse1747309761","policy_id":"1jz-taz-md3","product_tags":["security:attack","technique:T1059"]},"type":"agent_rule"}}'
 headers:
 Accept:
 - application/json
@@ -39,10 +39,10 @@ http_interactions:
 response:
 body:
 encoding: UTF-8
- string: '{"data":{"id":"k1m-gqh-zqm","type":"agent_rule","attributes":{"category":"Process
- Activity","creationDate":1743517856488,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My
+ string: '{"data":{"id":"lko-dbx-hgq","type":"agent_rule","attributes":{"actions":[{"set":{"name":"test_set","value":"test_value","scope":"process"},"disabled":false}],"category":"Process
+ Activity","creationDate":1747309762008,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My
 Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os
- == \"linux\""],"name":"testgetacsmthreatsagentrulereturnsokresponse1743517856","updateDate":1743517856488,"updater":{"name":"CI
+ == \"linux\""],"monitoring":["1jz-taz-md3"],"name":"testgetacsmthreatsagentrulereturnsokresponse1747309761","product_tags":["security:attack","technique:T1059"],"updateDate":1747309762008,"updater":{"name":"CI
 Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}}}'
 headers:
 Content-Type:
@@ -50,21 +50,21 @@ http_interactions:
 status:
 code: 200
 message: OK
-- recorded_at: Tue, 01 Apr 2025 14:30:56 GMT
+- recorded_at: Thu, 15 May 2025 11:49:21 GMT
 request:
 body: null
 headers:
 Accept:
 - application/json
 method: GET
- uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/k1m-gqh-zqm?policy_id=lxh-tyq-n9u
+ uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/lko-dbx-hgq?policy_id=1jz-taz-md3
 response:
 body:
 encoding: UTF-8
- string: '{"data":{"id":"k1m-gqh-zqm","type":"agent_rule","attributes":{"category":"Process
- Activity","creationDate":1743517856000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My
+ string: '{"data":{"id":"lko-dbx-hgq","type":"agent_rule","attributes":{"actions":[{"set":{"name":"test_set","value":"test_value","scope":"process"},"disabled":false}],"category":"Process
+ Activity","creationDate":1747309762008,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My
 Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os
- == \"linux\""],"name":"testgetacsmthreatsagentrulereturnsokresponse1743517856","updateDate":1743517856000,"updater":{"name":"CI
+ == \"linux\""],"monitoring":["1jz-taz-md3"],"name":"testgetacsmthreatsagentrulereturnsokresponse1747309761","product_tags":["security:attack","technique:T1059"],"updateDate":1747309762008,"updater":{"name":"CI
 Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}}}'
 headers:
 Content-Type:
@@ -72,14 +72,14 @@ http_interactions:
 status:
 code: 200
 message: OK
-- recorded_at: Tue, 01 Apr 2025 14:30:56 GMT
+- recorded_at: Thu, 15 May 2025 11:49:21 GMT
 request:
 body: null
 headers:
 Accept:
 - '*/*'
 method: DELETE
- uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/k1m-gqh-zqm
+ uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/lko-dbx-hgq
 response:
 body:
 encoding: UTF-8
@@ -90,14 +90,14 @@ http_interactions:
 status:
 code: 204
 message: No Content
-- recorded_at: Tue, 01 Apr 2025 14:30:56 GMT
+- recorded_at: Thu, 15 May 2025 11:49:21 GMT
 request:
 body: null
 headers:
 Accept:
 - '*/*'
 method: DELETE
- uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/lxh-tyq-n9u
+ uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/1jz-taz-md3
 response:
 body:
 encoding: UTF-8
diff --git a/cassettes/features/v2/csm_threats/Get-a-Cloud-Workload-Security-Agent-rule-returns-Not-Found-response.frozen b/cassettes/features/v2/csm_threats/Get-a-Cloud-Workload-Security-Agent-rule-returns-Not-Found-response.frozen
index 881abb7569a..b35f56d6bdb 100644
--- a/cassettes/features/v2/csm_threats/Get-a-Cloud-Workload-Security-Agent-rule-returns-Not-Found-response.frozen
+++ b/cassettes/features/v2/csm_threats/Get-a-Cloud-Workload-Security-Agent-rule-returns-Not-Found-response.frozen
@@ -1 +1 @@
-2025-04-01T14:30:58.452Z
\ No newline at end of file
+2025-05-15T11:49:24.504Z
\ No newline at end of file
diff --git a/cassettes/features/v2/csm_threats/Get-a-Cloud-Workload-Security-Agent-rule-returns-Not-Found-response.yml b/cassettes/features/v2/csm_threats/Get-a-Cloud-Workload-Security-Agent-rule-returns-Not-Found-response.yml
index 98d3631d553..84c53072fa5 100644
--- a/cassettes/features/v2/csm_threats/Get-a-Cloud-Workload-Security-Agent-rule-returns-Not-Found-response.yml
+++ b/cassettes/features/v2/csm_threats/Get-a-Cloud-Workload-Security-Agent-rule-returns-Not-Found-response.yml
@@ -1,5 +1,5 @@ http_interactions: -- recorded_at: Tue, 01 Apr 2025 14:30:58 GMT +- recorded_at: Thu, 15 May 2025 11:49:24 GMT request: body: null headers: diff --git a/cassettes/features/v2/csm_threats/Get-a-Cloud-Workload-Security-Agent-rule-returns-OK-response.frozen b/cassettes/features/v2/csm_threats/Get-a-Cloud-Workload-Security-Agent-rule-returns-OK-response.frozen index 72cbb497c85..97ebf84ef21 100644 --- a/cassettes/features/v2/csm_threats/Get-a-Cloud-Workload-Security-Agent-rule-returns-OK-response.frozen +++ b/cassettes/features/v2/csm_threats/Get-a-Cloud-Workload-Security-Agent-rule-returns-OK-response.frozen @@ -1 +1 @@ -2025-04-18T09:10:13.933Z \ No newline at end of file +2025-05-15T11:49:24.574Z \ No newline at end of file diff --git a/cassettes/features/v2/csm_threats/Get-a-Cloud-Workload-Security-Agent-rule-returns-OK-response.yml b/cassettes/features/v2/csm_threats/Get-a-Cloud-Workload-Security-Agent-rule-returns-OK-response.yml index c2bdf6674c0..03ac2809d8a 100644 --- a/cassettes/features/v2/csm_threats/Get-a-Cloud-Workload-Security-Agent-rule-returns-OK-response.yml +++ b/cassettes/features/v2/csm_threats/Get-a-Cloud-Workload-Security-Agent-rule-returns-OK-response.yml @@ -1,10 +1,10 @@ http_interactions: -- recorded_at: Fri, 18 Apr 2025 09:10:13 GMT +- recorded_at: Thu, 15 May 2025 11:49:24 GMT request: body: encoding: UTF-8 string: '{"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name - == \"sh\"","name":"testgetacloudworkloadsecurityagentrulereturnsokresponse1744967413"},"type":"agent_rule"}}' + == \"sh\"","name":"testgetacloudworkloadsecurityagentrulereturnsokresponse1747309764"},"type":"agent_rule"}}' headers: Accept: - application/json 
@@ -15,8 +15,8 @@ http_interactions: response: body: encoding: UTF-8 - string: '{"data":{"id":"ajb-znb-t3g","attributes":{"version":1,"name":"testgetacloudworkloadsecurityagentrulereturnsokresponse1744967413","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1744967414208,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1744967414208,"filters":["os + string: '{"data":{"id":"axj-sqc-arv","attributes":{"version":1,"name":"testgetacloudworkloadsecurityagentrulereturnsokresponse1747309764","description":"My + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1747309765074,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1747309765074,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"}} 
@@ -27,19 +27,19 @@ http_interactions: status: code: 200 message: OK -- recorded_at: Fri, 18 Apr 2025 09:10:13 GMT +- recorded_at: Thu, 15 May 2025 11:49:24 GMT request: body: null headers: Accept: - application/json method: GET - uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/ajb-znb-t3g + uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/axj-sqc-arv response: body: encoding: UTF-8 - string: '{"data":{"id":"ajb-znb-t3g","attributes":{"version":1,"name":"testgetacloudworkloadsecurityagentrulereturnsokresponse1744967413","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1744967414208,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1744967414208,"filters":["os + string: '{"data":{"id":"axj-sqc-arv","attributes":{"version":1,"name":"testgetacloudworkloadsecurityagentrulereturnsokresponse1747309764","description":"My + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1747309765074,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1747309765074,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"}} 
@@ -50,14 +50,14 @@ http_interactions: status: code: 200 message: OK -- recorded_at: Fri, 18 Apr 2025 09:10:13 GMT +- recorded_at: Thu, 15 May 2025 11:49:24 GMT request: body: null headers: Accept: - '*/*' method: DELETE - uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/ajb-znb-t3g + uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/axj-sqc-arv response: body: encoding: UTF-8 diff --git a/cassettes/features/v2/csm_threats/Get-all-CSM-Threats-Agent-policies-returns-OK-response.frozen b/cassettes/features/v2/csm_threats/Get-all-CSM-Threats-Agent-policies-returns-OK-response.frozen index 8fe4f3f1934..39a6822805b 100644 --- a/cassettes/features/v2/csm_threats/Get-all-CSM-Threats-Agent-policies-returns-OK-response.frozen +++ b/cassettes/features/v2/csm_threats/Get-all-CSM-Threats-Agent-policies-returns-OK-response.frozen @@ -1 +1 @@ -2025-04-01T14:30:58.530Z \ No newline at end of file +2025-05-15T11:49:25.280Z \ No newline at end of file diff --git a/cassettes/features/v2/csm_threats/Get-all-CSM-Threats-Agent-policies-returns-OK-response.yml b/cassettes/features/v2/csm_threats/Get-all-CSM-Threats-Agent-policies-returns-OK-response.yml index 920a16f0b95..6fa2c4a4e8e 100644 --- a/cassettes/features/v2/csm_threats/Get-all-CSM-Threats-Agent-policies-returns-OK-response.yml +++ b/cassettes/features/v2/csm_threats/Get-all-CSM-Threats-Agent-policies-returns-OK-response.yml @@ -1,5 +1,5 @@ http_interactions: -- recorded_at: Tue, 01 Apr 2025 14:30:58 GMT +- recorded_at: Thu, 15 May 2025 11:49:25 GMT request: body: null headers: 
@@ -10,9 +10,37 @@ http_interactions: response: body: encoding: UTF-8 - string: '{"data":[{"id":"CWS_CUSTOM-canary","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"disabledRulesCount":1,"enabled":false,"hostTags":[],"monitoringRulesCount":418,"name":"Datadog - Managed Policy","policyVersion":"53221","priority":1000000000,"ruleCount":419,"updateDate":1742473183000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"CWS_DD","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":true,"disabledRulesCount":1,"enabled":true,"monitoringRulesCount":225,"name":"Datadog - Managed Policy","policyVersion":"1.40.0-rc76","priority":0,"ruleCount":226,"updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}}]}' + string: '{"data":[{"id":"gxu-c6v-pka","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":226,"name":"examplegetacsmthreatsagentrulereturnsokresponse1747260251","policyVersion":"2","priority":1000000069,"ruleCount":227,"updateDate":1747260252444,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"1os-ptz-he9","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":226,"name":"examplegetacsmthreatsagentrulereturnsokresponse1747217050","policyVersion":"2","priority":1000000066,"ruleCount":227,"updateDate":1747217052175,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"ddu-dat-9cx","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent 
policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":226,"name":"examplegetacsmthreatsagentrulereturnsokresponse1747188251","policyVersion":"2","priority":1000000061,"ruleCount":227,"updateDate":1747188252541,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"oiv-iar-6uj","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"examplecreateacsmthreatsagentrulereturnsokresponse1747188247","policyVersion":"3","priority":1000000058,"ruleCount":226,"updateDate":1747188247541,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"n6v-uoj-6jv","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"exampledeleteacsmthreatsagentrulereturnsokresponse1747173848","policyVersion":"3","priority":1000000056,"ruleCount":226,"updateDate":1747173848994,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"zay-klh-gzk","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"examplecreateacloudworkloadsecurityagentrulereturnsokresponse1747145048","policyVersion":"1","priority":1000000053,"ruleCount":226,"updateDate":1747145052780,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"t0c-318-ksc","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent 
policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"examplecreateacloudworkloadsecurityagentrulereturnsokresponse1747130648","policyVersion":"1","priority":1000000048,"ruleCount":226,"updateDate":1747130648466,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"mnq-jea-ord","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"examplegetacsmthreatsagentrulereturnsokresponse1747116251","policyVersion":"3","priority":1000000045,"ruleCount":226,"updateDate":1747116251418,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"hjq-1ou-gxj","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"examplecreateacloudworkloadsecurityagentrulereturnsokresponse1747116248","policyVersion":"1","priority":1000000044,"ruleCount":226,"updateDate":1747116249173,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"zt3-q2u-xka","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":226,"name":"examplegetacsmthreatsagentrulereturnsokresponse1747058651","policyVersion":"2","priority":1000000041,"ruleCount":227,"updateDate":1747058653022,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"n52-kmk-gy5","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent 
policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":226,"name":"examplecreateacsmthreatsagentrulereturnsokresponse1747058647","policyVersion":"2","priority":1000000039,"ruleCount":227,"updateDate":1747058651011,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"lwi-ota-cdp","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":226,"name":"examplecreateacsmthreatsagentrulereturnsokresponse1747029847","policyVersion":"2","priority":1000000037,"ruleCount":227,"updateDate":1747029850531,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"eme-xsc-20m","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":226,"name":"examplegetacsmthreatsagentrulereturnsokresponse1747001050","policyVersion":"2","priority":1000000035,"ruleCount":227,"updateDate":1747001052678,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"acr-3t9-p0d","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"examplecreateacloudworkloadsecurityagentrulereturnsokresponse1747001048","policyVersion":"1","priority":1000000033,"ruleCount":226,"updateDate":1747001048728,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"hw2-pev-bdl","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent 
policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"examplegetacsmthreatsagentrulereturnsokresponse1746986651","policyVersion":"3","priority":1000000030,"ruleCount":226,"updateDate":1746986651360,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"mm8-gf5-1mh","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"exampledeleteacsmthreatsagentrulereturnsokresponse1746986648","policyVersion":"3","priority":1000000029,"ruleCount":226,"updateDate":1746986649139,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"wfe-tga-w8i","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"examplecreateacloudworkloadsecurityagentrulereturnsokresponse1746943448","policyVersion":"1","priority":1000000025,"ruleCount":226,"updateDate":1746943448597,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"kz9-gsr-aet","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"exampledeleteacsmthreatsagentrulereturnsokresponse1746929048","policyVersion":"3","priority":1000000022,"ruleCount":226,"updateDate":1746929049088,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"u2n-mby-zu5","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent 
policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"examplegetacsmthreatsagentpolicyreturnsokresponse1746914646","policyVersion":"1","priority":1000000018,"ruleCount":226,"updateDate":1746914646907,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"ygu-bj5-cnb","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":226,"name":"examplegetacsmthreatsagentrulereturnsokresponse1746900250","policyVersion":"2","priority":1000000017,"ruleCount":227,"updateDate":1746900252089,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"8h9-6l9-ofq","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"exampledeleteacsmthreatsagentrulereturnsokresponse1746885848","policyVersion":"3","priority":1000000012,"ruleCount":226,"updateDate":1746885849173,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"x6i-kv0-iby","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"examplecreateacloudworkloadsecurityagentrulereturnsokresponse1746871448","policyVersion":"1","priority":1000000009,"ruleCount":226,"updateDate":1746871448758,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"wry-lqz-m1l","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent 
policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"examplegetacsmthreatsagentpolicyreturnsokresponse1746842646","policyVersion":"1","priority":1000000006,"ruleCount":226,"updateDate":1746842646921,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"ljy-djc-pxw","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":226,"name":"examplecreateacsmthreatsagentrulereturnsokresponse1746828247","policyVersion":"2","priority":1000000005,"ruleCount":227,"updateDate":1746828252931,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"kmt-lzi-f6r","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"examplegetacsmthreatsagentpolicyreturnsokresponse1746813847","policyVersion":"1","priority":1000000003,"ruleCount":226,"updateDate":1746813847517,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"CWS_CUSTOM-canary","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"disabledRulesCount":2,"enabled":false,"monitoringRulesCount":491,"name":"Datadog + Managed Policy","policyVersion":"58193","priority":1000000002,"ruleCount":493,"updateDate":1746789273109,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"hdo-seh-iaa","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"testupdateacsmthreatsagentrulereturnsokresponse1744718519","policyVersion":"1","priority":1000000001,"ruleCount":226,"updateDate":1744718520126,"updater":{"name":"CI + 
Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"CWS_DD","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":true,"disabledRulesCount":1,"enabled":true,"monitoringRulesCount":225,"name":"Datadog + Managed Policy","policyVersion":"1.43.0-rc80","priority":0,"ruleCount":226,"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}}]}' headers: Content-Type: - application/json diff --git a/cassettes/features/v2/csm_threats/Get-all-CSM-Threats-Agent-rules-returns-OK-response.frozen b/cassettes/features/v2/csm_threats/Get-all-CSM-Threats-Agent-rules-returns-OK-response.frozen index 7ee9fb8020f..0fb29cfc53d 100644 --- a/cassettes/features/v2/csm_threats/Get-all-CSM-Threats-Agent-rules-returns-OK-response.frozen +++ b/cassettes/features/v2/csm_threats/Get-all-CSM-Threats-Agent-rules-returns-OK-response.frozen @@ -1 +1 @@ -2025-04-01T14:30:58.771Z \ No newline at end of file +2025-05-15T11:49:25.503Z \ No newline at end of file diff --git a/cassettes/features/v2/csm_threats/Get-all-CSM-Threats-Agent-rules-returns-OK-response.yml b/cassettes/features/v2/csm_threats/Get-all-CSM-Threats-Agent-rules-returns-OK-response.yml index e16464410ae..37e068e6c17 100644 --- a/cassettes/features/v2/csm_threats/Get-all-CSM-Threats-Agent-rules-returns-OK-response.yml +++ b/cassettes/features/v2/csm_threats/Get-all-CSM-Threats-Agent-rules-returns-OK-response.yml 
@@ -1,761 +1,223 @@ http_interactions: -- recorded_at: Tue, 01 Apr 2025 14:30:58 GMT +- recorded_at: Thu, 15 May 2025 11:49:25 GMT + request: + body: + encoding: UTF-8 + string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testgetallcsmthreatsagentrulesreturnsokresponse1747309765"},"type":"policy"}}' + headers: + Accept: + - application/json + Content-Type: + - application/json + method: POST + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy + response: + body: + encoding: UTF-8 + string: '{"data":{"id":"v5l-ynv-guh","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"testgetallcsmthreatsagentrulesreturnsokresponse1747309765","policyVersion":"1","priority":1000000070,"ruleCount":226,"updateDate":1747309765555,"updater":{"name":"CI + Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}}}' + headers: + Content-Type: + - application/json + status: + code: 200 + message: OK +- recorded_at: Thu, 15 May 2025 11:49:25 GMT request: body: null headers: Accept: - application/json method: GET - uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules?policy_id=v5l-ynv-guh response: body: encoding: UTF-8 - string: '{"data":[{"id":"50t-g20-n4o","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1710772096000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"","enabled":true,"expression":"open.file.name - == \"etc/shadow/password\"","filters":["os == \"linux\""],"name":"Randomname","updateDate":1710772096000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"4mc-0xr-vlw","type":"agent_rule","attributes":{"category":"Process - 
Activity","creationDate":1714264624000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1714264624","updateDate":1714264624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"zu3-7yi-3w0","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714696626000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1714696624","updateDate":1714696626000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"xg2-lum-j2a","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714783024000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1714783024","updateDate":1714783024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"rsm-fam-pfp","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714869424000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1714869424","updateDate":1714869424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"ulx-voj-zk3","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714883824000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent 
rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1714883824","updateDate":1714883824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"nio-59w-ip8","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714927026000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1714927026","updateDate":1714927026000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"5zt-j5u-aqm","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715287024000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1715287024","updateDate":1715287024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"k8w-brg-51l","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715445426000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1715445424","updateDate":1715445426000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"eue-gqs-59v","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715503024000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1715503024","updateDate":1715503024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"9wz-mgt-zkp","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715546226000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1715546226","updateDate":1715546226000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"fii-ysi-7bu","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715618226000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1715618224","updateDate":1715618226000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"hhl-9nk-8ls","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715819826000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1715819824","updateDate":1715819826000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"rc4-b53-3sj","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715863024000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1715863024","updateDate":1715863024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"w3d-qp8-3yb","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1716309424000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1716309424","updateDate":1716309424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"cvn-qsw-ibn","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1716410225000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1716410224","updateDate":1716410225000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"vyd-2vb-tnk","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1738469890000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"examplecreateacsmthreatsagentrulereturnsokresponse1738469890","updateDate":1738469890000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"ulc-hn1-cz5","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1725295024000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"name":"exampledeleteacsmthreatsagentrulereturnsokresponse1725295023","updateDate":1725295024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"jbe-827-tq7","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1732768624000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"exampledeleteacsmthreatsagentrulereturnsokresponse1732768624","updateDate":1732768624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"ezw-7rm-wca","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1735634224000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"exampledeleteacsmthreatsagentrulereturnsokresponse1735634224","updateDate":1735634224000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"p4n-ijm-zeu","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714155721000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1714155721","updateDate":1714155721000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"piq-bha-m6t","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714279024000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1714279024","updateDate":1714279024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"rno-53m-mf3","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714538225000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1714538225","updateDate":1714538225000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"bwj-n0m-ut5","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714653425000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1714653424","updateDate":1714653425000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"hk2-qrd-3jt","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714667824000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1714667824","updateDate":1714667824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"zdz-ued-luw","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714797424000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1714797424","updateDate":1714797424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"tf1-bgq-7bb","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714883824000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1714883824","updateDate":1714883824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"35e-29w-qhu","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715128624000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1715128624","updateDate":1715128624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"iyj-haq-dvu","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715373426000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1715373425","updateDate":1715373426000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"rgf-wo7-4fj","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715402226000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1715402224","updateDate":1715402226000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"stq-uwx-efd","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715531824000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1715531824","updateDate":1715531824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"i0b-hk0-7h3","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715560625000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1715560625","updateDate":1715560625000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"0zl-ilo-guv","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1716050224000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1716050224","updateDate":1716050224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"e7g-3t1-hpu","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1716352624000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1716352624","updateDate":1716352624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"qoe-y42-hqp","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1716554224000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1716554224","updateDate":1716554224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"sic-1px-69u","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1717418225000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1717418224","updateDate":1717418225000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"3kk-4rm-qug","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1718426224000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1718426224","updateDate":1718426224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"b79-xcg-63p","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1719059824000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1719059824","updateDate":1719059824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"veg-qf4-lgr","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1719967025000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1719967024","updateDate":1719967025000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"ukn-yjf-h6a","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1719981424000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1719981423","updateDate":1719981424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"ssm-zlm-vqh","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1720312626000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1720312624","updateDate":1720312626000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"qba-1qm-uj5","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1721075824000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1721075824","updateDate":1721075824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"uhw-kuq-ute","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1721119025000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1721119024","updateDate":1721119025000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"ftd-d3e-byt","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1721666224000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1721666224","updateDate":1721666224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"9n1-l1g-u4k","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1721853424000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1721853423","updateDate":1721853424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"4qm-ikt-fpr","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1721954224000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1721954223","updateDate":1721954224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"d7t-4i4-tex","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1722659826000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1722659824","updateDate":1722659826000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"mda-uab-xow","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1723178226000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1723178224","updateDate":1723178226000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"3cv-rwp-2t7","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1724215024000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1724215024","updateDate":1724215024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"vvb-sfk-jn1","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1724647024000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1724647024","updateDate":1724647024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"li0-j5t-0hv","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1724848624000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1724848624","updateDate":1724848624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"hlp-8dr-0i3","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1725467825000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1725467823","updateDate":1725467825000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"xw4-uw8-mmx","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1725885424000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1725885424","updateDate":1725885424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"3gw-vkx-b7s","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1728419826000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1728419824","updateDate":1728419826000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"xxc-35o-apy","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1729427824000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1729427824","updateDate":1729427824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"3hj-2t8-ydm","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1729787824000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1729787824","updateDate":1729787824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"zt8-od0-yxu","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1730205424000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1730205423","updateDate":1730205424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"svl-2s4-jd4","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1730450224000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1730450223","updateDate":1730450224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"ycc-lv0-6oj","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1730939824000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1730939824","updateDate":1730939824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"d2g-d0v-w1l","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1732019824000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1732019824","updateDate":1732019824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"7s9-sfq-2km","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1732552624000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1732552624","updateDate":1732552624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"tb2-3ij-eep","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1732667824000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1732667824","updateDate":1732667824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"sfj-gky-roy","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1732869424000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1732869424","updateDate":1732869424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"sz5-kvy-3kd","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1732927024000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1732927024","updateDate":1732927024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"2vn-l1s-b0y","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1733013424000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1733013424","updateDate":1733013424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"nco-423-hiu","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1733531824000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1733531824","updateDate":1733531824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"l57-d8u-edg","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1733546224000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1733546224","updateDate":1733546224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"4sz-cc7-ukd","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1733560627000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1733560624","updateDate":1733560627000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"o9g-ptk-2zv","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1733575024000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1733575024","updateDate":1733575024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"xg0-u09-xir","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1733603824000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1733603824","updateDate":1733603824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"fog-8k1-fzi","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1733704624000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1733704624","updateDate":1733704624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"wzz-ni8-56v","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1733963824000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1733963824","updateDate":1733963824000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"mdn-0hh-uw1","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1734050226000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1734050223","updateDate":1734050226000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"3ox-06e-x4c","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1734093424000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1734093423","updateDate":1734093424000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"uyv-a9k-8l7","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1734395826000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1734395824","updateDate":1734395826000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"5b4-k0v-rzw","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1734424624000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1734424623","updateDate":1734424624000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"w60-a8d-qrd","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1734439024000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1734439023","updateDate":1734439024000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"zsr-y94-6u2","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1734482226000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1734482224","updateDate":1734482226000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"0t6-uce-ee0","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1734899824000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1734899824","updateDate":1734899824000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"fiw-wuv-ueg","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1734914224000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1734914224","updateDate":1734914224000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"n8l-rby-b42","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1735072624000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1735072624","updateDate":1735072624000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"v14-hvg-0fd","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1735216626000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1735216624","updateDate":1735216626000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"shf-bur-1id","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1735288624000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1735288624","updateDate":1735288624000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"18r-273-a6u","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1735547824000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1735547824","updateDate":1735547824000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"1ys-tf8-u32","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1735562224000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1735562224","updateDate":1735562224000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"1ej-lz6-3iy","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1735648624000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1735648624","updateDate":1735648624000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"981-x7o-izo","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1735749424000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1735749424","updateDate":1735749424000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"897-56j-4uj","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1735907824000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1735907823","updateDate":1735907824000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"f5p-men-xz3","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1735994224000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1735994224","updateDate":1735994224000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"wt2-84b-uy6","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737433133000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1737433133","updateDate":1737433133000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"269-p6y-i3p","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1742473183000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"examplegetacsmthreatsagentrulereturnsokresponse1742473182","updateDate":1742473183000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"vxv-90c-vm4","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714279023000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714279022","updateDate":1714279024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"rta-b8v-4uf","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714322223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714322222","updateDate":1714322224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"qo2-qin-6hg","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714351023000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714351022","updateDate":1714351024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"aoo-snu-t5u","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714423023000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714423023","updateDate":1714423024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"vsk-ewy-s83","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714451823000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714451823","updateDate":1714451824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"o4r-6tp-yk0","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714466223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714466223","updateDate":1714466224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"710-xzg-ays","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714480623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714480623","updateDate":1714480624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"tjr-ib4-gya","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714509423000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714509423","updateDate":1714509424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"yep-euy-ttp","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714552623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714552623","updateDate":1714552624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"ps4-63s-bzc","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714567023000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714567023","updateDate":1714567024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"kax-qcg-qu0","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714581423000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714581423","updateDate":1714581424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"245-ynt-xcy","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714610223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714610223","updateDate":1714610224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"1m6-dg0-lq9","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714624623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714624623","updateDate":1714624624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"3xf-404-qez","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714667823000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714667823","updateDate":1714667824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"e6l-qo1-y2e","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714682223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714682223","updateDate":1714682224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"k95-kl4-jxt","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714696623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714696623","updateDate":1714696627000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"es7-rhv-nra","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714797423000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714797422","updateDate":1714797424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"syl-o29-0dq","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714826223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714826223","updateDate":1714826223000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"7sd-d1r-ts5","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714840623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714840622","updateDate":1714840624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"97d-p9d-x1d","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1714941423000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1714941422","updateDate":1714941424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"mgl-xtg-ctl","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715027823000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1715027822","updateDate":1715027824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"a9f-o95-atg","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715128623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1715128622","updateDate":1715128624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"rjm-biu-bqq","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715272623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1715272622","updateDate":1715272624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"nor-y5a-3sn","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715373423000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1715373422","updateDate":1715373424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"4fo-giq-5f8","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715416623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1715416622","updateDate":1715416624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"c79-8dg-klx","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715445423000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1715445422","updateDate":1715445424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"f4p-2wj-hrf","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715459823000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1715459822","updateDate":1715459824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"bou-hvm-24h","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715474223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1715474222","updateDate":1715474224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"lf1-s8g-yf7","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715503023000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1715503022","updateDate":1715503024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"krx-co0-pz2","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715531823000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1715531822","updateDate":1715531824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"uqg-z0t-83n","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715575023000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1715575022","updateDate":1715575024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"kid-vkk-fj9","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715603823000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1715603822","updateDate":1715603824000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"h4n-yuq-2mp","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715632623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1715632622","updateDate":1715632624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"ocv-we5-g5y","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715661423000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1715661422","updateDate":1715661423000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"mzh-gda-c24","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715762223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1715762222","updateDate":1715762224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"mtg-s1f-xy5","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1716050223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1716050222","updateDate":1716050224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"6ak-6po-dd6","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1716640623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1716640622","updateDate":1716640624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"5rb-4q9-p5g","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1716813423000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1716813422","updateDate":1716813424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"b7w-xgg-ocq","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1717130223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1717130222","updateDate":1717130226000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"1l2-7qh-mfa","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1717432623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1717432622","updateDate":1717432626000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"m77-qgu-c48","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1717677423000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1717677422","updateDate":1717677424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"f2b-qds-3f4","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1718815023000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1718815022","updateDate":1718815024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"xh4-cv2-cfa","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1719031023000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1719031022","updateDate":1719031024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"fxe-inc-9zj","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1719938223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1719938222","updateDate":1719938225000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"pb3-26n-452","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1719981423000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1719981422","updateDate":1719981424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"hgr-nny-7zr","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1720471023000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1720471022","updateDate":1720471024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"wvg-hbj-6o2","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1720600623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1720600622","updateDate":1720600624000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"9ji-2p2-v00","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1721248623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1721248623","updateDate":1721248625000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"dou-40j-cpw","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1721378223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1721378223","updateDate":1721378224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"qd9-39s-51s","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1721666223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1721666223","updateDate":1721666224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"g9j-hhf-7at","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1722703023000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1722703023","updateDate":1722703024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"ybg-c9d-29b","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1723034223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1723034223","updateDate":1723034224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"hsg-toh-i57","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1723610223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1723610223","updateDate":1723610224000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"tiy-95c-mkc","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1723797423000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1723797423","updateDate":1723797424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"7rw-grx-l7u","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1726331823000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1726331822","updateDate":1726331823000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"k1r-tva-i6e","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1727829423000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1727829422","updateDate":1727829425000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"4bk-eaa-j5w","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1728664623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1728664622","updateDate":1728664623000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"qk2-gkn-517","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1730162223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1730162223","updateDate":1730162225000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"ybl-tp8-aab","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1730263023000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1730263022","updateDate":1730263025000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"3xd-vam-hd2","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1730479023000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1730479022","updateDate":1730479024000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"ro3-z56-52j","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1732221423000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1732221423","updateDate":1732221424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"3ay-9ve-3i3","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1732451823000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1732451822","updateDate":1732451823000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"a66-2qy-xwe","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1733128623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1733128622","updateDate":1733128625000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"9of-ebc-ypn","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1733143023000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1733143022","updateDate":1733143023000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"b68-yq9-x3q","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1733200623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1733200622","updateDate":1733200625000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"ev9-rxn-om1","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1733272623000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1733272622","updateDate":1733272626000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"gds-0mc-sle","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1733330223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1733330222","updateDate":1733330225000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"rwf-5af-jaw","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1733618223000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1733618222","updateDate":1733618223000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"z2v-n54-g9a","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1733661423000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1733661422","updateDate":1733661424000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"vma-z5w-bi9","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1734179823000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1734179822","updateDate":1734179825000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"ya9-48i-611","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1734496623000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1734496623","updateDate":1734496625000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"l9m-5ce-g9i","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1734525423000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1734525422","updateDate":1734525423000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"kbx-ylg-k86","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1734597423000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1734597422","updateDate":1734597424000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"rec-v3q-e1c","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1734770223000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1734770223","updateDate":1734770227000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"tr5-g9p-4jx","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1734799023000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1734799023","updateDate":1734799025000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"tps-9zv-vpp","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1734899823000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1734899823","updateDate":1734899825000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"0rc-s4t-d0f","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1735562223000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1735562223","updateDate":1735562225000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"ekr-3xj-8yj","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1735619823000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1735619823","updateDate":1735619825000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"p6o-t98-nm1","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1735691823000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1735691823","updateDate":1735691824000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"nue-wxi-y3i","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1735720623000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1735720623","updateDate":1735720626000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"w95-d3h-c3r","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1735864623000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1735864622","updateDate":1735864625000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"6w8-3xn-j4c","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1736066223000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1736066222","updateDate":1736066224000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"hcr-3py-6it","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1736807340000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1736807340","updateDate":1736807342000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"00d-kfn-fwm","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1740025013000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1740025013","updateDate":1740025019000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"ceu-3h6-qug","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1740269813000,"creator":{"name":"frog","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"exampleupdateacsmthreatsagentrulereturnsokresponse1740269813","updateDate":1740269814000,"updater":{"name":"frog","handle":"frog@datadoghq.com"}}},{"id":"oed-ka8-syl","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1711550899000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"my_agent_rule","updateDate":1711550899000,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"v9x-9ib-tr7","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737288363000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"im - a rule","enabled":true,"expression":"open.file.name == \"etc/shadow/password\"","filters":["os - == \"linux\""],"name":"qljifimbbh","updateDate":1737288363000,"updater":{"name":"CI - 
Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"ast-isd-tty","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1715645381000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"testgocreateacsmthreatsagentrulereturnsokresponse1715645381","updateDate":1715645381000,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"9l7-am7-hy6","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1736986169000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"testgocreateacsmthreatsagentrulereturnsokresponse1736986169","updateDate":1736986169000,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"tw0-y2e-9wf","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1738627773000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"testgocreateacsmthreatsagentrulereturnsokresponse1738627773","updateDate":1738627773000,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"cdy-cvp-oqz","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1728617680000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == 
\"linux\""],"name":"testjavacreateacsmthreatsagentrulereturnsokresponse1728617679","updateDate":1728617680000,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"tth-j42-vc4","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1732591470000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"testjavacreateacsmthreatsagentrulereturnsokresponse1732591469","updateDate":1732591470000,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"lhe-ksz-xyj","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1711595493000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"testjavagetacsmthreatsagentrulereturnsokresponse1711595493","updateDate":1711595493000,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"73h-yo0-427","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1725240870000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"testpythoncreateacsmthreatsagentrulereturnsokresponse1725240869","updateDate":1725240870000,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"ohq-oxe-jb4","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1726883002000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My - Agent 
rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"testpythoncreateacsmthreatsagentrulereturnsokresponse1726883002","updateDate":1726883002000,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"912-lu2-2sg","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1731203077000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"testpythoncreateacsmthreatsagentrulereturnsokresponse1731203077","updateDate":1731203077000,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"5c8-aij-182","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1720156180000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"testrustgetacsmthreatsagentrulereturnsokresponse1720156180","updateDate":1720156180000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"5jy-8qa-vwx","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1724216976000,"creator":{"name":"","handle":"frog@datadoghq.com"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"testrustupdateacsmthreatsagentrulereturnsbadrequestresponse1724216976","updateDate":1724216976000,"updater":{"name":"","handle":"frog@datadoghq.com"}}},{"id":"24l-rs9-d0x","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1710500975000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My - Agent 
rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"testtypescriptgetacsmthreatsagentrulereturnsokresponse1710500975","updateDate":1710500975000,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"pz7-rvb-ckm","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1734692969000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"testtypescriptupdateacsmthreatsagentrulereturnsokresponse1734692969","updateDate":1734692970000,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"ctc-pux-luh","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737951387000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"Test - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"testtypescriptupdateacsmthreatsagentrulereturnsokresponse1737951387","updateDate":1737951389000,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"v64-qmf-tal","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1740543488000,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My - Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"testtypescriptupdateacsmthreatsagentrulereturnsokresponse1740543488","updateDate":1740543488000,"updater":{"name":"CI - Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}},{"id":"7ts-208-rn4","type":"agent_rule","attributes":{"category":"Process - 
Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An - AppArmor profile was modified in an interactive session","enabled":true,"expression":"exec.file.name - in [\"aa-disable\", \"aa-complain\", \"aa-audit\"] \u0026\u0026 exec.tty_name - !=\"\"","filters":["os == \"linux\""],"name":"apparmor_modified_tty","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-7m7","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The - auditctl command was used to modify auditd","enabled":true,"expression":"exec.file.name - == \"auditctl\" \u0026\u0026 exec.args_flags not in [\"s\", \"l\"]","filters":["os - == \"linux\""],"name":"auditctl_usage","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-ly8","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The - auditd configuration file was modified without using auditctl","enabled":true,"expression":"open.file.path - == \"/etc/audit/auditd.conf\" \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) - \u003e 0 \u0026\u0026 process.file.name != \"auditctl\"","filters":["os == - \"linux\""],"name":"auditd_config_modified","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-ehx","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The - auditd rules file was modified without using auditctl","enabled":true,"expression":"open.file.path - in [\"/etc/audit/rules.d/audit.rules\", \"/etc/audit/audit.rules\"] \u0026\u0026 - open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 - 
process.file.name != \"auditctl\"","filters":["os == \"linux\""],"name":"auditd_rule_file_modified","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-dnj","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The - AWS CLI utility was executed","enabled":true,"expression":"exec.file.name - == \"aws\"","filters":["os == \"linux\""],"name":"aws_cli_usage","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"9f3-haw-91q","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The - AWS EKS service account token was accessed","enabled":true,"expression":"open.file.path - =~ \"/var/run/secrets/eks.amazonaws.com/serviceaccount/**\" \u0026\u0026 open.file.name - == \"token\" \u0026\u0026 process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", - \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", - \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/embedded/bin/trace-agent\", - \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", - \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", - \"/opt/datadog-agent/bin/datadog-cluster-agent\", ~\"/opt/datadog-packages/**\", - ~\"/opt/datadog-installer/**\"]","filters":["os == \"linux\""],"name":"aws_eks_service_account_token_accessed","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"wgv-wsb-pse","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An - AWS IMDS was called via a network utility","enabled":true,"expression":"exec.comm - in 
[\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*169.254.169.254/latest/meta-data/iam/security-credentials/*\", - ~\"*169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\", ~\"*169.254.170.2/*/credentials?id=*\"]","filters":["os - == \"linux\""],"name":"aws_imds","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"c2g-31u-jpk","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An - Azure IMDS was called via a network utility","enabled":true,"expression":"exec.comm - in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*169.254.169.254/metadata/identity/oauth2/token?api-version=*\"]","filters":["os - == \"linux\""],"name":"azure_imds","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-a41","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The - base64 command was used to decode information","enabled":true,"expression":"exec.file.name - == \"base64\" \u0026\u0026 exec.args_flags in [\"d\"]","filters":["os == \"linux\""],"name":"base64_decode","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-4tl","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Certutil - was executed to transmit or decode a potentially malicious file","enabled":true,"expression":"exec.file.name - == \"certutil.exe\" \u0026\u0026 ((exec.cmdline =~ \"*urlcache*\" \u0026\u0026 - exec.cmdline =~ \"*split*\") || exec.cmdline =~ \"*decode*\")","filters":["os - == 
\"windows\""],"name":"certutil_usage","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-nin","type":"agent_rule","attributes":{"category":"Network - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - DNS request was made for a chatroom domain","enabled":true,"expression":"dns.question.name - in [\"discord.com\", \"api.telegram.org\", \"cdn.discordapp.com\"]","filters":["os - == \"linux\""],"name":"chatroom_request","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"647-nlb-uld","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - network utility (nmap) commonly used in intrusion attacks was executed","enabled":true,"expression":"exec.file.name - in [\"nmap\", \"masscan\", \"fping\", \"zgrab\", \"zgrab2\", \"rustscan\", - \"pnscan\"] \u0026\u0026 exec.args_flags not in [\"V\", \"version\"]","filters":["os - == \"linux\""],"name":"common_net_intrusion_util","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"smg-le8-msf","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - compiler wrote a suspicious file in a container","enabled":true,"expression":"open.flags - \u0026 O_CREAT \u003e 0\n\u0026\u0026 (\n (open.file.path =~ \"/tmp/**\" - \u0026\u0026 open.file.name in [~\"*.ko\", ~\".*\"])\n || open.file.path - in [~\"/var/tmp/**\", ~\"/root/**\", ~\"*/bin/*\", ~\"/usr/local/lib/**\"]\n)\n\u0026\u0026 - (process.comm in [\"javac\", \"clang\", \"gcc\", \"bcc\"] || process.ancestors.comm - in [\"javac\", \"clang\", \"gcc\", \"bcc\"] || process.file.name in [\"javac\", - \"clang\", \"gcc\", \"bcc\"] || process.ancestors.file.name in [\"javac\", - \"clang\", \"gcc\", 
\"bcc\"])\n\u0026\u0026 process.file.name not in [\"pip\", - ~\"python*\"]\n\u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"name":"compile_after_delivery","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"ehh-ypb-9pl","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - compiler was executed inside of a container","enabled":true,"expression":"(exec.comm - in [\"javac\", \"clang\", \"gcc\", \"bcc\"] || exec.file.name in [\"javac\", - \"clang\", \"gcc\", \"bcc\"] || (exec.file.name == \"go\" \u0026\u0026 exec.args - in [~\"*build*\", ~\"*run*\"])) \u0026\u0026 container.id !=\"\" \u0026\u0026 - process.ancestors.file.path != \"/usr/bin/cilium-agent\"","filters":["os == - \"linux\""],"name":"compiler_in_container","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-u7b","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Known - offensive tool crackmap exec executed","enabled":true,"expression":"exec.cmdline - in [~\"*crackmapexec*\", ~\"*cme.exe*\", ~\"*cme.py*\"]","filters":["os == - \"windows\""],"name":"crackmap_exec_executed","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"s9m-foq-qqz","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive - credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (chmod.file.path - in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path - not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", - \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - 
\"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", - \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", - \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.destination.mode - != chmod.file.mode","filters":["os == \"linux\""],"name":"credential_modified_chmod","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"td2-31c-ln4","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive - credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (chown.file.path - in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path - not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", - \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", - \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", - \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path + string: '{"data":[{"id":"def-000-vjv","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Command + executed via WMI","enabled":true,"expression":"exec.file.name in [~\"powershell*\",\"cmd.exe\"] + \u0026\u0026 process.parent.file.name == \"WmiPrvSE.exe\"","filters":["os + == 
\"windows\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"wmi_spawning_shell","product_tags":["tactic:TA0002-execution","technique:T1047-windows-management-instrumentation","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-0pf","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + process attempted to overwrite the container entrypoint","enabled":true,"expression":"open.file.path + == \"/proc/self/fd/1\" \u0026\u0026 open.flags \u0026 O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY + \u003e 0 \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"overwrite_entrypoint","product_tags":["tactic:TA0007-discovery","technique:T1613-container-and-resource-discovery","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"e5h-onu-f7l","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch + may have been modified without 
authorization","enabled":true,"expression":"(\n open.flags + \u0026 ((O_RDWR|O_WRONLY|O_CREAT)) \u003e 0 \u0026\u0026\n (open.file.path + in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"nsswitch_conf_mod_open","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-t06","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"find + command searching for sensitive files","enabled":true,"expression":"exec.comm + == \"find\" \u0026\u0026 exec.args in [~\"*credentials*\"]","filters":["os + == 
\"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"find_credentials","product_tags":["tactic:TA0006-credential-access","technique:T1552-unsecured-credentials","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"ogb-clp-hot","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An + unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (chmod.file.path + in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n \u0026\u0026 + process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n) \u0026\u0026 + chmod.file.destination.mode != chmod.file.mode\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid - != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os - == \"linux\""],"name":"credential_modified_chown","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"lli-czr-q4y","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive - credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (link.file.path - in 
[ \"/etc/shadow\", \"/etc/gshadow\" ]\n || link.file.destination.path - in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path - not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", - \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", - \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os + == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"cron_at_job_creation_chmod","product_tags":["tactic:TA0002-execution","technique:T1053-scheduled-task-or-job","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"wpz-bim-6rb","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + process was spawned with indicators of exploitation of CVE-2021-4034","enabled":true,"expression":"(exec.file.path + == \"/usr/bin/pkexec\" \u0026\u0026 exec.envs in [~\"*SHELL*\", ~\"*PATH*\"] + \u0026\u0026 exec.envs not in [~\"*DISPLAY*\", ~\"*DESKTOP_SESSION*\"] \u0026\u0026 + exec.uid != 0)","filters":["os == 
\"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"pwnkit_privilege_escalation","product_tags":["tactic:TA0004-privilege-escalation","technique:T1068-exploitation-for-privilege-escalation","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"pxk-42u-fga","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM + may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path + in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"credential_modified_link","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-3b9","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive - credential files were modified using a non-standard tool","enabled":true,"expression":"(\n open.flags - \u0026 ((O_CREAT|O_RDWR|O_WRONLY|O_TRUNC)) \u003e 0 \u0026\u0026\n (open.file.path - in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path - not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", 
\"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", - \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", - \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os + == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"pam_modification_utimes","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"caz-yrk-14e","type":"agent_rule","attributes":{"category":"Network + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + process resolved a DNS name associated with cryptomining activity","enabled":true,"expression":"dns.question.name + in [~\"*.minexmr.com\", \"minexmr.com\", ~\"*.nanopool.org\", \"nanopool.org\", + ~\"*.supportxmr.com\", \"supportxmr.com\", ~\"*.c3pool.com\", \"c3pool.com\", + ~\"*.p2pool.io\", \"p2pool.io\", ~\"*.ethermine.org\", \"ethermine.org\", + ~\"*.f2pool.com\", \"f2pool.com\", ~\"*.poolin.me\", \"poolin.me\", ~\"*.rplant.xyz\", + \"rplant.xyz\", ~\"*.miningocean.org\", \"miningocean.org\"] \u0026\u0026 + process.file.name != \"\"","filters":["os == 
\"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"mining_pool_lookup","product_tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"sej-11b-ey6","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Potential + Dirty pipe exploitation attempt","enabled":true,"expression":"(splice.pipe_entry_flag + \u0026 PIPE_BUF_FLAG_CAN_MERGE) != 0 \u0026\u0026 (splice.pipe_exit_flag \u0026 + PIPE_BUF_FLAG_CAN_MERGE) == 0 \u0026\u0026 (process.uid != 0 \u0026\u0026 + process.gid != 0)","filters":["os == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"dirty_pipe_attempt","product_tags":["tactic:TA0004-privilege-escalation","technique:T1068-exploitation-for-privilege-escalation","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-m9i","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows + environment 
variable registry key modified","enabled":true,"expression":"set.registry.key_path + in [~\"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\Environment*\"]","filters":["os + == \"windows\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"windows_system_enviroment_variable_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"q0u-s8m-8pd","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical + system binaries may have been modified","enabled":true,"expression":"(\n (utimes.file.path + in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", + ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 container.created_at - \u003e 90s","filters":["os == \"linux\""],"name":"credential_modified_open_v2","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"0yj-grp-cmx","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive - credential files were modified using a non-standard 
tool","enabled":true,"expression":"(\n (rename.file.path - in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || rename.file.destination.path - in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path - not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", - \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", - \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \u0026\u0026 + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os + == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"pci_11_5_critical_binaries_utimes","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"uis-h13-41q","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An + unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n open.flags + \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path + in 
[ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n \u0026\u0026 + process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 + process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", + \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os + == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"cron_at_job_creation_open","product_tags":["tactic:TA0002-execution","technique:T1053-scheduled-task-or-job","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-hlr","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Tunneling + or port forwarding tool used","enabled":true,"expression":"((exec.comm == + \"pivotnacci\" || exec.comm == \"gost\") \u0026\u0026 process.args_flags in + [\"L\", \"C\", \"R\"]) || (exec.comm in [\"ssh\", \"sshd\"] \u0026\u0026 process.args_flags + in [\"R\", \"L\", \"D\", \"w\"] \u0026\u0026 process.args in [r\"((25[0-5]|(2[0-4]|1\\d|[1-9])\\d)\\.?\\b){4}\"] + ) || (exec.comm == \"sshuttle\" \u0026\u0026 process.args_flags in [\"r\", + \"remote\", \"l\", \"listen\"]) || (exec.comm == \"socat\" \u0026\u0026 process.args + in [r\"(TCP4-LISTEN:|SOCKS)\"]) || (exec.comm in [\"iodine\", \"iodined\", + \"dnscat\", \"hans\", \"hans-ubuntu\", 
\"ptunnel-ng\", \"ssf\", \"3proxy\", + \"ngrok\"] \u0026\u0026 process.parent.comm in [\"bash\", \"dash\", \"ash\", + \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"])","filters":["os == + \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"tunnel_traffic","product_tags":["tactic:TA0011-command-and-control","technique:T1572-protocol-tunneling","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"647-nlb-uld","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + network utility (such as nmap) commonly used in intrusion attacks was executed","enabled":true,"expression":"exec.file.name + in [\"nmap\", \"masscan\", \"fping\", \"zgrab\", \"zgrab2\", \"rustscan\", + \"pnscan\"] \u0026\u0026 exec.args_flags not in [\"V\", \"version\"]","filters":["os + == 
\"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"common_net_intrusion_util","product_tags":["tactic:TA0007-discovery","technique:T1046-network-service-discovery","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"y0y-3gl-645","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH + modified keys may have been modified","enabled":true,"expression":"(\n unlink.file.name + in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (unlink.file.path + in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os + == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"ssh_authorized_keys_unlink","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-but","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + java process spawned a 
shell, shell utility, or HTTP utility","enabled":true,"expression":"(exec.file.path + in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" + ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path + in [\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/
usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\",\"/bin/busybox\"])\n\u0026\u0026 + process.parent.file.name in [\"java\", \"jspawnhelper\"]","filters":["os == + \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"java_shell_execution_parent","product_tags":["tactic:TA0001-initial-access","technique:T1190-exploit-public-facing-application","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-j45","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + process is tracing privileged processes or sshd for possible credential dumping","enabled":true,"expression":"(ptrace.request + == PTRACE_PEEKTEXT || ptrace.request == PTRACE_PEEKDATA || ptrace.request + == PTRACE_PEEKUSR) \u0026\u0026 ptrace.tracee.euid == 0 \u0026\u0026 process.comm + not in [\"dlv\", \"dlv-linux-amd64\", \"strace\", \"gdb\", \"lldb-server\"]","filters":["os + == 
\"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"sensitive_tracing","product_tags":["tactic:TA0004-privilege-escalation","technique:T1055-process-injection","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-tlf","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"the + windows hosts file was modified","enabled":true,"expression":"write.file.device_path + in [~\"\\Device\\*\\windows\\system32\\Drivers\\etc\\hosts\"]","filters":["os + == \"windows\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"windows_hosts_file_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-qwu","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH + modified keys may have been modified","enabled":true,"expression":"(\n open.flags + \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 
\u0026\u0026\n open.file.name + in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (open.file.path + in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) + \u0026\u0026 container.id != \"\" \u0026\u0026 container.created_at \u003e + 90s","filters":["os == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"ssh_authorized_keys_open_v2","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-x7z","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process + executed with arguments common with Inveigh tool usage","enabled":true,"expression":"exec.cmdline + in [~\"*SpooferIP*\", ~\"*ReplyToIPs*\", ~\"*ReplyToDomains*\", ~\"*ReplyToMACs*\", + ~\"*SnifferIP*\"]","filters":["os == 
\"windows\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"inveigh_tool_usage","product_tags":["tactic:TA0009-collection","technique:T1557-adversary-in-the-middle","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-guo","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + process was executed matching arguments for a UAC bypass technique common + in powershell empire","enabled":true,"expression":"exec.cmdline in [~\"*-NoP + -NonI -w Hidden -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update)*\", + ~\"*-NoP -NonI -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update);*\"]","filters":["os + == \"windows\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"powershell_empire_uac_bypass","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-bxs","type":"agent_rule","attributes":{"category":"File + 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers + policy file may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path + == \"/etc/sudoers\")\n)","filters":["os == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"sudoers_policy_modified_unlink","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-h19","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The + container breakout CVE-2024-21626 was successful","enabled":true,"expression":"chdir.syscall.path + =~ \"/proc/self/fd/*\" \u0026\u0026 chdir.file.path == \"/sys/fs/cgroup\" + \u0026\u0026 process.file.name =~ \"runc.*\"","filters":["os == 
\"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"runc_leaky_fd","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-7ez","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process + arguments indicating possible php shell detected","enabled":true,"expression":"exec.file.name + == \"php\" \u0026\u0026 exec.args_flags in [\"r\"] \u0026\u0026 ((exec.args + in [~\"*socket_bind*\", ~\"*socket_listen*\", ~\"*socket_accept*\", ~\"*socket_create*\", + ~\"*socket_write*\", ~\"*socket_read*\"]) || (exec.args in [~\"*/bin/bash*\", + ~\"*/bin/sh*\"]))","filters":["os == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"php_shell","product_tags":["tactic:TA0001-initial-access","technique:T1210-exploitation-of-remote-services","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"w0z-64n-bss","type":"agent_rule","attributes":{"category":"Process + 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + network utility was executed in a container","enabled":true,"expression":"(exec.comm + in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] + ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) \u0026\u0026\ncontainer.id + != \"\" \u0026\u0026 exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", + ~\"*motd.ubuntu.com*\" ]","filters":["os == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"net_util_in_container","product_tags":["tactic:TA0011-command-and-control","technique:T1105-ingress-tool-transfer","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-49j","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + known kubernetes pentesting tool has been executed","enabled":true,"expression":"(exec.file.name + in [ ~\"python*\" ] \u0026\u0026 (\"KubiScan.py\" in exec.argv || \"kubestriker\" + in exec.argv ) ) || exec.file.name in [ \"kubiscan\",\"kdigger\",\"kube-hunter\",\"rakkess\",\"peirates\",\"kubescape\",\"kubeaudit\",\"kube-linter\",\"stratus\",~\"botb-*\"]","filters":["os + == 
\"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"offensive_k8s_tool","product_tags":["tactic:TA0007-discovery","technique:T1613-container-and-resource-discovery","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-y27","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"RC + scripts modified","enabled":true,"expression":"(open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) + \u003e 0 \u0026\u0026 (open.file.path in [\"/etc/rc.common\", \"/etc/rc.local\"])) + \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os + == 
\"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"rc_scripts_modified","product_tags":["tactic:TA0003-persistence","technique:T1037-boot-or-logon-initialization-scripts","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"460-gys-lqp","type":"agent_rule","attributes":{"category":"Network + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + DNS lookup was done for a pastebin-like site","enabled":true,"expression":"dns.question.name + in [\"pastebin.com\", \"ghostbin.com\", \"termbin.com\", \"klgrth.io\", \"rentry.co\", + \"transfer.sh\"] \u0026\u0026 process.file.name != \"\"","filters":["os == + \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"paste_site","product_tags":["tactic:TA0011-command-and-control","technique:T1105-ingress-tool-transfer","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"o5t-b08-86p","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL + certificates may have been tampered 
with","enabled":true,"expression":"(\n (rename.file.path + in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || rename.file.destination.path + in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"credential_modified_rename","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"q08-c9l-rsp","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive - credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (unlink.file.path - in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path - not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", - \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", - \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", - \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 process.file.path + != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path + != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == 
\"linux\""],"name":"credential_modified_unlink","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"kv9-026-vhz","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ + \"runc*\"","filters":["os == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"ssl_certificate_tampering_rename","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"kv9-026-vhz","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (utimes.file.path in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", 
@@ -765,25 +227,13 @@ http_interactions: \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"credential_modified_utimes","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-brb","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"regedit - used to export critical registry hive","enabled":true,"expression":"exec.file.name - in [\"reg.exe\", \"regedit.exe\"] \u0026\u0026 exec.cmdline in [~\"*hklm*\", - ~\"*hkey_local_machine*\", ~\"*system*\", ~\"*sam*\", ~\"*security*\"]","filters":["os - == \"windows\""],"name":"critical_registry_export","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-xg6","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"a - critical windows file was modified","enabled":true,"expression":"write.file.device_path - in [~\"\\Device\\*\\windows\\system32\\**\"]","filters":["os == \"windows\""],"name":"critical_windows_files_modified","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"ogb-clp-hot","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An - unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (chmod.file.path - in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n \u0026\u0026 - process.file.path not in [ \"/usr/bin/at\", 
\"/usr/bin/crontab\" ]\n) \u0026\u0026 - chmod.file.destination.mode != chmod.file.mode\n\u0026\u0026 process.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os - == \"linux\""],"name":"cron_at_job_creation_chmod","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"wnk-nli-nbp","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"credential_modified_utimes","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-ly8","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The + auditd configuration file was modified without using auditctl","enabled":true,"expression":"open.file.path + == \"/etc/audit/auditd.conf\" \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) + \u003e 0 \u0026\u0026 process.file.name != \"auditctl\"","filters":["os == + 
\"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"auditd_config_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1562-impair-defenses","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"wnk-nli-nbp","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n) \u0026\u0026 
@@ -791,115 +241,295 @@ http_interactions: != chown.file.gid)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_chown","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"mcv-y5o-zg5","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An - unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (link.file.path - in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"]\n || - link.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", - ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", - \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", - \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", - \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_link","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"uis-h13-41q","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An - unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n open.flags + ~\"/usr/local/bin/pip*\"]","filters":["os == 
\"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"cron_at_job_creation_chown","product_tags":["tactic:TA0002-execution","technique:T1053-scheduled-task-or-job","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"191-ty1-ede","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL + certificates may have been tampered with","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path - in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n \u0026\u0026 - process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 - process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", - \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", - \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os - == \"linux\""],"name":"cron_at_job_creation_open","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"xa1-b6v-n2l","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An - unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (rename.file.path - in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", 
~\"/etc/crontabs/**\"]\n || - rename.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", - ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", - \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", - \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", - \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"name":"cron_at_job_creation_rename","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"m23-qb9-9s8","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An - unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (unlink.file.path - in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n \u0026\u0026 - process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 - process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", - \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", - \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os - == \"linux\""],"name":"cron_at_job_creation_unlink","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"4mx-n6o-mmb","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An + in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n)\n\u0026\u0026 process.file.path + != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path + != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path + not in 
[~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ + \"runc*\"","filters":["os == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"ssl_certificate_tampering_open","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-jl7","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"openssl + used to establish backdoor","enabled":true,"expression":"exec.comm == \"openssl\" + \u0026\u0026 exec.args =~ \"*s_client*\"","filters":["os == 
\"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"openssl_backdoor","product_tags":["tactic:TA0002-execution","technique:T1059-command-and-scripting-interpreter","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-41f","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH + initiated a connection on a nonstandard port","enabled":true,"expression":"connect.addr.port + in [80, 8080, 88, 443, 8443, 4444] \u0026\u0026 process.file.name == \"ssh\"","filters":["os + == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"ssh_nonstandard_connection","product_tags":["tactic:TA0008-lateral-movement","technique:T1021-remote-services","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-mxb","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The + host file system was mounted in a container","enabled":true,"expression":"mount.source.path + == \"/\" \u0026\u0026 
mount.fs_type != \"overlay\" \u0026\u0026 container.id + != \"\"","filters":["os == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"mount_host_fs","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-4tl","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Certutil + was executed to transmit or decode a potentially malicious file","enabled":true,"expression":"exec.file.name + == \"certutil.exe\" \u0026\u0026 ((exec.cmdline =~ \"*urlcache*\" \u0026\u0026 + exec.cmdline =~ \"*split*\") || exec.cmdline =~ \"*decode*\")","filters":["os + == \"windows\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"certutil_usage","product_tags":["tactic:TA0011-command-and-control","technique:T1105-ingress-tool-transfer","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-nv0","type":"agent_rule","attributes":{"category":"Process + 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The + rclone utility was executed","enabled":true,"expression":"exec.file.name in + [\"rclone\", \"rsync\", \"sftp\", \"ftp\", \"scp\", \"dcp\", \"rcp\"]","filters":["os + == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"file_sync_exfil","product_tags":["tactic:TA0010-exfiltration","technique:T1048-exfiltration-over-alternative-protocol","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"lkj-jnb-khe","type":"agent_rule","attributes":{"actions":[{"set":{"name":"imds_v1_usage_services","field":"process.file.name","append":true,"ttl":10000000000},"disabled":false}],"category":"Network + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An + AWS IMDSv1 request was issued","disabled":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"enabled":false,"expression":"imds.cloud_provider + == \"aws\" \u0026\u0026 imds.aws.is_imds_v2 == false \u0026\u0026 process.file.name + not in ${imds_v1_usage_services}","filters":["os == 
\"linux\""],"name":"imds_v1_usage","product_tags":["tactic:TA0006-credential-access","technique:T1552-unsecured-credentials","policy:best-practice"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-fbb","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Library + libpam.so hooked using eBPF","enabled":true,"expression":"bpf.cmd == BPF_MAP_CREATE + \u0026\u0026 process.args in [r\"libpam\\.so\"]","filters":["os == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"libpam_ebpf_hook","product_tags":["tactic:TA0006-credential-access","technique:T1056-input-capture","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-d1i","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process + memory was dumped using the minidump function from comsvcs.dll","enabled":true,"expression":"exec.cmdline + =~ \"*MiniDump*\" \u0026\u0026 exec.cmdline =~ \"*comsvcs*\"","filters":["os + == 
\"windows\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"minidump_usage","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-8j2","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + web application spawned a shell or shell utility","enabled":true,"expression":"(exec.file.path + in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" + ] || exec.comm in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.path + in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\",\"/bin/busybox\"]) + \u0026\u0026\n(process.parent.file.name in [\"apache2\", \"nginx\", ~\"tomcat*\", + \"httpd\"] || process.parent.file.name =~ \"php*\")","filters":["os == 
\"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"potential_web_shell_parent","product_tags":["tactic:TA0002-execution","technique:T1210-exploitation-of-remote-services","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"ssp-47a-p20","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical + system binaries may have been modified","enabled":true,"expression":"(\n (unlink.file.path + in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", + ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \u0026\u0026 + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os + == 
\"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"pci_11_5_critical_binaries_unlink","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"v5x-8l4-d6a","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Shell + History was Deleted","enabled":true,"expression":"open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) + \u003e 0 \u0026\u0026 open.file.name in [\".bash_history\", \".zsh_history\", + \".fish_history\", \"fish_history\", \".dash_history\", \".sh_history\"] \u0026\u0026 + open.file.path in [~\"/root/*\", ~\"/home/**\"] \u0026\u0026 process.file.name + == \"truncate\"","filters":["os == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"shell_history_truncated","product_tags":["tactic:TA0005-defense-evasion","technique:T1070-indicator-removal","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"7ts-208-rn4","type":"agent_rule","attributes":{"category":"Process + 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An + AppArmor profile was modified in an interactive session","enabled":true,"expression":"exec.file.name + in [\"aa-disable\", \"aa-complain\", \"aa-audit\"] \u0026\u0026 exec.tty_name + !=\"\"","filters":["os == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"apparmor_modified_tty","product_tags":["tactic:TA0005-defense-evasion","technique:T1562-impair-defenses","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"2dz-kyt-nme","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + new kernel module was added","enabled":true,"expression":"(\n (chmod.file.path + in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path + != \"/usr/bin/kmod\"\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os + == 
\"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"kernel_module_chmod","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-wv3","type":"agent_rule","attributes":{"actions":[{"hash":{},"disabled":false}],"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Redis + module has been created","enabled":true,"expression":"(open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) + \u003e 0 \u0026\u0026 open.file.path =~ \"/tmp/**\" \u0026\u0026 open.file.name + in [~\"*.rdb\", ~\"*.aof\", ~\"*.so\"]) \u0026\u0026 process.file.name in + [\"redis-check-rdb\", \"redis-server\"]","filters":["os == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"redis_save_module","product_tags":["tactic:TA0002-execution","technique:T1129-shared-modules","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-dpm","type":"agent_rule","attributes":{"category":"Process + 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + process attempted to enable writing to model-specific registers","enabled":true,"expression":"exec.comm + == \"modprobe\" \u0026\u0026 process.args =~ \"*msr*allow_writes*\"","filters":["os + == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"kernel_msr_write","product_tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"j8a-wic-bvi","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The + LD_PRELOAD variable is populated by a link to a suspicious file directory","enabled":true,"expression":"exec.envs + in [~\"LD_PRELOAD=*/tmp/*\", ~\"LD_PRELOAD=/dev/shm/*\"]","filters":["os == + 
\"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"ld_preload_unusual_library_path","product_tags":["tactic:TA0004-privilege-escalation","technique:T1574-hijack-execution-flow","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-nin","type":"agent_rule","attributes":{"category":"Network + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + DNS request was made for a chatroom domain","enabled":true,"expression":"dns.question.name + in [\"discord.com\", \"api.telegram.org\", \"cdn.discordapp.com\"]","filters":["os + == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"chatroom_request","product_tags":["tactic:TA0011-command-and-control","technique:T1572-protocol-tunneling","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"9ym-18v-5zi","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical + system binaries may have been modified","enabled":true,"expression":"(\n (link.file.path + in [ ~\"/bin/*\", 
~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", + ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || link.file.destination.path + in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", + ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \u0026\u0026 + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os + == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"pci_11_5_critical_binaries_link","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"ro4-rju-1vq","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An + GCP IMDS was called via a network utility","enabled":true,"expression":"exec.comm + in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token\", + 
~\"*169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token\"]","filters":["os + == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"gcp_imds","product_tags":["tactic:TA0006-credential-access","technique:T1552-unsecured-credentials","policy:best-practice","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-eho","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Container + escape attempted by overwriting release_agent","enabled":true,"expression":"open.file.name + == \"release_agent\" \u0026\u0026 open.file.path in [\"/tmp/**\", \"/home/**\", + \"/root/**\", \"/*\"] \u0026\u0026 open.flags \u0026 O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY + \u003e 0","filters":["os == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"release_agent_escape","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"sif-d9p-wzg","type":"agent_rule","attributes":{"category":"File + 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch + may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path + in [ \"/etc/nsswitch.conf\" ]\n || rename.file.destination.path in [ \"/etc/nsswitch.conf\" + ])\n)","filters":["os == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"nsswitch_conf_mod_rename","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-7m7","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The + auditctl command was used to modify auditd","enabled":true,"expression":"exec.file.name + == \"auditctl\" \u0026\u0026 exec.args_flags not in [\"s\", \"l\"]","filters":["os + == 
\"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"auditctl_usage","product_tags":["tactic:TA0005-defense-evasion","technique:T1562-impair-defenses","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-oil","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The + unshare utility was executed in a container","enabled":true,"expression":"exec.comm + == \"unshare\" \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"unshare_in_container","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-925","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + shell with a TTY was executed in a container","enabled":true,"expression":"exec.file.path + in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n 
\"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" + ] \u0026\u0026 process.tty_name != \"\" \u0026\u0026 process.container.id + != \"\"","filters":["os == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"tty_shell_in_container","product_tags":["tactic:TA0002-execution","technique:T1609-container-administration-command","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"fyq-x5u-mv1","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + new kernel module was added","enabled":true,"expression":"(\n (utimes.file.path + in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", 
\"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path + != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"kernel_module_utimes","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-a65","type":"agent_rule","attributes":{"category":"Network + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Web + application requested IMDSv1 credentials","enabled":true,"expression":"imds.aws.is_imds_v2 + == false \u0026\u0026 imds.url =~ \"*/*/meta-data/iam/security-credentials/*\" + \u0026\u0026 (process.ancestors.file.name in [\"apache2\", \"nginx\", ~\"tomcat*\", + \"httpd\"] || process.ancestors.file.name =~ \"php*\" || process.ancestors.file.name + == \"java\")","filters":["os == 
\"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"webapp_imds_V1_request","product_tags":["tactic:TA0040-impact","technique:T1531-account-access-removal","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"xgw-28i-480","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + container executed a new binary not found in the container image","enabled":true,"expression":"container.id + != \"\" \u0026\u0026 process.file.in_upper_layer \u0026\u0026 process.file.modification_time + \u003c 30s \u0026\u0026 exec.file.name != \"\"","filters":["os == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"new_binary_execution_in_container","product_tags":["tactic:TA0011-command-and-control","technique:T1105-ingress-tool-transfer","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-wok","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Device + rule 
created","enabled":true,"expression":"open.file.path in [~\"/etc/udev/rules.d/*\", + ~\"/lib/udev/rules.d/*\", ~\"/usr/lib/udev/rules.d/*\", ~\"/usr/local/lib/udev/rules.d/*\", + ~\"/run/udev/rules.d/*\"] \u0026\u0026 open.flags \u0026 O_CREAT \u003e 0","filters":["os + == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"udev_modification","product_tags":["tactic:TA0003-persistence","technique:T1546-event-triggered-execution","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"4mx-n6o-mmb","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (utimes.file.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os - == \"linux\""],"name":"cron_at_job_creation_utimes","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"jr3-0m8-jlj","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - 
process launched with arguments associated with cryptominers","enabled":true,"expression":"exec.args_options - in [~\"cpu-priority*\", ~\"donate-level*\"] || exec.args_flags == \"randomx-1gb-pages\" - || exec.args in [~\"*stratum+tcp*\", ~\"*stratum+ssl*\", ~\"*stratum1+tcp*\", - ~\"*stratum1+ssl*\", ~\"*stratum2+tcp*\", ~\"*stratum2+ssl*\", ~\"*nicehash*\", - ~\"*yespower*\"]","filters":["os == \"linux\""],"name":"cryptominer_args","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-6jw","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process - environment variables match cryptocurrency miner","enabled":true,"expression":"exec.envs - in [\"POOL_USER\", \"POOL_URL\", \"POOL_PASS\", \"DONATE_LEVEL\"]","filters":["os - == \"linux\""],"name":"cryptominer_envs","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-0fx","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Shell - process spawned from print server","enabled":true,"expression":"exec.file.name - != \"\" \u0026\u0026 process.parent.file.name == \"foomatic-rip\"","filters":["os - == \"linux\""],"name":"cups_spawned_shell","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-h1x","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The + == 
\"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"cron_at_job_creation_utimes","product_tags":["tactic:TA0002-execution","technique:T1053-scheduled-task-or-job","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"0yj-grp-cmx","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive + credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (rename.file.path + in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || rename.file.destination.path + in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path + not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", + \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", + \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == 
\"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"credential_modified_rename","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"4ov-ang-2gx","type":"agent_rule","attributes":{"category":"Network + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + DNS lookup was done for a IP check service","enabled":true,"expression":"dns.question.name + in [\"icanhazip.com\", \"ip-api.com\", \"myip.opendns.com\", \"checkip.amazonaws.com\", + \"whatismyip.akamai.com\"] \u0026\u0026 process.file.name != \"\"","filters":["os + == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"ip_check_domain","product_tags":["tactic:TA0007-discovery","technique:T1016-system-network-configuration-discovery","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-fqm","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The + whoami command was 
executed","enabled":true,"expression":"exec.comm == \"whoami\"","filters":["os + == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"exec_whoami","product_tags":["tactic:TA0007-discovery","technique:T1033-system-owner-or-user-discovery","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"wgv-wsb-pse","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An + AWS IMDS was called via a network utility","enabled":true,"expression":"exec.comm + in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*169.254.169.254/latest/meta-data/iam/security-credentials/*\", + ~\"*169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\", ~\"*169.254.170.2/*/credentials?id=*\"]","filters":["os + == 
\"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"aws_imds","product_tags":["tactic:TA0006-credential-access","technique:T1552-unsecured-credentials","policy:best-practice","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-xv7","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Kernel + modules were listed using the kmod command","enabled":true,"expression":"exec.comm + == \"kmod\" \u0026\u0026 exec.args in [~\"*list*\"]","filters":["os == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"kmod_list","product_tags":["tactic:TA0007-discovery","technique:T1082-system-information-discovery","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-4y4","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + suspicious bitsadmin command has been executed","enabled":true,"expression":"exec.file.name + == \"bitsadmin.exe\" \u0026\u0026 exec.cmdline in 
[~\"*addfile*\", ~\"*create*\", + ~\"*resume*\"]","filters":["os == \"windows\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"suspicious_bitsadmin_usage","product_tags":["tactic:TA0011-command-and-control","technique:T1105-ingress-tool-transfer","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"dfr-by9-sx8","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Shell + History was Deleted","enabled":true,"expression":"unlink.file.name in [\".bash_history\", + \".zsh_history\", \".fish_history\", \"fish_history\", \".dash_history\", + \".sh_history\"] \u0026\u0026 unlink.file.path in [~\"/root/**\", ~\"/home/**\"] + \u0026\u0026 process.comm not in [\"dockerd\", \"containerd\"]","filters":["os + == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"shell_history_deleted","product_tags":["tactic:TA0005-defense-evasion","technique:T1070-indicator-removal","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"qt9-i99-q9p","type":"agent_rule","attributes":{"category":"File + 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch + may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path + in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"nsswitch_conf_mod_utimes","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"ayv-hqe-lx8","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL + certificates may have been tampered with","enabled":true,"expression":"(\n (utimes.file.path + in [ ~\"/etc/ssl/certs/**\" ])\n \u0026\u0026 process.file.path not in + [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 process.file.path + != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path + != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ + \"runc*\"","filters":["os 
== \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"ssl_certificate_tampering_utimes","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"4yt-ize-avz","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Omiagent + spawns a privileged child process","enabled":true,"expression":"exec.uid \u003e= + 0 \u0026\u0026 process.ancestors.file.name == \"omiagent\"","filters":["os + == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"omigod","product_tags":["tactic:TA0002-execution","technique:T1203-exploitation-for-client-execution","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-6x2","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Service + registry runkey modified","enabled":true,"expression":"set.registry.key_path + in 
[~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\", + ~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\CurrentVersion\\RunServices\"]","filters":["os + == \"windows\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"registry_service_runkey_modified","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"m7d-vlh-3yq","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Package + management was detected in a container","enabled":true,"expression":"exec.file.path + in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 container.id != \"\"","filters":["os + == 
\"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"package_management_in_container","product_tags":["tactic:TA0002-execution","technique:T1059-command-and-scripting-interpreter","policy:threat-detection","policy:best-practice"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-h1x","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The Docker socket was referenced in a cURL command","enabled":true,"expression":"exec.file.name == \"curl\" \u0026\u0026 exec.args_flags in [\"unix-socket\"] \u0026\u0026 exec.args in [~\"*docker.sock*\"] \u0026\u0026 container.id != \"\"","filters":["os - == \"linux\""],"name":"curl_docker_socket","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"mq1-y7n-kf2","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - database application spawned a shell, shell utility, or HTTP utility","enabled":true,"expression":"(exec.file.path - in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n 
\"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" - ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path - in [\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/us
r/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\",\"/bin/busybox\"]) - \u0026\u0026\nprocess.parent.file.name in [\"mysqld\", \"mongod\", \"postgres\"] - \u0026\u0026\n!(process.parent.file.name == \"initdb\" \u0026\u0026\nexec.args - == \"-c locale -a\") \u0026\u0026\n!(process.parent.file.name == \"postgres\" - \u0026\u0026\nexec.args == ~\"*pg_wal*\")","filters":["os == \"linux\""],"name":"database_shell_execution","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-0en","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The - debugfs was executed in a container","enabled":true,"expression":"exec.comm - == \"debugfs\" \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"name":"debugfs_in_container","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-u1r","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - process deleted common system log files","enabled":true,"expression":"unlink.file.path - in [\"/var/run/utmp\", \"/var/log/wtmp\", \"/var/log/btmp\", \"/var/log/lastlog\", - \"/var/log/faillog\", \"/var/log/syslog\", \"/var/log/messages\", \"/var/log/secure\", - \"/var/log/auth.log\", \"/var/log/boot.log\", \"/var/log/kern.log\"] \u0026\u0026 - process.comm not in [\"dockerd\", \"containerd\"]","filters":["os == \"linux\""],"name":"delete_system_log","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-juz","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - privileged container was created","enabled":true,"expression":"exec.file.name - != \"\" \u0026\u0026 container.created_at \u003c 1s 
\u0026\u0026 process.cap_permitted - \u0026 CAP_SYS_ADMIN \u003e 0","filters":["os == \"linux\""],"name":"deploy_priv_container","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-d4w","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - file executed from /dev/shm/ directory","enabled":true,"expression":"exec.file.path - == \"/dev/shm/**\"","filters":["os == \"linux\""],"name":"devshm_execution","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"sej-11b-ey6","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Potential - Dirty pipe exploitation attempt","enabled":true,"expression":"(splice.pipe_entry_flag - \u0026 PIPE_BUF_FLAG_CAN_MERGE) != 0 \u0026\u0026 (splice.pipe_exit_flag \u0026 - PIPE_BUF_FLAG_CAN_MERGE) == 0 \u0026\u0026 (process.uid != 0 \u0026\u0026 - process.gid != 0)","filters":["os == \"linux\""],"name":"dirty_pipe_attempt","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"422-svi-03v","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Potential - Dirty pipe exploitation","enabled":true,"expression":"(splice.pipe_exit_flag - \u0026 PIPE_BUF_FLAG_CAN_MERGE) \u003e 0 \u0026\u0026 (process.uid != 0 \u0026\u0026 - process.gid != 0)","filters":["os == \"linux\""],"name":"dirty_pipe_exploitation","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-beh","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Dotnet_dump - was used to dump a process 
memory","enabled":true,"expression":"exec.cmdline - =~ \"*dotnet-dump*\" \u0026\u0026 exec.cmdline =~ \"*collect*\"","filters":["os - == \"windows\""],"name":"dotnet_dump_execution","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"2rq-drz-11u","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - process unlinked a dynamic linker config file","enabled":true,"expression":"unlink.file.path - in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", ~\"/etc/ld.so.conf.d/*.conf\"] - \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"curl_docker_socket","product_tags":["tactic:TA0007-discovery","technique:T1613-container-and-resource-discovery","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"kpm-7kh-xz5","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + process attempted to inject code into another process","enabled":true,"expression":"ptrace.request + == PTRACE_POKETEXT || ptrace.request == PTRACE_POKEDATA || ptrace.request + == PTRACE_POKEUSR","filters":["os == 
\"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"ptrace_injection","product_tags":["tactic:TA0005-defense-evasion","technique:T1055-process-injection","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-g5v","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + process connected to an SSH server","enabled":true,"expression":"connect.addr.port + == 22 \u0026\u0026 connect.addr.family \u0026 (AF_INET|AF_INET6) \u003e 0 + \u0026\u0026 connect.addr.ip not in [127.0.0.0/8, 0.0.0.0/32, ::1/128, ::/128]","filters":["os + == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"ssh_outbound_connection","product_tags":["tactic:TA0008-lateral-movement","technique:T1563-remote-service-session-hijacking","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"9y1-cbb-p03","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL + certificates may have been tampered 
with","enabled":true,"expression":"(\n (unlink.file.path + in [ ~\"/etc/ssl/certs/**\" ])\n \u0026\u0026 process.file.path not in + [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 process.file.path + != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path + != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ + \"runc*\"","filters":["os == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"ssl_certificate_tampering_unlink","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-gqa","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows + boot registry key modified","enabled":true,"expression":"set.registry.key_path + in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\IniFileMapping\\SYSTEM.ini\\boot*\"]","filters":["os + == 
\"windows\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"windows_boot_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1112-modify-registry","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"64n-p6m-uq1","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + service may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path + in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" + ]\n || link.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", + ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in + [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == 
\"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"systemd_modification_link","product_tags":["tactic:TA0002-execution","technique:T1569-system-services","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"xiu-ghq-4zi","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical + system binaries may have been modified","enabled":true,"expression":"(\n (chown.file.path + in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", + ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \u0026\u0026 + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os - == \"linux\""],"name":"dynamic_linker_config_unlink","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"2s5-ipa-ooo","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + ~\"/usr/local/bin/pip*\", 
\"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) + \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid + != chown.file.gid)","filters":["os == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"pci_11_5_critical_binaries_chown","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"2s5-ipa-ooo","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A process wrote to a dynamic linker config file","enabled":true,"expression":"open.file.path in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", ~\"/etc/ld.so.conf.d/*.conf\"] \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) 
@@ -913,90 +543,339 @@ http_interactions: \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\", ~\"/opt/datadog-packages/**\", - ~\"/opt/datadog-installer/**\"]","filters":["os == \"linux\""],"name":"dynamic_linker_config_write","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-4xu","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Kernel - modules were listed using the lsmod command","enabled":true,"expression":"exec.comm - == \"lsmod\"","filters":["os == \"linux\""],"name":"exec_lsmod","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-fqm","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The - whoami command was executed","enabled":true,"expression":"exec.comm == \"whoami\"","filters":["os - == \"linux\""],"name":"exec_whoami","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-ev8","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The - wrmsr program executed","enabled":true,"expression":"exec.comm == \"wrmsr\"","filters":["os - == \"linux\""],"name":"exec_wrmsr","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-bus","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The - executable bit was added to a newly created file","enabled":true,"expression":"chmod.file.in_upper_layer - \u0026\u0026\nchmod.file.change_time 
\u003c 30s \u0026\u0026\ncontainer.id - != \"\" \u0026\u0026\nchmod.file.destination.mode != chmod.file.mode \u0026\u0026\nchmod.file.destination.mode - \u0026 S_IXUSR|S_IXGRP|S_IXOTH \u003e 0 \u0026\u0026\nprocess.argv in [\"+x\"]","filters":["os - == \"linux\""],"name":"executable_bit_added","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-nv0","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The - rclone utility was executed","enabled":true,"expression":"exec.file.name in - [\"rclone\", \"rsync\", \"sftp\", \"ftp\", \"scp\", \"dcp\", \"rcp\"]","filters":["os - == \"linux\""],"name":"file_sync_exfil","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-t06","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"find - command searching for sensitive files","enabled":true,"expression":"exec.comm - == \"find\" \u0026\u0026 exec.args in [~\"*credentials*\"]","filters":["os - == \"linux\""],"name":"find_credentials","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"ro4-rju-1vq","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An - GCP IMDS was called via a network utility","enabled":true,"expression":"exec.comm - in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token\", - ~\"*169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token\"]","filters":["os - == 
\"linux\""],"name":"gcp_imds","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-bgf","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + ~\"/opt/datadog-installer/**\"] \u0026\u0026 process.argv0 not in [\"runc\", + \"/usr/bin/runc\", \"/usr/sbin/runc\"]","filters":["os == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"dynamic_linker_config_write","product_tags":["tactic:TA0004-privilege-escalation","technique:T1574-hijack-execution-flow","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-bgf","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A hidden file was executed in a suspicious folder","enabled":true,"expression":"exec.file.name =~ \".*\" \u0026\u0026 exec.file.path in [~\"/home/**\", ~\"/tmp/**\", ~\"/var/tmp/**\", - ~\"/dev/shm/**\"]","filters":["os == \"linux\""],"name":"hidden_file_executed","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"lkj-jnb-khe","type":"agent_rule","attributes":{"category":"Network - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An - AWS IMDSv1 request was issued","enabled":false,"expression":"imds.cloud_provider - == \"aws\" \u0026\u0026 imds.aws.is_imds_v2 == false \u0026\u0026 process.file.name - not in 
${imds_v1_usage_services}","filters":["os == \"linux\""],"name":"imds_v1_usage","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"jeh-18e-m9h","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An - interactive shell was started inside of a container","enabled":true,"expression":"exec.file.path - in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" - ] \u0026\u0026 exec.args_flags in [\"i\"] \u0026\u0026 container.id !=\"\"","filters":["os - == \"linux\""],"name":"interactive_shell_in_container","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-x7z","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process - executed with arguments common with Inveigh tool usage","enabled":true,"expression":"exec.cmdline - in [~\"*SpooferIP*\", ~\"*ReplyToIPs*\", ~\"*ReplyToDomains*\", ~\"*ReplyToMACs*\", - ~\"*SnifferIP*\"]","filters":["os == \"windows\""],"name":"inveigh_tool_usage","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"4ov-ang-2gx","type":"agent_rule","attributes":{"category":"Network - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - DNS lookup 
was done for a IP check service","enabled":true,"expression":"dns.question.name - in [\"icanhazip.com\", \"ip-api.com\", \"myip.opendns.com\", \"checkip.amazonaws.com\", - \"whatismyip.akamai.com\"] \u0026\u0026 process.file.name != \"\"","filters":["os - == \"linux\""],"name":"ip_check_domain","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-88h","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Egress - traffic allowed using iptables","enabled":true,"expression":"exec.comm == - \"iptables\" \u0026\u0026 process.args in [r\"OUTPUT.*((25[0-5]|(2[0-4]|1\\d|[1-9]|)\\d)\\.?\\b){4}.*ACCEPT\"] - \u0026\u0026 process.args not in [r\"(127\\.)|(10\\.)|(172\\.1[6-9]\\.)|(172\\.2[0-9]\\.)|(^172\\.3[0-1]\\.)|(192\\.168\\.)|(169\\.254\\.)\"]","filters":["os - == \"linux\""],"name":"iptables_egress_allowed","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-qnj","type":"agent_rule","attributes":{"category":"Kernel - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - process made an outbound IRC connection","enabled":true,"expression":"connect.addr.port - == 6667 \u0026\u0026 connect.addr.is_public == true","filters":["os == \"linux\""],"name":"irc_connection","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-but","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - java process spawned a shell, shell utility, or HTTP utility","enabled":true,"expression":"(exec.file.path - in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n 
\"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" - ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path - in [\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tai
l\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\",\"/bin/busybox\"])\n\u0026\u0026 - process.parent.file.name in [\"java\", \"jspawnhelper\"]","filters":["os == - \"linux\""],"name":"java_shell_execution_parent","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-mfu","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - Jupyter notebook executed a shell","enabled":true,"expression":"(exec.file.name - in [\"cat\",\"chgrp\",\"chmod\",\"chown\",\"cp\",\"date\",\"dd\",\"df\",\"dir\",\"echo\",\"ln\",\"ls\",\"mkdir\",\"mknod\",\"mktemp\",\"mv\",\"pwd\",\"readlink\",\"rm\",\"rmdir\",\"sleep\",\"stty\",\"sync\",\"touch\",\"uname\",\"vdir\",\"arch\",\"b2sum\",\"base32\",\"base64\",\"basename\",\"chcon\",\"cksum\",\"comm\",\"csplit\",\"cut\",\"dircolors\",\"dirname\",\"du\",\"env\",\"expand\",\"expr\",\"factor\",\"fmt\",\"fold\",\"groups\",\"head\",\"hostid\",\"id\",\"install\",\"join\",\"link\",\"logname\",\"md5sum\",\"textutils\",\"mkfifo\",\"nice\",\"nl\",\"nohup\",\"nproc\",\"numfmt\",\"od\",\"paste\",\"pathchk\",\"pinky\",\"pr\",\"printenv\",\"printf\",\"ptx\",\"realpath\",\"runcon\",\"seq\",\"sha1sum\",\"sha224sum\",\"sha256sum\",\"sha384sum\",\"sha512sum\",\"shred\",\"shuf\",\"sort\",\"split\",\"stat\",\"stdbuf\",\"sum\",\"tac\",\"tail\",\"tee\",\"test\",\"timeout\",\"tr\",\"truncate\",\"tsort\",\"tty\",\"unexpand\",\"uniq\",\"unlink\",\"users\",\"wc\",\"who\",\"whoami\",\"chroot\"] - || exec.file.name in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.name - in 
[\"dash\",\"sh\",\"static-sh\",\"sh\",\"bash\",\"bash\",\"bash-static\",\"zsh\",\"ash\",\"csh\",\"ksh\",\"tcsh\",\"busybox\",\"busybox\",\"fish\",\"ksh93\",\"rksh\",\"rksh93\",\"lksh\",\"mksh\",\"mksh-static\",\"csharp\",\"posh\",\"rc\",\"sash\",\"yash\",\"zsh5\",\"zsh5-static\"]) - \u0026\u0026 process.ancestors.comm in [\"jupyter-noteboo\", \"jupyter-lab\"]","filters":["os - == \"linux\""],"name":"jupyter_shell_execution","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"0i7-z9o-zed","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The - Kubernetes pod service account token was accessed","enabled":true,"expression":"open.file.path - in [~\"/var/run/secrets/kubernetes.io/serviceaccount/**\", ~\"/run/secrets/kubernetes.io/serviceaccount/**\"] - \u0026\u0026 open.file.name == \"token\" \u0026\u0026 process.file.path not - in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", + ~\"/dev/shm/**\"]","filters":["os == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"hidden_file_executed","product_tags":["tactic:TA0005-defense-evasion","technique:T1564-hide-artifacts","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-zp4","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"microsoft + security essentials executable 
modified","enabled":true,"expression":"write.file.device_path + in [~\"\\Device\\*\\Program Files\\Microsoft Security Client\\msseces.exe\"]","filters":["os + == \"windows\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"windows_security_essentials_executable_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-npv","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Detects + CVE-2022-0543","enabled":true,"expression":"(open.file.path =~ \"/usr/lib/x86_64-linux-gnu/*\" + \u0026\u0026 open.file.name in [\"libc-2.29.so\", \"libc-2.30.so\", \"libc-2.31.so\", + \"libc-2.32.so\", \"libc-2.33.so\", \"libc-2.34.so\", \"libc-2.35.so\", \"libc-2.36.so\", + \"libc-2.37.so\"]) \u0026\u0026 process.ancestors.comm in [\"redis-check-rdb\", + \"redis-server\"]","filters":["os == 
\"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"redis_sandbox_escape","product_tags":["tactic:TA0001-initial-access","technique:T1190-exploit-public-facing-application","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-eck","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Dll + written to a suspicious directory","enabled":true,"expression":"create.file.name + =~ \"*.dll\" \u0026\u0026 create.file.device_path not in [~\"\\Device\\*\\Windows\\System32\\**\", + ~\"\\Device\\*\\ProgramData\\docker\\**\"] \u0026\u0026 process.file.name + != \"dockerd.exe\"","filters":["os == \"windows\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"suspicious_dll_write","product_tags":["tactic:TA0002-execution","technique:T1609-container-administration-command","technique:T1610-deploy-container","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-beh","type":"agent_rule","attributes":{"category":"Process + 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Dotnet_dump + was used to dump a process memory","enabled":true,"expression":"exec.cmdline + =~ \"*dotnet-dump*\" \u0026\u0026 exec.cmdline =~ \"*collect*\"","filters":["os + == \"windows\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"dotnet_dump_execution","product_tags":["tactic:TA0009-collection","technique:T1005-data-from-local-system","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"td2-31c-ln4","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive + credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (chown.file.path + in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path + not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", + \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", + \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 
(chown.file.destination.uid + != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os + == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"credential_modified_chown","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-5wh","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"a + SUID file was executed","enabled":true,"expression":"(setuid.euid == 0 || + setuid.uid == 0) \u0026\u0026 process.file.mode \u0026 S_ISUID \u003e 0 \u0026\u0026 + process.file.uid == 0 \u0026\u0026 process.uid != 0 \u0026\u0026 process.file.path + != \"/usr/bin/sudo\"","filters":["os == 
\"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"suid_file_execution","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"smg-le8-msf","type":"agent_rule","attributes":{"actions":[{"hash":{},"disabled":false}],"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + compiler wrote a suspicious file in a container","enabled":true,"expression":"open.flags + \u0026 O_CREAT \u003e 0\n\u0026\u0026 (\n (open.file.path =~ \"/tmp/**\" + \u0026\u0026 open.file.name in [~\"*.ko\", ~\".*\"])\n || open.file.path + in [~\"/var/tmp/**\", ~\"/root/**\", ~\"*/bin/*\", ~\"/usr/local/lib/**\"]\n)\n\u0026\u0026 + (process.comm in [\"javac\", \"clang\", \"gcc\", \"bcc\"] || process.ancestors.comm + in [\"javac\", \"clang\", \"gcc\", \"bcc\"] || process.file.name in [\"javac\", + \"clang\", \"gcc\", \"bcc\"] || process.ancestors.file.name in [\"javac\", + \"clang\", \"gcc\", \"bcc\"])\n\u0026\u0026 process.file.name not in [\"pip\", + ~\"python*\"]\n\u0026\u0026 container.id != \"\"","filters":["os == 
\"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"compile_after_delivery","product_tags":["tactic:TA0005-defense-evasion","tactic:TA0004-privilege-escalation","technique:T1027-obfuscated-files-or-information","technique:T1574-hijack-execution-flow","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"07y-k18-cih","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + user was created via an interactive session","enabled":true,"expression":"exec.file.name + in [\"useradd\", \"newusers\", \"adduser\"] \u0026\u0026 exec.tty_name !=\"\" + \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] + \u0026\u0026 exec.args_flags not in [\"D\"]","filters":["os == 
\"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"user_created_tty","product_tags":["tactic:TA0003-persistence","technique:T1136-create-account","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-76q","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows + cryptographic blocking policy modified","enabled":true,"expression":"set.registry.key_path + in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType + 0\\CryptSIPDllRemoveSignedDataMsg*\"]","filters":["os == \"windows\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"windows_cryptographic_blocking_policy_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"w7o-w48-j34","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM + may have been modified without 
authorization","enabled":true,"expression":"(\n open.flags + \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path + in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"pam_modification_open","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"m23-qb9-9s8","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An + unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (unlink.file.path + in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"])\n \u0026\u0026 + process.file.path not in [ \"/usr/bin/at\", \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 + process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", + \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os + == 
\"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"cron_at_job_creation_unlink","product_tags":["tactic:TA0002-execution","technique:T1053-scheduled-task-or-job","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-zo8","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Recently + written or modified suid file has been executed","enabled":true,"expression":"((process.file.mode + \u0026 S_ISUID \u003e 0) \u0026\u0026 process.file.modification_time \u003c + 30s) \u0026\u0026 exec.file.name != \"\" \u0026\u0026 process.ancestors.file.path + not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/embedded/bin/trace-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\", ~\"/opt/datadog-packages/**\", - ~\"/opt/datadog-installer/**\"] \u0026\u0026 process.file.path not in [\"/usr/bin/cilium-agent\", + ~\"/opt/datadog-installer/**\"]","filters":["os == 
\"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"suspicious_suid_execution","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"56y-vsb-zqu","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + new kernel module was added","enabled":true,"expression":"(\n open.flags + \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path + in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path + != \"/usr/bin/kmod\"\n)","filters":["os == 
\"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"kernel_module_open","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-0fx","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Shell + process spawned from print server","enabled":true,"expression":"exec.file.name + != \"\" \u0026\u0026 process.parent.file.name == \"foomatic-rip\"","filters":["os + == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"cups_spawned_shell","product_tags":["tactic:TA0001-initial-access","technique:T1190-exploit-public-facing-application","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-b5z","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"process + arguments match rubeus credential theft tool","enabled":true,"expression":"exec.cmdline + in [~\"*asreproast*\", 
~\"*/service:krbtgt*\", ~\"*dump /luid:0x*\", ~\"*kerberoast*\", + ~\"*createonly /program*\", ~\"*ptt /ticket*\", ~\"*impersonateuser*\", ~\"*renew + /ticket*\", ~\"*asktgt /user*\", ~\"*harvest /interval*\", ~\"*s4u /user*\", + ~\"*hash /password*\", ~\"*golden /aes256*\", ~\"*silver /user*\", \"*rubeus*\"]","filters":["os + == \"windows\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"rubeus_execution","product_tags":["tactic:TA0006-credential-access","technique:T1558-steal-or-forge-kerberos-tickets","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"jeh-18e-m9h","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An + interactive shell was started inside of a container","enabled":true,"expression":"exec.file.path + in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" + ] \u0026\u0026 exec.args_flags in [\"i\"] \u0026\u0026 container.id !=\"\"","filters":["os + == 
\"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"interactive_shell_in_container","product_tags":["tactic:TA0002-execution","technique:T1609-container-administration-command","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"c2g-31u-jpk","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An + Azure IMDS was called via a network utility","enabled":true,"expression":"exec.comm + in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*169.254.169.254/metadata/identity/oauth2/token?api-version=*\"]","filters":["os + == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"azure_imds","product_tags":["tactic:TA0006-credential-access","technique:T1552-unsecured-credentials","policy:best-practice","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"91f-pyq-54k","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH + modified keys may have been 
modified","enabled":true,"expression":"(\n link.file.name + in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (link.file.path + in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ]\n || + link.file.destination.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" + ])\n)","filters":["os == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"ssh_authorized_keys_link","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"wwc-6it-t7i","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch + may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path + in [ \"/etc/nsswitch.conf\" ]\n || link.file.destination.path in [ \"/etc/nsswitch.conf\" + ])\n)","filters":["os == 
\"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"nsswitch_conf_mod_link","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-s07","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers + policy file may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path + == \"/etc/sudoers\")\n) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\"]","filters":["os == 
\"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"sudoers_policy_modified_utimes","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-ev8","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The + wrmsr program executed","enabled":true,"expression":"exec.comm == \"wrmsr\"","filters":["os + == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"exec_wrmsr","product_tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"wri-hx3-4n3","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM + may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path + in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ]\n || rename.file.destination.path + in [ ~\"/etc/pam.d/**\", 
\"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"pam_modification_rename","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"tlu-qlm-1ow","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The + runc binary was modified in a non-standard way","enabled":true,"expression":"open.file.path + in [\"/usr/bin/runc\", \"/usr/sbin/runc\", \"/usr/bin/docker-runc\"]\n\u0026\u0026 + open.flags \u0026 O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY \u003e 0\n\u0026\u0026 + process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", + \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", + \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n\u0026\u0026 + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os + == 
\"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"runc_modification","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-qn0","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsenter + used to breakout of container","enabled":true,"expression":"exec.file.name + == \"nsenter\" \u0026\u0026 exec.args_options in [\"target=1\", \"t=1\"] \u0026\u0026 + container.id != \"\"","filters":["os == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"nsenter_in_container","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"afj-5sv-2wb","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + container management utility was executed in a container","enabled":true,"expression":"exec.file.name + in 
[\"docker\", \"kubectl\"] \u0026\u0026 container.id != \"\"","filters":["os + == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"suspicious_container_client","product_tags":["tactic:TA0002-execution","technique:T1609-container-administration-command","technique:T1610-deploy-container","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-uv8","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"systemctl + used to stop a service","enabled":true,"expression":"exec.file.name == \"systemctl\" + \u0026\u0026 exec.args in [~\"*stop*\"]","filters":["os == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"service_stop","product_tags":["tactic:TA0040-impact","technique:T1489-service-stop","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"7vi-w5r-h15","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical + system binaries may have been 
modified","enabled":true,"expression":"(\n (chmod.file.path + in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", + ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \u0026\u0026 + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) + \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os + == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"pci_11_5_critical_binaries_chmod","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-6lj","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"windows + explorer file has been modified","enabled":true,"expression":"write.file.device_path + in [~\"\\Device\\*\\windows\\explorer.exe\"]","filters":["os == 
\"windows\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"windows_explorer_executable_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"900-1sj-xhs","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM + may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path + in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"pam_modification_unlink","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"jlt-y4v-dax","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + service may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path + in [ ~\"/lib/systemd/system/**\", 
~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" + ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os + == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"systemd_modification_unlink","product_tags":["tactic:TA0002-execution","technique:T1569-system-services","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"dmf-a2c-odj","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + symbolic link for shell history was created targeting /dev/null","enabled":true,"expression":"exec.comm + == \"ln\" \u0026\u0026 exec.args in [~\"*.*history*\", \"/dev/null\"]","filters":["os + == 
\"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"shell_history_symlink","product_tags":["tactic:TA0005-defense-evasion","technique:T1070-indicator-removal","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-ehx","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The + auditd rules file was modified without using auditctl","enabled":true,"expression":"open.file.path + in [\"/etc/audit/rules.d/audit.rules\", \"/etc/audit/audit.rules\"] \u0026\u0026 + open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026 + process.file.name != \"auditctl\"","filters":["os == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"auditd_rule_file_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1562-impair-defenses","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-fn2","type":"agent_rule","attributes":{"category":"Process + 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Shell + profile was modified","enabled":true,"expression":"open.file.path in [~\"/home/*/*profile\", + ~\"/home/*/*rc\"] \u0026\u0026 open.flags \u0026 ((O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)) + \u003e 0","filters":["os == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"shell_profile_modification","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-i9x","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch + may have been modified without authorization","enabled":true,"expression":"(\n open.flags + \u0026 ((O_RDWR|O_WRONLY|O_CREAT)) \u003e 0 \u0026\u0026\n (open.file.path + in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 container.id != \"\" \u0026\u0026 + container.created_at \u003e 90s \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\"]","filters":["os == 
\"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"nsswitch_conf_mod_open_v2","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"7zw-qbm-y6d","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + service may have been modified without authorization","enabled":true,"expression":"(\n open.flags + \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path + in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" + ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os + == 
\"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"systemd_modification_open","product_tags":["tactic:TA0002-execution","technique:T1569-system-services","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-oi1","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process + arguments indicating possible socat shell detected","enabled":true,"expression":"((exec.file.name + == \"socat\") || (exec.comm == \"socat\")) \u0026\u0026 exec.args in [~\"*/bin/bash*\", + ~\"*/bin/sh*\", ~\"*exec*\", ~\"*pty*\", ~\"*setsid*\", ~\"*stderr*\"]","filters":["os + == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"socat_shell","product_tags":["tactic:TA0002-execution","technique:T1059-command-and-scripting-interpreter","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"fpa-r6g-2em","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical + system 
binaries may have been modified","enabled":true,"expression":"(\n open.flags + \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.path + in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", + ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n \u0026\u0026 process.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \u0026\u0026 + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os + == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"pci_11_5_critical_binaries_open","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-oy4","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + tool used to dump process memory has been executed","enabled":true,"expression":"exec.file.name + in [\"procmon.exe\",\"procdump.exe\"]","filters":["os == 
\"windows\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"procdump_execution","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-u7b","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Known + offensive tool crackmap exec executed","enabled":true,"expression":"exec.cmdline + in [~\"*crackmapexec*\", ~\"*cme.exe*\", ~\"*cme.py*\"]","filters":["os == + \"windows\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"crackmap_exec_executed","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"htc-275-0wt","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH + modified keys may have been modified","enabled":true,"expression":"(\n chmod.file.name + in [ \"authorized_keys\", \"authorized_keys2\" ] 
\u0026\u0026 (chmod.file.path + in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) + \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os + == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"ssh_authorized_keys_chmod","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-xg6","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"a + critical windows file was modified","enabled":true,"expression":"write.file.device_path + in [~\"\\Device\\*\\windows\\system32\\**\"]","filters":["os == \"windows\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"critical_windows_files_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"lli-czr-q4y","type":"agent_rule","attributes":{"category":"File + 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive + credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (link.file.path + in [ \"/etc/shadow\", \"/etc/gshadow\" ]\n || link.file.destination.path + in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path + not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", + \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", + \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"credential_modified_link","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"t5u-qdx-650","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH + modified keys may have been modified","enabled":true,"expression":"(\n rename.file.name + in [ 
\"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (rename.file.path + in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ]\n || + rename.file.destination.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", + ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"ssh_authorized_keys_rename","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-o1o","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + process made a connection to a port associated with P2PInfect malware","enabled":true,"expression":"connect.addr.family + \u0026 (AF_INET|AF_INET6) \u003e 0 \u0026\u0026 connect.addr.is_public == + true \u0026\u0026 connect.addr.port \u003e= 60100 \u0026\u0026 connect.addr.port + \u003c= 60150","filters":["os == 
\"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"p2pinfect_connection","product_tags":["tactic:TA0011-command-and-control","technique:T1071-application-layer-protocol","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-o13","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The + configuration directory for an ssh worm","enabled":true,"expression":"open.file.path + in [~\"/root/.prng/*\", ~\"/home/*/.prng/*\", ~\"/root/.config/prng/*\", ~\"/home/*/.config/prng/*\"] + \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) + \u003e 0","filters":["os == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"ssh_it_tool_config_write","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-6jw","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process + 
environment variables match cryptocurrency miner","enabled":true,"expression":"exec.envs + in [\"POOL_USER\", \"POOL_URL\", \"POOL_PASS\", \"DONATE_LEVEL\"]","filters":["os + == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"cryptominer_envs","product_tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-u1r","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + process deleted common system log files","enabled":true,"expression":"unlink.file.path + in [\"/var/run/utmp\", \"/var/log/wtmp\", \"/var/log/btmp\", \"/var/log/lastlog\", + \"/var/log/faillog\", \"/var/log/syslog\", \"/var/log/messages\", \"/var/log/secure\", + \"/var/log/auth.log\", \"/var/log/boot.log\", \"/var/log/kern.log\"] \u0026\u0026 + process.comm not in [\"dockerd\", \"containerd\"]","filters":["os == 
\"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"delete_system_log","product_tags":["tactic:TA0005-defense-evasion","technique:T1070-indicator-removal","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"yjj-o5q-x00","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + service may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path + in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" + ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os + == 
\"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"systemd_modification_utimes","product_tags":["tactic:TA0002-execution","technique:T1569-system-services","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-wnn","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows + firewall configuration registry key modified","enabled":true,"expression":"set.registry.key_path + in [~\"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\*\"]","filters":["os + == \"windows\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"windows_firewall_configuration_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1112-modify-registry","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-j1b","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Looney + Tunables (CVE-2023-4911) exploit 
attempted","enabled":true,"expression":"exec.file.mode + \u0026 S_ISUID \u003e 0 \u0026\u0026 exec.file.uid == 0 \u0026\u0026 exec.uid + != 0 \u0026\u0026 exec.envs in [~\"*GLIBC_TUNABLES*\"]","filters":["os == + \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"looney_tunables_exploit","product_tags":["tactic:TA0004-privilege-escalation","technique:T1068-exploitation-for-privilege-escalation","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-dar","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + shell made an outbound network connection","enabled":true,"expression":"connect.addr.family + \u0026 (AF_INET|AF_INET6) \u003e 0 \u0026\u0026 process.file.name in [\"dash\",\"sh\",\"static-sh\",\"sh\",\"bash\",\"bash\",\"bash-static\",\"zsh\",\"ash\",\"csh\",\"ksh\",\"tcsh\",\"busybox\",\"busybox\",\"fish\",\"ksh93\",\"rksh\",\"rksh93\",\"lksh\",\"mksh\",\"mksh-static\",\"csharp\",\"posh\",\"rc\",\"sash\",\"yash\",\"zsh5\",\"zsh5-static\"] + \u0026\u0026 connect.addr.is_public == true","filters":["os == 
\"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"shell_net_connection","product_tags":["tactic:TA0002-execution","technique:T1059-command-and-scripting-interpreter","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-88h","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Egress + traffic allowed using iptables","enabled":true,"expression":"exec.comm == + \"iptables\" \u0026\u0026 process.args in [r\"OUTPUT.*((25[0-5]|(2[0-4]|1\\d|[1-9]|)\\d)\\.?\\b){4}.*ACCEPT\"] + \u0026\u0026 process.args not in [r\"(127\\.)|(10\\.)|(172\\.1[6-9]\\.)|(172\\.2[0-9]\\.)|(^172\\.3[0-1]\\.)|(192\\.168\\.)|(169\\.254\\.)\"]","filters":["os + == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"iptables_egress_allowed","product_tags":["tactic:TA0005-defense-evasion","technique:T1562-impair-defenses","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-bus","type":"agent_rule","attributes":{"category":"File + 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The + executable bit was added to a newly created file","enabled":true,"expression":"chmod.file.in_upper_layer + \u0026\u0026\nchmod.file.change_time \u003c 30s \u0026\u0026\ncontainer.id + != \"\" \u0026\u0026\nchmod.file.destination.mode != chmod.file.mode \u0026\u0026\nchmod.file.destination.mode + \u0026 S_IXUSR|S_IXGRP|S_IXOTH \u003e 0 \u0026\u0026\nprocess.argv in [\"+x\"]","filters":["os + == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"executable_bit_added","product_tags":["tactic:TA0005-defense-evasion","technique:T1222-file-and-directory-permissions-modification","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-550","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers + policy file may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path + == \"/etc/sudoers\"\n || rename.file.destination.path == \"/etc/sudoers\")\n)","filters":["os + == 
\"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"sudoers_policy_modified_rename","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"0i7-z9o-zed","type":"agent_rule","attributes":{"actions":[{"set":{"name":"processes_accessing","field":"process.file.path","append":true,"ttl":60000000000},"disabled":false}],"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The + Kubernetes pod service account token was accessed","enabled":true,"expression":"open.file.path + in [~\"/var/run/secrets/kubernetes.io/serviceaccount/**\", ~\"/run/secrets/kubernetes.io/serviceaccount/**\"]\n\u0026\u0026 + open.file.name == \"token\"\n\u0026\u0026 process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", + \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", + \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/embedded/bin/trace-agent\", + \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", + \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", + \"/opt/datadog-agent/bin/datadog-cluster-agent\", ~\"/opt/datadog-packages/**\", + ~\"/opt/datadog-installer/**\"]\n\u0026\u0026 process.file.path not in [\"/usr/bin/cilium-agent\", \"/coredns\", \"/usr/bin/cilium-operator\", \"/manager\", \"/fluent-bit/bin/fluent-bit\", 
\"/usr/local/bin/cloud-node-manager\", \"/secrets-store-csi\", \"/bin/secrets-store-csi-driver-provider-aws\", \"/usr/bin/calico-node\", \"/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent\", 
@@ -1005,39 +884,68 @@ http_interactions: \"/bin/external-secrets\", \"/node-termination-handler\", \"/fluent-bit-gke-exporter\", \"/bin/vault\", \"/usr/local/bin/kubectl\", \"/local-provisioner\", \"/usr/bin/gitlab-runner\", \"/usr/local/bin/vaultd\", \"/usr/local/bin/trace-driveline-writer\", \"/usr/local/bin/registration-controller\", - \"/usr/local/bin/cluster-autoscaler\"] \u0026\u0026 process.ancestors.file.path - not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", + \"/usr/local/bin/cluster-autoscaler\"]\n\u0026\u0026 process.file.path not + in ${processes_accessing}\n\u0026\u0026 process.ancestors.file.path not in + [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/embedded/bin/trace-agent\", \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", \"/opt/datadog-agent/bin/datadog-cluster-agent\", ~\"/opt/datadog-packages/**\", - ~\"/opt/datadog-installer/**\"]","filters":["os == \"linux\""],"name":"k8s_pod_service_account_token_accessed","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"2dz-kyt-nme","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - new kernel module was added","enabled":true,"expression":"(\n (chmod.file.path - in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 
process.ancestors.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path - != \"/usr/bin/kmod\"\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os - == \"linux\""],"name":"kernel_module_chmod","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"94l-lhd-e33","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - new kernel module was added","enabled":true,"expression":"(\n (chown.file.path - in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path + ~\"/opt/datadog-installer/**\"]","filters":["os == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"k8s_pod_service_account_token_accessed","product_tags":["tactic:TA0006-credential-access","technique:T1552-unsecured-credentials","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"x7i-34j-1rv","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM + may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path + in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ]\n || link.file.destination.path + in [ ~\"/etc/pam.d/**\", 
\"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"pam_modification_link","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"zfb-ixo-o4w","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + suspicious file was written by a network utility","enabled":true,"expression":"open.flags + \u0026 O_CREAT \u003e 0 \u0026\u0026 process.comm in [\"wget\", \"curl\", + \"lwp-download\"]\n\u0026\u0026 (\n (open.file.path =~ \"/tmp/**\" \u0026\u0026 + open.file.name in [~\"*.sh\", ~\"*.c\", ~\"*.so\", ~\"*.ko\"])\n || open.file.path + in [~\"/usr/**\", ~\"/lib/**\", ~\"/etc/**\", ~\"/var/tmp/**\", ~\"/dev/shm/**\"]\n)","filters":["os + == 
\"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"net_file_download","product_tags":["tactic:TA0011-command-and-control","technique:T1105-ingress-tool-transfer","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-ab6","type":"agent_rule","attributes":{"category":"Network + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Recently + modified file requested credentials from IMDS","enabled":true,"expression":"imds.url + =~ \"/*/meta-data/iam/security-credentials/*\" \u0026\u0026 (process.parent.file.modification_time + \u003c 120s || process.file.modification_time \u003c 30s)","filters":["os + == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"modified_file_requesting_imds_creds","product_tags":["tactic:TA0006-credential-access","technique:T1552-unsecured-credentials","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-9rk","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Local + account groups 
were enumerated after container start up","enabled":true,"expression":"exec.file.name + in [\"tcpdump\", \"tshark\"]","filters":["os == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"network_sniffing_tool","product_tags":["tactic:TA0007-discovery","technique:T1040-network-sniffing","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"w6f-wte-i63","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL + certificates may have been tampered with","enabled":true,"expression":"(\n (link.file.path + in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || link.file.destination.path + in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.file.path + != \"/usr/sbin/update-ca-certificates\"\n \u0026\u0026 process.ancestors.file.path + != \"/usr/sbin/update-ca-certificates\"\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 
process.ancestors.file.path - != \"/usr/bin/kmod\"\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid - || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"kernel_module_chown","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"ucb-5zb-rmj","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - new kernel module was added","enabled":true,"expression":"(\n (link.file.path - in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || link.file.destination.path + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.file.name + !~ \"runc*\"\n)","filters":["os == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"ssl_certificate_tampering_link","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-qwm","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The + kubeconfig file was accessed","enabled":true,"expression":"open.file.path + in [~\"/home/*/.kube/config\", \"/root/.kube/config\"]","filters":["os == + 
\"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"read_kubeconfig","product_tags":["tactic:TA0007-discovery","technique:T1613-container-and-resource-discovery","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"l2e-aka-bw6","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The + passwd or chpasswd utility was used to modify an account password","enabled":true,"expression":"exec.file.path + in [\"/usr/bin/passwd\", \"/usr/sbin/chpasswd\"] \u0026\u0026 exec.args_flags + not in [\"S\", \"status\"]","filters":["os == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"passwd_execution","product_tags":["tactic:TA0003-persistence","tactic:TA0040-impact","technique:T1098-account-manipulation","technique:T1531-account-access-removal","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"lrg-avx-x1k","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + kernel module was 
loaded from memory","enabled":true,"expression":"load_module.loaded_from_memory + == true","filters":["os == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"kernel_module_load_from_memory","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-6ql","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"memfd + object created","enabled":true,"expression":"exec.file.name =~ \"memfd*\" + \u0026\u0026 exec.file.path == \"\" \u0026\u0026 process.parent.file.path + not in [\"/usr/bin/runc\", \"/usr/sbin/runc\", \"/usr/bin/docker-runc\" , + \"/run/docker/runtime-runc/moby/*\", \"/x86_64-bottlerocket-linux-gnu/sys-root/usr/bin/runc\"] + \u0026\u0026 !(process.comm == \"dd-ipc-helper\" \u0026\u0026 exec.file.name + in [\"memfd:spawn_worker_trampoline (deleted)\", \"memfd:spawn_worker_trampoline\"])","filters":["os + == 
\"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"memfd_create","product_tags":["tactic:TA0005-defense-evasion","technique:T1620-reflective-code-loading","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"20v-gdb-0ha","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + new kernel module was added","enabled":true,"expression":"(\n (unlink.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", 
@@ -1045,27 +953,50 @@ http_interactions: not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path - != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_link","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"5t3-iiv-rv5","type":"agent_rule","attributes":{"category":"Kernel - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - kernel module was loaded","enabled":true,"expression":"load_module.loaded_from_memory - == false \u0026\u0026 load_module.name not in [\"nf_tables\", \"iptable_filter\", - \"ip6table_filter\", \"bpfilter\", \"ip6_tables\", \"ip6table_nat\", \"nf_reject_ipv4\", - \"ipt_REJECT\", \"iptable_raw\", \"udp_diag\", \"inet_diag\"] \u0026\u0026 - process.ancestors.file.name not in [~\"falcon*\", \"unattended-upgrade\", - \"apt.systemd.daily\", \"xtables-legacy-multi\", \"ssm-agent-worker\"]","filters":["os - == \"linux\""],"name":"kernel_module_load","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"dkb-9ud-0ca","type":"agent_rule","attributes":{"category":"Kernel - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - container loaded a new kernel module","enabled":true,"expression":"load_module.name - != \"\" \u0026\u0026 container.id !=\"\"","filters":["os == \"linux\""],"name":"kernel_module_load_container","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"lrg-avx-x1k","type":"agent_rule","attributes":{"category":"Kernel - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - kernel module was loaded from 
memory","enabled":true,"expression":"load_module.loaded_from_memory - == true","filters":["os == \"linux\""],"name":"kernel_module_load_from_memory","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"gx3-4a5-w9a","type":"agent_rule","attributes":{"category":"Kernel - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - kernel module was loaded from memory inside a container","enabled":true,"expression":"load_module.loaded_from_memory - == true \u0026\u0026 container.id !=\"\"","filters":["os == \"linux\""],"name":"kernel_module_load_from_memory_container","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"56y-vsb-zqu","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - new kernel module was added","enabled":true,"expression":"(\n open.flags - \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path + != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"kernel_module_unlink","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"pfu-dvh-e5w","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM + may have been modified without 
authorization","enabled":true,"expression":"(\n (chown.file.path + in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) \u0026\u0026 (chown.file.destination.uid + != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os + == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"pam_modification_chown","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-qem","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + user was deleted via an interactive session","enabled":true,"expression":"exec.file.name + in [\"userdel\", \"deluser\"] \u0026\u0026 exec.tty_name !=\"\" \u0026\u0026 + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os + == 
\"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"user_deleted_tty","product_tags":["tactic:TA0040-impact","technique:T1531-account-access-removal","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-brb","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"regedit + used to export critical registry hive","enabled":true,"expression":"exec.file.name + in [\"reg.exe\", \"regedit.exe\"] \u0026\u0026 exec.cmdline in [~\"*hklm*\", + ~\"*hkey_local_machine*\", ~\"*system*\", ~\"*sam*\", ~\"*security*\"]","filters":["os + == \"windows\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"critical_registry_export","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"7y2-ihu-hm2","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + network utility was 
executed","enabled":true,"expression":"(exec.comm in [\"socat\", + \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm + in [\"wget\", \"curl\", \"lwp-download\"]) \u0026\u0026\ncontainer.id == \"\" + \u0026\u0026 exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" + ]","filters":["os == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"net_util","product_tags":["tactic:TA0011-command-and-control","technique:T1105-ingress-tool-transfer","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-nip","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Browser + WebDriver spawned shell","enabled":true,"expression":"process.parent.file.name + in [~\"chromedriver*\", \"geckodriver\"] \u0026\u0026 exec.file.name not in + [\"chrome\", \"google-chrome\", \"chromium\", \"firefox\"]","filters":["os + == 
\"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"webdriver_spawned_shell","product_tags":["tactic:TA0001-initial-access","technique:T1190-exploit-public-facing-application","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-jed","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows + registry hives file location key modified","enabled":true,"expression":"set.registry.key_path + in [~\"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\hivelist*\"]","filters":["os + == \"windows\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"registry_hives_file_path_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1112-modify-registry","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"hba-kfe-1xr","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH + modified keys may have been modified","enabled":true,"expression":"(\n utimes.file.name + in [ 
\"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (utimes.file.path + in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os + == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"ssh_authorized_keys_utimes","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-a41","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The + base64 command was used to decode information","enabled":true,"expression":"exec.file.name + == \"base64\" \u0026\u0026 exec.args_flags in [\"d\"]","filters":["os == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"base64_decode","product_tags":["tactic:TA0005-defense-evasion","technique:T1140-deobfuscate-or-decode-files-or-information","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"ucb-5zb-rmj","type":"agent_rule","attributes":{"category":"File + 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + new kernel module was added","enabled":true,"expression":"(\n (link.file.path + in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || link.file.destination.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", 
@@ -1073,10 +1004,56 @@ http_interactions: not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path - != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_open","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"3i1-zpd-ycj","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - new kernel module was added","enabled":true,"expression":"(\n (rename.file.path - in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || rename.file.destination.path + != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"kernel_module_link","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-n3u","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows + shell folders registry key modified","enabled":true,"expression":"set.registry.key_path + in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell + Folders*\", ~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User + Shell 
Folders*\"]","filters":["os == \"windows\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"windows_shell_folders_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-6oh","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + Registry runkey has been modified","enabled":true,"expression":"set.registry.key_path + in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\", + ~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Runonce\", + ~\"HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\", + ~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal + Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\", ~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows + NT\\CurrentVersion\\Terminal Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\Runonce\", + ~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal + Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\RunonceEx\"]","filters":["os + == 
\"windows\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"registry_runkey_modified","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"mcv-y5o-zg5","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An + unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (link.file.path + in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"]\n || + link.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", + ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", + \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\"]","filters":["os == 
\"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"cron_at_job_creation_link","product_tags":["tactic:TA0002-execution","technique:T1053-scheduled-task-or-job","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-l8e","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers + policy file may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path + == \"/etc/sudoers\")\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid + || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"sudoers_policy_modified_chown","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"g7f-kfr-tdb","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Python + 
code was provided on the command line","enabled":true,"expression":"exec.file.name + == ~\"python*\" \u0026\u0026 exec.args_flags in [\"c\"] \u0026\u0026 exec.args + in [~\"*-c*SOCK_STREAM*\", ~\"*-c*subprocess*\", ~\"*-c*/bash*\", ~\"*-c*/bin/sh*\", + ~\"*-c*pty.spawn*\"] \u0026\u0026 exec.args !~ \"*setuptools*\"","filters":["os + == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"python_cli_code","product_tags":["tactic:TA0002-execution","technique:T1059-command-and-scripting-interpreter","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-wqf","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows + update registry key modified","enabled":true,"expression":"set.registry.key_path + in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\WindowsUpdate*\"]","filters":["os + == 
\"windows\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"windows_update_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1112-modify-registry","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"48s-46n-g4w","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + service may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path + in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" + ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) + \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os + == 
\"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"systemd_modification_chmod","product_tags":["tactic:TA0002-execution","technique:T1569-system-services","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"94l-lhd-e33","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + new kernel module was added","enabled":true,"expression":"(\n (chown.file.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", 
@@ -1084,9 +1061,94 @@ http_interactions: not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path - != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_rename","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"20v-gdb-0ha","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - new kernel module was added","enabled":true,"expression":"(\n (unlink.file.path + != \"/usr/bin/kmod\"\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid + || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"kernel_module_chown","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"jr3-0m8-jlj","type":"agent_rule","attributes":{"actions":[{"hash":{},"disabled":false}],"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + process launched with arguments associated with cryptominers","enabled":true,"expression":"exec.args_options + in [~\"cpu-priority*\", ~\"donate-level*\"] || exec.args_flags == \"randomx-1gb-pages\" + || exec.args in 
[~\"*stratum+tcp*\", ~\"*stratum+ssl*\", ~\"*stratum1+tcp*\", + ~\"*stratum1+ssl*\", ~\"*stratum2+tcp*\", ~\"*stratum2+ssl*\", ~\"*nicehash*\", + ~\"*yespower*\"]","filters":["os == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"cryptominer_args","product_tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"7q3-6aa-pix","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH + modified keys may have been modified","enabled":true,"expression":"(\n chown.file.name + in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (chown.file.path + in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) + \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid + != chown.file.gid)","filters":["os == 
\"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"ssh_authorized_keys_chown","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-mfu","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + Jupyter notebook executed a shell","enabled":true,"expression":"(exec.file.name + in [\"cat\",\"chgrp\",\"chmod\",\"chown\",\"cp\",\"date\",\"dd\",\"df\",\"dir\",\"echo\",\"ln\",\"ls\",\"mkdir\",\"mknod\",\"mktemp\",\"mv\",\"pwd\",\"readlink\",\"rm\",\"rmdir\",\"sleep\",\"stty\",\"sync\",\"touch\",\"uname\",\"vdir\",\"arch\",\"b2sum\",\"base32\",\"base64\",\"basename\",\"chcon\",\"cksum\",\"comm\",\"csplit\",\"cut\",\"dircolors\",\"dirname\",\"du\",\"env\",\"expand\",\"expr\",\"factor\",\"fmt\",\"fold\",\"groups\",\"head\",\"hostid\",\"id\",\"install\",\"join\",\"link\",\"logname\",\"md5sum\",\"textutils\",\"mkfifo\",\"nice\",\"nl\",\"nohup\",\"nproc\",\"numfmt\",\"od\",\"paste\",\"pathchk\",\"pinky\",\"pr\",\"printenv\",\"printf\",\"ptx\",\"realpath\",\"runcon\",\"seq\",\"sha1sum\",\"sha224sum\",\"sha256sum\",\"sha384sum\",\"sha512sum\",\"shred\",\"shuf\",\"sort\",\"split\",\"stat\",\"stdbuf\",\"sum\",\"tac\",\"tail\",\"tee\",\"test\",\"timeout\",\"tr\",\"truncate\",\"tsort\",\"tty\",\"unexpand\",\"uniq\",\"unlink\",\"users\",\"wc\",\"who\",\"whoami\",\"chroot\"] + || exec.file.name in [\"wget\", \"curl\", 
\"lwp-download\"] || exec.file.name + in [\"dash\",\"sh\",\"static-sh\",\"sh\",\"bash\",\"bash\",\"bash-static\",\"zsh\",\"ash\",\"csh\",\"ksh\",\"tcsh\",\"busybox\",\"busybox\",\"fish\",\"ksh93\",\"rksh\",\"rksh93\",\"lksh\",\"mksh\",\"mksh-static\",\"csharp\",\"posh\",\"rc\",\"sash\",\"yash\",\"zsh5\",\"zsh5-static\"]) + \u0026\u0026 process.ancestors.comm in [\"jupyter-noteboo\", \"jupyter-lab\"]","filters":["os + == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"jupyter_shell_execution","product_tags":["tactic:TA0001-initial-access","technique:T1190-exploit-public-facing-application","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-dnj","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The + AWS CLI utility was executed","enabled":true,"expression":"exec.file.name + == \"aws\"","filters":["os == 
\"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"aws_cli_usage","product_tags":["tactic:TA0002-execution","technique:T1651-cloud-administration-command","policy:best-practice","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-juz","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + privileged container was created","enabled":true,"expression":"exec.file.name + != \"\" \u0026\u0026 container.id != \"\" \u0026\u0026 container.created_at + \u003c 1s \u0026\u0026 process.cap_permitted \u0026 CAP_SYS_ADMIN \u003e 0","filters":["os + == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"deploy_priv_container","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection","policy:best-practice"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-zse","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PHP + web application 
spawning shell","enabled":true,"expression":"exec.file.name + in [~\"powershell*\",\"cmd.exe\"] \u0026\u0026 process.parent.file.name in + [\"php.exe\",\"php-cgi.exe\"]","filters":["os == \"windows\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"php_spawning_shell","product_tags":["tactic:TA0002-execution","technique:T1210-exploitation-of-remote-services","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-hbr","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"process + arguments match sliver c2 implant","enabled":true,"expression":"exec.cmdline + =~ \"*NoExit *\" \u0026\u0026 exec.cmdline =~ \"*Command *\" \u0026\u0026 + exec.cmdline =~ \"*[Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8*\"","filters":["os + == 
\"windows\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"sliver_c2_implant_execution","product_tags":["tactic:TA0011-command-and-control","technique:T1071-application-layer-protocol","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-0en","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The + debugfs was executed in a container","enabled":true,"expression":"exec.comm + == \"debugfs\" \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"debugfs_in_container","product_tags":["tactic:TA0007-discovery","technique:T1613-container-and-resource-discovery","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-crv","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers + policy file may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path + == \"/etc/sudoers\")\n) 
\u0026\u0026 chmod.file.destination.mode != chmod.file.mode + \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os + == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"sudoers_policy_modified_chmod","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-qt6","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL + certificates may have been tampered with","enabled":true,"expression":"(\n open.flags + \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path + in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n)\n\u0026\u0026 process.file.path + != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path + != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ + \"runc*\"\n\u0026\u0026 container.id != \"\"\n\u0026\u0026 container.created_at + \u003e 90s","filters":["os 
== \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"ssl_certificate_tampering_open_v2","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-x51","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Safeboot + registry modified","enabled":true,"expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SafeBoot\"]","filters":["os + == \"windows\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"safeboot_modification","product_tags":["tactic:TA0005-defense-evasion","technique:T1562-impair-defenses","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"xa1-b6v-n2l","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"An + unauthorized job was added to cron scheduling","enabled":true,"expression":"(\n (rename.file.path + in [ 
~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", ~\"/etc/crontab\", ~\"/etc/crontabs/**\"]\n || + rename.file.destination.path in [ ~\"/var/spool/cron/**\", ~\"/etc/cron.*/**\", + ~\"/etc/crontab\" ])\n \u0026\u0026 process.file.path not in [ \"/usr/bin/at\", + \"/usr/bin/crontab\" ]\n)\n\u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"cron_at_job_creation_rename","product_tags":["tactic:TA0002-execution","technique:T1053-scheduled-task-or-job","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-tp8","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + process opened a model-specific register (MSR) configuration file","enabled":true,"expression":"open.file.path + == \"/sys/module/msr/parameters/allow_writes\" \u0026\u0026 open.flags \u0026 + O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY \u003e 0","filters":["os == 
\"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"open_msr_writes","product_tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"34t-hic-8cn","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM + may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path + in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) \u0026\u0026 chmod.file.destination.mode + != chmod.file.mode","filters":["os == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"pam_modification_chmod","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"rpc-ji0-zfu","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH + modified keys may have been modified","enabled":true,"expression":"(\n open.flags + \u0026 
(O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.name + in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (open.file.path + in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os + == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"ssh_authorized_keys_open","product_tags":["tactic:TA0003-persistence","technique:T1098-account-manipulation","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"3i1-zpd-ycj","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + new kernel module was added","enabled":true,"expression":"(\n (rename.file.path + in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ]\n || rename.file.destination.path in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", 
@@ -1094,277 +1156,140 @@ http_interactions: not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path - != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_unlink","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"fyq-x5u-mv1","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - new kernel module was added","enabled":true,"expression":"(\n (utimes.file.path - in [ ~\"/lib/modules/**\", ~\"/usr/lib/modules/**\" ])\n \u0026\u0026 process.file.path + != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"kernel_module_rename","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"wwy-h4d-pwm","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + service may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path + in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" + ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + 
\"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) + \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid + != chown.file.gid)","filters":["os == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"systemd_modification_chown","product_tags":["tactic:TA0002-execution","technique:T1569-system-services","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-bv2","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process + matches known relay attack tool","enabled":true,"expression":"exec.file.name + in [~\"*PetitPotam*\", ~\"*RottenPotato*\", ~\"*HotPotato*\", ~\"*JuicyPotato*\", + ~\"*just_dce_*\", ~\"*Juicy Potato*\", \"rot.exe\", \"Potato.exe\", \"SpoolSample.exe\", + \"Responder.exe\", ~\"*smbrelayx*\", ~\"*smbrelayx*\", ~\"*ntlmrelayx*\", + ~\"*LocalPotato*\"] || exec.cmdline in [~\"*Invoke-Tater*\", ~\"*smbrelay*\", + ~\"*ntlmrelay*\", ~\"*cme smb*\", ~\"*ntlm:NTLMhash*\", ~\"*Invoke-PetitPotam*\"]","filters":["os + == 
\"windows\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"relay_attack_tool_execution","product_tags":["tactic:TA0006-credential-access","technique:T1555-credentials-from-password-stores","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-fsq","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + cryptominer was potentially executed","enabled":true,"expression":"exec.cmdline + in [~\"*cpu-priority*\", ~\"*donate-level*\", ~\"*randomx-1gb-pages*\", ~\"*stratum+tcp*\", + ~\"*stratum+ssl*\", ~\"*stratum1+tcp*\", ~\"*stratum1+ssl*\", ~\"*stratum2+tcp*\", + ~\"*stratum2+ssl*\", ~\"*nicehash*\", ~\"*yespower*\"]","filters":["os == + \"windows\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"windows_cryptominer_process","product_tags":["tactic:TA0040-impact","technique:T1496-resource-hijacking","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"2rq-drz-11u","type":"agent_rule","attributes":{"category":"File + 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + process unlinked a dynamic linker config file","enabled":true,"expression":"unlink.file.path + in [\"/etc/ld.so.preload\", \"/etc/ld.so.conf\", ~\"/etc/ld.so.conf.d/*.conf\"] + \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os + == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"dynamic_linker_config_unlink","product_tags":["tactic:TA0004-privilege-escalation","technique:T1574-hijack-execution-flow","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"y5i-yxn-27t","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL + certificates may have been tampered with","enabled":true,"expression":"(\n (chmod.file.path + in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.ancestors.file.path + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.mode != + chmod.file.destination.mode\n\u0026\u0026 
process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 + process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 + process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", + \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 + process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"ssl_certificate_tampering_chmod","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-18q","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Tar + archive created","enabled":true,"expression":"exec.file.path == \"/usr/bin/tar\" + \u0026\u0026 exec.args_flags in [\"create\",\"c\"]","filters":["os == 
\"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"tar_execution","product_tags":["tactic:TA0009-collection","technique:T1560-archive-collected-data","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"dkb-9ud-0ca","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + container loaded a new kernel module","enabled":true,"expression":"load_module.name + != \"\" \u0026\u0026 container.id !=\"\"","filters":["os == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"kernel_module_load_container","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-4xu","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Kernel + modules were listed using the lsmod command","enabled":true,"expression":"exec.comm + == \"lsmod\"","filters":["os == 
\"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"exec_lsmod","product_tags":["tactic:TA0007-discovery","technique:T1082-system-information-discovery","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"mq1-y7n-kf2","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + database application spawned a shell, shell utility, or HTTP utility","enabled":true,"expression":"(exec.file.path + in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" + ] ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"] ||\n exec.file.path + in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\",\"/bin/busybox\"]) + \u0026\u0026\nprocess.parent.file.name in [\"mysqld\", \"mongod\", \"postgres\"] + \u0026\u0026\n!(process.parent.file.name == \"initdb\" \u0026\u0026\nexec.args + == 
\"-c locale -a\") \u0026\u0026\n!(process.parent.file.name == \"postgres\" + \u0026\u0026\nexec.args == ~\"*pg_wal*\")","filters":["os == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"database_shell_execution","product_tags":["tactic:TA0001-initial-access","technique:T1190-exploit-public-facing-application","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"prk-6q1-g0m","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + service may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path + in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" + ]\n || rename.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", + ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in + [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == 
\"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"systemd_modification_rename","product_tags":["tactic:TA0002-execution","technique:T1569-system-services","policy:threat-detection","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"pwu-7u7-iiq","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + process uses an anti-debugging technique to block debuggers","enabled":true,"expression":"ptrace.request + == PTRACE_TRACEME \u0026\u0026 process.file.name != \"\"","filters":["os == + \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"ptrace_antidebug","product_tags":["tactic:TA0005-defense-evasion","technique:T1622-debugger-evasion","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-lel","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Perl + executed with suspicious argument","enabled":true,"expression":"exec.file.name + == ~\"perl*\" \u0026\u0026 
exec.args_flags in [\"e\"] \u0026\u0026 (exec.args + in [~\"*socket*\", ~\"*bind*\", ~\"*sockaddr*\", ~\"*listen*\", ~\"*accept\", + ~\"*stdin*\", ~\"*stdout\"])","filters":["os == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"perl_shell","product_tags":["tactic:TA0001-initial-access","technique:T1210-exploitation-of-remote-services","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"kyr-sg6-us9","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL + certificates may have been tampered with","enabled":true,"expression":"(\n (chown.file.path + in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 process.ancestors.file.path - != \"/usr/bin/kmod\"\n)","filters":["os == \"linux\""],"name":"kernel_module_utimes","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-dpm","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - process attempted to enable writing to model-specific registers","enabled":true,"expression":"exec.comm - == \"modprobe\" \u0026\u0026 process.args =~ 
\"*msr*allow_writes*\"","filters":["os - == \"linux\""],"name":"kernel_msr_write","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-xv7","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Kernel - modules were listed using the kmod command","enabled":true,"expression":"exec.comm - == \"kmod\" \u0026\u0026 exec.args in [~\"*list*\"]","filters":["os == \"linux\""],"name":"kmod_list","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-j1p","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows - Known DLLs location registry key modified","enabled":true,"expression":"set.registry.key_path - in [~\"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\KnownDLLs*\"]","filters":["os - == \"windows\""],"name":"known_dll_registry_key_modified","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-b7s","type":"agent_rule","attributes":{"category":"Network - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Kubernetes - DNS enumeration","enabled":true,"expression":"dns.question.name == \"any.any.svc.cluster.local\" - \u0026\u0026 dns.question.type == SRV \u0026\u0026 container.id != \"\"","filters":["os - == \"linux\""],"name":"kubernetes_dns_enumeration","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"j8a-wic-bvi","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The - LD_PRELOAD variable is populated by a link to a suspicious file directory","enabled":true,"expression":"exec.envs - in [~\"LD_PRELOAD=*/tmp/*\", 
~\"LD_PRELOAD=/dev/shm/*\"]","filters":["os == - \"linux\""],"name":"ld_preload_unusual_library_path","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-fbb","type":"agent_rule","attributes":{"category":"Kernel - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Library - libpam.so hooked using eBPF","enabled":true,"expression":"bpf.cmd == BPF_MAP_CREATE - \u0026\u0026 process.args in [r\"libpam\\.so\"]","filters":["os == \"linux\""],"name":"libpam_ebpf_hook","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-j1b","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Looney - Tunables (CVE-2023-4911) exploit attempted","enabled":true,"expression":"exec.file.mode - \u0026 S_ISUID \u003e 0 \u0026\u0026 exec.file.uid == 0 \u0026\u0026 exec.uid - != 0 \u0026\u0026 exec.envs in [~\"*GLIBC_TUNABLES*\"]","filters":["os == - \"linux\""],"name":"looney_tunables_exploit","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-6ql","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"memfd - object created","enabled":true,"expression":"exec.file.name =~ \"memfd*\" - \u0026\u0026 exec.file.path == \"\"","filters":["os == \"linux\""],"name":"memfd_create","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-d1i","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process - memory was dumped using the minidump function from comsvcs.dll","enabled":true,"expression":"exec.cmdline - =~ \"*MiniDump*\" \u0026\u0026 exec.cmdline =~ 
\"*comsvcs*\"","filters":["os - == \"windows\""],"name":"minidump_usage","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"caz-yrk-14e","type":"agent_rule","attributes":{"category":"Network - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - process resolved a DNS name associated with cryptomining activity","enabled":true,"expression":"dns.question.name - in [~\"*.minexmr.com\", \"minexmr.com\", ~\"*.nanopool.org\", \"nanopool.org\", - ~\"*.supportxmr.com\", \"supportxmr.com\", ~\"*.c3pool.com\", \"c3pool.com\", - ~\"*.p2pool.io\", \"p2pool.io\", ~\"*.ethermine.org\", \"ethermine.org\", - ~\"*.f2pool.com\", \"f2pool.com\", ~\"*.poolin.me\", \"poolin.me\", ~\"*.rplant.xyz\", - \"rplant.xyz\", ~\"*.miningocean.org\", \"miningocean.org\"] \u0026\u0026 - process.file.name != \"\"","filters":["os == \"linux\""],"name":"mining_pool_lookup","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-ab6","type":"agent_rule","attributes":{"category":"Network - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Recently - modified file requested credentials from IMDS","enabled":true,"expression":"imds.url - =~ \"/*/meta-data/iam/security-credentials/*\" \u0026\u0026 (process.parent.file.modification_time - \u003c 120s || process.file.modification_time \u003c 30s)","filters":["os - == \"linux\""],"name":"modified_file_requesting_imds_creds","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-mxb","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The - host file system was mounted in a container","enabled":true,"expression":"mount.source.path - == \"/\" \u0026\u0026 mount.fs_type != \"overlay\" \u0026\u0026 container.id - != \"\"","filters":["os == 
\"linux\""],"name":"mount_host_fs","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-ibc","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The - mount utility was executed in a container","enabled":true,"expression":"exec.comm - == \"mount\" \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"name":"mount_in_container","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-mr5","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process - hidden using mount","enabled":true,"expression":"mount.mountpoint.path in - [~\"/proc/1*\", ~\"/proc/2*\", ~\"/proc/3*\", ~\"/proc/4*\", ~\"/proc/5*\", - ~\"/proc/6*\", ~\"/proc/7*\", ~\"/proc/8*\", ~\"/proc/9*\"]","filters":["os - == \"linux\""],"name":"mount_proc_hide","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"zfb-ixo-o4w","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - suspicious file was written by a network utility","enabled":true,"expression":"open.flags - \u0026 O_CREAT \u003e 0 \u0026\u0026 process.comm in [\"wget\", \"curl\", - \"lwp-download\"]\n\u0026\u0026 (\n (open.file.path =~ \"/tmp/**\" \u0026\u0026 - open.file.name in [~\"*.sh\", ~\"*.c\", ~\"*.so\", ~\"*.ko\"])\n || open.file.path - in [~\"/usr/**\", ~\"/lib/**\", ~\"/etc/**\", ~\"/var/tmp/**\", ~\"/dev/shm/**\"]\n)","filters":["os - == \"linux\""],"name":"net_file_download","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"sqi-q1z-onu","type":"agent_rule","attributes":{"category":"Process - 
Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Network - utility executed with suspicious URI","enabled":true,"expression":"exec.comm - in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*.php*\", - ~\"*.jpg*\"] ","filters":["os == \"linux\""],"name":"net_unusual_request","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"7y2-ihu-hm2","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - network utility was executed","enabled":true,"expression":"(exec.comm in [\"socat\", - \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] ||\n exec.comm - in [\"wget\", \"curl\", \"lwp-download\"]) \u0026\u0026\ncontainer.id == \"\" - \u0026\u0026 exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", ~\"*motd.ubuntu.com*\" - ]","filters":["os == \"linux\""],"name":"net_util","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"a52-req-ghm","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Exfiltration - attempt via network utility","enabled":true,"expression":"exec.comm in [\"wget\", - \"curl\", \"lwp-download\"] \u0026\u0026\nexec.args_options in [ ~\"post-file=*\", - ~\"post-data=*\", ~\"T=*\", ~\"d=@*\", ~\"upload-file=*\", ~\"F=file*\"] \u0026\u0026\nexec.args - not in [~\"*localhost*\", ~\"*127.0.0.1*\"]","filters":["os == \"linux\""],"name":"net_util_exfiltration","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"w0z-64n-bss","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - network utility was executed in a 
container","enabled":true,"expression":"(exec.comm - in [\"socat\", \"dig\", \"nslookup\", \"host\", ~\"netcat*\", ~\"nc*\", \"ncat\"] - ||\n exec.comm in [\"wget\", \"curl\", \"lwp-download\"]) \u0026\u0026\ncontainer.id - != \"\" \u0026\u0026 exec.args not in [ ~\"*localhost*\", ~\"*127.0.0.1*\", - ~\"*motd.ubuntu.com*\" ]","filters":["os == \"linux\""],"name":"net_util_in_container","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-969","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process - arguments indicating possible netcat shell detected","enabled":true,"expression":"exec.file.name - in [\"netcat\", \"nc\", \"ncat\"] \u0026\u0026 ((exec.args_flags in [\"l\"] - \u0026\u0026 exec.args_flags in [\"p\"]) || (exec.args_flags in [\"n\"] \u0026\u0026 - exec.args_flags in [\"v\"]) || (exec.args in [~\"*/bin/bash*\", ~\"*/bin/sh*\"]))","filters":["os - == \"linux\""],"name":"netcat_shell","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-9rk","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Local - account groups were enumerated after container start up","enabled":true,"expression":"exec.file.name - in [\"tcpdump\", \"tshark\"]","filters":["os == \"linux\""],"name":"network_sniffing_tool","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"xgw-28i-480","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - container executed a new binary not found in the container image","enabled":true,"expression":"container.id - != \"\" \u0026\u0026 process.file.in_upper_layer \u0026\u0026 process.file.modification_time - \u003c 
30s \u0026\u0026 exec.file.name != \"\"","filters":["os == \"linux\""],"name":"new_binary_execution_in_container","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-qn0","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsenter - used to breakout of container","enabled":true,"expression":"exec.file.name - == \"nsenter\" \u0026\u0026 exec.args_options in [\"target=1\", \"t=1\"] \u0026\u0026 - container.id != \"\"","filters":["os == \"linux\""],"name":"nsenter_in_container","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"mqh-lgo-brj","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch - may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path - in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 chmod.file.destination.mode - != chmod.file.mode \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", - \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", - \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_chmod","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"v2b-cd3-clr","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid + != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n\u0026\u0026 + process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path + != 
\"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ + \"runc*\"","filters":["os == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"ssl_certificate_tampering_chown","product_tags":["tactic:TA0005-defense-evasion","technique:T1553-subvert-trust-controls","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-2k6","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Suspicious + usage of ntdsutil","enabled":true,"expression":"exec.file.name == \"ntdsutil.exe\" + \u0026\u0026 exec.cmdline in [~\"*ntds*\", ~\"*create*\"]","filters":["os + == 
\"windows\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"suspicious_ntdsutil_usage","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-vqm","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + scheduled task was created","enabled":true,"expression":"exec.cmdline in [~\"*at.exe\",~\"*schtasks*\"] + \u0026\u0026 exec.cmdline =~ \"*create*\"","filters":["os == \"windows\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"scheduled_task_creation","product_tags":["tactic:TA0003-persistence","technique:T1053-scheduled-task-or-job","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"v2b-cd3-clr","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path in [ \"/etc/nsswitch.conf\" ])\n) 
\u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid != chown.file.gid) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os - == \"linux\""],"name":"nsswitch_conf_mod_chown","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"wwc-6it-t7i","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch - may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path - in [ \"/etc/nsswitch.conf\" ]\n || link.file.destination.path in [ \"/etc/nsswitch.conf\" - ])\n)","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_link","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"e5h-onu-f7l","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch - may have been modified without authorization","enabled":true,"expression":"(\n open.flags - \u0026 ((O_RDWR|O_WRONLY|O_CREAT)) \u003e 0 \u0026\u0026\n (open.file.path - in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", - \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", - \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_open","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-i9x","type":"agent_rule","attributes":{"category":"File - 
Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch - may have been modified without authorization","enabled":true,"expression":"(\n open.flags - \u0026 ((O_RDWR|O_WRONLY|O_CREAT)) \u003e 0 \u0026\u0026\n (open.file.path - in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 container.created_at \u003e - 90s \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", - \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_open_v2","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"sif-d9p-wzg","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch - may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path - in [ \"/etc/nsswitch.conf\" ]\n || rename.file.destination.path in [ \"/etc/nsswitch.conf\" - ])\n)","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_rename","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"4mu-d2x-fyk","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch - may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path - in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_unlink","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"qt9-i99-q9p","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch - may have been 
modified without authorization","enabled":true,"expression":"(\n (utimes.file.path - in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os == \"linux\""],"name":"nsswitch_conf_mod_utimes","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-d4i","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"NTDS + == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"nsswitch_conf_mod_chown","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"9f3-haw-91q","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The + AWS EKS service account token was accessed","enabled":true,"expression":"open.file.path + =~ \"/var/run/secrets/eks.amazonaws.com/serviceaccount/**\" \u0026\u0026 open.file.name + == \"token\" \u0026\u0026 process.file.path not in [\"/opt/datadog-agent/embedded/bin/agent\", + \"/opt/datadog-agent/embedded/bin/system-probe\", \"/opt/datadog-agent/embedded/bin/security-agent\", + \"/opt/datadog-agent/embedded/bin/process-agent\", \"/opt/datadog-agent/embedded/bin/trace-agent\", + \"/opt/datadog-agent/bin/agent/agent\", \"/opt/datadog/apm/inject/auto_inject_runc\", + \"/usr/bin/dd-host-install\", \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", + 
\"/opt/datadog-agent/bin/datadog-cluster-agent\", ~\"/opt/datadog-packages/**\", + ~\"/opt/datadog-installer/**\"]","filters":["os == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"aws_eks_service_account_token_accessed","product_tags":["tactic:TA0006-credential-access","technique:T1552-unsecured-credentials","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-d4i","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"NTDS file referenced in commandline","enabled":true,"expression":"exec.cmdline - =~ \"*ntds.dit*\"","filters":["os == \"windows\""],"name":"ntds_in_commandline","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-49j","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - known kubernetes pentesting tool has been executed","enabled":true,"expression":"(exec.file.name - in [ ~\"python*\" ] \u0026\u0026 (\"KubiScan.py\" in exec.argv || \"kubestriker\" - in exec.argv ) ) || exec.file.name in [ \"kubiscan\",\"kdigger\",\"kube-hunter\",\"rakkess\",\"peirates\",\"kubescape\",\"kubeaudit\",\"kube-linter\",\"stratus\",~\"botb-*\"]","filters":["os - == \"linux\""],"name":"offensive_k8s_tool","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"4yt-ize-avz","type":"agent_rule","attributes":{"category":"Process - 
Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Omiagent - spawns a privileged child process","enabled":true,"expression":"exec.uid \u003e= - 0 \u0026\u0026 process.ancestors.file.name == \"omiagent\"","filters":["os - == \"linux\""],"name":"omigod","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-tp8","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - process opened a model-specific register (MSR) configuration file","enabled":true,"expression":"open.file.path - == \"/sys/module/msr/parameters/allow_writes\" \u0026\u0026 open.flags \u0026 - O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY \u003e 0","filters":["os == \"linux\""],"name":"open_msr_writes","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-jl7","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"openssl - used to establish backdoor","enabled":true,"expression":"exec.comm == \"openssl\" - \u0026\u0026 exec.args =~ \"*s_client*\"","filters":["os == \"linux\""],"name":"openssl_backdoor","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-0pf","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - process attempted to overwrite the container entrypoint","enabled":true,"expression":"open.file.path - == \"/proc/self/fd/1\" \u0026\u0026 open.flags \u0026 O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY - \u003e 0 \u0026\u0026 container.id != \"\"","filters":["os == 
\"linux\""],"name":"overwrite_entrypoint","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-o1o","type":"agent_rule","attributes":{"category":"Kernel - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - process made a connection to a port associated with P2PInfect malware","enabled":true,"expression":"connect.addr.family - \u0026 (AF_INET|AF_INET6) \u003e 0 \u0026\u0026 connect.addr.is_public == - true \u0026\u0026 connect.addr.port \u003e= 60100 \u0026\u0026 connect.addr.port - \u003c= 60150","filters":["os == \"linux\""],"name":"p2pinfect_connection","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"m7d-vlh-3yq","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Package - management was detected in a container","enabled":true,"expression":"exec.file.path - in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] \u0026\u0026 container.id != \"\"","filters":["os - == \"linux\""],"name":"package_management_in_container","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"34t-hic-8cn","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM - may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path - in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) \u0026\u0026 chmod.file.destination.mode - != chmod.file.mode","filters":["os == 
\"linux\""],"name":"pam_modification_chmod","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"pfu-dvh-e5w","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM - may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path - in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) \u0026\u0026 (chown.file.destination.uid - != chown.file.uid || chown.file.destination.gid != chown.file.gid)","filters":["os - == \"linux\""],"name":"pam_modification_chown","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"x7i-34j-1rv","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM - may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path - in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ]\n || link.file.destination.path - in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"name":"pam_modification_link","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"w7o-w48-j34","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM - may have been modified without authorization","enabled":true,"expression":"(\n open.flags - \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path - in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"name":"pam_modification_open","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"wri-hx3-4n3","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM - 
may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path - in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ]\n || rename.file.destination.path - in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"name":"pam_modification_rename","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"900-1sj-xhs","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM - may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path - in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n)","filters":["os == \"linux\""],"name":"pam_modification_unlink","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"pxk-42u-fga","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PAM - may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path - in [ ~\"/etc/pam.d/**\", \"/etc/pam.conf\" ])\n) \u0026\u0026 process.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]","filters":["os - == \"linux\""],"name":"pam_modification_utimes","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"l2e-aka-bw6","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The - passwd or chpasswd utility was used to modify an account password","enabled":true,"expression":"exec.file.path - in [\"/usr/bin/passwd\", \"/usr/sbin/chpasswd\"] \u0026\u0026 exec.args_flags - not in [\"S\", 
\"status\"]","filters":["os == \"linux\""],"name":"passwd_execution","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"460-gys-lqp","type":"agent_rule","attributes":{"category":"Network - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - DNS lookup was done for a pastebin-like site","enabled":true,"expression":"dns.question.name - in [\"pastebin.com\", \"ghostbin.com\", \"termbin.com\", \"klgrth.io\", \"rentry.co\", - \"transfer.sh\"] \u0026\u0026 process.file.name != \"\"","filters":["os == - \"linux\""],"name":"paste_site","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"7vi-w5r-h15","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical - system binaries may have been modified","enabled":true,"expression":"(\n (chmod.file.path - in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", - ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \u0026\u0026 - process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) - \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os - == \"linux\""],"name":"pci_11_5_critical_binaries_chmod","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"xiu-ghq-4zi","type":"agent_rule","attributes":{"category":"File - 
Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical - system binaries may have been modified","enabled":true,"expression":"(\n (chown.file.path - in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", - ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \u0026\u0026 - process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) - \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid - != chown.file.gid)","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_chown","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"9ym-18v-5zi","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical - system binaries may have been modified","enabled":true,"expression":"(\n (link.file.path - in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", - ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || link.file.destination.path - in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", - ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", 
~\"/usr/local/bin/pip*\"]\n \u0026\u0026 - process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os - == \"linux\""],"name":"pci_11_5_critical_binaries_link","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"fpa-r6g-2em","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical + =~ \"*ntds.dit*\"","filters":["os == \"windows\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"ntds_in_commandline","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-d4w","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + file executed from /dev/shm/ directory","enabled":true,"expression":"exec.file.path + == \"/dev/shm/**\"","filters":["os == 
\"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"devshm_execution","product_tags":["tactic:TA0005-defense-evasion","technique:T1564-hide-artifacts","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"422-svi-03v","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Potential + Dirty pipe exploitation","enabled":true,"expression":"(splice.pipe_exit_flag + \u0026 PIPE_BUF_FLAG_CAN_MERGE) \u003e 0 \u0026\u0026 (process.uid != 0 \u0026\u0026 + process.gid != 0)","filters":["os == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"dirty_pipe_exploitation","product_tags":["tactic:TA0004-privilege-escalation","technique:T1068-exploitation-for-privilege-escalation","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-tat","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows + RPC COM debugging registry key 
modified","enabled":true,"expression":"set.registry.key_path + in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows*\"]","filters":["os + == \"windows\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"windows_com_rpc_debugging_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1112-modify-registry","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"sqi-q1z-onu","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Network + utility executed with suspicious URI","enabled":true,"expression":"exec.comm + in [\"wget\", \"curl\", \"lwp-download\"] \u0026\u0026 exec.args in [~\"*.php*\", + ~\"*.jpg*\"] ","filters":["os == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"net_unusual_request","product_tags":["tactic:TA0011-command-and-control","technique:T1105-ingress-tool-transfer","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-y7j","type":"agent_rule","attributes":{"category":"File + 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", 
@@ -1374,21 +1299,113 @@ http_interactions: \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os - == \"linux\""],"name":"pci_11_5_critical_binaries_open","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-y7j","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical - system binaries may have been modified","enabled":true,"expression":"(\n open.flags - \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.path - in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", - ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n \u0026\u0026 process.file.path + ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) + \u0026\u0026 container.id != \"\" \u0026\u0026 container.created_at \u003e + 90s","filters":["os == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"pci_11_5_critical_binaries_open_v2","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-myb","type":"agent_rule","attributes":{"category":"File + 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers + policy file may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path + == \"/etc/sudoers\"\n || link.file.destination.path == \"/etc/sudoers\")\n)","filters":["os + == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"sudoers_policy_modified_link","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-3b9","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive + credential files were modified using a non-standard tool","enabled":true,"expression":"(\n open.flags + \u0026 ((O_CREAT|O_RDWR|O_WRONLY|O_TRUNC)) \u003e 0 \u0026\u0026\n (open.file.path + in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path + not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", + \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", + \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", + \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", + \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", 
~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 container.id != \"\" + \u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"credential_modified_open_v2","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-mmo","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers + policy file may have been modified without authorization","enabled":true,"expression":"(open.flags + \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n(open.file.path + == \"/etc/sudoers\")) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", + ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", + \"/usr/lib/snapd/snapd\"]","filters":["os == 
\"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"sudoers_policy_modified_open","product_tags":["tactic:TA0004-privilege-escalation","technique:T1548-abuse-elevation-control-mechanism","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"a52-req-ghm","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Exfiltration + attempt via network utility","enabled":true,"expression":"exec.comm in [\"wget\", + \"curl\", \"lwp-download\"] \u0026\u0026\nexec.args_options in [ ~\"post-file=*\", + ~\"post-data=*\", ~\"T=*\", ~\"d=@*\", ~\"upload-file=*\", ~\"F=file*\"] \u0026\u0026\nexec.args + not in [~\"*localhost*\", ~\"*127.0.0.1*\"]","filters":["os == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"net_util_exfiltration","product_tags":["tactic:TA0010-exfiltration","technique:T1048-exfiltration-over-alternative-protocol","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-969","type":"agent_rule","attributes":{"category":"Process + 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process + arguments indicating possible netcat shell detected","enabled":true,"expression":"exec.file.name + in [\"netcat\", \"nc\", \"ncat\"] \u0026\u0026 ((exec.args_flags in [\"l\"] + \u0026\u0026 exec.args_flags in [\"p\"]) || (exec.args_flags in [\"n\"] \u0026\u0026 + exec.args_flags in [\"v\"]) || (exec.args in [~\"*/bin/bash*\", ~\"*/bin/sh*\"]))","filters":["os + == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"netcat_shell","product_tags":["tactic:TA0001-initial-access","technique:T1190-exploit-public-facing-application","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-ibc","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The + mount utility was executed in a container","enabled":true,"expression":"exec.comm + == \"mount\" \u0026\u0026 container.id != \"\"","filters":["os == 
\"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"mount_in_container","product_tags":["tactic:TA0004-privilege-escalation","technique:T1611-escape-to-host","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-vez","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows + winlogon registry key modified","enabled":true,"expression":"set.registry.key_path + in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon*\"]","filters":["os + == \"windows\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"winlogon_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1112-modify-registry","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"s9m-foq-qqz","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive + credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (chmod.file.path 
+ in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path + not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \u0026\u0026 - process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) - \u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"name":"pci_11_5_critical_binaries_open_v2","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"9pu-mp3-xea","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical + \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", + \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", + \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path + not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.destination.mode + != chmod.file.mode","filters":["os == 
\"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"credential_modified_chmod","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"gx3-4a5-w9a","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + kernel module was loaded from memory inside a container","enabled":true,"expression":"load_module.loaded_from_memory + == true \u0026\u0026 container.id !=\"\"","filters":["os == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"kernel_module_load_from_memory_container","product_tags":["tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"wgq-lg4-tas","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SELinux + enforcement status was disabled","enabled":true,"expression":"selinux.enforce.status + in 
[\"permissive\", \"disabled\"] \u0026\u0026 process.ancestors.args != ~\"*BECOME-SUCCESS*\"","filters":["os + == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"selinux_disable_enforcement","product_tags":["tactic:TA0005-defense-evasion","technique:T1562-impair-defenses","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-j1p","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows + Known DLLs location registry key modified","enabled":true,"expression":"set.registry.key_path + in [~\"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\KnownDLLs*\"]","filters":["os + == \"windows\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"known_dll_registry_key_modified","product_tags":["tactic:TA0005-defense-evasion","technique:T1574-hijack-execution-flow","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-do7","type":"agent_rule","attributes":{"category":"File + 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Possible + ransomware note created under common user directories","enabled":true,"expression":"open.flags + \u0026 O_CREAT \u003e 0\n\u0026\u0026 open.file.path in [~\"/home/**\", ~\"/root/**\", + ~\"/bin/**\", ~\"/usr/bin/**\", ~\"/opt/**\", ~\"/etc/**\", ~\"/var/log/**\", + ~\"/var/lib/log/**\", ~\"/var/backup/**\", ~\"/var/www/**\"]\n\u0026\u0026 + open.file.name in [r\"(?i)(restore|recover|read|instruction|how_to|ransom|lock).*(your_|crypt|lock|file|ransom)\"] + \u0026\u0026 open.file.name not in [r\"\\.lock$\"]","filters":["os == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"ransomware_note","product_tags":["tactic:TA0040-impact","technique:T1490-inhibit-system-recovery","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"mqh-lgo-brj","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch + may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path + in [ \"/etc/nsswitch.conf\" ])\n) \u0026\u0026 chmod.file.destination.mode + != chmod.file.mode \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", + \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", + \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", + ~\"/usr/local/bin/pip*\"]","filters":["os == 
\"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"nsswitch_conf_mod_chmod","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"ehh-ypb-9pl","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + compiler was executed inside of a container","enabled":true,"expression":"(exec.comm + in [\"javac\", \"clang\", \"gcc\", \"bcc\"] || exec.file.name in [\"javac\", + \"clang\", \"gcc\", \"bcc\"] || (exec.file.name == \"go\" \u0026\u0026 exec.args + in [~\"*build*\", ~\"*run*\"])) \u0026\u0026 container.id !=\"\" \u0026\u0026 + process.ancestors.file.path != \"/usr/bin/cilium-agent\"","filters":["os == + 
\"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"compiler_in_container","product_tags":["tactic:TA0005-defense-evasion","technique:T1027-obfuscated-files-or-information","policy:best-practice","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-qf8","type":"agent_rule","attributes":{"category":"Process + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"sharpup + tool used for local privilege escalation","enabled":true,"expression":"exec.file.name + == \"sharpup.exe\" \u0026\u0026 exec.cmdline in [~\"*HijackablePaths*\", ~\"*UnquotedServicePath*\", + ~\"*ProcessDLLHijack*\", ~\"*ModifiableServiceBinaries*\", ~\"*ModifiableScheduledTask*\", + ~\"*DomainGPPPassword*\", ~\"*CachedGPPPassword*\"]","filters":["os == \"windows\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"sharpup_tool_usage","product_tags":["tactic:TA0004-privilege-escalation","technique:T1068-exploitation-for-privilege-escalation","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-b7s","type":"agent_rule","attributes":{"category":"Network + 
Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Kubernetes + DNS enumeration","enabled":true,"expression":"dns.question.name == \"any.any.svc.cluster.local\" + \u0026\u0026 dns.question.type == SRV \u0026\u0026 container.id != \"\"","filters":["os + == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"kubernetes_dns_enumeration","product_tags":["tactic:TA0007-discovery","technique:T1046-network-service-discovery","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-mr5","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process + hidden using mount","enabled":true,"expression":"mount.mountpoint.path in + [~\"/proc/1*\", ~\"/proc/2*\", ~\"/proc/3*\", ~\"/proc/4*\", ~\"/proc/5*\", + ~\"/proc/6*\", ~\"/proc/7*\", ~\"/proc/8*\", ~\"/proc/9*\"]","filters":["os + == 
\"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"mount_proc_hide","product_tags":["tactic:TA0005-defense-evasion","technique:T1564-hide-artifacts","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-qnj","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + process made an outbound IRC connection","enabled":true,"expression":"connect.addr.port + == 6667 \u0026\u0026 connect.addr.is_public == true","filters":["os == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"irc_connection","product_tags":["tactic:TA0011-command-and-control","technique:T1071-application-layer-protocol","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"9pu-mp3-xea","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical system binaries may have been modified","enabled":true,"expression":"(\n (rename.file.path in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", 
~\"/usr/local/bin/*\", ~\"/usr/local/sbin/*\", ~\"/boot/**\" ]\n || rename.file.destination.path 
@@ -1400,610 +1417,51 @@ http_interactions: process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os - == \"linux\""],"name":"pci_11_5_critical_binaries_rename","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"ssp-47a-p20","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical - system binaries may have been modified","enabled":true,"expression":"(\n (unlink.file.path - in [ ~\"/bin/*\", ~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", - ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", + == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"pci_11_5_critical_binaries_rename","product_tags":["tactic:TA0005-defense-evasion","technique:T1036-masquerading","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"4mu-d2x-fyk","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"nsswitch + may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path + in [ \"/etc/nsswitch.conf\" ])\n)","filters":["os 
== \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"nsswitch_conf_mod_unlink","product_tags":["tactic:TA0003-persistence","technique:T1556-modify-authentication-process","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"q08-c9l-rsp","type":"agent_rule","attributes":{"category":"File + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sensitive + credential files were modified using a non-standard tool","enabled":true,"expression":"(\n (unlink.file.path + in [ \"/etc/shadow\", \"/etc/gshadow\" ])\n \u0026\u0026 process.file.path + not in [ \"/sbin/vipw\", \"/usr/sbin/vipw\", \"/sbin/vigr\", \"/usr/sbin/vigr\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \u0026\u0026 - process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os - == \"linux\""],"name":"pci_11_5_critical_binaries_unlink","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"q0u-s8m-8pd","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Critical - system binaries may have been modified","enabled":true,"expression":"(\n (utimes.file.path - in [ ~\"/bin/*\", 
~\"/sbin/*\", ~\"/usr/bin/*\", ~\"/usr/sbin/*\", ~\"/usr/local/bin/*\", - ~\"/usr/local/sbin/*\", ~\"/boot/**\" ])\n \u0026\u0026 process.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n \u0026\u0026 - process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os - == \"linux\""],"name":"pci_11_5_critical_binaries_utimes","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-lel","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process - arguments indicating possible perl bind shell detected","enabled":true,"expression":"exec.file.name - == ~\"perl*\" \u0026\u0026 exec.args_flags in [\"e\"] \u0026\u0026 ((exec.args - in [~\"*socket*\", ~\"*bind*\", ~\"*sockaddr*\", ~\"*listen*\", ~\"*accept\", - ~\"*stdin*\", ~\"*stdout\"]) || (exec.args in [~\"*/bin/sh*\", ~\"*/bin/bash*\"]))","filters":["os - == \"linux\""],"name":"perl_shell","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-7ez","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process - arguments indicating possible php shell detected","enabled":true,"expression":"exec.file.name - == \"php\" \u0026\u0026 exec.args_flags in [\"r\"] \u0026\u0026 ((exec.args - in [~\"*socket_bind*\", ~\"*socket_listen*\", ~\"*socket_accept*\", ~\"*socket_create*\", - ~\"*socket_write*\", ~\"*socket_read*\"]) || 
(exec.args in [~\"*/bin/bash*\", - ~\"*/bin/sh*\"]))","filters":["os == \"linux\""],"name":"php_shell","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-zse","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"PHP - web application spawning shell","enabled":true,"expression":"exec.file.name - in [~\"powershell*\",\"cmd.exe\"] \u0026\u0026 process.parent.file.name in - [\"php.exe\",\"php-cgi.exe\"]","filters":["os == \"windows\""],"name":"php_spawning_shell","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-8j2","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - web application spawned a shell or shell utility","enabled":true,"expression":"(exec.file.path - in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n \"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" - ] || exec.comm in [\"wget\", \"curl\", \"lwp-download\"] || exec.file.path - in 
[\"/bin/cat\",\"/bin/chgrp\",\"/bin/chmod\",\"/bin/chown\",\"/bin/cp\",\"/bin/date\",\"/bin/dd\",\"/bin/df\",\"/bin/dir\",\"/bin/echo\",\"/bin/ln\",\"/bin/ls\",\"/bin/mkdir\",\"/bin/mknod\",\"/bin/mktemp\",\"/bin/mv\",\"/bin/pwd\",\"/bin/readlink\",\"/bin/rm\",\"/bin/rmdir\",\"/bin/sleep\",\"/bin/stty\",\"/bin/sync\",\"/bin/touch\",\"/bin/uname\",\"/bin/vdir\",\"/usr/bin/arch\",\"/usr/bin/b2sum\",\"/usr/bin/base32\",\"/usr/bin/base64\",\"/usr/bin/basename\",\"/usr/bin/chcon\",\"/usr/bin/cksum\",\"/usr/bin/comm\",\"/usr/bin/csplit\",\"/usr/bin/cut\",\"/usr/bin/dircolors\",\"/usr/bin/dirname\",\"/usr/bin/du\",\"/usr/bin/env\",\"/usr/bin/expand\",\"/usr/bin/expr\",\"/usr/bin/factor\",\"/usr/bin/fmt\",\"/usr/bin/fold\",\"/usr/bin/groups\",\"/usr/bin/head\",\"/usr/bin/hostid\",\"/usr/bin/id\",\"/usr/bin/install\",\"/usr/bin/join\",\"/usr/bin/link\",\"/usr/bin/logname\",\"/usr/bin/md5sum\",\"/usr/bin/md5sum.textutils\",\"/usr/bin/mkfifo\",\"/usr/bin/nice\",\"/usr/bin/nl\",\"/usr/bin/nohup\",\"/usr/bin/nproc\",\"/usr/bin/numfmt\",\"/usr/bin/od\",\"/usr/bin/paste\",\"/usr/bin/pathchk\",\"/usr/bin/pinky\",\"/usr/bin/pr\",\"/usr/bin/printenv\",\"/usr/bin/printf\",\"/usr/bin/ptx\",\"/usr/bin/realpath\",\"/usr/bin/runcon\",\"/usr/bin/seq\",\"/usr/bin/sha1sum\",\"/usr/bin/sha224sum\",\"/usr/bin/sha256sum\",\"/usr/bin/sha384sum\",\"/usr/bin/sha512sum\",\"/usr/bin/shred\",\"/usr/bin/shuf\",\"/usr/bin/sort\",\"/usr/bin/split\",\"/usr/bin/stat\",\"/usr/bin/stdbuf\",\"/usr/bin/sum\",\"/usr/bin/tac\",\"/usr/bin/tail\",\"/usr/bin/tee\",\"/usr/bin/test\",\"/usr/bin/timeout\",\"/usr/bin/tr\",\"/usr/bin/truncate\",\"/usr/bin/tsort\",\"/usr/bin/tty\",\"/usr/bin/unexpand\",\"/usr/bin/uniq\",\"/usr/bin/unlink\",\"/usr/bin/users\",\"/usr/bin/wc\",\"/usr/bin/who\",\"/usr/bin/whoami\",\"/usr/sbin/chroot\",\"/bin/busybox\"]) - \u0026\u0026\n(process.parent.file.name in [\"apache2\", \"nginx\", ~\"tomcat*\", - \"httpd\"] || process.parent.file.name =~ \"php*\")","filters":["os == 
\"linux\""],"name":"potential_web_shell_parent","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-guo","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - process was executed matching arguments for a UAC bypass technique common - in powershell empire","enabled":true,"expression":"exec.cmdline in [~\"*-NoP - -NonI -w Hidden -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update)*\", - ~\"*-NoP -NonI -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update);*\"]","filters":["os - == \"windows\""],"name":"powershell_empire_uac_bypass","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-oy4","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - tool used to dump process memory has been executed","enabled":true,"expression":"exec.file.name - in [\"procmon.exe\",\"procdump.exe\"]","filters":["os == \"windows\""],"name":"procdump_execution","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"pwu-7u7-iiq","type":"agent_rule","attributes":{"category":"Kernel - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - process uses an anti-debugging technique to block debuggers","enabled":true,"expression":"ptrace.request - == PTRACE_TRACEME \u0026\u0026 process.file.name != \"\"","filters":["os == - \"linux\""],"name":"ptrace_antidebug","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"kpm-7kh-xz5","type":"agent_rule","attributes":{"category":"Kernel - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - process attempted to inject code into another 
process","enabled":true,"expression":"ptrace.request - == PTRACE_POKETEXT || ptrace.request == PTRACE_POKEDATA || ptrace.request - == PTRACE_POKEUSR","filters":["os == \"linux\""],"name":"ptrace_injection","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"wpz-bim-6rb","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - process was spawned with indicators of exploitation of CVE-2021-4034","enabled":true,"expression":"(exec.file.path - == \"/usr/bin/pkexec\" \u0026\u0026 exec.envs in [~\"*SHELL*\", ~\"*PATH*\"] - \u0026\u0026 exec.envs not in [~\"*DISPLAY*\", ~\"*DESKTOP_SESSION*\"] \u0026\u0026 - exec.uid != 0)","filters":["os == \"linux\""],"name":"pwnkit_privilege_escalation","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"g7f-kfr-tdb","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Python - code was provided on the command line","enabled":true,"expression":"exec.file.name - == ~\"python*\" \u0026\u0026 exec.args_flags in [\"c\"] \u0026\u0026 exec.args - in [~\"*-c*SOCK_STREAM*\", ~\"*-c*subprocess*\", ~\"*-c*/bash*\", ~\"*-c*/bin/sh*\", - ~\"*-c*pty.spawn*\"] \u0026\u0026 exec.args !~ \"*setuptools*\"","filters":["os - == \"linux\""],"name":"python_cli_code","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-do7","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Possible - ransomware note created under common user directories","enabled":true,"expression":"open.flags - \u0026 O_CREAT \u003e 0\n\u0026\u0026 open.file.path in [~\"/home/**\", ~\"/root/**\", - ~\"/bin/**\", ~\"/usr/bin/**\", ~\"/opt/**\", ~\"/etc/**\", 
~\"/var/log/**\", - ~\"/var/lib/log/**\", ~\"/var/backup/**\", ~\"/var/www/**\"]\n\u0026\u0026 - open.file.name in [r\"(?i)(restore|recover|read|instruction|how_to|ransom|lock).*(your_|crypt|lock|file|ransom)\"] - \u0026\u0026 open.file.name not in [r\"\\.lock$\"]","filters":["os == \"linux\""],"name":"ransomware_note","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-y27","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"RC - scripts modified","enabled":true,"expression":"(open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) - \u003e 0 \u0026\u0026 (open.file.path in [\"/etc/rc.common\", \"/etc/rc.local\"])) - \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os - == \"linux\""],"name":"rc_scripts_modified","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-qwm","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The - kubeconfig file was accessed","enabled":true,"expression":"open.file.path - in [~\"/home/*/.kube/config\", \"/root/.kube/config\"]","filters":["os == - \"linux\""],"name":"read_kubeconfig","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-npv","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Detects - CVE-2022-0543","enabled":true,"expression":"(open.file.path =~ \"/usr/lib/x86_64-linux-gnu/*\" - \u0026\u0026 open.file.name in [\"libc-2.29.so\", \"libc-2.30.so\", 
\"libc-2.31.so\", - \"libc-2.32.so\", \"libc-2.33.so\", \"libc-2.34.so\", \"libc-2.35.so\", \"libc-2.36.so\", - \"libc-2.37.so\"]) \u0026\u0026 process.ancestors.comm in [\"redis-check-rdb\", - \"redis-server\"]","filters":["os == \"linux\""],"name":"redis_sandbox_escape","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-wv3","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Redis - module has been created","enabled":true,"expression":"(open.flags \u0026 (O_CREAT|O_TRUNC|O_RDWR|O_WRONLY) - \u003e 0 \u0026\u0026 open.file.path =~ \"/tmp/**\" \u0026\u0026 open.file.name - in [~\"*.rdb\", ~\"*.aof\", ~\"*.so\"]) \u0026\u0026 process.file.name in - [\"redis-check-rdb\", \"redis-server\"]","filters":["os == \"linux\""],"name":"redis_save_module","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-jed","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows - registry hives file location key modified","enabled":true,"expression":"set.registry.key_path - in [~\"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\hivelist*\"]","filters":["os - == \"windows\""],"name":"registry_hives_file_path_key_modified","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-6oh","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - Registry runkey has been modified","enabled":true,"expression":"set.registry.key_path - in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\", - ~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Runonce\", - 
~\"HKEY_LOCAL_MACHINE\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\", - ~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal - Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\", ~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows - NT\\CurrentVersion\\Terminal Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\Runonce\", - ~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Terminal - Server\\Install\\Software\\Microsoft\\Windows\\CurrentVersion\\RunonceEx\"]","filters":["os - == \"windows\""],"name":"registry_runkey_modified","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-6x2","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Service - registry runkey modified","enabled":true,"expression":"set.registry.key_path - in [~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\", - ~\"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\CurrentVersion\\RunServices\"]","filters":["os - == \"windows\""],"name":"registry_service_runkey_modified","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-bv2","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process - matches known relay attack tool","enabled":true,"expression":"exec.file.name - in [~\"*PetitPotam*\", ~\"*RottenPotato*\", ~\"*HotPotato*\", ~\"*JuicyPotato*\", - ~\"*just_dce_*\", ~\"*Juicy Potato*\", \"rot.exe\", \"Potato.exe\", \"SpoolSample.exe\", - \"Responder.exe\", ~\"*smbrelayx*\", ~\"*smbrelayx*\", ~\"*ntlmrelayx*\", - ~\"*LocalPotato*\"] || exec.cmdline in [~\"*Invoke-Tater*\", ~\"*smbrelay*\", - ~\"*ntlmrelay*\", ~\"*cme smb*\", ~\"*ntlm:NTLMhash*\", 
~\"*Invoke-PetitPotam*\"]","filters":["os - == \"windows\""],"name":"relay_attack_tool_execution","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-eho","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Container - escape attempted by overwriting release_agent","enabled":true,"expression":"open.file.name - == \"release_agent\" \u0026\u0026 open.file.path in [\"/tmp/**\", \"/home/**\", - \"/root/**\", \"/*\"] \u0026\u0026 open.flags \u0026 O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY - \u003e 0","filters":["os == \"linux\""],"name":"release_agent_escape","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-b5z","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"process - arguments match rubeus credential theft tool","enabled":true,"expression":"exec.cmdline - in [~\"*asreproast*\", ~\"*/service:krbtgt*\", ~\"*dump /luid:0x*\", ~\"*kerberoast*\", - ~\"*createonly /program*\", ~\"*ptt /ticket*\", ~\"*impersonateuser*\", ~\"*renew - /ticket*\", ~\"*asktgt /user*\", ~\"*harvest /interval*\", ~\"*s4u /user*\", - ~\"*hash /password*\", ~\"*golden /aes256*\", ~\"*silver /user*\", \"*rubeus*\"]","filters":["os - == \"windows\""],"name":"rubeus_execution","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-h19","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The - container breakout CVE-2024-21626 was successful","enabled":true,"expression":"chdir.syscall.path - =~ \"/proc/self/fd/*\" \u0026\u0026 chdir.file.path == \"/sys/fs/cgroup\" - \u0026\u0026 process.file.name =~ \"runc.*\"","filters":["os == 
\"linux\""],"name":"runc_leaky_fd","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"tlu-qlm-1ow","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The - runc binary was modified in a non-standard way","enabled":true,"expression":"open.file.path - in [\"/usr/bin/runc\", \"/usr/sbin/runc\", \"/usr/bin/docker-runc\"]\n\u0026\u0026 - open.flags \u0026 O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY \u003e 0\n\u0026\u0026 - process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", - \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", \"/usr/local/bin/containerd\", - \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\"]\n\u0026\u0026 - process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os - == \"linux\""],"name":"runc_modification","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-x51","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Safeboot - registry modified","enabled":true,"expression":"set.registry.key_path in [~\"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SafeBoot\"]","filters":["os - == \"windows\""],"name":"safeboot_modification","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-vqm","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - scheduled task was created","enabled":true,"expression":"exec.cmdline in [~\"*at.exe\",~\"*schtasks*\"] 
- \u0026\u0026 exec.cmdline =~ \"*create*\"","filters":["os == \"windows\""],"name":"scheduled_task_creation","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"wgq-lg4-tas","type":"agent_rule","attributes":{"category":"Kernel - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SELinux - enforcement status was disabled","enabled":true,"expression":"selinux.enforce.status - in [\"permissive\", \"disabled\"] \u0026\u0026 process.ancestors.args != ~\"*BECOME-SUCCESS*\"","filters":["os - == \"linux\""],"name":"selinux_disable_enforcement","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-j45","type":"agent_rule","attributes":{"category":"Kernel - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - process is tracing privileged processes or sshd for possible credential dumping","enabled":true,"expression":"(ptrace.request - == PTRACE_PEEKTEXT || ptrace.request == PTRACE_PEEKDATA || ptrace.request - == PTRACE_PEEKUSR) \u0026\u0026 ptrace.tracee.euid == 0 \u0026\u0026 process.comm - not in [\"dlv\", \"dlv-linux-amd64\", \"strace\", \"gdb\", \"lldb-server\"]","filters":["os - == \"linux\""],"name":"sensitive_tracing","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-uv8","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"systemctl - used to stop a service","enabled":true,"expression":"exec.file.name == \"systemctl\" - \u0026\u0026 exec.args in [~\"*stop*\"]","filters":["os == \"linux\""],"name":"service_stop","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-qf8","type":"agent_rule","attributes":{"category":"Process - 
Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"sharpup - tool used for local privilege escalation","enabled":true,"expression":"exec.file.name - == \"sharpup.exe\" \u0026\u0026 exec.cmdline in [~\"*HijackablePaths*\", ~\"*UnquotedServicePath*\", - ~\"*ProcessDLLHijack*\", ~\"*ModifiableServiceBinaries*\", ~\"*ModifiableScheduledTask*\", - ~\"*DomainGPPPassword*\", ~\"*CachedGPPPassword*\"]","filters":["os == \"windows\""],"name":"sharpup_tool_usage","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"dfr-by9-sx8","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Shell - History was Deleted","enabled":true,"expression":"unlink.file.name in [\".bash_history\", - \".zsh_history\", \".fish_history\", \"fish_history\", \".dash_history\", - \".sh_history\"] \u0026\u0026 unlink.file.path in [~\"/root/**\", ~\"/home/**\"] - \u0026\u0026 process.comm not in [\"dockerd\", \"containerd\"]","filters":["os - == \"linux\""],"name":"shell_history_deleted","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"dmf-a2c-odj","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - symbolic link for shell history was created targeting /dev/null","enabled":true,"expression":"exec.comm - == \"ln\" \u0026\u0026 exec.args in [~\"*.*history*\", \"/dev/null\"]","filters":["os - == \"linux\""],"name":"shell_history_symlink","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"v5x-8l4-d6a","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Shell - History was Deleted","enabled":true,"expression":"open.flags 
\u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) - \u003e 0 \u0026\u0026 open.file.name in [\".bash_history\", \".zsh_history\", - \".fish_history\", \"fish_history\", \".dash_history\", \".sh_history\"] \u0026\u0026 - open.file.path in [~\"/root/*\", ~\"/home/**\"] \u0026\u0026 process.file.name - == \"truncate\"","filters":["os == \"linux\""],"name":"shell_history_truncated","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-dar","type":"agent_rule","attributes":{"category":"Kernel - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - shell made an outbound network connection","enabled":true,"expression":"connect.addr.family - \u0026 (AF_INET|AF_INET6) \u003e 0 \u0026\u0026 process.file.name in [\"dash\",\"sh\",\"static-sh\",\"sh\",\"bash\",\"bash\",\"bash-static\",\"zsh\",\"ash\",\"csh\",\"ksh\",\"tcsh\",\"busybox\",\"busybox\",\"fish\",\"ksh93\",\"rksh\",\"rksh93\",\"lksh\",\"mksh\",\"mksh-static\",\"csharp\",\"posh\",\"rc\",\"sash\",\"yash\",\"zsh5\",\"zsh5-static\"] - \u0026\u0026 connect.addr.is_public == true","filters":["os == \"linux\""],"name":"shell_net_connection","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-fn2","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Shell - profile was modified","enabled":true,"expression":"open.file.path in [~\"/home/*/*profile\", - ~\"/home/*/*rc\"] \u0026\u0026 open.flags \u0026 ((O_CREAT|O_TRUNC|O_RDWR|O_WRONLY)) - \u003e 0","filters":["os == \"linux\""],"name":"shell_profile_modification","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-hbr","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"process - 
arguments match sliver c2 implant","enabled":true,"expression":"exec.cmdline - =~ \"*NoExit *\" \u0026\u0026 exec.cmdline =~ \"*Command *\" \u0026\u0026 - exec.cmdline =~ \"*[Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8*\"","filters":["os - == \"windows\""],"name":"sliver_c2_implant_execution","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-oi1","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Process - arguments indicating possible socat shell detected","enabled":true,"expression":"((exec.file.name - == \"socat\") || (exec.comm == \"socat\")) \u0026\u0026 exec.args in [~\"*/bin/bash*\", - ~\"*/bin/sh*\", ~\"*exec*\", ~\"*pty*\", ~\"*setsid*\", ~\"*stderr*\"]","filters":["os - == \"linux\""],"name":"socat_shell","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"htc-275-0wt","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH - modified keys may have been modified","enabled":true,"expression":"(\n chmod.file.name - in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (chmod.file.path - in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) - \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os - == \"linux\""],"name":"ssh_authorized_keys_chmod","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"7q3-6aa-pix","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH - modified keys may have been modified","enabled":true,"expression":"(\n chown.file.name - in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (chown.file.path - in [ ~\"/root/.ssh/*\", 
~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) - \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid - != chown.file.gid)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_chown","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"91f-pyq-54k","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH - modified keys may have been modified","enabled":true,"expression":"(\n link.file.name - in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (link.file.path - in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ]\n || - link.file.destination.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" - ])\n)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_link","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"rpc-ji0-zfu","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH - modified keys may have been modified","enabled":true,"expression":"(\n open.flags - \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.name - in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (open.file.path - in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os - == \"linux\""],"name":"ssh_authorized_keys_open","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-qwu","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH - modified keys may have been modified","enabled":true,"expression":"(\n open.flags - \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n open.file.name 
- in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (open.file.path - in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n) - \u0026\u0026 container.created_at \u003e 90s","filters":["os == \"linux\""],"name":"ssh_authorized_keys_open_v2","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"t5u-qdx-650","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH - modified keys may have been modified","enabled":true,"expression":"(\n rename.file.name - in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (rename.file.path - in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ]\n || - rename.file.destination.path in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", - ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os == \"linux\""],"name":"ssh_authorized_keys_rename","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"y0y-3gl-645","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH - modified keys may have been modified","enabled":true,"expression":"(\n unlink.file.name - in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (unlink.file.path - in [ ~\"/root/.ssh/*\", ~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os - == \"linux\""],"name":"ssh_authorized_keys_unlink","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"hba-kfe-1xr","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH - modified keys may have been modified","enabled":true,"expression":"(\n utimes.file.name - in [ \"authorized_keys\", \"authorized_keys2\" ] \u0026\u0026 (utimes.file.path - in [ ~\"/root/.ssh/*\", 
~\"/home/*/.ssh/*\", ~\"/var/lib/*/.ssh/*\" ])\n)","filters":["os - == \"linux\""],"name":"ssh_authorized_keys_utimes","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-o13","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The - configuration directory for an ssh worm","enabled":true,"expression":"open.file.path - in [~\"/root/.prng/*\", ~\"/home/*/.prng/*\", ~\"/root/.config/prng/*\", ~\"/home/*/.config/prng/*\"] - \u0026\u0026 open.flags \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) - \u003e 0","filters":["os == \"linux\""],"name":"ssh_it_tool_config_write","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-41f","type":"agent_rule","attributes":{"category":"Kernel - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSH - initiated a connection on a nonstandard port","enabled":true,"expression":"connect.addr.port - in [80, 8080, 88, 443, 8443, 4444] \u0026\u0026 process.file.name == \"ssh\"","filters":["os - == \"linux\""],"name":"ssh_nonstandard_connection","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-g5v","type":"agent_rule","attributes":{"category":"Kernel - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - process connected to an SSH server","enabled":true,"expression":"connect.addr.port - == 22 \u0026\u0026 connect.addr.family \u0026 (AF_INET|AF_INET6) \u003e 0 - \u0026\u0026 connect.addr.ip not in [127.0.0.0/8]","filters":["os == \"linux\""],"name":"ssh_outbound_connection","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"y5i-yxn-27t","type":"agent_rule","attributes":{"category":"File - 
Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL - certificates may have been tampered with","enabled":true,"expression":"(\n (chmod.file.path - in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 chmod.file.mode != - chmod.file.destination.mode\n\u0026\u0026 process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 - process.ancestors.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 - process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 - process.file.name !~ \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_chmod","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"kyr-sg6-us9","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL - certificates may have been tampered with","enabled":true,"expression":"(\n (chown.file.path - in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) \u0026\u0026 (chown.file.destination.uid - != chown.file.uid || chown.file.destination.gid != chown.file.gid)\n\u0026\u0026 - process.file.path != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 
process.ancestors.file.path - != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ - \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_chown","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"w6f-wte-i63","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL - certificates may have been tampered with","enabled":true,"expression":"(\n (link.file.path - in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || link.file.destination.path - in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.file.path - != \"/usr/sbin/update-ca-certificates\"\n \u0026\u0026 process.ancestors.file.path - != \"/usr/sbin/update-ca-certificates\"\n \u0026\u0026 process.ancestors.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n \u0026\u0026 process.file.name - !~ \"runc*\"\n)","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_link","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"191-ty1-ede","type":"agent_rule","attributes":{"category":"File - 
Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL - certificates may have been tampered with","enabled":true,"expression":"(\n open.flags - \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path - in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n)\n\u0026\u0026 process.file.path - != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path - != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ - \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_open","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-qt6","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL - certificates may have been tampered with","enabled":true,"expression":"(\n open.flags - \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path - in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n)\n\u0026\u0026 process.file.path - != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path - != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ - \"runc*\"\n\u0026\u0026 container.created_at \u003e 90s","filters":["os == - 
\"linux\""],"name":"ssl_certificate_tampering_open_v2","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"o5t-b08-86p","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL - certificates may have been tampered with","enabled":true,"expression":"(\n (rename.file.path - in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ]\n || rename.file.destination.path - in [ ~\"/etc/ssl/certs/**\", ~\"/etc/pki/**\" ])\n \u0026\u0026 process.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 process.file.path - != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path - != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ - \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_rename","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"9y1-cbb-p03","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL - certificates may have been tampered with","enabled":true,"expression":"(\n (unlink.file.path - in [ ~\"/etc/ssl/certs/**\" ])\n \u0026\u0026 process.file.path not in - [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", 
\"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 process.file.path - != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path - != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path - not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ - \"runc*\"","filters":["os == \"linux\""],"name":"ssl_certificate_tampering_unlink","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"ayv-hqe-lx8","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"SSL - certificates may have been tampered with","enabled":true,"expression":"(\n (utimes.file.path - in [ ~\"/etc/ssl/certs/**\" ])\n \u0026\u0026 process.file.path not in - [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)\n\u0026\u0026 process.file.path - != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path - != \"/usr/sbin/update-ca-certificates\"\n\u0026\u0026 process.ancestors.file.path + \"/usr/local/bin/dockerd\", \"/usr/sbin/groupadd\", \"/usr/sbin/useradd\", + \"/usr/sbin/usermod\", \"/usr/sbin/userdel\", \"/usr/bin/gpasswd\", \"/usr/bin/chage\", + \"/usr/sbin/chpasswd\", \"/usr/bin/passwd\" ]\n \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n\u0026\u0026 process.file.name !~ - \"runc*\"","filters":["os == 
\"linux\""],"name":"ssl_certificate_tampering_utimes","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-crv","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers - policy file may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path - == \"/etc/sudoers\")\n) \u0026\u0026 chmod.file.destination.mode != chmod.file.mode - \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os - == \"linux\""],"name":"sudoers_policy_modified_chmod","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-l8e","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers - policy file may have been modified without authorization","enabled":true,"expression":"(\n (chown.file.path - == \"/etc/sudoers\")\n) \u0026\u0026 (chown.file.destination.uid != chown.file.uid - || chown.file.destination.gid != chown.file.gid)","filters":["os == \"linux\""],"name":"sudoers_policy_modified_chown","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-myb","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers - policy file may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path - == \"/etc/sudoers\"\n || link.file.destination.path == \"/etc/sudoers\")\n)","filters":["os - == 
\"linux\""],"name":"sudoers_policy_modified_link","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-mmo","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers - policy file may have been modified without authorization","enabled":true,"expression":"(open.flags - \u0026 (O_CREAT|O_TRUNC|O_APPEND|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n(open.file.path - == \"/etc/sudoers\")) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", - \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", - ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", - \"/usr/lib/snapd/snapd\"]","filters":["os == \"linux\""],"name":"sudoers_policy_modified_open","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-550","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers - policy file may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path - == \"/etc/sudoers\"\n || rename.file.destination.path == \"/etc/sudoers\")\n)","filters":["os - == \"linux\""],"name":"sudoers_policy_modified_rename","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-bxs","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers - policy file may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path - == \"/etc/sudoers\")\n)","filters":["os == 
\"linux\""],"name":"sudoers_policy_modified_unlink","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-s07","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Sudoers - policy file may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path - == \"/etc/sudoers\")\n) \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", - \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/containerd\", - \"/usr/local/bin/containerd\", \"/usr/bin/dockerd\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - ~\"/usr/local/bin/pip*\"]","filters":["os == \"linux\""],"name":"sudoers_policy_modified_utimes","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-5wh","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"a - SUID file was executed","enabled":true,"expression":"(setuid.euid == 0 || - setuid.uid == 0) \u0026\u0026 process.file.mode \u0026 S_ISUID \u003e 0 \u0026\u0026 - process.file.uid == 0 \u0026\u0026 process.uid != 0 \u0026\u0026 process.file.path - != \"/usr/bin/sudo\"","filters":["os == \"linux\""],"name":"suid_file_execution","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-4y4","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - suspicious bitsadmin command has been executed","enabled":true,"expression":"exec.file.name - == \"bitsadmin.exe\" \u0026\u0026 exec.cmdline in [~\"*addfile*\", ~\"*create*\", - ~\"*resume*\"]","filters":["os == 
\"windows\""],"name":"suspicious_bitsadmin_usage","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"afj-5sv-2wb","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - container management utility was executed in a container","enabled":true,"expression":"exec.file.name - in [\"docker\", \"kubectl\"] \u0026\u0026 container.id != \"\"","filters":["os - == \"linux\""],"name":"suspicious_container_client","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-eck","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Dll - written to a suspicious directory","enabled":true,"expression":"create.file.name - =~ \"*.dll\" \u0026\u0026 create.file.device_path not in [~\"\\Device\\*\\Windows\\System32\\**\", - ~\"\\Device\\*\\ProgramData\\docker\\**\"] \u0026\u0026 process.file.name - != \"dockerd.exe\"","filters":["os == \"windows\""],"name":"suspicious_dll_write","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-2k6","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Suspicious - usage of ntdsutil","enabled":true,"expression":"exec.file.name == \"ntdsutil.exe\" - \u0026\u0026 exec.cmdline in [~\"*ntds*\", ~\"*create*\"]","filters":["os - == \"windows\""],"name":"suspicious_ntdsutil_usage","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-zo8","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Recently - written or modified suid file has been 
executed","enabled":true,"expression":"((process.file.mode - \u0026 S_ISUID \u003e 0) \u0026\u0026 process.file.modification_time \u003c - 30s) \u0026\u0026 exec.file.name != \"\" \u0026\u0026 process.ancestors.file.path - not in [\"/opt/datadog-agent/embedded/bin/agent\", \"/opt/datadog-agent/embedded/bin/system-probe\", - \"/opt/datadog-agent/embedded/bin/security-agent\", \"/opt/datadog-agent/embedded/bin/process-agent\", - \"/opt/datadog-agent/embedded/bin/trace-agent\", \"/opt/datadog-agent/bin/agent/agent\", - \"/opt/datadog/apm/inject/auto_inject_runc\", \"/usr/bin/dd-host-install\", - \"/usr/bin/dd-host-container-install\", \"/usr/bin/dd-container-install\", - \"/opt/datadog-agent/bin/datadog-cluster-agent\", ~\"/opt/datadog-packages/**\", - ~\"/opt/datadog-installer/**\"]","filters":["os == \"linux\""],"name":"suspicious_suid_execution","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"48s-46n-g4w","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - service may have been modified without authorization","enabled":true,"expression":"(\n (chmod.file.path - in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" - ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) - \u0026\u0026 chmod.file.destination.mode != chmod.file.mode","filters":["os - == \"linux\""],"name":"systemd_modification_chmod","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"wwy-h4d-pwm","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - service may have been 
modified without authorization","enabled":true,"expression":"(\n (chown.file.path - in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" - ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n) - \u0026\u0026 (chown.file.destination.uid != chown.file.uid || chown.file.destination.gid - != chown.file.gid)","filters":["os == \"linux\""],"name":"systemd_modification_chown","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"64n-p6m-uq1","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - service may have been modified without authorization","enabled":true,"expression":"(\n (link.file.path - in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" - ]\n || link.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", - ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in - [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"systemd_modification_link","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"7zw-qbm-y6d","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - service may have been modified without authorization","enabled":true,"expression":"(\n open.flags - \u0026 (O_CREAT|O_RDWR|O_WRONLY) \u003e 0 \u0026\u0026\n (open.file.path - in [ 
~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" - ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os - == \"linux\""],"name":"systemd_modification_open","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"prk-6q1-g0m","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - service may have been modified without authorization","enabled":true,"expression":"(\n (rename.file.path - in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" - ]\n || rename.file.destination.path in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", - ~\"/etc/systemd/system/**\" ])\n \u0026\u0026 process.file.path not in - [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", - \"/usr/bin/npm\", ~\"/usr/bin/pip*\", ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", - \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"name":"systemd_modification_rename","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"jlt-y4v-dax","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - service may have been modified without authorization","enabled":true,"expression":"(\n (unlink.file.path - in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" - ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - 
~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os - == \"linux\""],"name":"systemd_modification_unlink","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"yjj-o5q-x00","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - service may have been modified without authorization","enabled":true,"expression":"(\n (utimes.file.path - in [ ~\"/lib/systemd/system/**\", ~\"/usr/lib/systemd/system/**\", ~\"/etc/systemd/system/**\" - ])\n \u0026\u0026 process.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os - == \"linux\""],"name":"systemd_modification_utimes","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-18q","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Tar - archive created","enabled":true,"expression":"exec.file.path == \"/usr/bin/tar\" - \u0026\u0026 exec.args_flags in [\"create\",\"c\"]","filters":["os == \"linux\""],"name":"tar_execution","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-925","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - shell with a TTY was executed in a container","enabled":true,"expression":"exec.file.path - in [ \"/bin/dash\",\n \"/usr/bin/dash\",\n \"/bin/sh\",\n \"/bin/static-sh\",\n \"/usr/bin/sh\",\n \"/bin/bash\",\n \"/usr/bin/bash\",\n \"/bin/bash-static\",\n \"/usr/bin/zsh\",\n \"/usr/bin/ash\",\n \"/usr/bin/csh\",\n 
\"/usr/bin/ksh\",\n \"/usr/bin/tcsh\",\n \"/usr/lib/initramfs-tools/bin/busybox\",\n \"/bin/busybox\",\n \"/usr/bin/fish\",\n \"/bin/ksh93\",\n \"/bin/rksh\",\n \"/bin/rksh93\",\n \"/bin/lksh\",\n \"/bin/mksh\",\n \"/bin/mksh-static\",\n \"/usr/bin/csharp\",\n \"/bin/posh\",\n \"/usr/bin/rc\",\n \"/bin/sash\",\n \"/usr/bin/yash\",\n \"/bin/zsh5\",\n \"/bin/zsh5-static\" - ] \u0026\u0026 process.tty_name != \"\" \u0026\u0026 process.container.id - != \"\"","filters":["os == \"linux\""],"name":"tty_shell_in_container","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-hlr","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Tunneling - or port forwarding tool used","enabled":true,"expression":"((exec.comm == - \"pivotnacci\" || exec.comm == \"gost\") \u0026\u0026 process.args_flags in - [\"L\", \"C\", \"R\"]) || (exec.comm in [\"ssh\", \"sshd\"] \u0026\u0026 process.args_flags - in [\"R\", \"L\", \"D\", \"w\"] \u0026\u0026 process.args in [r\"((25[0-5]|(2[0-4]|1\\d|[1-9])\\d)\\.?\\b){4}\"] - ) || (exec.comm == \"sshuttle\" \u0026\u0026 process.args_flags in [\"r\", - \"remote\", \"l\", \"listen\"]) || (exec.comm == \"socat\" \u0026\u0026 process.args - in [r\"(TCP4-LISTEN:|SOCKS)\"]) || (exec.comm in [\"iodine\", \"iodined\", - \"dnscat\", \"hans\", \"hans-ubuntu\", \"ptunnel-ng\", \"ssf\", \"3proxy\", - \"ngrok\"] \u0026\u0026 process.parent.comm in [\"bash\", \"dash\", \"ash\", - \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"])","filters":["os == - \"linux\""],"name":"tunnel_traffic","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-wok","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Device - rule created","enabled":true,"expression":"open.file.path in 
[~\"/etc/udev/rules.d/*\", - ~\"/lib/udev/rules.d/*\", ~\"/usr/lib/udev/rules.d/*\", ~\"/usr/local/lib/udev/rules.d/*\", - ~\"/run/udev/rules.d/*\"] \u0026\u0026 open.flags \u0026 O_CREAT \u003e 0","filters":["os - == \"linux\""],"name":"udev_modification","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-oil","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"The - unshare utility was executed in a container","enabled":true,"expression":"exec.comm - == \"unshare\" \u0026\u0026 container.id != \"\"","filters":["os == \"linux\""],"name":"unshare_in_container","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"07y-k18-cih","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - user was created via an interactive session","enabled":true,"expression":"exec.file.name - in [\"useradd\", \"newusers\", \"adduser\"] \u0026\u0026 exec.tty_name !=\"\" - \u0026\u0026 process.ancestors.file.path not in [~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"] - \u0026\u0026 exec.args_flags not in [\"D\"]","filters":["os == \"linux\""],"name":"user_created_tty","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-qem","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - user was deleted via an interactive session","enabled":true,"expression":"exec.file.name - in [\"userdel\", \"deluser\"] \u0026\u0026 exec.tty_name !=\"\" \u0026\u0026 - process.ancestors.file.path not in 
[~\"/usr/bin/apt*\", \"/usr/bin/dpkg\", - \"/usr/bin/rpm\", \"/usr/bin/unattended-upgrade\", \"/usr/bin/npm\", ~\"/usr/bin/pip*\", - ~\"/usr/local/bin/pip*\", \"/usr/bin/yum\", \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]","filters":["os - == \"linux\""],"name":"user_deleted_tty","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-a65","type":"agent_rule","attributes":{"category":"Network - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Web - application requested IMDSv1 credentials","enabled":true,"expression":"imds.aws.is_imds_v2 - == false \u0026\u0026 imds.url =~ \"*/*/meta-data/iam/security-credentials/*\" - \u0026\u0026 (process.ancestors.file.name in [\"apache2\", \"nginx\", ~\"tomcat*\", - \"httpd\"] || process.ancestors.file.name =~ \"php*\" || process.ancestors.file.name - == \"java\")","filters":["os == \"linux\""],"name":"webapp_imds_V1_request","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-nip","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Browser - WebDriver spawned shell","enabled":true,"expression":"process.parent.file.name - in [~\"chromedriver*\", \"geckodriver\"] \u0026\u0026 exec.file.name not in - [\"chrome\", \"google-chrome\", \"chromium\", \"firefox\"]","filters":["os - == \"linux\""],"name":"webdriver_spawned_shell","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-gqa","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows - boot registry key modified","enabled":true,"expression":"set.registry.key_path - in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\IniFileMapping\\SYSTEM.ini\\boot*\"]","filters":["os - 
== \"windows\""],"name":"windows_boot_registry_key_modified","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-tat","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows - RPC COM debugging registry key modified","enabled":true,"expression":"set.registry.key_path - in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows*\"]","filters":["os - == \"windows\""],"name":"windows_com_rpc_debugging_registry_key_modified","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-76q","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows - cryptographic blocking policy modified","enabled":true,"expression":"set.registry.key_path - in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType - 0\\CryptSIPDllRemoveSignedDataMsg*\"]","filters":["os == \"windows\""],"name":"windows_cryptographic_blocking_policy_registry_key_modified","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-fsq","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A - cryptominer was potentially executed","enabled":true,"expression":"exec.cmdline - in [~\"*cpu-priority*\", ~\"*donate-level*\", ~\"*randomx-1gb-pages*\", ~\"*stratum+tcp*\", - ~\"*stratum+ssl*\", ~\"*stratum1+tcp*\", ~\"*stratum1+ssl*\", ~\"*stratum2+tcp*\", - ~\"*stratum2+ssl*\", ~\"*nicehash*\", ~\"*yespower*\"]","filters":["os == - \"windows\""],"name":"windows_cryptominer_process","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-6lj","type":"agent_rule","attributes":{"category":"File - 
Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"windows - explorer file has been modified","enabled":true,"expression":"write.file.device_path - in [~\"\\Device\\*\\windows\\explorer.exe\"]","filters":["os == \"windows\""],"name":"windows_explorer_executable_modified","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-wnn","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows - firewall configuration registry key modified","enabled":true,"expression":"set.registry.key_path - in [~\"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\*\"]","filters":["os - == \"windows\""],"name":"windows_firewall_configuration_registry_key_modified","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-tlf","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"the - windows hosts file was modified","enabled":true,"expression":"write.file.device_path - in [~\"\\Device\\*\\windows\\system32\\Drivers\\etc\\hosts\"]","filters":["os - == \"windows\""],"name":"windows_hosts_file_modified","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-zp4","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"microsoft - security essentials executable modified","enabled":true,"expression":"write.file.device_path - in [~\"\\Device\\*\\Program Files\\Microsoft Security Client\\msseces.exe\"]","filters":["os - == 
\"windows\""],"name":"windows_security_essentials_executable_modified","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-n3u","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows - shell folders registry key modified","enabled":true,"expression":"set.registry.key_path - in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell - Folders*\", ~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User - Shell Folders*\"]","filters":["os == \"windows\""],"name":"windows_shell_folders_registry_key_modified","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-m9i","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows - environment variable registry key modified","enabled":true,"expression":"set.registry.key_path - in [~\"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\Environment*\"]","filters":["os - == \"windows\""],"name":"windows_system_enviroment_variable_registry_key_modified","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-wqf","type":"agent_rule","attributes":{"category":"File - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows - update registry key modified","enabled":true,"expression":"set.registry.key_path - in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\WindowsUpdate*\"]","filters":["os - == \"windows\""],"name":"windows_update_registry_key_modified","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-vez","type":"agent_rule","attributes":{"category":"File - 
Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Windows - winlogon registry key modified","enabled":true,"expression":"set.registry.key_path - in [~\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon*\"]","filters":["os - == \"windows\""],"name":"winlogon_registry_key_modified","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}},{"id":"def-000-vjv","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1737661272000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"Command - executed via WMI","enabled":true,"expression":"exec.file.name in [~\"powershell*\",\"cmd.exe\"] - \u0026\u0026 process.parent.file.name == \"WmiPrvSE.exe\"","filters":["os - == \"windows\""],"name":"wmi_spawning_shell","updateDate":1737661272000,"updater":{"name":"Datadog","handle":""}}}]}' + \"/sbin/apk\", \"/usr/lib/snapd/snapd\"]\n)","filters":["os == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"credential_modified_unlink","product_tags":["tactic:TA0006-credential-access","technique:T1003-os-credential-dumping","policy:compliance"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}},{"id":"5t3-iiv-rv5","type":"agent_rule","attributes":{"category":"Kernel + Activity","creationDate":1742407951000,"creator":{"name":"Datadog","handle":""},"defaultRule":true,"description":"A + kernel module was loaded","enabled":true,"expression":"load_module.loaded_from_memory + == false \u0026\u0026 load_module.name not in [\"nf_tables\", 
\"iptable_filter\", + \"ip6table_filter\", \"bpfilter\", \"ip6_tables\", \"ip6table_nat\", \"nf_reject_ipv4\", + \"ipt_REJECT\", \"iptable_raw\", \"udp_diag\", \"inet_diag\"] \u0026\u0026 + process.ancestors.file.name not in [~\"falcon*\", \"unattended-upgrade\", + \"apt.systemd.daily\", \"xtables-legacy-multi\", \"ssm-agent-worker\"]","filters":["os + == \"linux\""],"monitoring":["v5l-ynv-guh","gxu-c6v-pka","1os-ptz-he9","ddu-dat-9cx","oiv-iar-6uj","n6v-uoj-6jv","zay-klh-gzk","t0c-318-ksc","mnq-jea-ord","hjq-1ou-gxj","zt3-q2u-xka","n52-kmk-gy5","lwi-ota-cdp","eme-xsc-20m","acr-3t9-p0d","hw2-pev-bdl","mm8-gf5-1mh","wfe-tga-w8i","kz9-gsr-aet","u2n-mby-zu5","ygu-bj5-cnb","8h9-6l9-ofq","x6i-kv0-iby","wry-lqz-m1l","ljy-djc-pxw","kmt-lzi-f6r","CWS_CUSTOM-canary","hdo-seh-iaa","CWS_DD"],"name":"kernel_module_load","product_tags":["tactic:TA0003-persistence","tactic:TA0040-impact","tactic:TA0003-persistence","technique:T1547-boot-or-logon-autostart-execution","technique:T1496-resource-hijacking","policy:threat-detection"],"updateDate":1742407951000,"updater":{"name":"Datadog","handle":""}}}]}' headers: Content-Type: - application/json status: code: 200 message: OK +- recorded_at: Thu, 15 May 2025 11:49:25 GMT + request: + body: null + headers: + Accept: + - '*/*' + method: DELETE + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/v5l-ynv-guh + response: + body: + encoding: UTF-8 + string: '' + headers: + Content-Type: + - application/json + status: + code: 204 + message: No Content recorded_with: VCR 6.0.0 diff --git a/cassettes/features/v2/csm_threats/Get-all-Cloud-Workload-Security-Agent-rules-returns-OK-response.frozen b/cassettes/features/v2/csm_threats/Get-all-Cloud-Workload-Security-Agent-rules-returns-OK-response.frozen index a1b59dc82f5..78b68096f98 100644 --- a/cassettes/features/v2/csm_threats/Get-all-Cloud-Workload-Security-Agent-rules-returns-OK-response.frozen 
+++ b/cassettes/features/v2/csm_threats/Get-all-Cloud-Workload-Security-Agent-rules-returns-OK-response.frozen
@@ -1 +1 @@
-2025-04-01T14:30:58.973Z
\ No newline at end of file
+2025-05-15T11:49:37.428Z
\ No newline at end of file
diff --git a/cassettes/features/v2/csm_threats/Get-all-Cloud-Workload-Security-Agent-rules-returns-OK-response.yml b/cassettes/features/v2/csm_threats/Get-all-Cloud-Workload-Security-Agent-rules-returns-OK-response.yml
index f880d172357..ba9f984fd7e 100644
--- a/cassettes/features/v2/csm_threats/Get-all-Cloud-Workload-Security-Agent-rules-returns-OK-response.yml
+++ b/cassettes/features/v2/csm_threats/Get-all-Cloud-Workload-Security-Agent-rules-returns-OK-response.yml
@@ -1,5 +1,5 @@
 http_interactions:
-- recorded_at: Tue, 01 Apr 2025 14:30:58 GMT
+- recorded_at: Thu, 15 May 2025 11:49:37 GMT
 request:
 body: null
 headers:
diff --git a/cassettes/features/v2/csm_threats/Get-the-latest-CSM-Threats-policy-returns-OK-response.frozen b/cassettes/features/v2/csm_threats/Get-the-latest-CSM-Threats-policy-returns-OK-response.frozen
index 9c2278bbc1e..c22edceccf3 100644
--- a/cassettes/features/v2/csm_threats/Get-the-latest-CSM-Threats-policy-returns-OK-response.frozen
+++ b/cassettes/features/v2/csm_threats/Get-the-latest-CSM-Threats-policy-returns-OK-response.frozen
@@ -1 +1 @@
-2025-04-01T14:30:59.240Z
\ No newline at end of file
+2025-05-15T11:49:37.644Z
\ No newline at end of file
diff --git a/cassettes/features/v2/csm_threats/Get-the-latest-CSM-Threats-policy-returns-OK-response.yml b/cassettes/features/v2/csm_threats/Get-the-latest-CSM-Threats-policy-returns-OK-response.yml
index 7fd067dd058..0a434ae3a24 100644
--- a/cassettes/features/v2/csm_threats/Get-the-latest-CSM-Threats-policy-returns-OK-response.yml
+++ b/cassettes/features/v2/csm_threats/Get-the-latest-CSM-Threats-policy-returns-OK-response.yml
@@ -1,5 +1,5 @@ http_interactions: -- recorded_at: Tue, 01 Apr 2025 14:30:59 GMT +- recorded_at: Thu, 15 May 2025 11:49:37 GMT request: body: null headers: @@ -10,7 +10,7 @@ http_interactions: response: body: encoding: UTF-8 - string: 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 + string: 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 headers: Content-Type: - application/zip diff --git a/cassettes/features/v2/csm_threats/Get-the-latest-Cloud-Workload-Security-policy-returns-OK-response.frozen b/cassettes/features/v2/csm_threats/Get-the-latest-Cloud-Workload-Security-policy-returns-OK-response.frozen index f0de7ad5984..b7bb98d22f9 100644 --- a/cassettes/features/v2/csm_threats/Get-the-latest-Cloud-Workload-Security-policy-returns-OK-response.frozen +++ b/cassettes/features/v2/csm_threats/Get-the-latest-Cloud-Workload-Security-policy-returns-OK-response.frozen @@ -1 +1 @@ -2025-04-01T14:30:59.438Z \ No newline at end of file +2025-05-15T11:49:38.307Z \ No newline at end of file diff --git a/cassettes/features/v2/csm_threats/Get-the-latest-Cloud-Workload-Security-policy-returns-OK-response.yml b/cassettes/features/v2/csm_threats/Get-the-latest-Cloud-Workload-Security-policy-returns-OK-response.yml index 6deef9d2c69..ab746d500dd 100644 --- a/cassettes/features/v2/csm_threats/Get-the-latest-Cloud-Workload-Security-policy-returns-OK-response.yml +++ b/cassettes/features/v2/csm_threats/Get-the-latest-Cloud-Workload-Security-policy-returns-OK-response.yml @@ -1,5 +1,5 @@ http_interactions: -- recorded_at: Tue, 01 Apr 2025 14:30:59 GMT +- recorded_at: Thu, 15 May 2025 11:49:38 GMT request: body: null headers: 
@@ -12,7 +12,7 @@ http_interactions:
 encoding: UTF-8
 string: "# IMPORTANT: Edits to this file will not be reflected in the Datadog\
 \ App and will be overwritten with new policy file downloads. Please modify\
- \ rules in the Datadog App for full functionality.\nversion: '1743517859524'\n\
+ \ rules in the Datadog App for full functionality.\nversion: '1747309778382'\n\
 rules:\n- id: apparmor_modified_tty\n version: a7f3b5c2\n description: An\
 \ AppArmor profile was modified in an interactive session\n expression: exec.file.name\
 \ in [\"aa-disable\", \"aa-complain\", \"aa-audit\"] && exec.tty_name\n \
diff --git a/cassettes/features/v2/csm_threats/Update-a-CSM-Threats-Agent-policy-returns-Bad-Request-response.frozen b/cassettes/features/v2/csm_threats/Update-a-CSM-Threats-Agent-policy-returns-Bad-Request-response.frozen
index 27be8fe236a..002c76e4a96 100644
--- a/cassettes/features/v2/csm_threats/Update-a-CSM-Threats-Agent-policy-returns-Bad-Request-response.frozen
+++ b/cassettes/features/v2/csm_threats/Update-a-CSM-Threats-Agent-policy-returns-Bad-Request-response.frozen
@@ -1 +1 @@
-2025-04-15T09:10:08.098Z
\ No newline at end of file
+2025-05-15T11:49:38.566Z
\ No newline at end of file
diff --git a/cassettes/features/v2/csm_threats/Update-a-CSM-Threats-Agent-policy-returns-Bad-Request-response.yml b/cassettes/features/v2/csm_threats/Update-a-CSM-Threats-Agent-policy-returns-Bad-Request-response.yml
index a8cf0cc92c5..cb7d1d21495 100644
--- a/cassettes/features/v2/csm_threats/Update-a-CSM-Threats-Agent-policy-returns-Bad-Request-response.yml
+++ b/cassettes/features/v2/csm_threats/Update-a-CSM-Threats-Agent-policy-returns-Bad-Request-response.yml
@@ -1,9 +1,9 @@ http_interactions: -- recorded_at: Tue, 15 Apr 2025 09:10:08 GMT +- recorded_at: Thu, 15 May 2025 11:49:38 GMT request: body: encoding: UTF-8 - string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testupdateacsmthreatsagentpolicyreturnsbadrequestresponse1744708208"},"type":"policy"}}' + string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testupdateacsmthreatsagentpolicyreturnsbadrequestresponse1747309778"},"type":"policy"}}' headers: Accept: - application/json @@ -14,8 +14,8 @@ http_interactions: response: body: encoding: UTF-8 - string: '{"data":{"id":"pp8-iw5-agt","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"testupdateacsmthreatsagentpolicyreturnsbadrequestresponse1744708208","policyVersion":"1","priority":1000000001,"ruleCount":226,"updateDate":1744708208235,"updater":{"name":"CI + string: '{"data":{"id":"1td-7qk-v2w","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"testupdateacsmthreatsagentpolicyreturnsbadrequestresponse1747309778","policyVersion":"1","priority":1000000070,"ruleCount":226,"updateDate":1747309778608,"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}}}' headers: Content-Type: 
@@ -23,38 +23,37 @@ http_interactions:
 status:
 code: 200
 message: OK
-- recorded_at: Tue, 15 Apr 2025 09:10:08 GMT
+- recorded_at: Thu, 15 May 2025 11:49:38 GMT
 request:
 body:
 encoding: UTF-8
- string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:test"],"hostTagsLists":[["env:test"]],"name":""},"id":"pp8-iw5-agt","type":"policy"}}'
+ string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:test"],"hostTagsLists":[["env:test"]],"name":""},"id":"1td-7qk-v2w","type":"policy"}}'
 headers:
 Accept:
 - application/json
 Content-Type:
 - application/json
 method: PATCH
- uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/pp8-iw5-agt
+ uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/1td-7qk-v2w
 response:
 body:
 encoding: UTF-8
- string: '{"errors":[{"title":"failed to update policy"}]}
-
- '
+ string: '{"errors":["input_validation_error(Field ''tags'' is invalid: cannot
+ have both the new and the legacy field populated)"]}'
 headers:
 Content-Type:
 - application/json
 status:
 code: 400
 message: Bad Request
-- recorded_at: Tue, 15 Apr 2025 09:10:08 GMT
+- recorded_at: Thu, 15 May 2025 11:49:38 GMT
 request:
 body: null
 headers:
 Accept:
 - '*/*'
 method: DELETE
- uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/pp8-iw5-agt
+ uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/1td-7qk-v2w
 response:
 body:
 encoding: UTF-8
diff --git a/cassettes/features/v2/csm_threats/Update-a-CSM-Threats-Agent-policy-returns-Not-Found-response.frozen b/cassettes/features/v2/csm_threats/Update-a-CSM-Threats-Agent-policy-returns-Not-Found-response.frozen
index 435b652a26b..10aed880f54 100644
--- a/cassettes/features/v2/csm_threats/Update-a-CSM-Threats-Agent-policy-returns-Not-Found-response.frozen
+++ b/cassettes/features/v2/csm_threats/Update-a-CSM-Threats-Agent-policy-returns-Not-Found-response.frozen
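Review bot: The recorded 400 body for the PATCH on `/api/v2/remote_config/products/cws/policy/1td-7qk-v2w` changed shape, from `{"errors":[{"title":"failed to update policy"}]}` to `{"errors":["input_validation_error(...)"]}`, so `errors` is now an array of bare strings rather than objects. Any error model or consumer that reads `errors[].title` no longer matches this fixture, and if the feature step only checks the status code the re-recording hides that contract change; either assert on the error body in the scenario or confirm the API error schema accepts both forms. Note too that the message names Field `'tags'` while the request sent `hostTags` and `hostTagsLists`, so the server-side field name leaks through with nothing in the request to map it back to. The policy-creation step that precedes this PATCH is in the earlier hunk of this file.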
@@ -1 +1 @@
-2025-04-01T14:31:00.854Z
\ No newline at end of file
+2025-05-15T11:49:39.566Z
\ No newline at end of file
diff --git a/cassettes/features/v2/csm_threats/Update-a-CSM-Threats-Agent-policy-returns-Not-Found-response.yml b/cassettes/features/v2/csm_threats/Update-a-CSM-Threats-Agent-policy-returns-Not-Found-response.yml
index 390b74098f7..b0b162824f0 100644
--- a/cassettes/features/v2/csm_threats/Update-a-CSM-Threats-Agent-policy-returns-Not-Found-response.yml
+++ b/cassettes/features/v2/csm_threats/Update-a-CSM-Threats-Agent-policy-returns-Not-Found-response.yml
@@ -1,5 +1,5 @@
 http_interactions:
-- recorded_at: Tue, 01 Apr 2025 14:31:00 GMT
+- recorded_at: Thu, 15 May 2025 11:49:39 GMT
 request:
 body:
 encoding: UTF-8
diff --git a/cassettes/features/v2/csm_threats/Update-a-CSM-Threats-Agent-policy-returns-OK-response.frozen b/cassettes/features/v2/csm_threats/Update-a-CSM-Threats-Agent-policy-returns-OK-response.frozen
index 562f84a677a..0ca7f984c71 100644
--- a/cassettes/features/v2/csm_threats/Update-a-CSM-Threats-Agent-policy-returns-OK-response.frozen
+++ b/cassettes/features/v2/csm_threats/Update-a-CSM-Threats-Agent-policy-returns-OK-response.frozen
@@ -1 +1 @@
-2025-04-15T09:10:09.401Z
\ No newline at end of file
+2025-05-15T11:49:39.767Z
\ No newline at end of file
diff --git a/cassettes/features/v2/csm_threats/Update-a-CSM-Threats-Agent-policy-returns-OK-response.yml b/cassettes/features/v2/csm_threats/Update-a-CSM-Threats-Agent-policy-returns-OK-response.yml
index 56ee1f38d2f..dc3b5fff4ee 100644
--- a/cassettes/features/v2/csm_threats/Update-a-CSM-Threats-Agent-policy-returns-OK-response.yml
+++ b/cassettes/features/v2/csm_threats/Update-a-CSM-Threats-Agent-policy-returns-OK-response.yml
@@ -1,9 +1,9 @@ http_interactions: -- recorded_at: Tue, 15 Apr 2025 09:10:09 GMT +- recorded_at: Thu, 15 May 2025 11:49:39 GMT request: body: encoding: UTF-8 - string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testupdateacsmthreatsagentpolicyreturnsokresponse1744708209"},"type":"policy"}}' + string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testupdateacsmthreatsagentpolicyreturnsokresponse1747309779"},"type":"policy"}}' headers: Accept: - application/json @@ -14,8 +14,8 @@ http_interactions: response: body: encoding: UTF-8 - string: '{"data":{"id":"99n-cjh-wuo","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"testupdateacsmthreatsagentpolicyreturnsokresponse1744708209","policyVersion":"1","priority":1000000001,"ruleCount":226,"updateDate":1744708209551,"updater":{"name":"CI + string: '{"data":{"id":"5fp-rz1-sdc","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"testupdateacsmthreatsagentpolicyreturnsokresponse1747309779","policyVersion":"1","priority":1000000070,"ruleCount":226,"updateDate":1747309779800,"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}}}' headers: Content-Type: 
@@ -23,23 +23,23 @@ http_interactions: status: code: 200 message: OK -- recorded_at: Tue, 15 Apr 2025 09:10:09 GMT +- recorded_at: Thu, 15 May 2025 11:49:39 GMT request: body: encoding: UTF-8 - string: '{"data":{"attributes":{"description":"Updated agent policy","enabled":true,"hostTagsLists":[["env:test"]],"name":"updated_agent_policy"},"id":"99n-cjh-wuo","type":"policy"}}' + string: '{"data":{"attributes":{"description":"Updated agent policy","enabled":true,"hostTagsLists":[["env:test"]],"name":"updated_agent_policy"},"id":"5fp-rz1-sdc","type":"policy"}}' headers: Accept: - application/json Content-Type: - application/json method: PATCH - uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/99n-cjh-wuo + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/5fp-rz1-sdc response: body: encoding: UTF-8 - string: '{"data":{"id":"99n-cjh-wuo","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"Updated - agent policy","disabledRulesCount":1,"enabled":true,"hostTagsLists":[["env:test"]],"monitoringRulesCount":225,"name":"updated_agent_policy","policyVersion":"2","priority":1000000001,"ruleCount":226,"updateDate":1744708210164,"updater":{"name":"CI + string: '{"data":{"id":"5fp-rz1-sdc","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"Updated + agent policy","disabledRulesCount":1,"enabled":true,"hostTagsLists":[["env:test"]],"monitoringRulesCount":225,"name":"updated_agent_policy","policyVersion":"2","priority":1000000070,"ruleCount":226,"updateDate":1747309780400,"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}}}' headers: Content-Type: 
@@ -47,14 +47,14 @@ http_interactions:
 status:
 code: 200
 message: OK
-- recorded_at: Tue, 15 Apr 2025 09:10:09 GMT
+- recorded_at: Thu, 15 May 2025 11:49:39 GMT
 request:
 body: null
 headers:
 Accept:
 - '*/*'
 method: DELETE
- uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/99n-cjh-wuo
+ uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/5fp-rz1-sdc
 response:
 body:
 encoding: UTF-8
diff --git a/cassettes/features/v2/csm_threats/Update-a-CSM-Threats-Agent-rule-returns-Bad-Request-response.frozen b/cassettes/features/v2/csm_threats/Update-a-CSM-Threats-Agent-rule-returns-Bad-Request-response.frozen
index 12d907c5d09..4fa986b93ba 100644
--- a/cassettes/features/v2/csm_threats/Update-a-CSM-Threats-Agent-rule-returns-Bad-Request-response.frozen
+++ b/cassettes/features/v2/csm_threats/Update-a-CSM-Threats-Agent-rule-returns-Bad-Request-response.frozen
@@ -1 +1 @@
-2025-04-15T09:10:11.192Z
\ No newline at end of file
+2025-05-15T11:49:42.006Z
\ No newline at end of file
diff --git a/cassettes/features/v2/csm_threats/Update-a-CSM-Threats-Agent-rule-returns-Bad-Request-response.yml b/cassettes/features/v2/csm_threats/Update-a-CSM-Threats-Agent-rule-returns-Bad-Request-response.yml
index 9302f5e2159..20b2e5180e7 100644
--- a/cassettes/features/v2/csm_threats/Update-a-CSM-Threats-Agent-rule-returns-Bad-Request-response.yml
+++ b/cassettes/features/v2/csm_threats/Update-a-CSM-Threats-Agent-rule-returns-Bad-Request-response.yml
@@ -1,9 +1,9 @@ http_interactions: -- recorded_at: Tue, 15 Apr 2025 09:10:11 GMT +- recorded_at: Thu, 15 May 2025 11:49:42 GMT request: body: encoding: UTF-8 - string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testupdateacsmthreatsagentrulereturnsbadrequestresponse1744708211"},"type":"policy"}}' + string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testupdateacsmthreatsagentrulereturnsbadrequestresponse1747309782"},"type":"policy"}}' headers: Accept: - application/json @@ -14,8 +14,8 @@ http_interactions: response: body: encoding: UTF-8 - string: '{"data":{"id":"1i5-k3r-2dg","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"testupdateacsmthreatsagentrulereturnsbadrequestresponse1744708211","policyVersion":"1","priority":1000000001,"ruleCount":226,"updateDate":1744708211304,"updater":{"name":"CI + string: '{"data":{"id":"jf9-1l7-q9l","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"testupdateacsmthreatsagentrulereturnsbadrequestresponse1747309782","policyVersion":"1","priority":1000000070,"ruleCount":226,"updateDate":1747309782037,"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}}}' headers: Content-Type: 
@@ -23,12 +23,12 @@ http_interactions: status: code: 200 message: OK -- recorded_at: Tue, 15 Apr 2025 09:10:11 GMT +- recorded_at: Thu, 15 May 2025 11:49:42 GMT request: body: encoding: UTF-8 - string: '{"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name - == \"sh\"","name":"testupdateacsmthreatsagentrulereturnsbadrequestresponse1744708211","policy_id":"1i5-k3r-2dg","product_tags":["security:attack","technique:T1059"]},"type":"agent_rule"}}' + string: '{"data":{"attributes":{"actions":[{"set":{"name":"test_set","scope":"process","value":"test_value"}}],"description":"My + Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","name":"testupdateacsmthreatsagentrulereturnsbadrequestresponse1747309782","policy_id":"jf9-1l7-q9l","product_tags":["security:attack","technique:T1059"]},"type":"agent_rule"}}' headers: Accept: - application/json 
@@ -39,10 +39,10 @@ http_interactions: response: body: encoding: UTF-8 - string: '{"data":{"id":"qtl-8mk-8gy","type":"agent_rule","attributes":{"category":"Process - Activity","creationDate":1744708211716,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My + string: '{"data":{"id":"lcj-vq7-sqb","type":"agent_rule","attributes":{"actions":[{"set":{"name":"test_set","value":"test_value","scope":"process"},"disabled":false}],"category":"Process + Activity","creationDate":1747309782533,"creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"defaultRule":false,"description":"My Agent rule","enabled":true,"expression":"exec.file.name == \"sh\"","filters":["os - == \"linux\""],"name":"testupdateacsmthreatsagentrulereturnsbadrequestresponse1744708211","updateDate":1744708211716,"updater":{"name":"CI + == \"linux\""],"monitoring":["jf9-1l7-q9l"],"name":"testupdateacsmthreatsagentrulereturnsbadrequestresponse1747309782","product_tags":["security:attack","technique:T1059"],"updateDate":1747309782533,"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}}}' headers: Content-Type: 
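Review bot: The recorded response echoes the new action as `{"set":{...},"disabled":false}`, while the request in the previous hunk sent `set` with only `name`, `scope` and `value` — `disabled` is a server-supplied default the client never set. If the client's action model does not declare `disabled`, deserializing this fixture silently drops it and a fetched rule re-sent through PATCH loses the flag, or strict additional-properties checking rejects the body; confirm the field is modeled next to `set` and `metadata`. The `set` action is also only exercised with `scope: process`, so the optional `append`, `ttl`, `size` and `field` attributes have no recorded example and a scenario covering them would be worth adding. The PATCH that yields the 400 and the DELETE cleanup are in the following hunks of this file.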
@@ -50,19 +50,19 @@ http_interactions: status: code: 200 message: OK -- recorded_at: Tue, 15 Apr 2025 09:10:11 GMT +- recorded_at: Thu, 15 May 2025 11:49:42 GMT request: body: encoding: UTF-8 string: '{"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name - == \"sh\"","policy_id":"1i5-k3r-2dg","product_tags":[]},"id":"invalid-agent-rule-id","type":"agent_rule"}}' + == \"sh\"","policy_id":"jf9-1l7-q9l","product_tags":[]},"id":"invalid-agent-rule-id","type":"agent_rule"}}' headers: Accept: - application/json Content-Type: - application/json method: PATCH - uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/qtl-8mk-8gy + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/lcj-vq7-sqb response: body: encoding: UTF-8 @@ -75,14 +75,14 @@ http_interactions: status: code: 400 message: Bad Request -- recorded_at: Tue, 15 Apr 2025 09:10:11 GMT +- recorded_at: Thu, 15 May 2025 11:49:42 GMT request: body: null headers: Accept: - '*/*' method: DELETE - uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/qtl-8mk-8gy + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/agent_rules/lcj-vq7-sqb response: body: encoding: UTF-8 @@ -93,14 +93,14 @@ http_interactions: status: code: 204 message: No Content -- recorded_at: Tue, 15 Apr 2025 09:10:11 GMT +- recorded_at: Thu, 15 May 2025 11:49:42 GMT request: body: null headers: Accept: - '*/*' method: DELETE - uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/1i5-k3r-2dg + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/jf9-1l7-q9l response: body: encoding: UTF-8 diff --git a/cassettes/features/v2/csm_threats/Update-a-CSM-Threats-Agent-rule-returns-Not-Found-response.frozen b/cassettes/features/v2/csm_threats/Update-a-CSM-Threats-Agent-rule-returns-Not-Found-response.frozen index 1a52f175ee4..65b9de2db86 100644 
--- a/cassettes/features/v2/csm_threats/Update-a-CSM-Threats-Agent-rule-returns-Not-Found-response.frozen
+++ b/cassettes/features/v2/csm_threats/Update-a-CSM-Threats-Agent-rule-returns-Not-Found-response.frozen
@@ -1 +1 @@
-2025-04-01T14:31:02.941Z
\ No newline at end of file
+2025-05-15T11:49:44.898Z
\ No newline at end of file
diff --git a/cassettes/features/v2/csm_threats/Update-a-CSM-Threats-Agent-rule-returns-Not-Found-response.yml b/cassettes/features/v2/csm_threats/Update-a-CSM-Threats-Agent-rule-returns-Not-Found-response.yml
index c8e3b98f19e..32c48693da0 100644
--- a/cassettes/features/v2/csm_threats/Update-a-CSM-Threats-Agent-rule-returns-Not-Found-response.yml
+++ b/cassettes/features/v2/csm_threats/Update-a-CSM-Threats-Agent-rule-returns-Not-Found-response.yml
@@ -1,9 +1,9 @@
 http_interactions:
-- recorded_at: Tue, 01 Apr 2025 14:31:02 GMT
+- recorded_at: Thu, 15 May 2025 11:49:44 GMT
 request:
 body:
 encoding: UTF-8
- string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testupdateacsmthreatsagentrulereturnsnotfoundresponse1743517862"},"type":"policy"}}'
+ string: '{"data":{"attributes":{"description":"My agent policy","enabled":true,"hostTags":["env:staging"],"name":"testupdateacsmthreatsagentrulereturnsnotfoundresponse1747309784"},"type":"policy"}}'
 headers:
 Accept:
 - application/json
@@ -14,8 +14,8 @@ http_interactions: response: body: encoding: UTF-8 - string: '{"data":{"id":"jnw-szj-ssb","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My - agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"testupdateacsmthreatsagentrulereturnsnotfoundresponse1743517862","policyVersion":"1","priority":1000000001,"ruleCount":226,"updateDate":1743517862965,"updater":{"name":"CI + string: '{"data":{"id":"zt4-lsl-d6r","type":"policy","attributes":{"blockingRulesCount":0,"datadogManaged":false,"description":"My + agent policy","disabledRulesCount":1,"enabled":true,"hostTags":["env:staging"],"monitoringRulesCount":225,"name":"testupdateacsmthreatsagentrulereturnsnotfoundresponse1747309784","policyVersion":"1","priority":1000000070,"ruleCount":226,"updateDate":1747309784931,"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}}}}' headers: Content-Type: @@ -23,12 +23,12 @@ http_interactions: status: code: 200 message: OK -- recorded_at: Tue, 01 Apr 2025 14:31:02 GMT +- recorded_at: Thu, 15 May 2025 11:49:44 GMT request: body: encoding: UTF-8 string: '{"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name - == \"sh\"","policy_id":"jnw-szj-ssb","product_tags":[]},"id":"non-existent-rule-id","type":"agent_rule"}}' + == \"sh\"","policy_id":"zt4-lsl-d6r","product_tags":[]},"id":"non-existent-rule-id","type":"agent_rule"}}' headers: Accept: - application/json @@ -48,14 +48,14 @@ http_interactions: status: code: 404 message: Not Found -- recorded_at: Tue, 01 Apr 2025 14:31:02 GMT +- recorded_at: Thu, 15 May 2025 11:49:44 GMT request: body: null headers: Accept: - '*/*' method: DELETE - uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/jnw-szj-ssb + uri: https://api.datadoghq.com/api/v2/remote_config/products/cws/policy/zt4-lsl-d6r response: body: encoding: UTF-8 
diff --git a/cassettes/features/v2/csm_threats/Update-a-Cloud-Workload-Security-Agent-rule-returns-Bad-Request-response.frozen b/cassettes/features/v2/csm_threats/Update-a-Cloud-Workload-Security-Agent-rule-returns-Bad-Request-response.frozen index 36ea0d26094..5f4958b3b90 100644 --- a/cassettes/features/v2/csm_threats/Update-a-Cloud-Workload-Security-Agent-rule-returns-Bad-Request-response.frozen +++ b/cassettes/features/v2/csm_threats/Update-a-Cloud-Workload-Security-Agent-rule-returns-Bad-Request-response.frozen @@ -1 +1 @@ -2025-04-18T09:10:14.669Z \ No newline at end of file +2025-05-15T11:49:46.132Z \ No newline at end of file diff --git a/cassettes/features/v2/csm_threats/Update-a-Cloud-Workload-Security-Agent-rule-returns-Bad-Request-response.yml b/cassettes/features/v2/csm_threats/Update-a-Cloud-Workload-Security-Agent-rule-returns-Bad-Request-response.yml index ae5fd88f2bd..a38ef81a2e1 100644 --- a/cassettes/features/v2/csm_threats/Update-a-Cloud-Workload-Security-Agent-rule-returns-Bad-Request-response.yml +++ b/cassettes/features/v2/csm_threats/Update-a-Cloud-Workload-Security-Agent-rule-returns-Bad-Request-response.yml @@ -1,10 +1,10 @@ http_interactions: -- recorded_at: Fri, 18 Apr 2025 09:10:14 GMT +- recorded_at: Thu, 15 May 2025 11:49:46 GMT request: body: encoding: UTF-8 string: '{"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name - == \"sh\"","name":"testupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1744967414"},"type":"agent_rule"}}' + == \"sh\"","name":"testupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1747309786"},"type":"agent_rule"}}' headers: Accept: - application/json 
@@ -15,8 +15,8 @@ http_interactions: response: body: encoding: UTF-8 - string: '{"data":{"id":"03s-ro8-kgi","attributes":{"version":1,"name":"testupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1744967414","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1744967414924,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1744967414924,"filters":["os + string: '{"data":{"id":"acg-2ix-y1d","attributes":{"version":1,"name":"testupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1747309786","description":"My + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1747309786339,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1747309786339,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"}} 
@@ -27,23 +27,23 @@ http_interactions: status: code: 200 message: OK -- recorded_at: Fri, 18 Apr 2025 09:10:14 GMT +- recorded_at: Thu, 15 May 2025 11:49:46 GMT request: body: encoding: UTF-8 - string: '{"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name"},"id":"03s-ro8-kgi","type":"agent_rule"}}' + string: '{"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name"},"id":"acg-2ix-y1d","type":"agent_rule"}}' headers: Accept: - application/json Content-Type: - application/json method: PATCH - uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/03s-ro8-kgi + uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/acg-2ix-y1d response: body: encoding: UTF-8 string: '{"errors":["input_validation_error(Field ''expression'' is invalid: - rule `testupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1744967414` + rule `testupdateacloudworkloadsecurityagentrulereturnsbadrequestresponse1747309786` error: rule syntax error: bool expected: 1:1: exec.file.name\n^)"]} ' @@ -53,14 +53,14 @@ http_interactions: status: code: 400 message: Bad Request -- recorded_at: Fri, 18 Apr 2025 09:10:14 GMT +- recorded_at: Thu, 15 May 2025 11:49:46 GMT request: body: null headers: Accept: - '*/*' method: DELETE - uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/03s-ro8-kgi + uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/acg-2ix-y1d response: body: encoding: UTF-8 diff --git a/cassettes/features/v2/csm_threats/Update-a-Cloud-Workload-Security-Agent-rule-returns-Not-Found-response.frozen b/cassettes/features/v2/csm_threats/Update-a-Cloud-Workload-Security-Agent-rule-returns-Not-Found-response.frozen index 30a73c79d2d..7fea2940dbb 100644 
--- a/cassettes/features/v2/csm_threats/Update-a-Cloud-Workload-Security-Agent-rule-returns-Not-Found-response.frozen +++ b/cassettes/features/v2/csm_threats/Update-a-Cloud-Workload-Security-Agent-rule-returns-Not-Found-response.frozen @@ -1 +1 @@ -2025-04-18T09:45:20.422Z \ No newline at end of file +2025-05-15T11:49:46.725Z \ No newline at end of file diff --git a/cassettes/features/v2/csm_threats/Update-a-Cloud-Workload-Security-Agent-rule-returns-Not-Found-response.yml b/cassettes/features/v2/csm_threats/Update-a-Cloud-Workload-Security-Agent-rule-returns-Not-Found-response.yml index f9e30ee0213..df544a8634d 100644 --- a/cassettes/features/v2/csm_threats/Update-a-Cloud-Workload-Security-Agent-rule-returns-Not-Found-response.yml +++ b/cassettes/features/v2/csm_threats/Update-a-Cloud-Workload-Security-Agent-rule-returns-Not-Found-response.yml @@ -1,5 +1,5 @@ http_interactions: -- recorded_at: Fri, 18 Apr 2025 09:45:20 GMT +- recorded_at: Thu, 15 May 2025 11:49:46 GMT request: body: encoding: UTF-8 diff --git a/cassettes/features/v2/csm_threats/Update-a-Cloud-Workload-Security-Agent-rule-returns-OK-response.frozen b/cassettes/features/v2/csm_threats/Update-a-Cloud-Workload-Security-Agent-rule-returns-OK-response.frozen index 0ad336788ee..2e17656875f 100644 --- a/cassettes/features/v2/csm_threats/Update-a-Cloud-Workload-Security-Agent-rule-returns-OK-response.frozen +++ b/cassettes/features/v2/csm_threats/Update-a-Cloud-Workload-Security-Agent-rule-returns-OK-response.frozen @@ -1 +1 @@ -2025-04-18T09:10:15.690Z \ No newline at end of file +2025-05-15T11:49:46.794Z \ No newline at end of file diff --git a/cassettes/features/v2/csm_threats/Update-a-Cloud-Workload-Security-Agent-rule-returns-OK-response.yml b/cassettes/features/v2/csm_threats/Update-a-Cloud-Workload-Security-Agent-rule-returns-OK-response.yml index c6442011772..96745ce9fe9 100644 --- a/cassettes/features/v2/csm_threats/Update-a-Cloud-Workload-Security-Agent-rule-returns-OK-response.yml 
+++ b/cassettes/features/v2/csm_threats/Update-a-Cloud-Workload-Security-Agent-rule-returns-OK-response.yml @@ -1,10 +1,10 @@ http_interactions: -- recorded_at: Fri, 18 Apr 2025 09:10:15 GMT +- recorded_at: Thu, 15 May 2025 11:49:46 GMT request: body: encoding: UTF-8 string: '{"data":{"attributes":{"description":"My Agent rule","enabled":true,"expression":"exec.file.name - == \"sh\"","name":"testupdateacloudworkloadsecurityagentrulereturnsokresponse1744967415"},"type":"agent_rule"}}' + == \"sh\"","name":"testupdateacloudworkloadsecurityagentrulereturnsokresponse1747309786"},"type":"agent_rule"}}' headers: Accept: - application/json @@ -15,8 +15,8 @@ http_interactions: response: body: encoding: UTF-8 - string: '{"data":{"id":"szj-quo-wak","attributes":{"version":1,"name":"testupdateacloudworkloadsecurityagentrulereturnsokresponse1744967415","description":"My - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1744967416010,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1744967416010,"filters":["os + string: '{"data":{"id":"vl1-low-ydl","attributes":{"version":1,"name":"testupdateacloudworkloadsecurityagentrulereturnsokresponse1747309786","description":"My + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1747309786899,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1747309786899,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"}} 
@@ -27,24 +27,24 @@ http_interactions: status: code: 200 message: OK -- recorded_at: Fri, 18 Apr 2025 09:10:15 GMT +- recorded_at: Thu, 15 May 2025 11:49:46 GMT request: body: encoding: UTF-8 string: '{"data":{"attributes":{"description":"Updated Agent rule","expression":"exec.file.name - == \"sh\""},"id":"szj-quo-wak","type":"agent_rule"}}' + == \"sh\""},"id":"vl1-low-ydl","type":"agent_rule"}}' headers: Accept: - application/json Content-Type: - application/json method: PATCH - uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/szj-quo-wak + uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/vl1-low-ydl response: body: encoding: UTF-8 - string: '{"data":{"id":"szj-quo-wak","attributes":{"version":2,"name":"testupdateacloudworkloadsecurityagentrulereturnsokresponse1744967415","description":"Updated - Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1744967416010,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1744967416272,"filters":["os + string: '{"data":{"id":"vl1-low-ydl","attributes":{"version":2,"name":"testupdateacloudworkloadsecurityagentrulereturnsokresponse1747309786","description":"Updated + Agent rule","expression":"exec.file.name == \"sh\"","category":"Process Activity","defaultRule":false,"enabled":true,"creationAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","creationDate":1747309786899,"updateAuthorUuId":"9919ec9b-ebc7-49ee-8dc8-03626e717cca","updateDate":1747309787043,"filters":["os == \"linux\""],"actions":[],"agentConstraint":"","creator":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"},"updater":{"name":"CI Account","handle":"9919ec9b-ebc7-49ee-8dc8-03626e717cca"}},"type":"agent_rule"}} 
@@ -55,14 +55,14 @@ http_interactions: status: code: 200 message: OK -- recorded_at: Fri, 18 Apr 2025 09:10:15 GMT +- recorded_at: Thu, 15 May 2025 11:49:46 GMT request: body: null headers: Accept: - '*/*' method: DELETE - uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/szj-quo-wak + uri: https://api.datadoghq.com/api/v2/security_monitoring/cloud_workload_security/agent_rules/vl1-low-ydl response: body: encoding: UTF-8 diff --git a/features/v2/given.json b/features/v2/given.json index 696fef088cf..e6961de939e 100644 --- a/features/v2/given.json +++ b/features/v2/given.json @@ -555,7 +555,7 @@ "parameters": [ { "name": "body", - "value": "{\n \"data\": {\n \"type\": \"agent_rule\",\n \"attributes\": {\n \"name\": \"{{ unique_lower_alnum }}\",\n \"description\": \"My Agent rule\",\n \"expression\": \"exec.file.name == \\\"sh\\\"\",\n \"enabled\": true,\n \"product_tags\": [\"security:attack\", \"technique:T1059\"],\n \"policy_id\": \"{{ policy.data.id }}\"\n }\n }\n}" + "value": "{\n \"data\": {\n \"type\": \"agent_rule\",\n \"attributes\": {\n \"name\": \"{{ unique_lower_alnum }}\",\n \"description\": \"My Agent rule\",\n \"expression\": \"exec.file.name == \\\"sh\\\"\",\n \"actions\": [{\"set\": {\"name\": \"test_set\", \"value\": \"test_value\", \"scope\": \"process\"}}],\n \"enabled\": true,\n \"product_tags\": [\"security:attack\", \"technique:T1059\"],\n \"policy_id\": \"{{ policy.data.id }}\"\n }\n }\n}" } ], "step": "there is a valid \"agent_rule_rc\" in the system", diff --git a/lib/datadog_api_client/inflector.rb b/lib/datadog_api_client/inflector.rb index 50d80fee8af..953fa2e021b 100644 --- a/lib/datadog_api_client/inflector.rb +++ b/lib/datadog_api_client/inflector.rb 
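Review bot: The `agent_rule_rc` fixture now attaches only a `set` action, so as far as this diff shows the new `metadata` action and the `blocking`, `disabled` and `monitoring` policy lists added to the Ruby models are never sent in any recorded scenario. Extending the body with a `metadata` action and at least one of the policy lists would let the cassettes exercise serialization of every new field rather than just `set`.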
@@ -1338,6 +1338,8 @@ def overrides
 "v2.cloud_workload_security_agent_policy_updater_attributes" => "CloudWorkloadSecurityAgentPolicyUpdaterAttributes",
 "v2.cloud_workload_security_agent_policy_update_request" => "CloudWorkloadSecurityAgentPolicyUpdateRequest",
 "v2.cloud_workload_security_agent_rule_action" => "CloudWorkloadSecurityAgentRuleAction",
+ "v2.cloud_workload_security_agent_rule_action_metadata" => "CloudWorkloadSecurityAgentRuleActionMetadata",
+ "v2.cloud_workload_security_agent_rule_action_set" => "CloudWorkloadSecurityAgentRuleActionSet",
 "v2.cloud_workload_security_agent_rule_attributes" => "CloudWorkloadSecurityAgentRuleAttributes",
 "v2.cloud_workload_security_agent_rule_create_attributes" => "CloudWorkloadSecurityAgentRuleCreateAttributes",
 "v2.cloud_workload_security_agent_rule_create_data" => "CloudWorkloadSecurityAgentRuleCreateData",
diff --git a/lib/datadog_api_client/v2/models/cloud_workload_security_agent_rule_action.rb b/lib/datadog_api_client/v2/models/cloud_workload_security_agent_rule_action.rb
index da882629809..3d8e4038b9f 100644
--- a/lib/datadog_api_client/v2/models/cloud_workload_security_agent_rule_action.rb
+++ b/lib/datadog_api_client/v2/models/cloud_workload_security_agent_rule_action.rb
@@ -27,6 +27,12 @@ class CloudWorkloadSecurityAgentRuleAction
 # Kill system call applied on the container matching the rule
 attr_accessor :kill
+ # The metadata action applied on the scope matching the rule
+ attr_accessor :metadata
+
+ # The set action applied on the scope matching the rule
+ attr_accessor :set
+
 attr_accessor :additional_properties
 # Attribute mapping from ruby-style variable name to JSON key.
@@ -34,7 +40,9 @@ class CloudWorkloadSecurityAgentRuleAction
 def self.attribute_map
 {
 :'filter' => :'filter',
- :'kill' => :'kill'
+ :'kill' => :'kill',
+ :'metadata' => :'metadata',
+ :'set' => :'set'
 }
 end
@@ -43,7 +51,9 @@ def self.attribute_map
 def self.openapi_types
 {
 :'filter' => :'String',
- :'kill' => :'CloudWorkloadSecurityAgentRuleKill'
+ :'kill' => :'CloudWorkloadSecurityAgentRuleKill',
+ :'metadata' => :'CloudWorkloadSecurityAgentRuleActionMetadata',
+ :'set' => :'CloudWorkloadSecurityAgentRuleActionSet'
 }
 end
@@ -72,6 +82,14 @@ def initialize(attributes = {})
 if attributes.key?(:'kill')
 self.kill = attributes[:'kill']
 end
+
+ if attributes.key?(:'metadata')
+ self.metadata = attributes[:'metadata']
+ end
+
+ if attributes.key?(:'set')
+ self.set = attributes[:'set']
+ end
 end
 # Returns the object in the form of hash, with additionalProperties support.
@@ -102,6 +120,8 @@ def ==(o)
 self.class == o.class &&
 filter == o.filter &&
 kill == o.kill &&
+ metadata == o.metadata &&
+ set == o.set &&
 additional_properties == o.additional_properties
 end
@@ -109,7 +129,7 @@ def ==(o)
 # @return [Integer] Hash code
 # @!visibility private
 def hash
- [filter, kill, additional_properties].hash
+ [filter, kill, metadata, set, additional_properties].hash
 end
 end
 end
diff --git a/lib/datadog_api_client/v2/models/cloud_workload_security_agent_rule_action_metadata.rb b/lib/datadog_api_client/v2/models/cloud_workload_security_agent_rule_action_metadata.rb
new file mode 100644
index 00000000000..dff37849702
--- /dev/null
+++ b/lib/datadog_api_client/v2/models/cloud_workload_security_agent_rule_action_metadata.rb
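Review bot: The class now accepts `kill`, `metadata` and `set` at the same time, and neither the accessor comments nor the two new `initialize` branches in `@@ -72,6 +82,14 @@` say whether an action is expected to carry exactly one of them; presumably the server treats them as alternatives, but a caller building a rule cannot tell that from the client. Unlike the array fields elsewhere in this diff, the new branches copy the value through with no shape check, so whatever is passed for `metadata` or `set` is stored as-is until serialization. A class-level comment such as `# An action is expected to carry at most one of kill, metadata or set — confirm against the API spec` would make the contract visible.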
@@ -0,0 +1,125 @@
+=begin
+#Datadog API V2 Collection
+
+#Collection of all Datadog Public endpoints.
+
+The version of the OpenAPI document: 1.0
+Contact: support@datadoghq.com
+Generated by: https://github.com/DataDog/datadog-api-client-ruby/tree/master/.generator
+
+ Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License.
+ This product includes software developed at Datadog (https://www.datadoghq.com/).
+ Copyright 2020-Present Datadog, Inc.
+
+=end
+
+require 'date'
+require 'time'
+
+module DatadogAPIClient::V2
+ # The metadata action applied on the scope matching the rule
+ class CloudWorkloadSecurityAgentRuleActionMetadata
+ include BaseGenericModel
+
+ # The image tag of the metadata action
+ attr_accessor :image_tag
+
+ # The service of the metadata action
+ attr_accessor :service
+
+ # The short image of the metadata action
+ attr_accessor :short_image
+
+ attr_accessor :additional_properties
+
+ # Attribute mapping from ruby-style variable name to JSON key.
+ # @!visibility private
+ def self.attribute_map
+ {
+ :'image_tag' => :'image_tag',
+ :'service' => :'service',
+ :'short_image' => :'short_image'
+ }
+ end
+
+ # Attribute type mapping.
+ # @!visibility private
+ def self.openapi_types
+ {
+ :'image_tag' => :'String',
+ :'service' => :'String',
+ :'short_image' => :'String'
+ }
+ end
+
+ # Initializes the object
+ # @param attributes [Hash] Model attributes in the form of hash
+ # @!visibility private
+ def initialize(attributes = {})
+ if (!attributes.is_a?(Hash))
+ fail ArgumentError, "The input argument (attributes) must be a hash in `DatadogAPIClient::V2::CloudWorkloadSecurityAgentRuleActionMetadata` initialize method"
+ end
+
+ self.additional_properties = {}
+ # check to see if the attribute exists and convert string to symbol for hash key
+ attributes = attributes.each_with_object({}) { |(k, v), h|
+ if (!self.class.attribute_map.key?(k.to_sym))
+ self.additional_properties[k.to_sym] = v
+ else
+ h[k.to_sym] = v
+ end
+ }
+
+ if attributes.key?(:'image_tag')
+ self.image_tag = attributes[:'image_tag']
+ end
+
+ if attributes.key?(:'service')
+ self.service = attributes[:'service']
+ end
+
+ if attributes.key?(:'short_image')
+ self.short_image = attributes[:'short_image']
+ end
+ end
+
+ # Returns the object in the form of hash, with additionalProperties support.
+ # @return [Hash] Returns the object in the form of hash
+ # @!visibility private
+ def to_hash
+ hash = {}
+ self.class.attribute_map.each_pair do |attr, param|
+ value = self.send(attr)
+ if value.nil?
+ is_nullable = self.class.openapi_nullable.include?(attr)
+ next if !is_nullable || (is_nullable && !instance_variable_defined?(:"@#{attr}"))
+ end
+
+ hash[param] = _to_hash(value)
+ end
+ self.additional_properties.each_pair do |attr, value|
+ hash[attr] = value
+ end
+ hash
+ end
+
+ # Checks equality by comparing each attribute.
+ # @param o [Object] Object to be compared
+ # @!visibility private
+ def ==(o)
+ return true if self.equal?(o)
+ self.class == o.class &&
+ image_tag == o.image_tag &&
+ service == o.service &&
+ short_image == o.short_image &&
+ additional_properties == o.additional_properties
+ end
+
+ # Calculates hash code according to all attributes.
+ # @return [Integer] Hash code
+ # @!visibility private
+ def hash
+ [image_tag, service, short_image, additional_properties].hash
+ end
+ end
+end
diff --git a/lib/datadog_api_client/v2/models/cloud_workload_security_agent_rule_action_set.rb b/lib/datadog_api_client/v2/models/cloud_workload_security_agent_rule_action_set.rb
new file mode 100644
index 00000000000..a423168281d
--- /dev/null
+++ b/lib/datadog_api_client/v2/models/cloud_workload_security_agent_rule_action_set.rb
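Review bot: The accessor comments in this new file only restate the attribute names (`# The image tag of the metadata action`, `# The service of the metadata action`, `# The short image of the metadata action`) and say nothing about what the action does with these values or where they are applied; the `CloudWorkloadSecurityAgentRuleActionSet` file that follows has the same pattern. Since the generator copies the spec descriptions, fixing the descriptions upstream is the durable fix; until then the class comment could at least read `# Metadata action: values attached to the workload scope matched by the rule — semantics to be confirmed against the API docs`.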
@@ -0,0 +1,165 @@
+=begin
+#Datadog API V2 Collection
+
+#Collection of all Datadog Public endpoints.
+
+The version of the OpenAPI document: 1.0
+Contact: support@datadoghq.com
+Generated by: https://github.com/DataDog/datadog-api-client-ruby/tree/master/.generator
+
+ Unless explicitly stated otherwise all files in this repository are licensed under the Apache-2.0 License.
+ This product includes software developed at Datadog (https://www.datadoghq.com/).
+ Copyright 2020-Present Datadog, Inc.
+
+=end
+
+require 'date'
+require 'time'
+
+module DatadogAPIClient::V2
+ # The set action applied on the scope matching the rule
+ class CloudWorkloadSecurityAgentRuleActionSet
+ include BaseGenericModel
+
+ # Whether the value should be appended to the field
+ attr_accessor :append
+
+ # The field of the set action
+ attr_accessor :field
+
+ # The name of the set action
+ attr_accessor :name
+
+ # The scope of the set action
+ attr_accessor :scope
+
+ # The size of the set action
+ attr_accessor :size
+
+ # The time to live of the set action
+ attr_accessor :ttl
+
+ # The value of the set action
+ attr_accessor :value
+
+ attr_accessor :additional_properties
+
+ # Attribute mapping from ruby-style variable name to JSON key.
+ # @!visibility private
+ def self.attribute_map
+ {
+ :'append' => :'append',
+ :'field' => :'field',
+ :'name' => :'name',
+ :'scope' => :'scope',
+ :'size' => :'size',
+ :'ttl' => :'ttl',
+ :'value' => :'value'
+ }
+ end
+
+ # Attribute type mapping.
+ # @!visibility private
+ def self.openapi_types
+ {
+ :'append' => :'Boolean',
+ :'field' => :'String',
+ :'name' => :'String',
+ :'scope' => :'String',
+ :'size' => :'Integer',
+ :'ttl' => :'Integer',
+ :'value' => :'String'
+ }
+ end
+
+ # Initializes the object
+ # @param attributes [Hash] Model attributes in the form of hash
+ # @!visibility private
+ def initialize(attributes = {})
+ if (!attributes.is_a?(Hash))
+ fail ArgumentError, "The input argument (attributes) must be a hash in `DatadogAPIClient::V2::CloudWorkloadSecurityAgentRuleActionSet` initialize method"
+ end
+
+ self.additional_properties = {}
+ # check to see if the attribute exists and convert string to symbol for hash key
+ attributes = attributes.each_with_object({}) { |(k, v), h|
+ if (!self.class.attribute_map.key?(k.to_sym))
+ self.additional_properties[k.to_sym] = v
+ else
+ h[k.to_sym] = v
+ end
+ }
+
+ if attributes.key?(:'append')
+ self.append = attributes[:'append']
+ end
+
+ if attributes.key?(:'field')
+ self.field = attributes[:'field']
+ end
+
+ if attributes.key?(:'name')
+ self.name = attributes[:'name']
+ end
+
+ if attributes.key?(:'scope')
+ self.scope = attributes[:'scope']
+ end
+
+ if attributes.key?(:'size')
+ self.size = attributes[:'size']
+ end
+
+ if attributes.key?(:'ttl')
+ self.ttl = attributes[:'ttl']
+ end
+
+ if attributes.key?(:'value')
+ self.value = attributes[:'value']
+ end
+ end
+
+ # Returns the object in the form of hash, with additionalProperties support.
+ # @return [Hash] Returns the object in the form of hash
+ # @!visibility private
+ def to_hash
+ hash = {}
+ self.class.attribute_map.each_pair do |attr, param|
+ value = self.send(attr)
+ if value.nil?
+ is_nullable = self.class.openapi_nullable.include?(attr)
+ next if !is_nullable || (is_nullable && !instance_variable_defined?(:"@#{attr}"))
+ end
+
+ hash[param] = _to_hash(value)
+ end
+ self.additional_properties.each_pair do |attr, value|
+ hash[attr] = value
+ end
+ hash
+ end
+
+ # Checks equality by comparing each attribute.
+ # @param o [Object] Object to be compared
+ # @!visibility private
+ def ==(o)
+ return true if self.equal?(o)
+ self.class == o.class &&
+ append == o.append &&
+ field == o.field &&
+ name == o.name &&
+ scope == o.scope &&
+ size == o.size &&
+ ttl == o.ttl &&
+ value == o.value &&
+ additional_properties == o.additional_properties
+ end
+
+ # Calculates hash code according to all attributes.
+ # @return [Integer] Hash code
+ # @!visibility private
+ def hash
+ [append, field, name, scope, size, ttl, value, additional_properties].hash
+ end
+ end
+end
diff --git a/lib/datadog_api_client/v2/models/cloud_workload_security_agent_rule_attributes.rb b/lib/datadog_api_client/v2/models/cloud_workload_security_agent_rule_attributes.rb
index a7325ca5b1e..3f143cc94c1 100644
--- a/lib/datadog_api_client/v2/models/cloud_workload_security_agent_rule_attributes.rb
+++ b/lib/datadog_api_client/v2/models/cloud_workload_security_agent_rule_attributes.rb
@@ -27,6 +27,9 @@ class CloudWorkloadSecurityAgentRuleAttributes
 # The version of the Agent
 attr_accessor :agent_constraint
+ # The blocking policies that the rule belongs to
+ attr_accessor :blocking
+
 # The category of the Agent rule
 attr_accessor :category
@@ -45,6 +48,9 @@ class CloudWorkloadSecurityAgentRuleAttributes
 # The description of the Agent rule
 attr_accessor :description
+ # The disabled policies that the rule belongs to
+ attr_accessor :disabled
+
 # Whether the Agent rule is enabled
 attr_accessor :enabled
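Review bot: `ttl` and `size` are typed `Integer` in `openapi_types` but their accessor comments (`# The time to live of the set action`, `# The size of the set action`) give neither a unit nor a meaning, so a caller cannot tell whether `ttl` is seconds or milliseconds or what `size` bounds. `initialize` copies both straight through with no type check, so a string or float passed by mistake is only noticed at serialization, if at all. Suggested comments: `# Time to live of the set entry — unit not stated by the spec, confirm before relying on it` and `# Size limit of the set — meaning not stated by the spec, confirm`, and making the `append` comment name the field it appends to.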
@@ -54,6 +60,9 @@ class CloudWorkloadSecurityAgentRuleAttributes
 # The platforms the Agent rule is supported on
 attr_accessor :filters
+ # The monitoring policies that the rule belongs to
+ attr_accessor :monitoring
+
 # The name of the Agent rule
 attr_accessor :name
@@ -83,15 +92,18 @@ def self.attribute_map
 {
 :'actions' => :'actions',
 :'agent_constraint' => :'agentConstraint',
+ :'blocking' => :'blocking',
 :'category' => :'category',
 :'creation_author_uu_id' => :'creationAuthorUuId',
 :'creation_date' => :'creationDate',
 :'creator' => :'creator',
 :'default_rule' => :'defaultRule',
 :'description' => :'description',
+ :'disabled' => :'disabled',
 :'enabled' => :'enabled',
 :'expression' => :'expression',
 :'filters' => :'filters',
+ :'monitoring' => :'monitoring',
 :'name' => :'name',
 :'product_tags' => :'product_tags',
 :'update_author_uu_id' => :'updateAuthorUuId',
@@ -108,15 +120,18 @@ def self.openapi_types
 {
 :'actions' => :'Array',
 :'agent_constraint' => :'String',
+ :'blocking' => :'Array',
 :'category' => :'String',
 :'creation_author_uu_id' => :'String',
 :'creation_date' => :'Integer',
 :'creator' => :'CloudWorkloadSecurityAgentRuleCreatorAttributes',
 :'default_rule' => :'Boolean',
 :'description' => :'String',
+ :'disabled' => :'Array',
 :'enabled' => :'Boolean',
 :'expression' => :'String',
 :'filters' => :'Array',
+ :'monitoring' => :'Array',
 :'name' => :'String',
 :'product_tags' => :'Array',
 :'update_author_uu_id' => :'String',
@@ -163,6 +178,12 @@ def initialize(attributes = {})
 self.agent_constraint = attributes[:'agent_constraint']
 end
+ if attributes.key?(:'blocking')
+ if (value = attributes[:'blocking']).is_a?(Array)
+ self.blocking = value
+ end
+ end
+
 if attributes.key?(:'category')
 self.category = attributes[:'category']
 end
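Review bot: `if (value = attributes[:'blocking']).is_a?(Array)` leaves `blocking` nil with no error when the caller passes a non-Array (for example a single policy id as a bare string), so the rule is sent without its blocking-policy membership and the caller is never told; the same guard is repeated for `disabled` and `monitoring` in the next hunk and in the create and update attribute models later in this diff. It matches how `filters` is handled already, so it is presumably generator convention rather than an oversight, but for fields that decide whether a rule blocks or only monitors, a silently dropped value is worth stating. If the behaviour stays, a comment on each guard such as `# non-Array values are dropped silently (attribute stays nil), as for filters` documents it; otherwise a `fail ArgumentError` in an else branch would surface the mistake at construction time. `initialize` starts and ends outside this hunk.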
@@ -187,6 +208,12 @@ def initialize(attributes = {})
 self.description = attributes[:'description']
 end
+ if attributes.key?(:'disabled')
+ if (value = attributes[:'disabled']).is_a?(Array)
+ self.disabled = value
+ end
+ end
+
 if attributes.key?(:'enabled')
 self.enabled = attributes[:'enabled']
 end
@@ -201,6 +228,12 @@ def initialize(attributes = {})
 end
 end
+ if attributes.key?(:'monitoring')
+ if (value = attributes[:'monitoring']).is_a?(Array)
+ self.monitoring = value
+ end
+ end
+
 if attributes.key?(:'name')
 self.name = attributes[:'name']
 end
@@ -260,15 +293,18 @@ def ==(o)
 self.class == o.class &&
 actions == o.actions &&
 agent_constraint == o.agent_constraint &&
+ blocking == o.blocking &&
 category == o.category &&
 creation_author_uu_id == o.creation_author_uu_id &&
 creation_date == o.creation_date &&
 creator == o.creator &&
 default_rule == o.default_rule &&
 description == o.description &&
+ disabled == o.disabled &&
 enabled == o.enabled &&
 expression == o.expression &&
 filters == o.filters &&
+ monitoring == o.monitoring &&
 name == o.name &&
 product_tags == o.product_tags &&
 update_author_uu_id == o.update_author_uu_id &&
@@ -283,7 +319,7 @@ def ==(o)
 # @return [Integer] Hash code
 # @!visibility private
 def hash
- [actions, agent_constraint, category, creation_author_uu_id, creation_date, creator, default_rule, description, enabled, expression, filters, name, product_tags, update_author_uu_id, update_date, updated_at, updater, version, additional_properties].hash
+ [actions, agent_constraint, blocking, category, creation_author_uu_id, creation_date, creator, default_rule, description, disabled, enabled, expression, filters, monitoring, name, product_tags, update_author_uu_id, update_date, updated_at, updater, version, additional_properties].hash
 end
 end
 end
diff --git a/lib/datadog_api_client/v2/models/cloud_workload_security_agent_rule_create_attributes.rb b/lib/datadog_api_client/v2/models/cloud_workload_security_agent_rule_create_attributes.rb
index bb642bb5be3..d3106b7cc52 100644
--- a/lib/datadog_api_client/v2/models/cloud_workload_security_agent_rule_create_attributes.rb
+++ b/lib/datadog_api_client/v2/models/cloud_workload_security_agent_rule_create_attributes.rb
@@ -21,9 +21,15 @@ module DatadogAPIClient::V2
 class CloudWorkloadSecurityAgentRuleCreateAttributes
 include BaseGenericModel
+ # The blocking policies that the rule belongs to
+ attr_accessor :blocking
+
 # The description of the Agent rule.
 attr_accessor :description
+ # The disabled policies that the rule belongs to
+ attr_accessor :disabled
+
 # Whether the Agent rule is enabled
 attr_accessor :enabled
@@ -33,6 +39,9 @@ class CloudWorkloadSecurityAgentRuleCreateAttributes
 # The platforms the Agent rule is supported on
 attr_accessor :filters
+ # The monitoring policies that the rule belongs to
+ attr_accessor :monitoring
+
 # The name of the Agent rule.
 attr_reader :name
@@ -48,10 +57,13 @@ class CloudWorkloadSecurityAgentRuleCreateAttributes
 # @!visibility private
 def self.attribute_map
 {
+ :'blocking' => :'blocking',
 :'description' => :'description',
+ :'disabled' => :'disabled',
 :'enabled' => :'enabled',
 :'expression' => :'expression',
 :'filters' => :'filters',
+ :'monitoring' => :'monitoring',
 :'name' => :'name',
 :'policy_id' => :'policy_id',
 :'product_tags' => :'product_tags'
@@ -62,10 +74,13 @@ def self.attribute_map
 # @!visibility private
 def self.openapi_types
 {
+ :'blocking' => :'Array',
 :'description' => :'String',
+ :'disabled' => :'Array',
 :'enabled' => :'Boolean',
 :'expression' => :'String',
 :'filters' => :'Array',
+ :'monitoring' => :'Array',
 :'name' => :'String',
 :'policy_id' => :'String',
 :'product_tags' => :'Array'
@@ -90,10 +105,22 @@ def initialize(attributes = {})
 end
 }
+ if attributes.key?(:'blocking')
+ if (value = attributes[:'blocking']).is_a?(Array)
+ self.blocking = value
+ end
+ end
+
 if attributes.key?(:'description')
 self.description = attributes[:'description']
 end
+ if attributes.key?(:'disabled')
+ if (value = attributes[:'disabled']).is_a?(Array)
+ self.disabled = value
+ end
+ end
+
 if attributes.key?(:'enabled')
 self.enabled = attributes[:'enabled']
 end
@@ -108,6 +135,12 @@ def initialize(attributes = {})
 end
 end
+ if attributes.key?(:'monitoring')
+ if (value = attributes[:'monitoring']).is_a?(Array)
+ self.monitoring = value
+ end
+ end
+
 if attributes.key?(:'name')
 self.name = attributes[:'name']
 end
@@ -178,10 +211,13 @@ def to_hash
 def ==(o)
 return true if self.equal?(o)
 self.class == o.class &&
+ blocking == o.blocking &&
 description == o.description &&
+ disabled == o.disabled &&
 enabled == o.enabled &&
 expression == o.expression &&
 filters == o.filters &&
+ monitoring == o.monitoring &&
 name == o.name &&
 policy_id == o.policy_id &&
 product_tags == o.product_tags &&
@@ -192,7 +228,7 @@ def ==(o)
 # @return [Integer] Hash code
 # @!visibility private
 def hash
- [description, enabled, expression, filters, name, policy_id, product_tags, additional_properties].hash
+ [blocking, description, disabled, enabled, expression, filters, monitoring, name, policy_id, product_tags, additional_properties].hash
 end
 end
 end
diff --git a/lib/datadog_api_client/v2/models/cloud_workload_security_agent_rule_update_attributes.rb b/lib/datadog_api_client/v2/models/cloud_workload_security_agent_rule_update_attributes.rb
index f8a43d2502b..6663908ee28 100644
--- a/lib/datadog_api_client/v2/models/cloud_workload_security_agent_rule_update_attributes.rb
+++ b/lib/datadog_api_client/v2/models/cloud_workload_security_agent_rule_update_attributes.rb
@@ -21,15 +21,24 @@ module DatadogAPIClient::V2
 class CloudWorkloadSecurityAgentRuleUpdateAttributes
 include BaseGenericModel
+ # The blocking policies that the rule belongs to
+ attr_accessor :blocking
+
 # The description of the Agent rule
 attr_accessor :description
+ # The disabled policies that the rule belongs to
+ attr_accessor :disabled
+
 # Whether the Agent rule is enabled
 attr_accessor :enabled
 # The SECL expression of the Agent rule
 attr_accessor :expression
+ # The monitoring policies that the rule belongs to
+ attr_accessor :monitoring
+
 # The ID of the policy where the Agent rule is saved
 attr_accessor :policy_id
@@ -42,9 +51,12 @@ class CloudWorkloadSecurityAgentRuleUpdateAttributes
 # @!visibility private
 def self.attribute_map
 {
+ :'blocking' => :'blocking',
 :'description' => :'description',
+ :'disabled' => :'disabled',
 :'enabled' => :'enabled',
 :'expression' => :'expression',
+ :'monitoring' => :'monitoring',
 :'policy_id' => :'policy_id',
 :'product_tags' => :'product_tags'
 }
@@ -54,9 +66,12 @@ def self.attribute_map
 # @!visibility private
 def self.openapi_types
 {
+ :'blocking' => :'Array',
 :'description' => :'String',
+ :'disabled' => :'Array',
 :'enabled' => :'Boolean',
 :'expression' => :'String',
+ :'monitoring' => :'Array',
 :'policy_id' => :'String',
 :'product_tags' => :'Array'
 }
@@ -80,10 +95,22 @@ def initialize(attributes = {})
 end
 }
+ if attributes.key?(:'blocking')
+ if (value = attributes[:'blocking']).is_a?(Array)
+ self.blocking = value
+ end
+ end
+
 if attributes.key?(:'description')
 self.description = attributes[:'description']
 end
+ if attributes.key?(:'disabled')
+ if (value = attributes[:'disabled']).is_a?(Array)
+ self.disabled = value
+ end
+ end
+
 if attributes.key?(:'enabled')
 self.enabled = attributes[:'enabled']
 end
@@ -92,6 +119,12 @@ def initialize(attributes = {})
 self.expression = attributes[:'expression']
 end
+ if attributes.key?(:'monitoring')
+ if (value = attributes[:'monitoring']).is_a?(Array)
+ self.monitoring = value
+ end
+ end
+
 if attributes.key?(:'policy_id')
 self.policy_id = attributes[:'policy_id']
 end
@@ -129,9 +162,12 @@ def to_hash
 def ==(o)
 return true if self.equal?(o)
 self.class == o.class &&
+ blocking == o.blocking &&
 description == o.description &&
+ disabled == o.disabled &&
 enabled == o.enabled &&
 expression == o.expression &&
+ monitoring == o.monitoring &&
 policy_id == o.policy_id &&
 product_tags == o.product_tags &&
 additional_properties == o.additional_properties
@@ -141,7 +177,7 @@ def ==(o)
 # @return [Integer] Hash code
 # @!visibility private
 def hash
- [description, enabled, expression, policy_id, product_tags, additional_properties].hash
+ [blocking, description, disabled, enabled, expression, monitoring, policy_id, product_tags, additional_properties].hash
 end
 end
 end